Thursday 5 June 2014

dedicatedpool.com.. spam or Joe Job?

I received a number of spam emails mentioning a Bitcoin mining website dedicatedpool.com, subjects spotted are:

Subject: Bitcoins are around you - don't miss the train!
Subject: Dedicatedpool.com business proposal (Save up on taxes)
Subject: Make money with darkcoin and bitcoin now!
Body text:

Hello,
Have you heard about bitcoins? I bet you did. Do you know how to make
money on it? Don.t worry, we are professionals in bitcoin and alternative
cryptocurrencies world and we will help you monetize your computing
hardware into bitcoins in no time. Come and joins us at
http://dedicatedpool.com and join our IRC chat at
http://dedicatedpool.com/?page=about&action=chat
--
Ryan, dedicatedpool.com support/admin

------------------------

Don't want Government to steal your money?
Join us at http://dedicatedpool.com and learn how you can save up on
taxes by using bitcoin, darkcoin and other cryptocurrencies!
We will provide you with detailed instructions on how to set up all
hardware in your house and start keeping your money instead of paying
taxes. 100% legal!
Please register at http://dedicatedpool.com

--
Ryan, dedicatedpool.com support/admin

------------------------

Do you have income but you don't want Obama to steal it from you? Come and
join us and turn your electricity cost into cash!
The only pool you can trust - come and mine bitcoins/altcoins with us. We
will provide you detailed guide on how to setup equipment in your house
that will turn electricity into bitcoins!
No taxes no problems: http://Dedicatedpool.com/
--
Ryan, dedicatedpool.com support/admin

However, the pattern of the spam looks like a Joe Job rather than some horribly misguided attempt to market the website. There are several signs that make it look like someone is trying to cause trouble for the site operators:
1. The spam was sent repeatedly to a spamcop.net address, the type of address that would have a high probability of filing an abuse report. I call this a "reverse listwash".
2. The spam mentions the established dedicatedpool.com website repeatedly (rather than using some sort of redirector) but the originating IPs appear to be from an illegal botnet (see note 1). The use of a botnet indicates a malicious intent.
3. Spammers don't tend to include personal details of any sort in their messages, but the inclusion of "Ryan" (who does genuinely appear to be the administrator) seems suspicious.

In my opinion, the balance of probabilities is that this is not sent out by dedicatedpool.com themselves, but is sent out by someone wanting to disrupt their business.

Note 1: I have seen the following IPs as originating the spam..
188.54.89.107
92.83.156.130
31.192.3.89
37.99.127.11
87.109.78.213


Wednesday 4 June 2014

Amazon.com spam / order.zip

This fake Amazon spam has a malicious attachment:

Date:      Wed, 04 Jun 2014 11:55:10 +0200 [05:55:10 EDT]
From:      "Amazon.com"
Subject:      Shipping Confirmation : Order #002-1301707075-0206502025

Amazon
Your Recommendations | Your Orders | Amazon.com
Shipping Confirmation
Order #002-1660680038-7011611870
Hello ,
Thank you for shopping with us. We'd like to let you know that Amazon has received your order, and is preparing it for shipment. Your estimated delivery date is below. If you would like to view the status of your order report is attached here.
This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message.

Attached to the spam is an archive file order.zip which in turn contains a malicious executable order_id_26348273894729847239.exe which has a VirusTotal detection rate of 4/51.

Automated analysis tools [1] [2] [3] show the malware altering system files and creating a fake csrss.exe and svhost.exe that are set to run at startup.

The malware also attempts to phone home to two IP addresses, 91.226.212.32 and 193.203.48.37, hosted in Russia but controlled by a Ukrainian person or entity, PE Ivanov Vitaliy Sergeevich. These network blocks are well-known purveyors of crapware, and I recommend that you block the following:

91.226.212.0/23
193.203.48.0/22

Thursday 29 May 2014

More eFax / Dropbox malware spam

This fake eFax message downloads malware from Dropbox, similar to yesterday's attack but with different binaries:

From:     Incoming Fax [no-reply@efax.co.uk]
Date:     29 May 2014 10:26
Subject:     INCOMING FAX REPORT : Remote ID: 499-364-9797

*********************************************************
INCOMING FAX REPORT
*********************************************************

Date/Time: Thu, 29 May 2014 18:26:56 +0900
Speed: 4360bps
Connection time: 07:09
Pages: 9
Resolution: Normal
Remote ID: 915-162-0353
Line number: 0
DTMF/DID:
Description: Internal report

We have uploaded fax report on dropbox, please use the following link to download your file:

https://www.dropbox.com/meta_dl/[redacted]
The malicious download is from [donotclick]www.dropbox.com/meta_dl/eyJzdWJfcGF0aCI6ICIiLCAidGVzdF9saW5rIjogZmFsc2UsICJzZXJ2ZXIiOiAiZGwuZHJvcGJveHVzZXJjb250ZW50LmNvbSIsICJpdGVtX2lkIjogbnVsbCwgImlzX2RpciI6IGZhbHNlLCAidGtleSI6ICJvempiZ256bDM2aGRlMTgifQ/AAKxr3bqwwmIfwE_cp_xalkzMz7tKRtiivmPhViZTBLBkA?dl=1 which is an archive file FAX-21651_7241.zip which in turn contains the malicious executable FAX-21651_7241.scr

This binary has a VirusTotal detection rate of 6/53 and the Malwr report shows that it downloads a file from soleilberbere.com/images/2905UKdw.tar which subsequently drops a file eucis.exe with a VirusTotal detection rate of just 3/51. Automated reports [1] [2] are pretty inconclusive as to what this does.

Wednesday 28 May 2014

"TPPCO" PPI SMS spam

Despite some high-profile recent cases where SMS spammers have been busted by the ICO, the wave of spam seems to be continuing. This one came less than an hour ago from +447729938098.
Unsure if you qualify for a refund of PPI paid on a loan or credit card? Reply PPI and we will run a no obligation check or reply STOP to opt out. TPPCO
I have no idea who "TPPCO" are, but they are a common sender of these spam messages. In this case, the spam was sent to a number that is TPS registered, and I believe that the approach is fraudulent in any case - in most cases the spammers will get paid for a lead even if it turns out that the claimant wasn't eligible.

If you get one of these, you should forward the spam and the sender's number to your carrier. In the case of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Carriers and the ICO are cracking down on these scumbags, but they need reports from victims to gather enough evidence.

You can also report persistent spam like this via the ICO's page on the subject, which might well end up in the spammers getting a massive fine.

eFax message from "unknown" spam downloads malware from Dropbox

This fake eFax message downloads malicious content from a Dropbox link.

From:     eFax [message@inbound.efax.com]
Date:     28 May 2014 13:12
Subject:     eFax message from "unknown" - 1 page(s), Caller-ID: 1-949-698-5643

Fax Message [Caller-ID: 1-949-698-5643]
You have received a 1 page fax at Wed, 28 May 2014 09:11:44 GMT.

* The reference number for this fax is atl_did1-1400166434-95058563842-154.

Click here to view this fax using your PDF reader.

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.

Thank you for using the eFax service!


j2 Global | eFax | eVoice | FuseMail | Campaigner | KeepItSafe | OneBox

2014 j2 Global, Inc. All rights reserved.
eFax is a registered trademark of j2 Global, Inc.

This account is subject to the terms listed in the eFax Customer Agreement.
The telephone number will vary from spam-to-spam, but the download link seems consistent and is [donotclick]dl.dropboxusercontent.com/s/uk0mlaixvbg52g2/Fax_938_391102933_1245561.zip?dl=1&token_hash=AAEUA5cH_mfvkp4l4CePv7t100XZKo4GBq6ZxY1UiElKyQ&expiry=1401269894 which leads to a ZIP file Fax_938_391102933_1245561.zip which unzips to a malicious executable Fax_938_391102933_1245561.scr.

This binary has a VirusTotal detection rate of 6/53. Automated reporting tools [1] [2] show a download from landscaping-myrtle-beach.com/wp-content/uploads/2014/05/2805UKdw.dkt which in turn drops the following files:
This last one makes a connection to innogate.co.kr for unknown reasons.

Recommended blocklist:
landscaping-myrtle-beach.com
innogate.co.kr

Friday 23 May 2014

Fake NatWest email downloads malware via Dropbox

This fake NatWest email follows the same pattern as this one except that it is downloading malware via Dropbox rather than Bitly.

From:     NatWest.co.uk [noreply@natwest.co.uk]
Date:     23 May 2014 11:36
Subject:     NatWest Statement

View Your May 2014 Online Financial Activity Statement


Keep track of your account with your latest Online Financial Activity Statement from NatWest Bank. It's available for you to view at this secure site. Just click to select how you would like to view your statement:


View/Download as a PDF

View all EStatements

So check out your statement right away, or at your earliest convenience.

Thank you for managing your account online.

Sincerely,

NatWest Bank


Please do not respond to this e-mail. If you have any questions about this inquiry message or your NatWest Bank account, please speak to a Customer Service representative at +44 121 635 1592


NatWest Bank Customer Service Department

P.O. Box 414 | 38 Strand, WC2N 5JB, London

Copyright 2014 NatWest Company. All rights reserved.

AGNEUOMS0006001

The link in the email goes to [donotclick]dl.dropboxusercontent.com/s/h8ee7pet8g3myfh/NatWest_Financial_Statement.zip?dl=1&token_hash=AAGNPq4-blG8MXToyYPu1l8lXEyrOQNz6EjK7rUBRaSHGg&expiry=1400838977 which downloads an archive file NatWest_Financial_Statement.zip which in turn contains the malicious executable NatWest_Financial_Statement.scr. This has a VirusTotal detection rate of just 3/52.

Automated analysis tools [1] [2] show that it downloads a component from [donotclick]accessdi.com/wp-content/uploads/2014/04/2305UKmw.zip

The Malwr analysis shows that it then downloads some additional EXE files:
As is typical with this kind of attack, the payload appears to be P2P/Gameover Zeus/Zbot.

Thursday 22 May 2014

lormaneducation.net / lorman.com "Lorman Education" spam

These spammers are sending to email addresses they have guessed by parsing my website.

From:     Toni Klawiter - Lorman Education [customerservice@lormaneducation.net]
Date:     22 May 2014 16:18
Subject:     Status Classification: Exempt vs. Nonexempt
Signed by:     lormaneducation.net

Seminars     Live Webinars
OnDemand     Membership

Status Classification: Exempt vs. Nonexempt

OnDemand Webinar - 93 Minutes

Learn How To:

    Identify general principles under the Fair Labor Standards Act.
    Explain salary requirements and the highly compensated employee exemption.
    Review what an employer can do to assure classifications are accurate and minimize risks.
    Discuss the executive, administrative, professional and computer professional duties tests.

More Information


Faculty

Michael A. Pavlick
K&L Gates LLP

The link in the email goes to lormaneducation.net and then forwards immediately to lorman.com, which is a typical technique that spammers use to try to avoid getting blacklisted.

lormaneducation.net is hosted on 64.77.120.67 (Peer 1, US) along with the following domains, which look similarly spammy:


The WHOIS details on the lormaneducation.net spamvertised domain are:

    Admin Name: Webmaster
    Admin Organization: Lorman Education Group, Inc.
    Admin Street: PO Box 509
    Admin City: Eau Claire
    Admin State/Province: WI
    Admin Postal Code: 54702-0509
    Admin Country: US
    Admin Phone: +1.7158333940
    Admin Phone Ext:
    Admin Fax:
    Admin Fax Ext:
    Admin Email: webmaster@lorman.com


Spam originates from 184.175.164.1 (US Signal), in a range suballocated to Lorman, 184.175.164.0/26, that you might want to block traffic from.

If this company thinks that promoting its seminars through spam is a legitimate way of promoting a business then I would personally give their "seminars" a very wide berth.

#BringBackOurGirls scam

This scam email attempts to steal money from unsuspecting but altruistic people by hijacking the legitimate #BringBackOurGirls campaign.

From:     Joy Marcus [joymcus55@gmail.com]
Date:     22 May 2014 00:24
Subject:     #BringBackOurGirls
Signed by:     gmail.com

Hello,
My beloved brother and sister. I hope my message get to you in peace.
My name is Mary Sambo from Borno state in Nigeria. I am crying while
putting this message together in the church hostel. I lost my husband to
the terrorist attack that is happening in Borno state, my daughters was
kidnap along with the 270 girls been kidnap in school chibok village in
Nigeria, by the terrorist.

Which the entire world is now searching for them. I am 7 month pregnant
and i am staying at the church hostel, we are 30 in a single room, i
don't have access to good medical care and i am afraid my living
condition might affect my unborn child.

I am asking for help from you in other for me to get a place for myself
and also register myself to health center where i will get proper
medical care. Please help me with anything you, May Almighty God reward
you.
Hope to hear from you.
Regards.

Mary Sambo.
Please reply here: marysamb91@yahoo.com
Apparently this church hostel that she is staying in has internet access good enough to send out spam. And although the scammer is soliciting replies to marysamb91@yahoo.com it is sent from joymcus55@gmail.com which has its own Google+ profile.. which contains a picture.

Now, I don't know about you.. but I don't think that this looks like a Nigerian woman who has to live in a church hostel. That's because it is a photograph of actress and model Yvette Fintland who would no doubt be very displeased to see her photo being abused in this way (and has nothing whatsoever to do with this scam or spam).

There are no words that can adequately describe the horror of the kidnapping of 200 innocent children. And there are no words that adequately describe the disgust at people who are prepared to exploit this awful event for their own personal gain.

Wednesday 21 May 2014

Something evil on 93.171.173.173 (Sweet Orange EK)

93.171.173.173 (Alfa Telecom, Russia) is currently distributing the Sweet Orange EK via a bunch of hijacked GoDaddy subdomains. The malware is being spread through code injected into legitimate but hacked websites.

For example [donotclick]www.f1fanatic.co.uk is a compromised website that tries to redirect visitors to two different exploit kits:

[donotclick]adv.atlanticcity.house:13014/sysadmin/wap/fedora.php?database=3
[donotclick]fphgyw.myftp.biz/kfafyfztzhtwvjhpr37ffn9qi7w0ali5rhczqxcgif3d4

The second one is an attempt to load the Fiesta EK although the payload site is currently down. But the .house domain appears to be Sweet Orange (incidentally this is the first time that I've seen one of the new TLDs abused in this way).


The server on 93.171.173.173 hosts a number of subdomains that are hijacked from GoDaddy customers. I recommend that you block either the subdomains or the domains themselves:


The EK page itself has a VirusTotal detection rate of 0/53, although hopefully some of the components it installs will trigger a warning.


PrimeAspire (primeaspire.com) spam

UPDATE: PrimeAspire have responded to this post, scroll down to the bottom.

Startup or no startup, sending spam to a spamtrap is not a good way to drum up business..

From:     Team@primeaspire.com
To:     donotemail@wearespammers.com
Date:     20 May 2014 13:32
Subject:     PrimeAspire - The Freelance Platform

Hello,

Following our recent launch we'd like to invite you to PrimeAspire where you can post any task and securely get skilled people to complete specific freelance tasks.

The platform is completely free and used by talented people looking for freelance projects.

Learn more

Thanks,

The PrimeAspire team

Please consider the environment before printing this email. Thank you.

Prime Aspire is a freelance marketplace. This message, its contents and any attachments are private, confidential and may contain information that is subject to copyright. You may not disclose, use or disseminate all or part of this message without our prior written consent. If you are not the intended recipient, please notify us immediately by replying to this message and then delete it from your system. Whilst we take reasonable precautions to prevent computer viruses, we cannot accept responsibility for viruses transmitted to your computer and it is your responsibility to make all necessary checks. We may monitor email traffic data and the content of emails to ensure efficient operation of our business, for security, for staff training and for other administrative purposes.

This email was sent from Prime Aspire Limited (Registered number: 7850209). Prime Aspire Limited is registered in England and Wales. Registered address: SUITE 34, New House, 67-68 Hatton Garden, London EC1N 8JY United Kingdom. For further information, please click www.primeaspire.com

To unsubscribe please reply with the word "Unsubscribe".

But (and just as a warning, I'm going to get sweary here) wait a fucking minute.. "This message, its contents and any attachments are private, confidential and may contain information that is subject to copyright. You may not disclose, use or disseminate all or part of this message without our prior written consent." You fucking spammed me with this. I will do with it what I fucking well please.

CEO of PrimeAspire is one Chris Adiolé. PrimeAspire (strictly speaking it is Prime Aspire Ltd) is a real company (07850209 in the UK), and Mr Adiolé even has his name on the domain WHOIS details rather than hiding behind a proxy service.

Registrant Name: Christopher Adiole
Registrant Organization:
Registrant Street: 67-68 Hatton Garden
Registrant City: London
Registrant State/Province: KKD
Registrant Postal Code: EC1N 8JY
Registrant Country: GB
Registrant Phone: +44.20700000000
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@primeaspire.com


Originating IP is 79.170.44.6 which is Heart Internet in the UK. The primeaspire.com domain is hosted with the same firm on 79.170.40.239.

So, let's assume that this is a real proposition and not some sort of scam. Fair enough. Promoting your startup through spam is always a very bad move, but adding meaningless legalese crap to it is really going to piss people off..

UPDATE: many Kudos points to Chris Adiolé for addressing the issue and apologising. So perhaps they're not such a bad bunch after all :)

Hi,

I note you recently published an article on your blog with regards to a promotional email you received from PrimeAspire.

We are a small startup and after our launch in February we worked with a marketing agency who supplied us with email addresses, claiming to be addresses of people that opted to receive emails about freelancing and related services. Unfortunately, we took their words at face value and failed to check the email addresses before sending out the emails.

On behalf of PrimeAspire, I sincerely apologise for the inconvenience. We are an honest startup working hard on our product and have no intention to send spam emails or use sinister marketing procedures to promote our product.

Thanks,

UPDATE 2: but now PrimeAspire are likely to lose their Kudos point due to this rather rude message from some Indian SEO guy..

From:     Tutu Kumar [tutukumarseosolutions@gmail.com]
Date:     25 June 2014 09:16
Subject:     Remove the blog of "PrimeAspire (primeaspire.com) spam"

Hello Dynamoo.com Team,

I'm Tutu Kumar from india, also a SEO Expert. Now i'm working SEO for  Primeaspire.com. And i saw google search pages our blog title
PrimeAspire (primeaspire.com) spam.
This blog title is bad effect for our website but content is good.
Kindly remove the blog of your website.


Thank You
Tutu Kumar
Funnily enough, I don't feel inclined to do that. PrimeAspire sent me a spam.. that happened, and Chris Adiolé apologised which I think shows a great deal of integrity. Perhaps Mr Kumar needs to generate some positive press instead rather than concentrating on my little blog.

Tuesday 20 May 2014

Fake Sage Invoice spam leads to malware

This fake Sage spam leads to malware:

Date:      Tue, 20 May 2014 09:20:53 +0100 [04:20:53 EDT]
From:      Sage [Wilbur.Contreras@sage-mail.com]
Subject:      FW: Invoice_6895366

Please see attached copy of the original invoice (Invoice_6895366). 

Attached is an archive file Invoice6895366.zip which in turn contains a malicious executable Invoice200522014.scr which has a VirusTotal detection rate of 8/52.

The Malwr analysis shows that it then goes on to download further components from [donotclick]protecca.com/fonts/2005UKdp.zip some of which are:
These appear to be part of a peer-to-peer Zbot infection.

Monday 19 May 2014

"TT PAYMENT COPY" spam

This spam has a malicious attachment:

Date:      Sun, 18 May 2014 20:54:20 -0700 [05/18/14 23:54:20 EDT]
Subject:      Re TT PAYMENT COPY

please confirm the attachment payment Copy and get back to me?

Attached is an archive file TT PAYMENT COPY.zip which in turn contains another archive file TT PAYMENT COPY.rar (which relies on the victim having a program to uncompress the RAR file). Once that is done, a malicious executable PaySlip.exe is created. This file has a VirusTotal detection rate of 27/53. Automated analysis tools (such as this one) don't reveal what is happening, but you can guarantee it is nothing good.

Thursday 15 May 2014

"NatWest Statement" spam contains a bit.ly link

This fake NatWest spam sends victims to a malicious download via a bit.ly link.

From:     NatWest.co.uk
Date:     15 May 2014 13:11
Subject:     NatWest Statement

View Your April 2014 Online Merchant Financial Activity Statement

Keep track of your account with your latest Online Merchant Financial Activity Statement from NatWest Bank. It's available for you to view at this secure site. Just click to select how you would like to view your statement:


View/Download as a PDF

View all EStatements

So check out your statement right away, or at your earliest convenience.

Thank you for managing your account online.

Sincerely,

NatWest Bank


Please do not respond to this e-mail. If you have any questions about this inquiry message or your NatWest Bank ®
Merchant account, please speak to a Customer Service representative at 1-800-374-2639


NatWest Bank Customer Service Department

P.O. Box 414 | 38 Strand, WC2N 5JB, London

Copyright 2014 NatWest Company. All rights reserved.

AGNEUOMS0006001 
The link in the email goes to [donotclick]bit.ly/1jKW2GJ which then downloads a malicious file Statement-pdf.scr which has a VirusTotal detection rate of 8/53. Automated analysis tools [1] [2] [3] [4] are inconclusive about what the malware actually does.

One thing about bit.ly links is that if you put a "+" at the end of the link you can see how many people clicked it. In this case, 236 people have clicked so far, mostly in North America. I suspect that quite a few of those are malware researchers!


"Advertising for Red Bull (Energy Drink)" car wrap scam

This spam does not come from Red Bull or anybody related to them:

From:      RED-BULL CARADVERT
Reply-To:      rolandbest196@gmail.com
Subject:      Advertising for Red Bull (Energy Drink) 05/13 /2014

Hello,

We are currently seeking to employ individual's world wide. How would you like to make money by simply driving your car advertising for RED BULL.

How it works?

Here's the basic premise of the "paid to drive" concept: RED BULL seeks people -- regular citizens,professional drivers to go about their normal routine as they usually do, only with a big advert for "RED BULL" plastered on your car. The ads are typically vinyl decals, also known as "auto wraps,"that almost seem to be painted on the vehicle, and which will cover any portion of your car's exterior surface.

What does the company get out of this type of ad strategy? Lots of exposure and awareness. The auto wraps tend to be colorful, eye-catching and attract lots of attention. Plus, it's a form of advertising with a captive audience,meaning people who are stuck in traffic can't avoid seeing the wrapped car alongside them. This program will last for 3 months and the minimum you can participate is 1 month.

You will be compensated with $300 per week which is essentially a "rental"payment for letting our company use the space no fee is required from you RED BULL shall provide experts that would handle the advert placing on your car. You will receive an up front payment of $300 inform of check via courier service for accepting to carry this advert on your car.

It is very easy and simple no application fees required contact email along with the following you are interested in these offer.
rolandbest195@gmail.com

Full Name:
Address:
City:
State:
Zip code:
Country:
Make of car/ year:
Telephone numbers:

We shall be contacting you as soon as we receive this information.

Kind Regards
Roland Best
Hiring Manager,
Red Bull™
It's a scam.. but what is the scam exactly? The whole process is nicely detailed here, but essentially the scammers send you a fake cheque ("check" in the US) as payment. This cheque includes an amount that you are meant to pay the "graphic artist" for the work needed to create the wrap. Of course, once you have sent your own money to the "artist" (in reality a scam artist) the fake cheque will be rejected, and you will end up out of pocket (and possibly in trouble with the police or bank for fraud).

The overpayment scam is a common one, and it is used in all sorts of different set-ups. If anyone sends you a cheque and then asks you to pay it in and forward some of the money elsewhere then you can almost guarantee that someone is trying to rip you off.

Wednesday 14 May 2014

citibank.com "Important - Commercial Form" spam

This fake Citibank spam comes with a malicious attachment:

Date:      Wed, 14 May 2014 11:56:34 -0500 [12:56:34 EDT]
From:      Nola Painter [Nola.Painter@citibank.com]
Subject:      FW: Important - Commercial Form

citibank.com
Commercial Banking Form

To: [redacted]

Case: C1957115
Please scan attached document and fax it to +1 800-285-1110 .

All web filed documents (with the exception of downloaded accounts templates) are available to view / download for 10 days after their original submission. Once accepted, these changes will be displayed on the public record. Not yet filing your accounts online? See how easy it is... For enquiries, please telephone the Service Desk on +1 800-285-4794 or email enquiries@citibank.com. This email was sent from a notification-only email address which cannot accept incoming mail. Please do not reply directly to this message. .

Yours faithfully

Nola Painter
Commercial Banking
Citibank N.A
Nola.Painter@citibank.com

Copyright © 2014 Citigroup Inc.
Citibank


Other senders spotted include:
Lavonne Bermudez [Lavonne.Bermudez@citibank.com]
Gabriel Britton [Gabriel.Britton@citibank.com]

Attached to the message is an archive file CommercialForm.zip which in turn contains a malicious executable CommercialForm.exe which has a VirusTotal detection rate of 19/52. Automated analysis tools [1] [2] [3] show that it downloads an encrypted file from [donotclick]desktopcrafts.com/wp-content/uploads/2014/05/Targ-1405USdp.enc although what that does is currently unclear.

One. Two. Three. Network Operations Center hosting things as bad as can be.

Network Operations Center don't exactly have a glowing reputation for cleanliness when it comes to malware. The following IPs and hosts seem to be distributing something nasty which appears to be injected into victim sites.

I don't have a good analysis of what is going on at the moment, so for now you'll just have to take my word for it. The activity has been observed on the following Network Operations Center IP addresses over the past few days:


A lot of these IPs are connected with things like porn sites, but they also host a number of malicious subdomains with hostnames of the form one., two. and three. You can safely assume that the domains themselves are malicious (they are listed at the end of the post if you want to block them). Malicious subdomains spotted are:


Recommended blocklist:
64.120.207.252
66.96.246.135
66.197.241.194
173.212.223.243
184.22.149.175
184.22.149.176
184.22.149.177
184.22.149.178
184.82.38.54
209.159.153.171
209.159.153.186
odpewnvd.biz
jldywencp.biz
gdliiitra.biz
dkjeeeielv.biz
kleionrtue.biz
jhvbhvhch.biz
fnfgcngjhv.biz
khvvkhvchk.biz
hgvjhvjhvjh.biz
jhvjhvhvhjv.biz
kguukgukigk.biz
khvkhvkhvkjv.biz
kjghkjdfjhdc.biz
jhvkjvhfkcykc.biz
fdsglj.biz
dfwvdfsk.biz
fderefjfv.biz
jdfslfdsgy.biz
jhfjgdhfds.biz
vfdsgsrgsg.biz
bfsdmhglsdg.biz
fdfjkhfsadv.biz
fdsfgsgdvsd.biz
hfgkjhkklbj.biz
khfjhcfhgfk.biz
vdgbfslgdfs.biz
vsfbglmldsv.biz
jreoplte.biz
djsliufhgs.biz
vfknvdwowe.biz
vfsnjvdsisw.biz
dwfnkvgd.biz
fewfjisi.biz
vcdsknvkds.biz
hfdodiopr.biz
nchepeweo.biz
odhbowdwe.biz
khvjhv.biz
hghdswo.biz
jhchgch.biz
dmslcfwq.biz
bjfyteshi.biz
fdgblkdor.biz
hgufkjyvu.biz
hgvhfdesl.biz
berzaoli.biz
guilerty.biz
nertriko.biz
hutyerfliop.biz
kiortnion.biz
mdfckel.biz
dfioptie.biz
kdifpewiofg.biz
jlopirtdsmncx.biz
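
One way to put a blocklist in this format to work, as an added example that is not code from the original post: split the mixed IP/domain list, render the domains as a DNS RPZ zone so the apex and every subdomain (one., two., three. and anything else) resolve to NXDOMAIN, and triage a resolver query log against it. The blocklist subset, the query log lines and the RPZ origin name `rpz.example` are all constructed for the example; the one/two/three regex is a review heuristic for the naming pattern described above, not something to block on by itself.

```python
import ipaddress
import re

# Constructed sample: a handful of entries in the post's "Recommended blocklist"
# format (IPs and bare domains, one per line).
BLOCKLIST_TEXT = """\
64.120.207.252
66.96.246.135
odpewnvd.biz
jldywencp.biz
gdliiitra.biz
"""

# Constructed BIND-style query log lines (clients use RFC 5737 test addresses).
SAMPLE_QUERY_LOG = """\
05-Jun-2014 10:15:03.101 client 192.0.2.10#51234: query: one.odpewnvd.biz IN A + (192.0.2.1)
05-Jun-2014 10:15:04.220 client 192.0.2.11#40021: query: www.example.com IN A + (192.0.2.1)
05-Jun-2014 10:15:05.330 client 192.0.2.12#53311: query: three.zzqqxxyy.biz IN A + (192.0.2.1)
05-Jun-2014 10:15:06.440 client 192.0.2.13#60010: query: odpewnvd.biz.example.net IN A + (192.0.2.1)
"""

QUERY_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN")
# Heuristic for the naming pattern seen in the post: a one/two/three label in
# front of a throwaway .biz domain. Flag for review only; do not block on it alone.
SUBDOMAIN_PATTERN_RE = re.compile(r"^(one|two|three)\.[a-z]{6,14}\.biz$")


def parse_blocklist(text):
    """Split a mixed IP/domain blocklist into two normalised sets."""
    ips, domains = set(), set()
    for line in text.splitlines():
        entry = line.strip().lower()
        if not entry or entry.startswith("#"):
            continue
        try:
            ips.add(str(ipaddress.ip_address(entry)))
        except ValueError:
            domains.add(entry.rstrip("."))
    return ips, domains


def to_rpz_zone(domains, origin="rpz.example"):
    """Render the domain set as an RPZ zone that NXDOMAINs each domain and all subdomains."""
    lines = [
        "$TTL 300",
        f"@ IN SOA {origin}. hostmaster.{origin}. 1 3600 600 86400 300",
        "@ IN NS localhost.",
    ]
    for d in sorted(domains):
        lines.append(f"{d} CNAME .")     # the apex itself
        lines.append(f"*.{d} CNAME .")   # one.<d>, two.<d>, three.<d>, ...
    return "\n".join(lines) + "\n"


def is_blocked_name(qname, domains):
    """True if qname equals a listed domain or sits anywhere beneath one."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def triage_query_log(log_text, domains):
    """Return (client, qname, reason) for each query hitting the list or the heuristic."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        client, qname = m.group(1), m.group(2).lower().rstrip(".")
        if is_blocked_name(qname, domains):
            hits.append((client, qname, "listed"))
        elif SUBDOMAIN_PATTERN_RE.match(qname):
            hits.append((client, qname, "one/two/three pattern"))
    return hits


if __name__ == "__main__":
    ips, domains = parse_blocklist(BLOCKLIST_TEXT)
    print(to_rpz_zone(domains))
    for hit in triage_query_log(SAMPLE_QUERY_LOG, domains):
        print(hit)
```

The suffix walk in `is_blocked_name` is what makes a bare-domain list useful against the one./two./three. hosts: a query for one.odpewnvd.biz matches odpewnvd.biz, while odpewnvd.biz.example.net (a listed name used as a prefix) correctly does not. The IP set is returned separately because it belongs in a firewall or proxy rule, not in the DNS zone.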


Monday 12 May 2014

Yahoo! Advertising Services (formerly overture.com) email address leak

A long, long time ago there used to be a company called Overture.com that did online advertising, and it was acquired by Yahoo! some time ago.

Now, I use a unique email address for every service I use, and today I was surprised to see the address I used for Overture being used in this spam. I believe this is the first time that I have ever seen spam to this address, so I assume that this is a recent leak of addresses (and Yahoo! has had all sorts of problems with breaches and the Heartbleed bug recently).

The botnet sending out this spam does seem to have access to leaked email data that I haven't seen used before. So is this an early warning of yet another problem at Yahoo?

Friday 9 May 2014

Dr. Annette Bosworth is a moron spammer

I'm not very interested in US politics, and I certainly don't live there. So why is this moron spammer trying to get me to vote for her?

From:     Anette Bosworth [anette.bosworth@bosworthcampaign.com]
Reply-To:     anette.bosworth@bosworthcampaign.com
Date:     9 May 2014 15:27
Subject:     Not Cool, Guys
Signed by:     bosworthcampaign.com

Honestly, who acts like this? 

This is my first run for political office.  I am a doctor, not a career politician, but I just couldn’t sit on the sidelines and watch what is happening to our great nation any longer.

I have always stood up for what I believe in.  The first time I stood up to a bully I was 7 years old.

Today, the biggest bully I see is the federal government.  I grew up on a working farm in Plankinton, South Dakota.  I am a doctor who works with the elderly and the poor.  The clinic I own is a small business.  In every area of work and life, there is just too much government interference.

Being a doctor, I understand how unfair and harmful Obamacare really is -- and I have vowed to repeal every single word of it.  I also pledge to cut taxes, defend the second amendment, and to protect the unborn.

Washington, D.C. insiders don’t want to see people like you and me change their way of doing business.

Change is possible, but it takes effort from all of us.

I am fighting for that change against an establishment insider with millions of dollars, much of it PAC money from special interest groups.

My opponent has so much PAC money, he can afford to be wasteful – and he is.  Just this week, he produced a slick advertisement for TV that didn’t even feature voters from the state of South Dakota.  And when he was caught, he didn’t even apologize -- he just threw the advertisement away.

That’s not how I do things.

I am a fiscal conservative.  I promise that if you donate now, your hard earned donation will be used in a responsible way to fight big government and wasteful spending.  I need your help to get there. Will you join me?

Absentee ballots in South Dakota are mailed out this month and that’s when voting begins – will you chip in $5 or more today?

The donation you make today will help us get our message to voters.

Thanks,
Dr. Annette Bosworth
image2.png

To unsubscribe please click here
   

Dr. Annette Bosworth
2601 S. Minnesota Ave, Suite 105-129, Sioux Falls, SD, 57105

Paid for by Dr. Annette Bosworth for U.S. Senate

Contributions to Bosworth for US Senate are not tax deductible

It seems that she's a Doctor of some sort, but she opposes affordable healthcare. As Europeans we are constantly amazed and horrified at the way US healthcare professionals just let people die when the money runs out of their insurance policy.. if they have an insurance policy. Until Obama forced changes through, the US healthcare system was 100 years behind that in Europe. Now it is only 80 years or so behind. Progress I guess.

Also, Annette Bosworth (or whatever idiot is spamming on her behalf) is attempting to solicit funds through fundly.com which violates their terms of service. Luckily she hasn't been able to recruit many other morons to her cause and has only raised $1,150 out of a target of $750,000.

Well, since this is an abuse of the Fundly terms of service, then getting it shut down and losing the funds could be a bit of a laugh.

The spam originates from two18.2bits.co (63.143.38.243) and spamvertises a site at marketer.2bits.co (63.143.38.226). Both these IPs are allocated to Limestone Networks in the US, but are suballocated to a customer called Joseph (Joey) Burzynski of ResistedNormalcy LLC and/or MarketKar.ma in Dallas. The email is digitally signed for the domain bosworthcampaign.com which has hidden WHOIS details.

Of course, this could be a subtle Joe Job intended to frame Annette Bosworth and make her look like a moron. But according to Joey Burzynski's own Facebook page at www.facebook.com/resistednormalcy/likes he "likes" Annette Bosworth. And tattoos. A lot.

There are plenty of other indicators online that Dr Bosworth has employed the promotional "talents" of Mr Burzynski.

I'm not the only one that thinks that this is spammy either, because Gmail says..


Presumably Annette Bosworth thinks that her point of view is so important that she can spam it out to people at random, regardless of where they live. I personally think she is a moron spammer and hope that the electors of South Dakota treat her accordingly.

UPDATE 12 May 2014: According to US law..
Contributions and donations may not be solicited, accepted, or received from, or made directly or indirectly by, foreign nationals who do not have permanent residence in the United States (i.e., those without green cards). This prohibition encompasses all US elections; including federal, state and local elections. 11 CFR 110.20(b).
So it would be prohibited for Dr Bosworth's campaign to accept a donation from me as I live in the UK and have never even visited the US.

So it's probably a bad move that they accepted my ten bucks.

There's a lively discussion about this over at the Madville Times.

UPDATE 13 May 2014: it has been said that Americans don't get irony. When I made my illegal $10 contribution to Annette Bosworth's campaign, I added the comment "Ten Bucks Well Spent!" because I knew that accepting the money from a foreign donor would have some entertaining repercussions.

What I didn't expect was that not only would the donation be accepted, but that Dr Bosworth would also quote me on her Facebook page..


I like the comment "GOOD AMERICAN;;" (even with the spurious semicolons. Perhaps Americans don't understand semicolons either. I'm not sure I do) because of course I am British. And if Dr Bosworth's supporters knew my political leanings then they would assume I was the Spawn of Satan.

Interestingly, this means that they not only accepted the donation but someone took the time to review it.. surely then they should have spotted that I was not in the US.

Ten bucks well spent indeed!

And for those asking.. here is the receipt:

UPDATE 5 June 2014: Annette Bosworth has been arrested on charges of perjury.

HMRC spam / VAT0781569.zip

This fake HMRC spam comes with a malicious attachment:

Date:      Fri, 9 May 2014 12:47:49 +0530 [03:17:49 EDT]
From:      "noreply@hmrc.gov.uk" [noreply@hmrc.gov.uk]
Subject:      Successful Receipt of Online Submission for Reference 0781569


Thank you for sending your VAT Return online. The submission for reference 0781569 was
successfully received on Fri, 9 May 2014 12:47:49 +0530  and is being processed. Make VAT
Returns is just one of the many online services we offer that can save you time and
paperwork.

For the latest information on your VAT Return please open attached report.

The original of this email was scanned for viruses by the Government Secure Intranet
virus scanning service supplied by Cable&Wireless Worldwide in partnership with
MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was
certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded for
legal purposes. 

It says "On leaving the GSi this email was certified virus free" which (as you might suspect) is utter bollocks, because it comes with a malicious payload. Attached to the message is an archive VAT0781569.zip which in turn contains two identical malicious executables AccountDocuments.scr and VAT090514.scr which have a VirusTotal detection rate of 15/52.


This is part one of the infection chain. Automated analysis [1] [2] [3] shows that components are then downloaded from the following locations:

[donotclick]bmclines.com/0905UKdp.rar
[donotclick]gamesofwar.net/img/icons/0905UKdp.rar
[donotclick]entslc.com/misc/farbtastic/heap170id3.exe
[donotclick]distrioficinas.com/css/b01.exe


The malicious binary heap170id3.exe has a VirusTotal detection rate of 9/52. Automated analysis [1] [2] shows that this makes a connection to a server at 94.23.32.170 (OVH, France).

The other malicious binary, b01.exe had a VirusTotal detection rate of 11/52. Analysis of this shows [1] [2] that it attempts to connect to several different email services, presumably to send out spam.

Thursday 8 May 2014

Maersk Line Shipping Phish

Some people will phish for anything. This one seems to be looking for credentials to My Maersk Line, I guess to allow the scammers to illegally ship items at someone else's expense.


From:     Maersk Line Shipping [sunil.dharmappa@stalliongroup.com]
Reply-To:     shipping@maersklines.com
Date:     8 May 2014 14:55
Subject:     TRACK YOUR CONTAINERS & CARGO NOW!


Dear Sir/madam,

we  want to inform you that your supplier/seller shipped your goods  through our shipping services, we hope your supplier must have given you the details about your container vessel ,we strongly recommend that you confirm your goods/cargo immediately by tracking your goods online.
 All shipped container/goods must be tracked  to enable  you to know the location of your shipment and to know the arrival date of vessel. This is why MAERSK LINE has enabled a user friendly interface for our customers to track there goods by themselves without the help of the agents.

Download the container tracking form attached and  log in with your email now to know the status and location of your container/shipment. You must use the email which you used in communicating with your supplier/seller that is the email our tracking system will recognize because it is the email your supplier registered your goods with .You will be able to save the search criteria for easy reuse at a later stage. You will also have the opportunity to search for shipment from/from specific locations and many other features.

Check the attached now .

Best regards

Maersk shipping company.

Terms of use | Privacy policy | Sitemap | Maersk Line. All rights reserved.


Attached is a file maersk container tracking.htm ..


This attempts to harvest credentials and then POSTS them via a dedicated phishing site at send.apbem.org.br/zolamaersksend.php (189.73.155.37 / Brasil Telecom, Brazil). Once the username and password have been stolen, the victim is sent to the real My Maersk site (which doesn't actually require a password for basic container tracking).

Not many people will have a relevant shipping account at Maersk, but you can imagine the potential value of being able to ship stolen or illegal goods for free..

Wednesday 7 May 2014

unitedtraderegister.eu / europeantraderegister.net spam

This spam is attempting to solicit signups for a worthless "World Trade Register" website.

From:     utr@unitedtraderegister.eu
Date:     7 May 2014 00:04
Subject:     Are you ready?
Signed by:     unitedtraderegister.eu

Dear Partner,

In order to have your company inserted in the
global trade register of partner companies for
the 2015/2016 edition you must print, complete
and send the enclosed form before the end of
next week to the following address:

World Trade Register
P.O. Box 3079
3502 GB Utrecht
The Netherlands

or fax it to:
Fax: +31 205 248 107

or reply to this email and attach the form to it.

Updating is free of charge!
To unsubscribe please visit this link:
unitedtraderegister.eu/unsubscribe.php?email=info@[redacted]
In case the form is missing you can download it here:
unitedtraderegister.eu/wtr.pdf

The company behind this spam is a ROKSO-listed organisation called World Company Register / EU Business Register. A ROKSO listing basically means that this is one of the worst spammers currently in the world.

unitedtraderegister.eu forwards to europeantraderegister.net (and worldtraderegister.net is on the same server). This is an old-fashioned directory scam and it should be ignored.

"Lloyds Commercial Banking" "Important BACs" spam

This fake bank spam comes with a malicious attachment:

Date:      Tue, 6 May 2014 08:29:83 GMT
From:      Lloyds Commercial Banking [Annmarie.Baldwin@lloydsbank.com]
Subject:      FW : Important BACs


Important account documents


Reference: C06
Case number: 0995479

Please review attached BACs documents and fax it to +44 (0) 845 600 3319.
Please note that the Terms and Conditions available below are the Bank's most recently issued versions. Please bear in mind that earlier versions of these Terms and Conditions may apply to your products, depending on when you signed up to the relevant product or when you were last advised of any changes to your Terms and Conditions. If you have any questions regarding which version of the Terms and Conditions apply to your products, please contact your Relationship Manager.

Yours faithfully



Annmarie Baldwin
Senior Manager, Lloyds Commercial Banking


Calls may be monitored or recorded in case we need to check we have carried out your instructions correctly and to help improve our quality of service.

Please remember we guarantee the security of messages sent by email. 

The last line gave me a laugh.. "Please remember we guarantee the security of messages sent by email." Attached to the message is a file LloydsCase-0995479.zip which in turn contains a malicious executable LloydsCase-07052014.scr. The binary is identical in function to the one used in this TNT spam run doing the rounds at the same time.

"TNT UK Limited" spam

This fake TNT spam has a malicious attachment:

Date:      Wed, 7 May 2014 01:50:00 -0600 [03:50:00 EDT]
From:      TNT COURIER SERVICE [tracking@tnt.co.uk]
Subject:      TNT UK Limited - Package tracking 236406937389

TNT COURIER SERVICE (TCS)
Customer/Delivery Services Department
Central Pk Est/Mosley Rd, Trafford Park
Manchester, M17 1TT UK.

DETAILS OF PACKAGE
Reg order no: GB5766211

Your package have been picked up and is ready for dispatch. Please print attached form
and pick up at the nearest office.

Connote #        :        236406937389
Service Type        :        Export Non Documents - Intl
Shipped on        :        07 Apr 13 00:00
Order No                :        5766211
Status                :       Driver's Return Description      :       Wrong Postcode
Service Options: You are required to select a service option below.

The options, together with their associated conditions 

The attachment is GB5766211.zip which contains the malicious executable GB07052014.scr (note the date is encoded into the filename). This has a VirusTotal detection rate of 7/52.

Automated analysis tools [1] [2] [3] show a UDP connection to wavetmc.com and a further binary download from demo.providenthousing.com/wp-content/uploads/2014/05/b01.exe

This second executable has a VirusTotal detection rate of 20/51. The Malwr report and Anubis report both show attempted connection to various mail servers (e.g. Gmail and Hotmail). Furthermore the Anubis report shows a data transfer to 83.172.8.59 (Tomsk Telecommunication Company, Russia).

Recommended blocklist:
83.172.8.59
wavetmc.com
demo.providenthousing.com

"This email contains an invoice file attachment" spam

Another case of a very terse spam with a malicious email attachment:

Date:      Wed, 7 May 2014 14:06:46 +0700 [03:06:46 EDT]
From:      Accounts Dept [menopausaln54@jaygee.co.uk]
Subject:      Email invoice: 1888443

This email contains an invoice file attachment 

I guess the psychology here is that if you can't tell a convincing lie, then tell a short one. The attachment is emailinvoice.069911.zip which in turn contains a malicious executable emailinvoice.899191.exe which has a VirusTotal detection rate of 5/52.
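
Every one of the HMRC, Lloyds, TNT and invoice spams above follows the same recipe: a zip attachment wrapping an .scr or .exe, often with the send date baked into the filename. As an added example (not code from the original post), here is a mail-gateway style screen for that recipe: it opens the zip in memory, flags executable extensions and PE (MZ) headers, spots filenames that encode a date near the message's send date, and notes when several members are byte-identical, as with AccountDocuments.scr and VAT090514.scr. The sample archive is constructed from harmless placeholder bytes, not the real payload.

```python
import datetime
import hashlib
import io
import os
import re
import zipfile

# Extensions Windows will run directly; a .scr "screensaver" is just a renamed .exe.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
# ddmmyy or ddmmyyyy just before the extension, e.g. VAT090514.scr, GB07052014.scr.
DATE_IN_NAME_RE = re.compile(r"(\d{2})(\d{2})(\d{4}|\d{2})(?=\.[A-Za-z]{2,4}$)")


def build_sample_zip():
    """Constructed stand-in for VAT0781569.zip: two identical placeholder files with executable names."""
    payload = b"MZ" + b"\x00" * 62 + b"constructed placeholder, not a real program"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AccountDocuments.scr", payload)
        z.writestr("VAT090514.scr", payload)
    return buf.getvalue()


def _date_from_name(name):
    """Pull a dd-mm-yy(yy) date out of a filename, or None if there is none."""
    m = DATE_IN_NAME_RE.search(name)
    if not m:
        return None
    day, month, year = int(m.group(1)), int(m.group(2)), int(m.group(3))
    if year < 100:
        year += 2000
    try:
        return datetime.date(year, month, day)
    except ValueError:
        return None


def inspect_zip_attachment(data, sent_date=None):
    """Return (member, reason) findings for a zip attachment; empty list means nothing suspicious.

    sent_date is the message Date header as an ISO string, e.g. "2014-05-09".
    """
    sent = datetime.date.fromisoformat(sent_date) if sent_date else None
    findings = []
    digests = {}  # sha256 -> member names, to catch duplicated payloads
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            name = info.filename
            ext = os.path.splitext(name)[1].lower()
            content = z.read(info)
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append((name, f"executable extension {ext}"))
            if content[:2] == b"MZ":
                findings.append((name, "PE header (MZ) inside archive"))
            named_date = _date_from_name(name)
            if named_date and sent and abs((named_date - sent).days) <= 1:
                findings.append((name, f"filename date {named_date} matches send date"))
            digests.setdefault(hashlib.sha256(content).hexdigest(), []).append(name)
    for names in digests.values():
        if len(names) > 1:
            findings.append((", ".join(names), "identical contents"))
    return findings


if __name__ == "__main__":
    for member, reason in inspect_zip_attachment(build_sample_zip(), "2014-05-09"):
        print(f"{member}: {reason}")
```

The MZ check matters more than the extension check: a renamed executable still starts with the same two bytes, while an attacker picks the extension freely. The date heuristic is deliberately loose (one day either way, to absorb timezone offsets like the +0530 header above) and is only one signal among several, so a gateway would act on the combination rather than any single finding.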

Automated analysis of this binary [1] [2] [3] shows that it downloads a further component from one of the following locations:

pgalvaoteles.pt/111
axisbuild.com/111
sadiqtv.com/111
hostaldubai.com/111
nbook.far.ru/111
relimar.com/111
webbook.pluto.ro/111
bugs.trei.ro/111
gaunigeria.com/111
rubendiaz.net/111
adventiaingenieria.es/111
assurances-immobilier.com/111
markus.net.pl/111
www.mrpeter.it/111
inmobiliariarobinson.com/111
cigelecgeneration.com/111
hbeab.com/111
lefos.net/111
pk-100331.fdlserver.de/111
decota.es/111
lefos.net/111
krasienin.cba.pl/111
rallyeair.com/111
camnosa.com/111
caclclo.web.fc2.com/111
beautysafari.com/111
www.delytseboer.com/111
atelierprincesse.web.fc2.com/111
czarni.i15.eu/111
gogetgorgeous.com/111

This "111.exe" binary has an even lower VirusTotal detection rate of 3/51. Automated analysis [1] [2] [3] shows that the malware installs itself deeply into the target system.

There is a further download of a malicious binary from files.karamellasa.gr/tvcs_russia/2.exe which has a detection rate of 5/50 and identifies as a variant of Zeus. This creates fake svchost.exe and csrss.exe executables on the target system [1] [2] [3].

Recommended blocklist:
pgalvaoteles.pt
axisbuild.com
sadiqtv.com
hostaldubai.com
nbook.far.ru
relimar.com
webbook.pluto.ro
bugs.trei.ro
gaunigeria.com
rubendiaz.net
adventiaingenieria.es
assurances-immobilier.com
markus.net.pl
www.mrpeter.it
inmobiliariarobinson.com
cigelecgeneration.com
hbeab.com
lefos.net
pk-100331.fdlserver.de
decota.es
lefos.net
krasienin.cba.pl
rallyeair.com
camnosa.com
caclclo.web.fc2.com
beautysafari.com
www.delytseboer.com
atelierprincesse.web.fc2.com
czarni.i15.eu
gogetgorgeous.com
files.karamellasa.gr