Sponsored by..

Friday, 20 June 2014

RNBI pump-and-dump spam: "Are you a go getter?"

This pump-and-dump spam is promoting a US stock Rainbow International Corp (RNBI) with false information designed to pump up the share price while someone dumps stock:

From: RealInvestments Daily Tip
Subject: Are you a go getter?

Hi [redacted],

Hope all is well with you and the family. I know you reached out to me last month looking for a good investment amid this crazy market. I must tell you it has been very hard to find something solid. Theres very few hidden gems out there and I honestly didnt even think I would be able to find something. That being said the best Ive been able to find is RNBI and when I say best, it really seems to be a god send. I told a few of my other clients about it last month as it seemed pretty cheap and it has gone up by more than 50% since. Im giving you a heads up on RNBI because I spoke with a few of my colleagues and they agree that it will hit a dollar some time in the coming weeks. Dont tell anyone you hear this from me please we're suppose to keep it on the down low. The company operates in the legalhemp industry, apparently the sector has been going nuts since colorado and washington made the stuff legal and apparently RNBI is going to announce some big news soon. Not sure what it is but my source is usually pretty spot on.

Take care and let me know if you need anything else. Ill keep you posted if I have some more news.

(c) 2014. StockTips. All rights reserved.

7080 Santa Monica Blvd, West Hollywood, CA 90038
At the moment there is only one subject and body text, but this will no doubt change as the spam evolves. A quick analysis of RNBI shows a company with no significant assets or income and no news or press releases indicating anything going on. The stock was aggressively pumped last month, but this latest round is using illegal spamming to try to promote the stock.

There are some anomalies with this stock. Despite having virtually no income or assets, the market capitalisation is still $52m which seems a lot. The stock chart shows that the price collapsed from a high of $0.59 late last year to $0.06 and then $0.09 before aggressive pumping took it up to about $0.20 or so, shifting around 34 million shares (or about $7m worth of stock). Before the pumping, the daily trade level was basically zero.

In my personal opinion, it is likely that this action is being taken by a major stockholder wanting to dump their shares for whatever reason. Remember that most stocks promoted by pump-and-dump spam collapse afterwards, so it is a good idea to give RNBI a very wide berth.

UPDATE 1. there is now a second wave of spam pretending to be from InvestorsHub which contains some junk text and an image with an MD5 of 0D179335984C7286F170C8354B69D4BF:

From:     InvestorsHub
Date:     20 June 2014 16:34
Subject:     Daily Stocks Tips

UPDATE 2. A third wave of image-based spam is on the way with a different embedded image.

From:     InvestorsHub News
Date:     20 June 2014 19:19
Subject:     This stock will go nuts today

UPDATE 3. Yet another image-based spam pumping RNBI is in circulation.
From:     Investors Hub Newsdesk
Date:     21 June 2014 07:11
Subject:     IHUB Newsdesk - This is the next big stock play

UPDATE 4. Two more versions of the pump-and-dump spam. The first version is surprisingly aggressive:

From:     Scottrade
Date:     21 June 2014 19:58
Subject:     Invest today. Cash Out next month

Dear conrad,

I was very furious when I listened to your voicemail last night.

You know, I did tell you about R N B I last month but you’re the one who was not interested in buying at the time. It was trading for just 10 or 15 cents if I remember correctly. You cannot now blame me by saying I didn’t tell you.

Anyway bullshit aside if you are still angry about missing the first wave I’m telling you its not too late but you need to listen to me now and buy as many s.h.a.r.es of R N B I as you can on Monday morning before they get too expensive and if you don’t it’s your own fault I don’t want you calling me again and leaving me another nasty voicemail.

I spoke with my analyst buddy who is working on this specific stock-analysis and he told me we should expect to see shares hit past a dollar within the next 30 days. Do what you must.

Take care
Your bud
Second version:

From:     TD Ameritrade
Date:     22 June 2014 17:21
Subject:     Another Big Report this Monday at the open!

Open your account today in just minutes  |  View online
You’ve already taken the first step toward your financial goals by starting your application for a TD Ameritrade account. Take the next step and start trade today.

It’s quick and easy. And as a client, you’ll have access to the tools and resources you need to trade and invest with more confidence, including our top stocks picks:

UPDATE 5. Now the spammers are pretending to be from Bloomberg:

From:     Bloomberg.com
Date:     23 June 2014 10:07
Subject:     Financial News: Our New Stock Alert!
Thank you,
The Bloomberg.com Team


Please do not reply to this message; it was sent from an unmonitored email address. If you received this message in error, please contact us.


Update Your Profile | Manage Preferences
Bloomberg.com | 731 Lexington Avenue, New York, NY 10022

UPDATE 6.  This new version of the spam comes with a .VCF attachment which will install a contact into your address book:

From:     Money Runners
Date:     23 June 2014 15:59
Subject:     The Money Runners Group: More Gains This Week - Stay Tuned!

Hi [redacted], my name is Denise Stewart and i'm your new stocks adviser.

Check my vCard in attachement
Attached is a file name2.vcf which contains the following data:
FN:Denise Stewart
N:Denise Stewart;;;;
ADR:;;0659 LEE Tim Road;Denver;CO;80304;USA
ORG:Rainbow International, Corp. (RNBI)
NOTE:By the entrance ways at each end of the coach was a toilet.
A file like this is a contact card and webmail applications such as Gmail or email clients such as Outlook can add it as a contact.

The idea is that you'll wonder who the heck this person is and click through on the link to Yahoo! Finance, which shows the bump in stock prices due to the pump-and-dump run.

Ummm... well, it's an interesting approach but if people are daft enough to fall for this sort of spam then it might be a bit too subtle for them.

UPDATE 7. Two new variants. The first one combines some of the elements seen earlier:

From:     Tonia Maynard
Date:     23 June 2014 18:39
Subject:     We've Just Come Across Something Huge!

Hi [redacted]

The next one has new elements in it:

From:     MarketClub Daily Top Stocks
Date:     23 June 2014 16:59
Subject:     Today's Top Trending Stocks

Top Trending Stocks for Monday, June 23rd

The stocks below have been rated as today's top stocks by MarketClub's Trade Triangle and Smart Scan technology.

#    Symbol    Description    Open    High    Low    Last    Change    %    Vol    Score
1.    RNBI     Rainbow International, Corp.     0.16    0.25    0.21    0.22    +52.185    +50.32%    1,203,226     +100
 View Full List ...

Thousands of people, just like you, have made the jump from using our Top Stocks list to MarketClub.

Learn how MarketClub can advance your trading with an entire set of online trading tools, not just the ability to create lists like this. Try MarketClub for only $8.95 for 30 days.

Follow us on Facebook for updates throughout the trading day.

View all details and studies at http://club.ino.com/. Want more scans, instant alerts, and a custom portfolio? MarketClub has it all across all markets.

To unsubscribe from Top 10 Trending Stocks emails, please visit this link for fast removal. To manage all of your INO.com email subscriptions or unsubscribe from all lists, visit our Email Services page.

U.S. Government Required Disclaimer - Commodity Futures Trading Commission

UPDATE 9. After a brief pause, there's another format of spam. (Incidentally the pause in spam caused the stock price to drop 22%!)

From:     USMarketAdvisor
Date:     24 June 2014 21:53
Subject:     If you get in now you could triple fast

Dear member,

We've been trying to bring something with substance to you for some time now and we've finally found it. R.N.B.I is a stock that will make your portfolio shine again and give us the reputation as strong analysts. It is currently trading for 20 cents. If you can buy some shares at the current pricing you will be in for a hell of a ride as we are predicting that we will see R,N,B,I go to a dollar by mid july. This company is a very special one as it operates in the legal marijuana sector in Colorado. As you've probably heard, that sector is totally on fire at the moment and you would be a fool to think that marijuana is not getting legalized nationwide in the coming short while. Can you imagine what this will do to the price of R_N_B_I? The company is already having a hard time supplying enough cannabis to its customers as it is with just Colorado and Washington allowing legal sales. Imagine when the whole country begins asking for some. At 20 cents R-N-B-I is an absolute steal and I would load up as much as I can.

Your premium analyst,
This email was sent to [redacted]. To ensure that you continue receiving our emails,
please add us to your address book or safe list.
(c) 2014 USMarketAdvisor.
550 Bowie Street, Austin, Texas 78703-4644
Privacy | Terms | Customer Service
Unsubscribe or Change Email Preferences
for all USMarketAdvisor emails.

UPDATE 10. Another spam this time, with the sender set to "FoxNews.com".

From:     FoxNews.com
Date:     25 June 2014 10:33
Subject:     BREAKING NEWS: Huge Winner Today! New Alert Inside

Once in a while there comes an opportunity that is too good to pass.
This time has come again. R*N*B*I is a diamond in the rough and this undervalued company is about to make us all very wealthy.
Our peers will look up to us and say "wow he's smart".
That's because if we can buy R*N*B*I for about 20 cents today we will likely get 5x our investment as analysts are predicting it will reach a dollar in the coming weeks.
TThere's also a bit of history behind this.
Just a few weeks ago the company was at 35 cents!
It has taken one step back and is getting ready to make 5 steps forward and we are lucky to be able to buy shares for as cheap as 20 cents right now.
It's not every day that a legal cannabis company can be bought for so cheap.

If we look at the historical chart and analysts' recommendations this looks like the perfect buy right now and I would get as many shares as I can at the current prices.

More Newsletters | Unsubscribe | Privacy Policy

©2014 StocksNews Network, LLC. All Rights Reserved.

StocksNews never sends unsolicited email. You received this email because you requested a subscription to Breaking Alerts from StocksNews. 

UPDATE 11. A variation of the previous spam, this time purporting to be from "MovingPennies".

From:     MovingPennies
Date:     25 June 2014 14:15
Subject:     BREAKING NEWS: All Eyes On (R N B I)

There's been a lot of speculation about where the market is going.

Truth be told no one really knows but it seems like we can expect to see things continue going up a bit.
That being said more companies these days are really overpriced.
Would you get in google at the current share price? Or apple? Or coca cola? they all seem to expensive at the moment.
Instead I've been searching for an answer... R*N-B*I is a stock that is currently very undervalued and its 2-month chart tells a story.
Just weeks ago it was at 35 cents. Now we can pick it up for right around 20 cents and analysts are expecting it to reach a dollar in the coming weeks.
If that's not a good deal I don't know what is. The company operates in the legal cannabis industry.
They're set up in Colorado and there is a lot of action happening there right now as you know.
Colorado and Washington both legalized cannabis recently and the amount of money being made in the industry right this moment is mind boggling.

If I were you I'd buy as many shares of R-N*B-I as possible at these cheap prices.

UPDATE 12. The spam has evolved again, now pretending to be from MomentumOTC:

From:     MomentumOTC
Date:     26 June 2014 09:37
Subject:     This company will make us big bucks

In recent days R^N^B^I has become very cheap to invest in.
Shares are now trading for right around 15 cents and it looks like it is about to soar again.
Two weeks ago it was trading as high as 35 cents, so you can imagine how much of a bargain it is at the current levels.
For a company that operates in the legal canabis industry we are very lucky to get shares at 15 cents.

Analysts are recommending to buy-it-now.

More Newsletters | Unsubscribe | Privacy Policy

©2014 MomentumOTC Network, LLC. All Rights Reserved.

MomentumOTC never sends unsolicited email. You received this email because you requested a subscription to Breaking Alerts from MomentumOTC. 
UPDATE 13. A new version of the spam is in progress (which still can't spell "cannabis"), this time pretending to be from "BestOTC Network, LLC":
From:     BestOTC
Date:     26 June 2014 14:12
Subject:     The top legal canabis company is here

Everyone is jumping on shares of R:N:B:I at 15cents right now.
They have never been so cheap in the past. Imagine if you wanted to grab it two weeks ago it would've cost you 35 cents.
Analysts are saying that the company is about to soar again and that they recommend buying as much as possible in the 15 to 20cent range.
R:N:B:I is one of the few companies on the market that is involved in the legal canabis sector.

Grab shares now!

More Newsletters | Unsubscribe | Privacy Policy

©2014 BestOTC Network, LLC. All Rights Reserved.

BestOTC never sends unsolicited email. You received this email because you requested a subscription to Breaking Alerts from BestOTCOTC.  

UPDATE 14. Despite all this activity, the stock price is tanking hitting a low of $0.10 which is about half what they were going for when the spam started. That's still about ten cents more than this company is worth in my opinion. This new spam pretends to be from "ClayTrader".

From:     ClayTrader
Date:     26 June 2014 19:12
Subject:     Watch this one double quickly

First target: $.19
Second Target $.25
Stop $.50

Sell on the way up at your target prices

More Newsletters | Unsubscribe | Privacy Policy

©2014 ClayTrader Network, LLC. All Rights Reserved.

ClayTrader never sends unsolicited email. You received this email because you requested a subscription to Breaking Alerts from ClayTrader. 

"2014_06rechnung_0724300002_sign.zip" spam

I don't have a sample of the German-language spam spreading this attack, but it is similar to this one and it entices the victim to download a ZIP file  from [donotclick]officialdund.co.uk/wp-content/themes/officialdund/mobilfunktelekom/2014_06rechnung_0724300002_sign.zip

Inside the ZIP file is a malicious executable 2014_06rechnung_0724300002_pdf_sign_telekomag_deutschland_gmbh.exe which has a very low VirusTotal detection rate of just 1/54. The Malwr report shows that it downloads a further executable rqvupdate.exe [Malwr report] which phones home to (Server Central, US) and has a VT detection rate of just 2/52.

The Anubis report also shows connections to (Server Central, US), (OVH, France / QHoster Ltd, Bulgaria) and (Ransom IT Hosting, New Zealand)

Recommend blocklist:

bumerang.cc spam - possible Joe Job?

As with the writer of the excellent My Online Security blog I had a couple of odd-looking spams that looked like they might be malicious.

The first spam was a bit of a fail as it didn't have the link, the second spam contained a link the the bumerang.cc website.

From:     News
Date:     19 June 2014 21:40
subject:     World Political News

You can see all World Political News at our web site.Just click on link below



From:     Customer support
Date:     19 June 2014 13:43
Subject:     Your invoice for June 2014

See your invoice for June 2014 by click on link below


The link in the second email goes to the amusingly-named www.bumerang.cc/asdaa/sploit.php - amusing because "sploit" is of course slang for "exploit". Although I have seen exploit kits that contain obvious things like this as a sort of joke, it is also a bit obvious don't you think?

But there is no exploit kit at this "sploit.php" location.. it 404s. But in fact I can see no evidence that there has ever been an exploit in this location, this URLquery report from yesterday (the earliest I can find) also shows a 404. So perhaps the exploit has been deleted? Or perhaps it was never there in the first place..

As I mentioned, there are a pair of emails. The one with the working link looks like a fake invoice malspam, but the other one has the subject "World Political News" and the body "You can see all World Political News at our web site.Just click on link below".

It turns out that bumerang.cc is a news site, covering topics of interest in Moldova in the Romanian, English and Russian languages. Unlike most multilingual news sites, the content is different depending on the language.. and the default Russian language part of the site has a lot of articles on the rather corrupt breakaway region of Transnistria which is strongly pro-Russian and which seems to be getting drawn in to the godawful mess that is the Ukraine crisis.

Transnistria has a reputation for corruption and organised crime, so perhaps bumerang.cc has published something that somebody in Transnistria doesn't like. Joe Jobs against sites dealing in Russian politics are quite common, and the messages do bear several hallmarks of being fakes.

Given that there is no evidence of malware on this site, the fishy nature of the spam and the topic areas of the site itself then I am minded to think that this is a Joe Job and bumerang.cc are not behind this spam run.

UPDATE 1 2014-06-24. Another variant..

From:     Bumerang News
Date:     24 June 2014 21:24
Subject:     SENSATION NEWS!Ukraine Will Wage War With Russia

Russia's War Against Ukraine! All at our web site. Just click on link below


Wednesday, 18 June 2014

"Scanned Image from a Xerox WorkCentre" spam with a malicious PDF attachment

The PDF spammers are busy today - this is the third time this particular malicious PDF has been spammed out to victims, first as a fake HSBC message, then a fake Lloyds message, and now a fake Xerox WorkCentre spam.
From:     Xerox WorkCentre
Date:     18 June 2014 13:41
Subject:     Scanned Image from a Xerox WorkCentre

It was scanned and sent to you using a Xerox WorkCentre Pro.

Sent by: [redacted]
Number of Images: 0
Attachment File Type: PDF

WorkCentre Pro Location: Machine location not set
Device Name: [redacted]

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http://www.adobe.com/
The payload is a malicious PDF that is identical to the HSBC and Lloyds spams.

Lloyds Bank Commercial Finance "Customer Account Correspondence" spam

Sent to the same targets and the same victim as this HSBC spam, this fake Lloyds Bank message comes with a malicious payload:
From:     Lloyds Bank Commercial Finance [customermail@lloydsbankcf.co.uk]
Date:     18 June 2014 12:48
Subject:     Customer Account Correspondence

This attachment contains correspondence relating to your customer account with Lloyds Bank Commercial Finance Ltd.

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.

If you have received this email in error please contact the individual or customer care team whose details appear on the statement.

This email message and its attachment has been swept for the presence of computer viruses.

Lloyds Bank Commercial Finance, No 1 Brookhill Way, Banbury, Oxfordshire OX16 3EL | www.lloydsbankcommercialfinance.co.uk
Ensuring that your PDF reader is up-to-date may help to mitigate against this attack.

HSBC "Unable to process your most recent Payment" spam

This convincing looking bank spam comes with a malicious PDF attachment:

From:     HSBC.co.uk [service@hsbc.co.uk]
Date:     18 June 2014 12:33
Subject:     Unable to process your most recent Payment


You have a new e-Message from HSBC.co.uk

This e-mail has been sent to you to inform you that we were unable to process your most recent payment.

Please check attached file for more detailed information on this transaction.

Pay To Account Number:   **********91
Due Date: 18/06/2014
Amount Due: £ 876.69

IMPORTANT: The actual delivery date may vary from the Delivery by date estimate. Please make sure that there are sufficient available funds in your account to cover your payment
beginning a few days before Delivery By date estimate and keep such funds available until the payment is deducted from your account.

If we fail to process a payment in accordance with your properly completed instructions, we will reimburse you any late-payment-related fees.

Copyright HSBC 2014. All rights reserved. No endorsement or approval of any third parties or their advice, opinions, information, products or services is expressed or implied by any information on this Site or by any hyperlinks to or from any third party websites or pages. Your use of this website is subject to the terms and conditions governing it. Please read these terms and conditions before using the website..
Attached is a malicious PDF file HSBC_Payment_9854711.pdf which has a VirusTotal detection rate of just 6/53. The Malwr report does not add much but can be found here.

Tuesday, 17 June 2014

Wells Fargo "Important docs" spam has a malicious PDF file

This fake Wells Fargo spam comes with a malicious PDF attachment:

From:     Raul.Kelly@wellsfargo.com
Date:     17 June 2014 18:50
Subject:     Important docs

We have received this documents from your bank, please review attached documents.

Raul Kelly
Wells Fargo Accounting
817-713-1029 office
817-306-0627 cell Raul.Kelly@wellsfargo.com

Investments in securities and insurance products are:

Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are confidential and are intended solely for the use of the person or entity to whom the message was addressed. If you are not the intended recipient of this message, please be advised that any dissemination, distribution, or use of the contents of this message is strictly prohibited. If you received this message in error, please notify the sender. Please also permanently delete all copies of the original message and any attached documentation. Thank you.
The attachment is account_doc~9345845757.pdf which has a VirusTotal detection rate of 5/51. The Malwr report doesn't say much but can be found here.

Personal misfortune is not an excuse for spam

"Mark" is having a hard time. Left with huge bills after being treated for prostate cancer, he feels let down by his employer at the time who did not cover the treatment with their health insurance.

How do I know this? He spammed me to tell me about it. Several times.

From:     Mark ******* [me@mail.*****]
Date:     17 June 2014 07:25
Subject:     Please donate to help support my recovery from Localised Prostate Cancer

        please consider donating to help fund my financial recovery since I was treated for Localised Prostate Cancer.


Mark *******

        © Mark ******* , All Rights Reserved.
                http://******* .net/
                http://******* .like.to/
                http://******* .like.to/
A web form is attached soliciting funds:

Because "Mark" has suffered enough, I am withholding his full name. I did the due diligence and checked that the originating IP links back to a mailserver on his own domain, so this isn't a Joe Job.

But personal misfortune is not an excuse to spam, and in this case "Mark" sent to the spam to some randomly generated recipients that don't actually exist. That sort of thing is very bad practice, and if you are trying to get donation sent to a PayPal account then it is a good way to get your account frozen.

"Ihre Festnetz-Rechnung für Juni 2014" Vodafone spam

Over the past few weeks I have seen a concerted attack on German language speakers with various fake invoices leading to a malicious ZIP download. Here is one example:

From: 1562404288-0002@rechnung.vodafone.de
Sent: 17 June 2014 09:00
Subject: Ihre Festnetz-Rechnung für Juni 2014 #3232853429
Importance: High

Ihre neue Rechnung ist online

Sehr geehrte Kundin, sehr geehrter Kunde,

Ihre Rechnung vom Juni 2014 ist jetzt für Sie zum Abruf bereit.
Ihre Festnetz-Rechnung für Juni 2014 #25-36-8114.zip.

Die Gesamtsumme beträgt 224,88 Euro.

Der Rechnungsbetrag wird frühestens 5 Tage nach Rechnungszustellung von Ihrem angegebenen Konto eingezogen.

Mit freundlichen Grüßen
Ihr Vodafone-Team 
Of course, this isn't from Vodafone at all. The link in the email goes to [donotclick]gabilevin.com/wp-includes/SimplePie/Net/vodafoneteam which downloads a ZIP file 2014_06rechnung_pdf_vodafone.zip which in turn contains the malicious executable 2014_06rechnungonline_pdf_vodafone_00930220374_53790190_82456.exe which has a low detection rate of 3/54 at VirusTotal.

The Malwr report shows that this performs a download from (Server Central, US) which in turn drops another malicious binary rqvupdate.exe which also has a detection rate of just 3/54. The Malwr report for that is here.

Friday, 13 June 2014

Something suspect on

This attack (assuming it is an attack) revolves around a bunch of domains hosted in (HostZealot, UK).

It starts when a visitor visits the website click-and-trip.com hosted on which purports to be some sort of hotel reservation system.

However, this URLquery report also shows a suspected Fiesta EK pattern and/or a TDS (Traffic Distribution System) URL. In the case of the report, the landing page is [donotclick]asasas.eu/yo416f8/counter.php?id=5 on but this is one of those cases where the landing page seems to change quickly.

Both the "gateway" domain and "payload" domain share similarities in the WHOIS details. For click-and-trip.com it is:

Registrant Name: BERNARDO MINES
Registrant Organization: LA SAGRADA
Registrant Street: CARRER DE MALLORCA, 401
Registrant City: BARCELONA
Registrant State/Province: NON
Registrant Postal Code: 08013
Registrant Country: DE
Registrant Phone: +34.932073031
Registrant Phone Ext: 
Registrant Fax: +1.5555555555
Registrant Fax Ext:

Well, Barcelona isn't in DE (Germany), so these contact details look awfully suspect. If we look at the WHOIS details for asasas.eu we see:

Name         Hans Bruse
Organisation hans inc
Language     German
Address      Am Forsthaus 9
             18209 Glashagen
Phone        +49.382037295
Email        hansbruse@yahoo.com

Both addresses use the "hansbruse@yahoo.com" email address, and those German contact details for "Hans Bruse" are more convicining than "Bernado Mines".

The click-and-trip.com domain has been around since January and interestingly a dig back in time six months turns up slightly different contact details:

Registry Registrant ID:
Registrant Name: BERNARDO MINES
Registrant Organization: LA SAGRADA
Registrant Street: CARRER DE MALLORCA, 401
Registrant City: BARCELONA
Registrant State/Province: NON
Registrant Postal Code: 08013
Registrant Country: ES
Registrant Phone: +34.932073031
Registrant Phone Ext:
Registrant Fax: +1.5555555555
Registrant Fax Ext:
Registrant Email: GEFEST@ZMAIL.RU
Registry Admin ID: 

See the Russian email address? That gets some positive matches on Google linking it to a person called Aleksandr Filippovskiy (or Filippovskiy Aleksandr) who has been connected with malware sites before. So on balance, this thing looks rather suspicious.. even though those details could also be a smokescreen.

Reverse DNS on shows three suspect domains with a similar naming pattern:


We can also check the IP's reputation at VirusTotal and it doesn't look great. However, if we extend a look to neighbouring servers, we can see a similar pattern of domains all the way from to


Older domains seem to use lower IP addresses, the pattern seems to be that domains are hosted in the range for a short time, then they are parked on what appear to be Namecheap parking IPs. Once the reputation of the IP is tarnished, then the domains move on to the next IP address.

The IPs in question roughly correspond to, but looking at the sites hosted in that range there is a gap of unused IPs all the way to

Where these domains have identifiable WHOIS details, they conform to variants of the "Bernado Mines" persona, for example, acccaacccaaaa.pw:

Registrant Name:Bernardo Mines
Registrant Organization:La Sagrada
Registrant Street1:Carrer de Mallorca, 401
Registrant City:Barcelona
Registrant State/Province:non
Registrant Postal Code:08013
Registrant Country:ES
Registrant Phone:+34.932073031
Registrant Fax:+1.5555555555
Registrant Email:ilokios@gmail.com

But we know that "Bernado Mines" also operates other IPs in this range, including techno6.com on and a further examination of sites in the range shows aws-wireless.com on which is registered to..

Registry Registrant ID:
Registrant Organization: DOM
Registrant Street: KVARTIRA 106
Registrant City: YOSHKAR OLA
Registrant State/Province: YOSHKAR OLA
Registrant Postal Code: 42400
Registrant Country: RU
Registrant Phone: +7.79276827596
Registrant Phone Ext:
Registrant Fax: +7.79276827596
Registrant Fax Ext:

So we have Filippovskiy Aleksandr again

A look at all the hosts I can find in this range [csv] show nothing of value, and a load of cyberquatting and spam sites. On balance, I think that blocking the entire range may be prudent, even if it is hard to tell exactly what is going on here.

"Equity Investment Limited" lottery scam still around after more than a decade

Scammers can be really stupid. Take these guys who are running a non-existent UK National Lottery / FIFA Brazil 2014 World Cup scam..

The scam is purportedly from a "Mrs Hilda Adams" references a fake company:

Equity Investment Limited
132 Blackburn Road
Tel: 00447924556231
Email: uklclaims@mail.com

Some key parts of the email are:
Reference: EKS255125600304
Ticket number: 034-1416-4612750

But search for "Equity Investment Limited" on just about any search engine and the first hit you will get is an article I wrote way back in 2003 about a lottery scam using a company of exactly the same name.

The email address is a throwaway free email account, the telephone number looks like it is British but in fact it a forwarding number provided by Cloud9  which could potentially forward calls to anywhere in the world. This type of "follow me anywhere" number is often abused by scammers. As for the address.. well, it's unlikely that whoever lives at that address is anything to do with this at all.

Luckily, most people who run lottery scams have the intelligence of a box of rocks. And it seems that quite a few of their victims have heard of a thing called a search engine..

Something evil on and

This is one of those ephemeral traces of malware you sometimes see, like a will-o'-the-wisp. Something seems to be there, but on closer examination it has vanished. But this isn't an illusion, it seems to be a cleverly constructed way of distributing malware which pops up and then vanishes before anyone can analyse it.

The source of the infection seems to be a malvertisement on one of those sites with an immensely complicated set of scripts running on all sort of different sites, including those low-grade ad networks that have a reputation for not giving a damn about what their advertisers are doing.

In this case, the visitor gets directed to a page at 12ljeot1.wdelab.com/ijvdg2k/2 which got picked up with a generic malware detection.. but by the time anyone gets to investigate the domain it is mysteriously not resolving.

What appears to be happening is that the bad guys are publishing the malicious subdomains only for a very short time, then they stop it resolving and they publish another one. And one thing all these domains have in common is that they are using afraid.org for nameserver services.

A bit of investigation shows that this malware is hosted on a pair of servers at and (HostForWeb, US), and despite that bad guys efforts they do leave a trace on services such as VirusTotal [1] [2] and URLquery [3]. This particular URLquery report shows indications of the Fiesta EK.

The attackers are covering their traces by using legitimate hijacked domains, the owners of which may not even be aware of the problem. Despite there being a large number of subdomains, I can only spot sixdomains being abused:


A full list of the subdomains that I have found so far can be found here [pastebin].

A look at the block shows a mix of legitimate sites, plus some spammy ones and quite a lot that look malicious. If you are running a high-security environment then you might want to block this who range. Else, I would recommend the following minimum blocklist:

Thursday, 12 June 2014

pcwelt.de hacked, serving EK on

The forum of popular German IT news site pcwelt.de has been hacked and is sending visitors to the Angler exploit kit.

Visitors to the forum are loading up a compromised script hxxp://www[.]pcwelt[.]de/forum/map/vbulletin_sitemap_forum_13.xml.js which contains some Base64 obfuscated malicious code (see Pastebin here) which uses a date-based DGA (domain generation algorithm) to direct visitors to a URL with the following format:


The .pw domain contains Base64 encoded data which points to the payload kit, in this case [donotclick]exburge-deinothe.type2consulting.net:2980/meuu5z7b3w.php (Pastebin) which is hosted on (OVH, France). This appears to be the Angler EK.

It looks like the EK domains rotate regularly, but the following sites can be observed on this address:


It is worth noting that these domains appear to have been hijacked from a GoDaddy customer:

The following .pw sites are live right now, hiding behind Cloudflare:

Recommended blocklist:
(and if you can block all .pw domains then it is probably worth doing that too)

Thanks to the #MalwareMustDie crew and Steven Burn for help with this analysis.

Wednesday, 11 June 2014

Fake RBS spam spreads malware via Cubby.com

This fake bank spam downloads malware from file sharing site cubby.com:

From:     Sammie Aaron [Sammie@rbs.com]
Date:     11 June 2014 12:20
Subject:     Important Docs

Please review attached documents regarding your account.

To view/download your documents please click here

Tel:  01322 215660
Fax: 01322 796957
email: Sammie@rbs.com

This information is classified as Confidential unless otherwise stated. 

The download location is [donotclick]www.cubby.com/pl/Document-772976_829712.zip/_e97c36c260ed454d8962503b18e37e86 which downloads a file Document-772976_829712.zip which in turn contains a malicious executable Document-772976_829712.scr which has VirusTotal detection rate of just 1/54.

Automated analysis tools [1] [2] [3] [4] show that it creates a file with the disincentive name googleupdaterr.exe and attempts to communicate with the following IPs: (Intergenia AG, Germany) (OVH, Canada) (ITL Company, Ukraine)

(Plain list)

Tuesday, 10 June 2014

"You have received a voice mail" spam downloads malware from Dropbox

Another fake voice message spam, and another malware attack downloading from Dropbox.

From:     Microsoft Outlook [no-reply@victimdomain]
Date:     10 June 2014 15:05
Subject:     You have received a voice mail

You received a voice mail : VOICE437-349-3989.wav (29 KB)
Caller-Id: 437-349-3989
Message-Id: U7C7CI
Email-Id: [redacted]

Download and extract the attachment to listen the message.

We have uploaded fax report on dropbox, please use the following link to download your file:

Sent by Microsoft Exchange Server
The link downloads a file VOICE-864169741-28641.zip which in turn contains a malicious executable VOICE-864169741-28641.scr which has a VirusTotal detection rate of 4/52. Automated analysis [1] [2] [3] [4] indicates that it downloads files from the following domains:


Monday, 9 June 2014

"inovice 2110254 June" spam

This terse but badly-spelled spam has a malicious attachment:

Date:      Mon, 09 Jun 2014 18:03:10 +0530 [08:33:10 EDT]
From:      Ladonna Gray [wtgipagw@airtelbroadband.in]
Subject:      inovice 2110254 June

This email contains an invoice file attachment 
Attached is an archive file invoice_2110254.zip which in turn contains the malicious executable invoice_98372342598730_pdf.exe which has a VirusTotal detection rate of 4/52. Automated analysis tools are not able to determine exactly what the malware does.

UPDATE 1: A Malwr analysis of the malware can be found here. It makes the following HTTP connections:

It also drops a file KB05152056.exe which has a VirusTotal detection rate of 5/51. Analysis is pending.

UPDATE 2: the Malwr analysis of the second binary is here. This makes a connection to

All the IP addresses listed belong to Clodo-Cloud in Russia:

Although there are probably some legitimate sites in these ranges, you might want to consider blocking the following if you feel like it:

Saturday, 7 June 2014

Institute of Project Management America (instituteofprojectmanagementamerica.org). Is this a scam?

Three years ago I was spammed by an organisation called the North American Program Planning and Policy Academy (NAPPPA) which was attempting to get me to sign up for some seminars. It looked like a scam at the time, and it still looks like a scam now.

It took me a year of sporadic research to come up with the names of the people running the scam. Anthony Christopher Jones (known sometimes as "Tony Jones") and Patchree Patchrint (known as "Patty Patchrint"). After exposing them and detailing some of the evidence against them, NAPPPA, Jones and Patchrint dropped out of view. I assumed that this was the cockroach effect.. switch the lights on, and those roaches scurry for cover.

It looks like I was wrong.

A unexpected comment on my blog post opened up a new line of investigation.
Lem said...

I wish I would have found this blog prior to teaching a course for the Institute of Project Management America (IPMA). www.instituteofprojectmanagementamerica.org
The student certificates were signed by none other than Anthony C. Jones. Needless to say, I have not been paid nor the facility that hosted the training. I plan to sue them. In addition, there is a Patty Jones serving as the administrator/front person for IPMA. Perhaps his spouse. If anyone has any additional information about them, please share.
6 June 2014 22:25 
Could this be the same Anthony C Jones and Patty Jones (or Patchree Patchrint) that ran NAPPPA?

A look at instituteofprojectmanagementamerica.org shows an unremarkable site, but one which is carefully devoid of any contact details. The WHOIS records for the domain are hidden, and the only contact data that can be found are the telephone numbers  888-859-5659 and 866-959-3543.

The logo on the website has been recycled from elsewhere  and otherwise the template is bland, professional looking but completely anonymous.

A close look at the hosting history shows a number of related sites, either which are direct clones of instituteofprojectmanagementamerica.org or are previous versions. A full list is at the end of the post in Appendex 1, but principle domain names in use are:
The ones in the format projectmanagementusa3.org go all the way up to projectmanagementusa212.org. Who needs 212 copies of the same website? Well, spammers use these techniques to evade blacklisting.

The domains americanprojectmanagementusa.org  and projectmanagementusa.org are rather interesting as it is an older generation of the "Institute of Project Management America" spam site entitled "American Project Management" (you can see them at the Internet Archive).

A quick search against the phone number listed on that site (213-293-7410, 877-359-1110 and 888-739-0821) lead us to a BBB report with an alert to say the business has ceased trading.

The BBB indicates that this is a Colorado business, but a search of State records shows that there is no such business of that name registered in that state.

But a further Google search of the phone numbers also brings up this document at Scribd outlining the so-called American Project Management outfit and its activities [pdf copy here]. And who uploaded the document? A user called ppatchrint. That is undoubtedly Patchree Patchrint.

This document gives a California address rather than a Colorado one:
American Project Management
645 W. 9th Street
Unit 110-603
Los Angeles, CA 90015

So this gives us a clue to search the state records in California. An LLC search for "Institute of Project Management America" comes up blank, but a search for "American Project Management" comes up with a hit for "DDGLA AMERICAN PROJECT MANAGEMENT, LLC"

Now, I know that "DDGLA American Project Mangement LLC" is not quite the same thing  as "America Project Management", but the "645 WEST 9TH ST STE 110-603" address is the same as "645 W. 9th Street, Unit 110-603" as seen in the Scribd document. So there's a high likelihood that this is a match.. but there's no real contact information for this company.

But what does DDGLA actually stand for? I've been down this particular path with the NAPPPA investigation, so I know that DDGLA actually stands for "DOSS Development Group Los Angeles". A search for DOSS DEVELOPMENT GROUP at the California secretary of state reveals a name behind that company. And you've probably already guessed that it is Patchree Patchrint aka Patty Jones.

So, between the blog comments, the Scribd document and data held by the California Secretary of State, there are now three points of evidence linking the "Institute of Project Management America" and "American Project Management" with Patchree Patchrint aka Patty Jones and Anthony Christopher Jones.

So, is it a scam?

I haven't personally seen any spam promoting this so-called institute, but that was the basic approach with NAPPPA. Millions of credible-looking spam emails were sent out to universities and other organisations, that were published in good faith (such as this one).

Project Management Masters Certification Program

June 10-13, 2014
Association of Research and Enlightenment of New York
The PMMC is designed for those seeking professional project management certification.
PMMC program provides 36 hours of project management education, meeting education requirements for both PMI's Certified Associate in Project Management (CAPM) ® and Project Management Professional (PMP) certifications. The program meets the education requirement for all professional designations through the Project Management Institute and other professional agencies. Additionally, the program awards 3.6 Continuing Education Units (CEUs) upon request. Tuition for the four-day Project Management Masters Certification program is $995.00

Participants may reserve a seat online at the website, or by calling the Program Office toll-free at (888) 859-5659

Go to: http://www.instituteofprojectmanagementamerica.org/
What happened with NAPPPA is that these courses appeared to be booked at universities throughout the US, presumably to give them an air of authenticity. But at the last moment the venue for the course got moved to somewhere off-campus, people drafted in to teach the course never got paid and many students complained that the courses were of low quality. I don't doubt that the same is happening here.

In fact, this scam has been going on for a long time. Before the Institute of Project Management America, American Project Management and North American Program Planning and Policy Academy there were another similar scammy outfits.

The "Institute for Communication Improvement, LLC" (aka "The Grant Institute") seems to be the best known. For example:
The evidence seems to show that in one form or another the business has been running since 2005 or 2006, only now it is charging victims nearly a thousand dollars a pop for a course of questionable value.

Given the history of this pair, it is my personal opinion that the Institute of Project Management America is a scam. Indeed, DDGLA American Project Management LLC have already been successfully sued in California over their unethical operations.

Who are Anthony Christopher Jones and Patchree Patchrint (Patty Jones)?

I coverered this pair before, a California-based husband-and-wife team with links to Hacienda Heights and Los Angeles. In addition to the programs listed above, they have run a number of (mostly failed) LA based restaurants such as Mother Road, Mode, and the Royale on Wilshire.

DDGLA is also associated with the following (apparently defunct) websites:
  • ddglacommercial.com
  • pettycashadvance.com
  • bankddgla.com
  • ddglafinancial.com

What should you do if you are unhappy with the Institute of Project Management America?

I don't live in the US so I'm not 100% familiar with the processes that you can use. But if you think you have been ripped-off then complaining the the BBB, your local Attorney General, law enforcment or the courts seem to be a way to go. I don't have a current address for this pair however, if you manage to turn one up then I can share it if you send me an email.

Appendix 1:
These are a selection of the domains and IPs used. There are hundreds of other ones, especially in in the format projectmanagementusa111.org .


Thursday, 5 June 2014

dedicatedpool.com.. spam or Joe Job?

I received a number of spam emails mentioning a Bitcoin mining website dedicatedpool.com, subjects spotted are:

Subject: Bitcoins are around you - don't miss the train!
Subject: Dedicatedpool.com business proposal (Save up on taxes)
Subject: Make money with darkcoin and bitcoin now!
Body text:

Have you heard about bitcoins? I bet you did. Do you know how to make
money on it? Don.t worry, we are professionals in bitcoin and alternative
cryptocurrencies world and we will help you monetize your computing
hardware into bitcoins in no time. Come and joins us at
http://dedicatedpool.com and join our IRC chat at
Ryan, dedicatedpool.com support/admin


Don't want Government to steal your money?
Join us at http://dedicatedpool.com and learn how you can save up on
taxes by using bitcoin, darkcoin and other cryptocurrencies!
We will provide you with detailed instructions on how to set up all
hardware in your house and start keeping your money instead of paying
taxes. 100% legal!
Please register at http://dedicatedpool.com

Ryan, dedicatedpool.com support/admin


Do you have income but you don't want Obama to steal it from you? Come and
join us and turn your electricity cost into cash!
The only pool you can trust - come and mine bitcoins/altcoins with us. We
will provide you detailed guide on how to setup equipment in your house
that will turn electricity into bitcoins!
No taxes no problems: http://Dedicatedpool.com/
Ryan, dedicatedpool.com support/admin

However, the pattern of the spam looks like a Joe Job rather than some horribly misguided attempt to market the website. There are several signs that make it look like someone is trying to cause trouble for the site operators:
  1. The spam was sent repeatedly to a spamcop.net address, the type of address that would have a high probability of filing an abuse report. I call this a "reverse listwash".
  2. The spam mentions the established dedicatedpool.com website repeatedly (rather than using some sort of redirector) but the originating IPs appear to be from an illegal botnet (see note 1). The use of a botnet indicates a malicious intent.
  3. Spammers don't tend to include personal details of any sort in their messages, but the inclusion of "Ryan" (who does genuinely appear to be the administrator) seems suspicious.
 In my opinion, the balance of probabilities is that this is not sent out by dedicatedpool.com themselves, but is sent out by someone wanting to disrupt their business.

Note 1: I have seen the following IPs as originating the spam..

Wednesday, 4 June 2014

Amazon.com spam / order.zip

This fake Amazon spam has a malicious attachment:

Date:      Wed, 04 Jun 2014 11:55:10 +0200 [05:55:10 EDT]
From:      "Amazon.com"
Subject:      Shipping Confirmation : Order #002-1301707075-0206502025

Your Recommendations
     |      Your Orders      |      Amazon.com
Shipping Confirmation
Order #002-1660680038-7011611870
Hello ,
Thank you for shopping with us. We'd like to let you know that Amazon has received your order, and is preparing it for shipment. Your estimated delivery date is below. If you would like to view the status of your order report is attached here.
This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message.

Attached to the spam is an archive file order.zip which in turn contains a malicious executable order_id_26348273894729847239.exe which has a VirusTotal detection rate of 4/51.

Automated analysis tools [1] [2] [3] shows the malware altering system files and creating a fake csrss.exe and svhost.exe to run at startup.

The malware also attempts to phone home to two IP addresses at and hosted in Russia but controlled by a Ukranian person or entity PE Ivanov Vitaliy Sergeevich. These network blocks are well-known purveyors of crapware, and I recommend that you block the following: