Sponsored by..

Wednesday, 23 September 2015

Phish: "SHIPMENT LABEL" / "DHL Courier Services [roger@community.mile.org]"

This DHL-themed spam is actually a phishing email:

From:    DHL Courier Services [roger@community.mile.org]
Date:    23 September 2015 at 11:15
Signed by:    community.mile.org

Dear customer,

Your shipment arrived at the post office.Our courier was unable to deliver the shipment to your address.To receive the shipment,please visit the nearestDHL office and take your mailing label with you.

The mailing label is attached in this email.Please print and show at the nearest DHL office to receive the shipment.

Thank you for using DHL services.

Princess Court 11
Wapping Ln,London,
E1W2DA,United Kingdom
Toll Free:+442075532200
Office Hours:9:00am-7:00pm
Attached is a PDF file shipmentt_label.pdf which is not malicious in itself, but contains a hypertext link (as you can see in this Hybrid Analysis report).

If the potential victim clicks "Click here" then they are directed to ow.ly/Sq9to and from there to a phishing page at br1-update.be/wg/lhd.php on (Inetserver Inc, US) which belongs to a netblock which also looks highly suspect.

The phishing page itself is a complex script which is Base 64 encoded, then hex encoded (Pastebin here) which is presumably phishing for email accounts. The spam itself appears to have been sent from a compromised webmail account at community.mile.org

For the moment, I would suggest that the entire range is malicious and should be blocked.

Malware spam: "Bankline ROI - Password Re-activation Form" / "secure.message@rbs.co.uk"

This fake banking spam does not come from RBS, but is instead a simple forgery with a malicious attachment:

From     "RBS" [secure.message@rbs.co.uk]
Date     Wed, 23 Sep 2015 11:28:48 GMT
Subject     Bankline ROI - Password Re-activation Form

Please find the Re-activation form attached, send one per user ensuring only one
box is selected in section 3.  A signatory on the bank mandate must sign the form.

Fax to 1850 826978 or alternatively you may wish to email the completed document,
by attaching it to an email and sendinsg it to banklineadministration@rbs.co.uk

On receipt of the completed form we will respond to the request within 2 working
hours and communicate this to the user by email.


Please note - The life-span of an activation code is 21 days; after this time, the
activation code will expire and a new one must be ordered. 

Please be aware when choosing a new pin and password for the service, it is important
not to use pin/passwords that you have used before but to use completely different

If you are the sole Standard Administrator may I take this opportunity to suggest
when you are reinstated on the system, to set up another User in a Standard Administrator
role. This will prevent you being locked out completely and allow you to order a
new activation code from within the system and reset your security sooner.

If you require any further assistance then please do not hesitate to contact us on
1850 310269 and one of our associates will be happy to assist you.

Bankline Product Support

This e-mail message is confidential and for use by the intended recipient only. If
the message is received by anyone other than the intended recipient, please return
the message to the sender by replying to it and then delete the message from your
computer. Internet e-mails are not necessarily secure. Ulster Bank Limited and Ulster
Bank Ireland Limited (\"Bankline Bank Group\")/ Royal Bank of Scotland Group plc
does not accept responsibility for changes made to this message after it was sent.
Ulster Bank Group / Royal Bank of Scotland Group plc may monitor e-mails for business
and operational purposes. By replying to this message you give your consent to our
monitoring of your email communications with us. Whilst all reasonable care has been
taken to avoid the transmission of viruses, it is the responsibility of the recipient
to ensure that the onward transmission, opening or use of this message and any attachments
will not adversely affect its systems or data. No responsibility is accepted by any
member of Ulster Bank Group / Royal Bank of Scotland Group plc in this regard and
the recipient should carry out such virus and other checks as it considers appropriate.

In the sample I saw, the attached file was Bankline_Password_reset_3537684.zip containing a malicious exeucutable Bankline_Password_reset_8569474.scr which has a VirusTotal detection rate of 2/56. The Hybrid Analysis report shows behaviour consistent with Upatre / Dyre and shows that the malware communicates with a known bad IP of (Cobranet, Nigeria) which I definitely recommend blocking or monitoring.

Tuesday, 22 September 2015

(More) Domains and businesses associated with Michael Price of BizSummits

Following on from this post, here are some business and domains closely associated with Michael Price of BizSummits, presented without comment for research purposes only.

COO Summit

Hiring Spring

Exit Partners LLC

Exact Leads




Franchisee Funnel

Supply Chain Summit

Hospital Growth Summit

CFO Summit

Safety Management Summit

Project Management Summit

CMO Summit

PR Summit

Corp Summits

Quality Management Summit

Corporate Counsel Summit

Executive Summits


Marketing LeadFunnel

Meeting Setters

CEO Ventures

HR LeadFunnel

Survey Executives


IT LeadFunnel

Finance LeadFunnel



Documents.me / Nouvou, Inc.


Critical Fit

HR Summit

Corp Venturing




Pathfinder Careers

The Sales Management Association

Executive Angels


Packed Events



HR Management Association

Product Conception Group

Monday, 21 September 2015

Malware spam: "Your Sage subscription invoice is ready" / "noreply@sage.com"

This fake Sage email contains a malicious attachment.

From:    noreply@sage.com [noreply@sage.com]
Date:    21 September 2015 at 11:30
Subject:    Your Sage subscription invoice is ready

Dear Ralph Spivey

Account number: 45877254

Your Sage subscription invoice is now online and ready to view.

Sage One subscriptions

    Please follow the link bellow to view/download your account invoice: http://www.sageone.co.uk/

Got a question about your invoice?

Call us on 1890 88 5045

If you're an Accountant, please call 1890 92 21 06
If you're a Business Partner, please call 1890 94 53 85

Kind Regards

The Sage UK Subscription Team

Please note: There is no unsubscribe option on this email, as it is a service message, not a marketing communication. This email was sent from an address that cannot accept replies. Please use the contact details above if you need to get in touch with us.

The link in the email actually goes to a download location at Cubby rather than sageone.co.uk, this downloads a file invoice.zip which in turn contains a malicious executable invoice.scr which has a VirusTotal detection rate of 1/56. The Hybrid Analysis report shows that this is Upatre dropping the Dyre banking trojan, and one key indication of infection is traffic to the IP in Nigeria.

Tainted Network: "kfc.i.illuminationes.com/snitch" and VPS Hosting of Latvia (

I've been seeing some injection attacks since last week utilising hosting services of VPS Hosting in Latvia. These are continuing today, with attacks like this one [URLquery] which sends traffic to:


This is hosted on The exploit is not clear at this point, but some sources say that this is some sort of TDS kit. The URLquery transaction flowchart shows the attack in action.

The injected script sends the keywords and referring site upstream, for example:

Although the attacks in the past few days only seem to have utilised, an analysis of the netblock [pastebin] shows several bad or spammy sites in, so my recommendation is that you banish this range from your network.

ZScaler are also tracking their infection, an analysis of what it does can be found here.

Friday, 18 September 2015

Malware spam: "Transaction confirmation" / "donotreply@lloydsbank.co.uk"

This fake banking spam comes with a malicious attachment:

From     donotreply@lloydsbank.co.uk
Date     Fri, 18 Sep 2015 11:52:36 +0100
Subject     Transaction confirmation

Dear Customer,

Please see attached the confirmation of transaction conducted from Your
account. Kindly sign and forward the copy to us for approval.

Best regards,
Your personal Manager

Thora Blanda

tel: 0345 300 0000

Attached is a file Notice.zip which contains a malicious executable Value mortgage policy .exe (note the rogue space) which has a VirusTotal detection rate of 3/55. The Hybrid Analysis report shows activity consistent with Upatre/Dridex including a key indicator of traffic to in Nigeria.

E.ON "You've got mail" spam

I haven't used E.ON for a couple of years, and I no longer have an account with them. So I was surprised to get this E.ON-themed spam. Is it malware? No, it really is E.ON spamming me..

From:    E.ON Energy [eon@eonenergy.com]
Reply-To:    "E.ON Energy" [eon@eonenergy.com]
Date:    17 September 2015 at 19:02
Subject:    You've got mail

You've got mail.
If you are having trouble viewing this email, you can view it here.


You've got mail

Dear Conrad Longmore

Thanks for letting us know you'd like us to send you information by email.

What does this mean for me?
You'll receive contact from us by email instead of through the post. We're introducing our emails gradually, so you'll still get a few things through the post until we're all up and running.
What kind of things will you send me?
We'll only send you important information that you need to know about your account, including:

  • Changes to Direct Debit payments, if you've chosen to pay this way.

  • Asking for meter readings

  • Reminding you about any appointments you have  with us.

  • Reminding you about paying for the energy you've used, if you haven't already told us when
  • you're going to pay.

  • Anything else we think you'll need to know about your service from us.
  • Don't worry, we won't send you information to sell you anything, unless you've already told us we can.
    What if I change my mind?
    Visit our website and let us know.
    If you change your mind, we'll still send you reminders by email if you've not paid us what you owe.
    As you're an online customer, we'll also still send you an email when your bill is ready to view and other emails related to your online account you automatically get when you've signed up online.
    If you've got questions about your account or anything else, click here. You won't get through to us by replying to this email.
    Yours sincerely

    E.ON Customer Services

    Helping our customers. We're on it. E.ON

    Follow us on Facebook and Twitter and keep up to date.

    Disclaimer Notice
    This email has been sent by E.ON Energy Solutions Limited. While we have checked this email and any attachments for viruses, we cannot guarantee that they are virus-free. You must therefore take full responsibility for virus checking.

    This message and attachments are confidential and should only be read by those to whom they are addressed.
    If you are not the intended recipient, please contact us, delete the message from your computer and destroy any copies. Any distribution or copying without prior permission is prohibited.

    Internet communications are not always secure and therefore E.ON does not accept legal responsibility for this message. The recipient is responsible for verifying its authenticity before acting on the contents. Any views or opinions presented are solely those of the author and do not necessarily represent those of E.ON.

    Registered Address
    E.ON Energy Solutions Limited. Registered office: Westwood Way, Westwood Business Park, Coventry, CV4 8LG. Registered in England and Wales No. 3407430.


    Ooookay. So it's a phish or malware, right? Well, in this case floating over the links clearly shows an eonenergy.com domain, rather than something malicious. And at least E.ON have shown good practice by using their own domain rather than some random tracking domain that others do.

    It's been a long time since I logged onto E.ON because these days I generate all my electricity from a secondhand Russian nuclear reactor plucked from a rusty submarine that I have buried under the lawn.

    Logging on to my account gives this message..

    And from that point onwards there is nothing at all that I can do. I can't turn off the E.ON spam because I don't have an account with them!

    It's probably 15 years or so since I registered on E.ON.. when I registered it was part of TXU, then PowerGen which then became E.ON. So if you have registered an account with any of those companies in the past decade and a half, then you might get this spam from E.ON, even if you closed your account a long time ago..

    E.ON have posted some information about the cock-up and an apology here.

    Thursday, 17 September 2015

    Malware spam: hrwfmailerprod@lancashire.gov.uk / REFURBISHMENT

    This fake financial spam (presumably) comes in several different variants (I saw two):

    From     "Workflow Mailer" [hrwfmailerprod@lancashire.gov.uk]
    To     hp_printer@victimdomain.com
    Date     Thu, 17 Sep 2015 12:16:26 GMT
    Subject     FYI: Sent: Online Discussion Message for RFQ 6767609,1 (LCDC - NF014378 R.R. Donnelley & Sons Company - REFURBISHMENT)

    From             Mabel Winter
    To             hp_printer@victimdomain.com
    Sent             Thu, 17 Sep 2015 12:12:26 GMT
    ID             7216378
    Number             6767609,1
    Title             Q3EX - 1C995408 R.R. Donnelley & Sons Company - REFURBISHMENT

    Negotiation Preview Immediately upon publishing
    Negotiation Open Immediately upon publishing
    Negotiation Close September 21, 2015 10:00 am GMT
    Company R.R. Donnelley & Sons Company
    Subject ITT Clarifications
    To view the message, please open attachment. 
    The other version I had mentioned "QMDM - 5J673827 CDW Computer Centers Inc. - REFURBISHMENT" instead. The attachment appears to have a randomly-generated name e.g. REFURBISHMENT 7216378.zip and REFURBISHMENT 4435708.zip which contain a malicious executable REFURBISHMENT 7015295.scr which has a VirusTotal detection rate of 3/55.

    The payload appears to be Upatre/Dyre as seen earlier today.

    Malware spam: "Shell E-Bill for Week 38 2015"

    This fake financial spam comes with a malicious attachment:

    From     [invoices@ebillinvoice.com]
    To     administrator@victimdomain.com
    Date     Thu, 17 Sep 2015 11:10:15 GMT
    Subject     Shell E-Bill for Week 38 2015

    Customer No         : 28834
    Email address       : administrator@victimdomain.com
    Attached file name  : 28834_wk38_2015.PDF

    Dear Customer,

    Please find attached your invoice for Week 38 2015.

    In order to open the attached PDF file you will need
    the software Adobe Acrobat Reader.

    For instructions of how to download and install this
    software onto your computer please visit

    If you have any queries regarding your e-bill you can contact us at invoices@ebillinvoice.com.

    Yours sincerely

    Customer Services

    This email, its content and any files transmitted with
    it are confidential and intended solely for the use of
    the individual(s) to whom it is addressed.
    If you are not the intended recipient, be advised that
    you have received this email in error and that any use,
    dissemination, forwarding, printing or copying of
    this email is strictly prohibited.

    Attached is a file 28834_wk38_2015.zip containing a malicious executable 67482_wk38_2015.scr which has a detection rate of 2/56. Automated analysis is pending, but the payload is almost definitely Upatre/Dyre which has been consistently sending traffic to (Cobranet, Nigeria) for some time now, so I suggest that you block or monitor that IP.


    Wednesday, 16 September 2015

    Malware spam: "Lloyds Bank - Pendeford Securities - Please Read Action Required/PI Documents/ Region code East 2/ 8715811/"

    This fake Lloyds Bank spam comes with a malicious payload:

    From:    RSTNAME} Crabtree [Chang.Crabtree@lloydsbankcommercial.com]
    Date:    15 September 2015 at 13:18
    Subject:    Lloyds Bank - Pendeford Securities - Please Read Action Required/PI Documents/ Region code East 2/ 8715811/

    Please find attached our document pack for the above customer. Once completed please return via email to the below address.

    If you have any queries relating to the above feel free to contact us at

    Lloyds Banking Group plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC95000. Telephone: 0131 225 4555. Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales no. 2065. Telephone 0207626 1500. Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC327000. Telephone: 08457 21 31 41. Cheltenham & Gloucester plc. Registered Office: Barnett Way, Gloucester GL4 3RL. Registered in England and Wales 7117152. Telephone: 0845 603 1637

    Lloyds Bank plc, Bank of Scotland plc are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential Regulation Authority.

    Cheltenham & Gloucester plc is authorised and regulated by the Financial Conduct Authority.

    Halifax is a division of Bank of Scotland plc. Cheltenham & Gloucester Savings is a division of Lloyds Bank plc.

    HBOS plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC453043.

    This e-mail (including any attachments) is private and confidential and may contain privileged material. If you have received this e-mail in error, please notify the sender and delete it (including any attachments) immediately. You must not copy, distribute, disclose or use any of the information in it or any attachments. Telephone calls may be monitored or recorded.

    In the sample I saw, there was a Word document ReportonTitle7117152.1Final.doc attached (detection rate 4/56), containing this malicious macro. The macro attempts to download components from the following locations:


    A further download  then takes place from:


    This has a detection rate of 3/56. The general characteristics of this file make it a close match to the Upatre/Dyre payload of this concurrent spam run (automated analysis is pending).

    Recommended blocklist:


    Malware spam: "HSBC SecureMail" / "You have received a secure message"

    This fake HSBC email message has a malicious payload:

    From:    HSBC SecureMail [HSBCRepresentative_WilliamsBlankenship@hsbc.co.uk]
    Date:    16 September 2015 at 13:13
    Subject:    You have received a secure message

    You have received a secure message
    Read your secure message by opening the attachment. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.
    If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the HSBC Secure Mail Help Desk.
    First time users - will need to register after opening the attachment.
    About Email Encryption - http://www.hsbc.co.uk/secureemail

    Attacked is a file HSBC_Payment_87441653.zip which in turn contains a malicious executable HSBC_Payment_87441653.exe, this has a VirusTotal detection rate of 4/56.

    UPDATE: The Hybrid Analysis report shows network traffic to a familiar Nigerian IP of which I strongly recommend you block. The traffic pattern is indicative of Upatre dropping the Dyre banking trojan.


    Monday, 14 September 2015

    Spam from "Vanessa Reynolds" / vanessa.reynolds@breedandco.com

    This spam does not seem to have a malicious payload, but is likely sent out by the same people who send out Upatre/Dyre malware spam (or possible Dridex):
    From     "Vanessa Reynolds" [vanessa.reynolds@breedandco.com]
    Date     Fri, 14 Sep 2015 10:34:32 GMT
    Subject     Hello, how are you?

    Hello, Calvin  how are you?
    The name after "Hello" varies in each version, for example:

    Hello, Sheldon  how are you?
    Hello, Lawanda  how are you?
    Hello, Thurman  how are you?
    Hello, Darlene  how are you?
    Hello, Rhea  how are you?

    The email is always "from" Vanessa Reynolds / vanessa.reynolds@breedandco.com although this is in fact just a simple forgery and Breed & Co (who are are a hardware store in Texas) are nothing to do with this.

    The purpose of this spam is unknown. One possibility is that the spammers are probing mail servers for responses (to enumerate valid mailboxes). The other is that this could be a targeted attack on Breed & Co by disrupting email and other means of communication.

    Some sending IPs for the record:

    Friday, 11 September 2015

    Malware spam: "Sales Order Acknowledgement - Order No: EF150085 - Your Reference: 14 /Geneva" / reports@officeteam.co.uk

    This fake financial spam comes with a malicious payload:
    From     "reports@officeteam.co.uk" [reports@officeteam.co.uk]
    Date     Fri, 11 Sep 2015 10:39:32 GMT
    Subject     Sales Order Acknowledgement - Order No: EF150085 - Your Reference: 14 /Geneva

    Please find attached your sales order acknowledgement

    Order No: EF150085
    Account: PFM895
    Your Reference: 14 /Geneva
    Web Reference:
    Kind Regards
    Office Team
    In the only sample I have seen there was an attachment SalesOrderAcknowledgement_EF150085.zip which in turn contained a malicious executable SalesOrderAcknowledgement.scr which has a VirusTotal detection rate of 3/55. The Hybrid Analysis report shows that amongst other traffic, it communicates with a familiar Nigerian IP of (Cobranet).

    In this case, the payload is Upatre downloading the Dyre banking trojan.


    Thursday, 10 September 2015

    Malware spam: "New Fax - 3901535011" / "UK2Fax" [fax2@fax1.uk2fax.co.uk]

    This fake fax spam comes with a malicious attachment:

    From     "UK2Fax" [fax2@fax1.uk2fax.co.uk]
    Date     Thu, 10 Sep 2015 14:07:11 +0100
    Subject     New Fax - 3901535011

    UK2Fax Fax2Email : New fax attached, received at 10/09/2015 10:26:29 GMT
    Attached is a file Fax-3901535011.zip which in turn contains a malicious executable Fax-800312316.scr which is exactly the same Upatre/Dyre payload as seen it this attack also seen today.

    Malware spam: "Payroll Received by Intuit" / "Intuit Payroll Services" [IntuitPayrollServices@payrollservices.intuit.com]

    This fake payroll spam does not come from Intuit, but instead contains a malicious attachment:

    From     "Intuit Payroll Services" [IntuitPayrollServices@payrollservices.intuit.com]
    Date     Thu, 10 Sep 2015 06:32:37 -0500
    Subject     Payroll Received by Intuit

    Dear, petrol
    We received your payroll on Sep 10, 2015 at 09:01.

    Attached is a copy of your Remittance. Please click on the attachment in order to
    view it.

    Please note the deadlines and status instructions below:

    If your payroll is received BEFORE 5 p.m., your Direct Deposit employees will be
    paid two (2) banking days from the date received or on your paycheck date, whichever
    is later. 

    If your payroll is received AFTER 5 p.m., your employees will be paid three (3) banking
    days from the date received or on your paycheck date, whichever is later. 


    Funds are typically withdrawn before normal banking hours so please make sure you
    have sufficient funds available by 12 a.m. on the date funds are to be withdrawn.

    Intuit must receive your payroll by 5 p.m., two banking days before your paycheck
    date or your employees will not be paid on time. 

    Intuit does not process payrolls on weekends or federal banking holidays. A list
    of federal banking holidays can be viewed at the Federal Reserve website.

    Thank you for your business.


    Intuit Payroll Services

    IMPORTANT NOTICE: This notification is being sent to inform you of a critical matter
    concerning your current service, software, or billing. Please note that if you previously
    opted out of receiving marketing materials from Intuit, you may continue to receive
    notifications similar to this communication that affect your service or software.

    If you have any questions or comments about this email, please DO NOT REPLY to this
    email. If you need additional information please contact us.

    If you receive an email message that appears to come from Intuit but that you suspect
    is a phishing email, please forward it to immediately to spoof@intuit.com.

    © 2014 Intuit Inc. All rights reserved. Intuit and the Intuit Logo are registered
    trademarks and/or registered service marks of Intuit Inc. in the United States and
    other countries. All other marks are the property of their respective owners, should
    be treated as such, and may be registered in various jurisdictions.

    Intuit Inc. Customer Communications
    2800 E. Commerce Center Place, Tucson, AZ 85706 
    Attached is a file payroll_report.zip which in turn contains a malicious executable payroll_report.scr which has a VirusTotal detection rate of 3/56. The Hybrid Analysis report shows traffic patterns that are consistent with the Upatre downloader and Dyre banking trojan.

    In particular, the malware contacts a familiar server at (Cobranet, Nigeria) which you should definitely block traffic to.


    Tuesday, 8 September 2015

    ipserver.su, and

    A follow-up to this post, I took a look at the netblocks and suballocated to:

    person:         Oleg Nikol'skiy
    address:        British Virgin Islands, Road Town, Tortola, Drake Chambers
    phone:          +18552100465
    e-mail:         abuse@ipserver.su
    nic-hdl:        ON929-RIPE
    mnt-by:         IPSERVER-MNT
    changed:        abuse@ipserver.su 20150528
    created:        2015-05-28T11:11:09Z
    last-modified:  2015-05-28T11:11:09Z
    source:         RIPE

    I'm going to say straight away that my methodology is flawed, but I will share what I have. Very many IPs in this range have hosted badness in the past year-and-a-bit (e.g., mostly using subdomains.. to the extent that there are too many sites to analyse easily if I take the data from a passive DNS service.

    Instead, I elected to use the DomainTools reverse DNS which limits the results to domains only (not subdomains) and these are mostly active sites. Running the list through my analyser checks that the IPs are valid, and would normally tell me things such as the Google Safebrowsing Diagnostics and SURBL rating.

    Here's what is odd. None of the sites that I found [pastebin] have a negative reputation, I would expect to see about 1% in a normal sample, and out of 399 sites it comes back with zero. In fact, none of these sites seem to have any web presence at all, and all the ones that I have tried come back with almost no references on Google at all.

    I am going to suggest that there is nothing of value in these IP ranges, and given that historically .SU domains have a bad reputation, then my suggestion is that you block traffic to:

    In the meantime I will continue digging..

    Evil network: / spoofing Echo Romeo LLP (AS199762)

    This post at malware.kiwi caught my eye after a sort-of challenge by Techhelplist. Well, the bottom line is that these get-rich-quick schemes are run by serious organised criminals who tend not to leave too many traces behind.

    This appears to be a binary options scam that is using illegally hacked sites as redirectors, and I suspect that it is using a botnet to send the spam in the first place, although this is not clear. Eventually, victims are sent via an affiliate link to a site searchingprofit.me, more of which in another post.

    It turns out that dailybusinessdirect.com is hosted alongside a cluster of related domains on a set of IPs apparently belonging to a firm called Echo Romeo LLP in the UK. From the research I have done, it appears that Echo Romeo are a legitimate small business doing web design and hosting. However, they are listed as the owner which seems to be almost completely full of spam, scam and malware sites.

    UPDATE: there is evidence that Echo Romeo are the victim of a type of corporate identity theft. Scroll to the bottom for me.

    Here's an oddity - Echo Romeo have a portfolio on their site of designs they have done for customers. As far as I can tell, none of those customer sites are actually hosted in this IP address range.

    The first thing I noticed was a cluster of sites and IPs that appear to be closely related to dailybusinessdirect.com:

    Some of these domains have anonymous WHOIS details, some have details that look fake. I have not found any way to trace ownership of these domains.. after all, these are not amateurs, these are professional fraudsters who tend not to make silly mistakes.

    I checked all the active sites in the range against SURBL which came up with these results [csv]. Out of 56 sites identified, 13 are identified by SURBL as being spamming and/or phishing. But what of the rest?

    A look at the Google Safe Browsing Diagnostic for AS199762 gave some interesting results:

    Safe Browsing

    Diagnostic page for AS199762 (ECHOROMEO-AS)

    What happened when Google visited sites hosted on this network?
    Of the 13 site(s) we tested on this network over the past 90 days, 1 site(s), including, for example,, served content that resulted in malicious software being downloaded and installed without user consent.
    The last time Google tested a site on this network was on 2015-09-07, and the last time suspicious content was found was on 2015-08-24.
    Has this network hosted sites acting as intermediaries for further malware distribution?
    Over the past 90 days, this network has not hosted any sites that appeared to function as intermediaries for the infection of any other sites.
    Has this network hosted sites that have distributed malware?
    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 2 site(s), including, for example, t9e.net/,, that infected 7 other site(s), including, for example, kgdbase.com/, kgdbase.eu/, softbase.xyz/.
    Drilling down to the Google diagnostic for t9e.net is surprising:

    Safe Browsing

    Diagnostic page for t9e.net

    What is the current listing status for t9e.net?
    This site is not currently listed as suspicious.
    Part of this site was listed for suspicious activity 150 time(s) over the past 90 days.
    What happened when Google visited this site?
    Of the 22277 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2015-09-07, and the last time suspicious content was found on this site was on 2015-08-24.Malicious software includes 25596 trojan(s), 61 exploit(s).
    This site was hosted on 2 network(s) including AS199762 (ECHOROMEO-AS), AS35042 (ISP4P).
    Has this site acted as an intermediary resulting in further distribution of malware?
    Over the past 90 days, t9e.net did not appear to function as an intermediary for the infection of any sites.
    Has this site hosted malware?
    Yes, this site has hosted malicious software over the past 90 days. It infected 3 domain(s), including kgdbase.com/, kgdbase.eu/, softbase.xyz/.
    25,596 trojans and 61 exploits? I think that's a site to avoid, and as you might guess t9e.net has anonymous WHOIS details.

    Also in this range:
    • The domains travsolut.com and travsolut.org on are associated with suspect-looking job offers and claim to have been founded in 2002 in Australia, yet the domains were only created in 2015 with the .org being registered to an address in Spain.
    • On, the domains weksrubaz.ru, linturefa.ru and xablopefgr.ru are all associated with with the POSeidon malware.  On the same IP, srachechno.com is associated with a later version of the same malware.
    • Meanwhile on, dornegromant.com is also associated with POSeidon [pdf]
    • On another POSeidon domain lurks, repherfeted.com.
    • And on there is litramoloka.com which is again POSeidon, as is cawasuse.ru on
    • On is the domain ranferolto.com tagged as Infostealer.Posfind by Symantec. 
    • On the domains gowasstalpa.com and nasedrontit.com are associated with the Pony Downloader
    • On the website clarkgrp.org has been accused of being fake. If that is the case, then marlin-staff.com on the same IP will probably be too.
    Overall, the evil-ness factor of seems very high indeed (for example, this Damballa report on POSeidon shows how the bad guys moved to this netblock), and yet Echo Romeo LLP seems to be completely legitimate. I even went to the effort of checking them out at Companies House, and all seems OK. I wonder if perhaps the bad guys have either gained control of the IP block or have popped a large number of their servers?

    I asked Echo Romeo about this and their response was very quick..

    Echo Romeo had pointed out something that I had missed. The registrant details for the IP block were very similar to their real details..

    organisation:   ORG-ERL2-RIPE
    org-name:       ECHO ROMEO LLP
    org-type:       OTHER
    admin-c:        JL7999-RIPE
    phone:          +44 1202872908
    e-mail:         info@echoromeonet.co.uk
    abuse-mailbox:  abuse@echoromeonet.co.uk
    mnt-ref:        echoromeo-mnt
    mnt-by:         echoromeo-mnt
    changed:        info@echoromeonet.co.uk 20140128
    created:        2014-01-28T17:28:45Z
    last-modified:  2014-02-17T12:18:41Z
    source:         RIPE

    But in fact, their domain name is just echoromeo.co.uk and not echoromeonet.co.uk at all. The WHOIS details for the fake domain are:

    Domain name:

            ECHO ROMEO LLP

        Registrant type:

        Registrant's address:
            47 GLENMOOR ROAD
            WEST PARLEY
            BH22 8QE
            United Kingdom

        Data validation:
            Nominet was able to match the registrant's name and address against a 3rd party data
    source on 25-Jan-2014

            101Domain, Inc. [Tag = 101INC-US]
            URL: https://101domain.com

        Relevant dates:
            Registered on: 25-Jan-2014
            Expiry date:  25-Jan-2016
            Last updated:  03-Nov-2014

        Registration status:
            Registered until expiry date.

        Name servers:

    These closely match the real contact details of Echo Romeo. The fake website itself is hosted on (one of the nameservers). It looks very different from the real website.

    But all the contact details on the FAKE website point to the REAL Echo Romeo. The whole site looks like a fake created just to get hold of a range of IP address.

    Let's go back to these IPs..

    The range with the fake registration details is carved out of an IP block belonging to isp4p.net (IP Interactive UG, Germany). Presumably the bad guys used the fake Echo Romeo domain and name to persuade IP Interactive to lease them a set of IP addresses.

    Although the nameservers of and appear to be on very different blocks, they are actually allocated to the same person:

    inetnum: -
    netname:        IPSERVER
    descr:          IPSERVER WORLD LTD
    remarks:        abuse-mailbox: abuse@ipserver.su
    country:        GB
    admin-c:        ON929-RIPE
    tech-c:         ON929-RIPE
    status:         ASSIGNED PA
    mnt-by:         RAPIDSWITCH-MNT
    changed:        abuse@rapidswitch.com 20120918
    created:        2012-09-18T09:09:38Z
    last-modified:  2015-08-12T07:25:02Z
    source:         RIPE

    person:         Oleg Nikol'skiy
    address:        British Virgin Islands, Road Town, Tortola, Drake Chambers
    phone:          +18552100465
    e-mail:         abuse@ipserver.su
    nic-hdl:        ON929-RIPE
    mnt-by:         IPSERVER-MNT
    changed:        abuse@ipserver.su 20150528
    created:        2015-05-28T11:11:09Z
    last-modified:  2015-05-28T11:11:09Z
    source:         RIPE

    descr:          RapidSwitch
    origin:         AS20860
    mnt-by:         RAPIDSWITCH-MNT
    mnt-routes:     GB10488-RIPE-MNT
    changed:        richard@iomart.com 20120712
    created:        2012-07-12T15:08:31Z
    last-modified:  2012-07-12T15:08:31Z
    source:         RIPE

    Both have been leased from Iomart in the UK. .SU domains such as ipserver.su are such a strong indicator of badness that I even have a little graphic for them.

    A quick look at the and ranges indicates they are full of crap. There may be legitimate sites hosted there, but I would recommend blocking them.

    The evidence that I can find does seem to point toward this spoof IP range being set up by organised criminals in Russia, and my opinion is that Echo Romeo LLP have nothing to do with this at all and are the good guys.

    Recommended blocklist:

    Monday, 7 September 2015

    Something evil on / White Falcon Communications / Dmitry Glazyrin

    So.. I spotted some Nuclear EK (or some other Flash exploit) traffic on our network which attracted my interest. The IP in question was hosted on what appears to be a Hurricane Electric IP. Personally, I don't tend to see a lot of bad stuff on HE so I looked more closely at the IP WHOIS and saw it was part of a range suballocated to:

    contact:Name:Dmitry Glazyrin
    contact:Company:White Falcon Communications
    contact:Street-Address:3-758 Riverside Dr
    contact:City:Port Coquitlam
    contact:Postal-Code:V3B 7V8

    The next step was to query the range using DNSDB to see what has been hosted there. This came back with several thousand sites that have been hosted there in the past, the following of which are still hosted in the range now..



    Sites that are flagged as malware by Google are highlighted and these are all hosted on But what was interesting was what White Falcon Communications have been hosting in the past. When I ran the entirety of all the sites from DNSDB through my checker, I got some interesting results* [csv].

    Out of 2867 sites analysed, 1973 (69%) sites had either hosted malware or were spammy. Some of the unrated sites are clearly phishing sites (e.g. usabanksecurity.com). Although these sites are not hosted on White Falcon Communications IPs now, they all have been at some point in the past.

    So, who is this outfit? Well, it didn't take to come up with a couple of news stories, firstly this one where White Falcon had been raided by police in Canada in connection with C2 infrastructure for the Citadel botnet. That was followed by this story where White Falcon was allegedly suing law enforcement back, due to alleged "negligence".

    However, given the sheer volume of crap that White Falcon has hosted in the past and its current problem with exploit kits, I would definitely recommend blocking traffic to to be on the safe side.

    * fields are domain name, current IP address, MyWOT ratings, Google Safebrowsing rating, SURBL status.

    Malware spam: "Credit Note CN-60938 from Stilwell Financial Inc" / "message-service@post.xero.com"

    This fake financial spam comes with a malicious payload.
    From:    Accounts [message-service@post.xero.com]
    To:    hp_printer@victimdomain.com
    Date:    7 September 2015 at 11:55
    Subject:    Credit Note CN-60938 from Stilwell Financial Inc for victimdomain.com (0178)

    Hi Boris,

    To download your credit note CN-60938 for 401.04 GBP please follow the link below : https://get.xerofiles.com/[snip]

    This has been allocated against invoice number

    If you have any questions, please let us know.

    Stilwell Financial Inc

    In the only sample I saw, the download location for a file at xerofiles.com which came up with a 403 error. This domain belongs to an accounting service called Xero, it is unclear if they were actually hosting the malware or if there is some error in the spam email itself.

    Somewhat interestingly, the bad guys have attempted to forge the mail headers to make it looks like it comes from Xero itself.
    Received: from (unknown [])
        by [redacted] (Postfix) with ESMTP id 74F50400BE;
        Mon,  7 Sep 2015 11:59:12 +0100 (BST)
    Received: from mail2.go.xero.com ( by
     GCN5B9ZDBKTFX.mail.protection.outlook.com (10.997.33.92) with Microsoft SMTP

     Server id 05.9.975.7 via Frontend Transport; Mon, 7 Sep 2015 12:55:16 +0200
    From: Accounts <message-service@post.xero.com>
    To:  hp_printer@[redacted]
    Date: Mon, 7 Sep 2015 12:55:16 +0200
    Subject: Credit Note CN-60938 from Stilwell Financial Inc for [redacted] (0178)
    MIME-Version: 1.0
    Content-Type: text/plain; charset=ISO-8859-1; format=flowed
    Content-Transfer-Encoding: 7bit
    X-Mailer: aspNetEmail ver
    Message-ID: <504359-L45H474JYDT96LCSOCCGF9O9R1IXJTQ2949EW0C2@xero.com>
    The fake parts of the headers are highlighted. The actual sending IP is in Turkey. I don't know what the payload is in this case as the download location doesn't work, it will most likely be some sort of banking trojan.

    Malware spam: "Companies House" [WebFiling@companieshouse.gov.uk]

    This spam does not come from Companies House, but is instead a simple forgery with a malicious attachment:

    From     "Companies House" [WebFiling@companieshouse.gov.uk]
    Date     Mon, 7 Sep 2015 12:40:01 +0100
    Subject     RE: Case 0676414

    The submission number is: 0676414

    For more details please check attached file.

    Please quote this number in any communications with Companies House.

    All Web Filed documents are available to view / download for 10 days after their
    original submission. However it is not possible to view copies of accounts that
    were downloaded as templates.

    Companies House Executive Agency may use information it holds to prevent
    and detect fraud. We may also share such information, for the same purpose,
    with other Organizations that handle public funds.

    If you have any queries please contact the Companies House Contact Centre
    on +44 (0)303 1234 500 or email enquiries@companies-house.gov.uK

    Note: This email was sent from a notification-only email address which cannot
    accept incoming email. Please do not reply directly to this message.

    Companies House
    4 Abbey Orchard Street
    SW1P 2HT
    Tel +44 (0)303 1234 500  

    The "case number" is random, and is reflected in the name of the attachment (in this case Case_0676414.zip) which in turn contains a malicious executable Case_0043258.scr which has an icon to make it look like a PDF file.

    This executable has a detection rate of 4/56. The Hybrid Analysis report shows that it communicates with (Cobranet, Nigeria) which has been seen handling malicious traffic for the past couple of weeks. The payload is Upatre/Dyre.


    Friday, 4 September 2015

    Malware spam: "RE:resume" aka "What happened to your files?" / Cryptowall 3.0

    This fake résumé spam leads to ransomware:

    From:     fredrickkroncke@yahoo.com
    Date:    5 September 2015 at 03:50
    Subject:    RE:resume
    Signed by:    yahoo.com

    Hi my name is Teresa Alexander attach is my resume
    Awaiting your prompt reply

    Kind regards

    Teresa Alexander
    The attached document in this case is Teresa_Alexander_resume.doc, which upon opening asks you to enable active content:

    Protected Document
    This document is protected by Microsoft Office.
    Please enable Editing and Content to see this document.

    Can’t view? Follow the steps below.
    Open the document in Microsoft Office. Previewing online does not work for protected documents.
    If you downloaded this document from your email, please click “Enable Editing” from the yellow bar above.
    Once you have enabled editing, please hit “Enable Content” on the yellow bar above.
    Following these steps would be a Very Bad Idea as the malware would encrypt all your files on the disk. This malicious DOC file itself has a VirusTotal detection rate of 4/56.

    The Hybrid Analysis report shows pretty clearly what is going on. An infection sequence begins, with the following domains and IPs contacted: [Eurobyte LLC, Russia) (gaiga.net) (satisgoswamicollege.org) (entriflex.com) (eliasgreencondo.com)

    Blocking those domains and IPs may be enough to stop the ransomware working. The malicious macro in the document drops a file carved_0.exe which has a detection rate of 4/56.

    Once the machine is infected, various "What happened to your files?" messages pop up, such as this one (from the Hybrid Analysis report)

    This further references another bunch of domains that you might want to block, especially in a corporate environment:


    This further Hybrid Analysis report on the dropped binary also identifies the following malicious site: (erointernet.com)

    Incidentally, it is worth noting that the malware attempts to identify the IP address of the infected system by visiting ip-addr.es - although this is not a malcious site, you can consider it to be a potential indicator of compromise.

    The payload here is Cryptowall 3.0 and as is typical, removing the malware is easy.. but decrypting the files without paying the ransom is fearsomely difficult.

    Recommended blocklist:



    DYNAMOO® is a registered trade mark :)

    Tuesday, 1 September 2015

    Malware spam: "Complaint of your Internet activity"

    This spam comes with a malicious attachment:

    From:    Margret Kuhic
    Date:    1 September 2015 at 16:10
    Subject:    Complaint of your Internet activity

    This is a complaint notification. Full details attached. Please notify us within 24 hours with taken actions.

    Margret Kuhic
    Dynamic Communications Agent
    T: 1-679-732-5379
    F: 100.173.9045
    All the sames I have seen have a corrupt attachment which is Base 64 encoded, it is possible that other people might receive a valid attachment though. The attachment was meant to be 723296788_Marquardt-Bailey_Margret Kuhic.zip containing the malicious executable june_stiedemannmolestiae.et.exe which has a VirusTotal detection rate of 2/56.

    This Hybrid Analysis report shows it to be just another variant of Update / Dyre with the same characteristics as the malspam seen earlier today, sending traffic to an IP that I suggest you block or monitor: (Cobranet, Nigeria)

    Some other subjects spotted include:
    Complaint notification 50646
    Infringement of your Internet activity
    Infringement notification 51494

    Malware spam: "Private message notification 41447" / "Adrien Abbott"

    This spam comes with a malicious attachment:
    From:    Adrien Abbott
    Date:    1 September 2015 at 12:34
    Subject:    Private message notification 41447

    You've received a private message. Please open the attached to view it.

    Adrien Abbott
    Chief Tactics Executive
    home: 1-583-761-3793
    work: 380.022.2492
    twitter: @nicole
    skype: nicole
    messenger: nicole
    I have only seen a single sample of this spam, and the attachment was not formatted properly making it harmless, however other variants could be more dangerous. If properly decoded, the attachment should have been named 89867740_Torphy and Sons_Adrien Abbott.zip containing a malicious executable jodie_okonofficia-quo.exe. This executable has a VirusTotal detection rate of just 2/56, the Hybrid Analysis report shows network activity consistent with this being Upatre dropping the Dyre banking trojan, with communications made to: (Cobranet, Nigeria)

    ..which is an IP that has been used several time for this sort of attack recently and is worth blocking. The report details other IP addresses too, but this seems to be the key one to block or monitor.