
Thursday, 24 August 2017

Multiple badness on metoristrontgui.info / 119.28.100.249

Two massive fake "Bill" spam runs seem to be under way, one claiming to be from BT and the other being more generic.

Subject:       New BT Bill
From:       "BT Business" [btbusiness@bttconnect.com]
Date:       Thu, August 24, 2017 6:08 pm
Priority:       Normal

From BT
New BT Bill

Your bill amount is: $106.84
This doesn't include any amounts brought forward from any other bills.

We've put your latest BT bill for you to view. See your bill here


We'll take your payment from your account as usual by Direct Debit.

Reduce paper waste
You're still getting paper bills by post. Why not go paper-free, and stop storing and shredding them once and for all?


Need some help?
Go to www.bt.com/business/support.

Thanks for choosing BT.

Robena Morath
CEO, BT Business

Payment processing fee: BT Payment Services Ltd, a BT Group Company, charges this fee.
This or confidential. It's meant only for the individual(s) email contains BT information, which may be privileged or entity named above. If you're not the intended recipient, note that disclosing, copying, distributing or using this information is prohibited. If you've received this email in error, please let me know immediately on the email address above. Thank you. We monitor our email system, and may record your emails.

And a simpler one..

From:    Dianna Mcgrew
Date:    24 August 2017 at 14:50
Subject:    Bill-9835

Hi,

Here is a copy of your bill.

Thank you & have a great weekend!

Most (but not all) of the samples I have seen then lead to a single website hosting the malicious payload, for example:

http://metoristrontgui.info/af/download.php
http://metoristrontgui.info/af/bill-201708.rar
http://metoristrontgui.info/af/bill-201708.7z

metoristrontgui.info is hosted on 119.28.100.249 (Tencent, China) which is an IP we've seen a few times recently [1] [2]. Let's check out that WHOIS:

Domain Name: METORISTRONTGUI.INFO
Registry Domain ID: D503300000042955753-LRMS
Registrar WHOIS Server:
Registrar URL: http://www.eranet.com
Updated Date: 2017-08-24T14:02:07Z
Creation Date: 2017-08-24T13:24:23Z
Registry Expiry Date: 2018-08-24T13:24:23Z
Registrar Registration Expiration Date:
Registrar: Eranet International Limited
Registrar IANA ID: 1868
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Reseller:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: addPeriod https://icann.org/epp#addPeriod
Registry Registrant ID: C208152073-LRMS
Registrant Name: Robert Ruthven
Registrant Organization: Gamblin Artists Colors
Registrant Street: 323 SE Division Pl
Registrant City: Portland
Registrant State/Province: OR
Registrant Postal Code: 97202
Registrant Country: US
Registrant Phone: +1.5034359411
Registrant Phone Ext:
Registrant Fax: +1.5034359411
Registrant Fax Ext:
Registrant Email: jenniemarc@mail.com
Registry Admin ID: C208152073-LRMS
Admin Name: Robert Ruthven
Admin Organization: Gamblin Artists Colors
Admin Street: 323 SE Division Pl
Admin City: Portland
Admin State/Province: OR
Admin Postal Code: 97202
Admin Country: US
Admin Phone: +1.5034359411
Admin Phone Ext:
Admin Fax: +1.5034359411
Admin Fax Ext:
Admin Email: jenniemarc@mail.com
Registry Tech ID: C208152073-LRMS
Tech Name: Robert Ruthven
Tech Organization: Gamblin Artists Colors
Tech Street: 323 SE Division Pl
Tech City: Portland
Tech State/Province: OR
Tech Postal Code: 97202
Tech Country: US
Tech Phone: +1.5034359411
Tech Phone Ext:
Tech Fax: +1.5034359411
Tech Fax Ext:
Tech Email: jenniemarc@mail.com
Registry Billing ID: C208152073-LRMS
Billing Name: Robert Ruthven
Billing Organization: Gamblin Artists Colors
Billing Street: 323 SE Division Pl
Billing City: Portland
Billing State/Province: OR
Billing Postal Code: 97202
Billing Country: US
Billing Phone: +1.5034359411
Billing Phone Ext:
Billing Fax: +1.5034359411
Billing Fax Ext:
Billing Email: jenniemarc@mail.com
Name Server: A.DNSPOD.COM
Name Server: B.DNSPOD.COM
Name Server: C.DNSPOD.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
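
The thing to notice in that record is the timing: the domain was created at 13:24 UTC on the same day the spam went out, it is still in the registry's add-grace period (addPeriod), and it was bought for the minimum one-year term. As an added example, not part of the original post, here is a small Python check that parses the key fields of the record quoted above (embedded below as a trimmed copy) and flags those three signs of a throwaway registration. The receipt time is taken from the "Bill-9835" sample (24 August 2017, 14:50) and is assumed to be UTC; the seven-day age threshold is an assumption too.

```python
from datetime import datetime, timedelta, timezone

# Trimmed copy of the WHOIS record quoted above (only the fields this check needs).
WHOIS_TEXT = """\
Domain Name: METORISTRONTGUI.INFO
Updated Date: 2017-08-24T14:02:07Z
Creation Date: 2017-08-24T13:24:23Z
Registry Expiry Date: 2018-08-24T13:24:23Z
Registrar: Eranet International Limited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: addPeriod https://icann.org/epp#addPeriod
Name Server: A.DNSPOD.COM
DNSSEC: unsigned
"""

# When the "Bill-9835" sample was received (24 Aug 2017 14:50); treating that as UTC is an assumption.
MESSAGE_SEEN_AT = datetime(2017, 8, 24, 14, 50, tzinfo=timezone.utc)


def parse_whois(text):
    """Turn 'Key: Value' lines into a dict of lists (Domain Status and Name Server repeat)."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or not value.strip():
            continue
        record.setdefault(key.strip(), []).append(value.strip())
    return record


def whois_date(record, key):
    """Parse a registry timestamp such as 2017-08-24T13:24:23Z as an aware UTC datetime."""
    return datetime.strptime(record[key][0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_domain(text, seen_at=MESSAGE_SEEN_AT, max_age_days=7):
    """Return the domain's age at seen_at plus the reasons it looks like a throwaway registration."""
    record = parse_whois(text)
    created = whois_date(record, "Creation Date")
    expires = whois_date(record, "Registry Expiry Date")
    age = seen_at - created
    reasons = []
    if age < timedelta(days=max_age_days):
        reasons.append(f"registered {age.total_seconds() / 3600:.1f} hours before the message")
    # The EPP addPeriod status means the domain is still inside the registry's add-grace window.
    statuses = [s.split()[0] for s in record.get("Domain Status", [])]
    if "addPeriod" in statuses:
        reasons.append("still in the registry add-grace period (addPeriod)")
    if expires - created <= timedelta(days=366):
        reasons.append("registered for the minimum one-year term only")
    return {"domain": record["Domain Name"][0], "age_seconds": age.total_seconds(), "reasons": reasons}


if __name__ == "__main__":
    result = check_domain(WHOIS_TEXT)
    print(result["domain"], f"{result['age_seconds'] / 3600:.2f}h old at receipt")
    for reason in result["reasons"]:
        print(" -", reason)
```

Run against the record above this reports a domain about 1.4 hours old at receipt with all three flags raised. None of the flags is proof on its own (plenty of legitimate domains are a day old), but a link in unsolicited mail pointing at a domain that satisfies all three is worth blocking first and investigating afterwards.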


VirusTotal confirms a lot of badness here, with all of these evil domains on the same server:

drommazxitnnd7gsl.com
74jhdrommdtyis.net
rtozottosdossder.net
kabbionionsesions.net
ttytreffdrorseder.net
tyytrddofjrntions.net
mjhsdgc872bf432rdf.net
yrns7sg3kdn94hskxhbf.net
trmbobodortyuoiyrt.org
metoristrontgui.info
fsroosionsoulsda.info
aldirommestorr887.info
droohsdronfhystgfh.info

Downloads from this site can be a bit slow, unsurprisingly. The dropped EXE seems to be Locky ransomware with a detection rate of 19/65. Hybrid Analysis shows the sample POSTing to 185.179.190.31/imageload.cgi (Webhost LLC, Russia)

Recommended minimum blocklist:
185.179.190.31
119.28.100.249




Wednesday, 23 August 2017

Malware spam: "Customer Service" / "Copy of Invoice xxxx"

This fairly generic spam leads to the Locky ransomware:

Subject:       Copy of Invoice 3206
From:       "Customer Service"
Date:       Wed, August 23, 2017 9:12 pm


Please download file containing your order information.

If you have any further questions regarding your invoice, please call Customer Service.


Please do not reply directly to this automatically generated e-mail message.

Thank you.
Customer Service Department

A link in the email downloads a malicious VBS script, and because it's quite late I'll just say that Hybrid Analysis has seen it all before. The downloaded EXE (VT 21/64) POSTs to 5.196.99.239/imageload.cgi (Just Hosting, Russia), which is in a network block that also had a fair bit of Angler last year, so I would recommend blocking all traffic to 5.196.99.0/24.

Malware spam: "Voice Message Attached from 0xxxxxxxxxxx - name unavailable"

This fake voice mail message leads to malware. It comes in two slightly different versions, one with a RAR file download and the other with a ZIP.

Subject:       Voice Message Attached from 001396445685 - name unavailable
From:       "Voice Message" <vmservice@victimdomain.tld>
Date:       Wed, August 23, 2017 10:22 am

Time: Wed, 23 Aug 2017 14:52:12 +0530
Download <http://tyytrddofjrntions.net/af/VM20170823_193908.zip> file to listen
Voice Message

Subject:       Voice Message Attached from 055237805419 - name unavailable
From:       "Voice Message" <vmservice@victimdomain.tld>
Date:       Wed, August 23, 2017 10:21 am

Time: Wed, 23 Aug 2017 14:51:13 +0530
Download <http://mjhsdgc872bf432rdf.net/af/VM20170823_193908.rar> file to listen
Voice Message

Both download locations of tyytrddofjrntions.net and mjhsdgc872bf432rdf.net are hosted on 119.28.100.249 (Tencent, CN). This same IP was seen in this other recent spam run. Both the RAR and ZIP downloads (detection rate about 18/59 [1] [2]) contain the same malicious VBS script [pastebin]. The script tries to download an additional component from one of the following locations:

grlarquitectura.com/Mvgjh67?
grundschulmarkt.com/Mvgjh67?
aldirommestorr887.info/af/Mvgjh67?
grupoegeria.net/Mvgjh67?
gestionale-orbit.it/Mvgjh67?
gdrural.com.au/Mvgjh67?
geocean.co.id/Mvgjh67?
grupoajedrecisticoaleph.com/Mvgjh67?
grupofergus.com.bo/Mvgjh67?
gruppostolfaedilizia.it/Mvgjh67?

You'll note that most of those download locations start with "gr", which suggests this is just an alphabetical slice of a much larger list of hacked servers under the control of the bad guys.

Automated analysis [3] [4] shows a dropped file with a VirusTotal detection rate of 14/64 (probably Locky). Those same analyses show traffic being sent to:

62.109.16.214/imageload.cgi (TheFirst-RU, RU - hostname: gpodlinov.letohost.com)
5.196.99.239/imageload.cgi (Just Hosting, RU - hostname: noproblem.one)

UPDATE:  Several other IPs in the 5.196.99.0/24 range have been used to host malware in the past. I would recommend blocking the entire /24.

Recommended blocklist:
119.28.100.249
62.109.16.214
5.196.99.0/24
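
As an added example (not from the original post), here is how a blocklist like the one above, including the "block the whole /24" decision, can be turned into a check over proxy log lines rather than just a firewall rule. The indicators are the IPs and the 5.196.99.0/24 range from this and the previous post, the download domains on 119.28.100.249, the /imageload.cgi check-in path and the /Mvgjh67 download path. The log layout (timestamp, client, method, URL, destination IP) and the log lines themselves are constructed for the example, not real captures.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators from the blocklists above. The /24 is the "block the whole range" call.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "119.28.100.249/32",   # Tencent host behind the download domains
    "62.109.16.214/32",    # imageload.cgi check-in seen in the sandbox runs
    "5.196.99.0/24",       # the whole Just Hosting range
    "185.179.190.31/32",   # imageload.cgi check-in from the Locky sample
)]
BLOCKED_DOMAINS = {"metoristrontgui.info", "tyytrddofjrntions.net", "mjhsdgc872bf432rdf.net"}
SUSPICIOUS_PATH_TOKENS = ("/imageload.cgi", "/Mvgjh67")

# Constructed sample log (assumed layout: timestamp client method url dst_ip), not a real capture.
SAMPLE_LOG = """\
1503488400.123 10.0.0.15 GET http://tyytrddofjrntions.net/af/VM20170823_193908.zip 119.28.100.249
1503488401.456 10.0.0.15 GET http://grundschulmarkt.com/Mvgjh67? 203.0.113.7
1503488402.789 10.0.0.15 POST http://5.196.99.17/imageload.cgi 5.196.99.17
1503488403.000 10.0.0.22 GET https://www.example.com/ 93.184.216.34
1503488404.000 10.0.0.22 POST http://noproblem.one/imageload.cgi 5.196.99.239
"""


def ip_reason(text):
    """Return a match reason if text is an IP inside a blocked network, else None."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:          # hostnames and empty strings are not addresses
        return None
    for net in BLOCKED_NETWORKS:
        if addr in net:
            return f"{addr} in {net}"
    return None


def classify(method, url, dst_ip):
    """List the reasons one request matches the indicators; an empty list means clean."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in BLOCKED_DOMAINS:
        reasons.append(f"host {host} is blocklisted")
    # Check both the host (it may be an IP literal) and the resolved destination, without duplicates.
    for candidate in (host, dst_ip):
        reason = ip_reason(candidate)
        if reason and reason not in reasons:
            reasons.append(reason)
    for token in SUSPICIOUS_PATH_TOKENS:
        if token in parts.path:     # path only; the query string is ignored
            reasons.append(f"{method} to {token} matches the malware download/check-in pattern")
    return reasons


def scan(log_text):
    """Return one dict per matching log line with the client, URL and reasons."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        _ts, client, method, url, dst_ip = fields
        reasons = classify(method, url, dst_ip)
        if reasons:
            hits.append({"client": client, "url": url, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["client"], hit["url"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

The second sample line matters: grundschulmarkt.com is a hacked legitimate site, so it is deliberately not in the domain list, but the /Mvgjh67 path still catches the request. The third line shows why the /24 is useful: a fresh IP in the range that has never appeared in a report still matches.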


Tuesday, 22 August 2017

Malware spam from "Voicemail Service" [pbx@local]

This fake voicemail leads to malware:

Subject:       [PBX]: New message 46 in mailbox 461 from "460GOFEDEX" <8476446077>
From:       "Voicemail Service" [pbx@local]
Date:       Tue, August 22, 2017 10:37 am
To:       "Evelyn Medina"
Priority:       Normal

Dear user:

        just wanted to let you know you were just left a 0:53 long message (number 46)
in mailbox 461 from "460GOFEDEX" <8476446077>, on Tue, 22 Aug 2017 17:37:58 +0800
so you might want to check it when you get a chance.  Thanks!

                                --Voicemail Service

The numbers and details vary from message to message, however the format is always the same. Attached is a RAR file with a name similar to msg0631.rar which contains a malicious script named msg6355.js that looks like this [pastebin]. The script has a VirusTotal detection rate of 14/59.

According to automated analysis [1] [2] the script reaches out to the following URLs:

5.196.99.239/imageload.cgi [5.196.99.239 - OVH, Ireland / Just Hosting, Russia. Hostname: noproblem.one]
garage-fiat.be/jbfr387??qycOuKnvn=qycOuKnvn [91.234.195.48 - Ligne Web Services, France]

A ransomware component is dropped (probably Locky) with a detection rate of 16/64.




Monday, 21 August 2017

Cerber spam: "please print", "images etc"

I only have a couple of samples of this spam, but I suspect it comes in many different flavours..

Subject:       images
From:       "Sophia Passmore" [Sophia5555@victimdomain.tld]
Date:       Fri, May 12, 2017 7:18 pm

--

*Sophia Passmore*


Subject:       please print
From:       "Roberta Pethick" [Roberta5555@victimdomain.tld]
Date:       Fri, May 12, 2017 7:18 pm

--
*Roberta Pethick*

In these two samples there is an attached .7z archive (MD5 31c144629bfdc6c8011c492e06fe914d) with a VirusTotal detection rate of 18/58. Both samples contained a malicious JavaScript named 20170821_08914700.js that looks like this [pastebin].

Automated analysis [1] [2] shows a download from the following locations:

gel-batterien-agm-batterien.de/65JKjbh??TqCRhOAQ=TqCRhOAQ [46.4.91.144 - Hetzner, Germany]
droohsdronfhystgfh.info/af/65JKjbh?TqCRhOAQ=TqCRhOAQ [119.28.100.249 - Tencent, China]

The Hybrid Analysis report shows an executable being dropped which is Cerber ransomware (MD5 c7d79f5d830b1b67c5eb11de40a721b4), with a VT detection rate of 22/64.

Recommended blocklist:
46.4.91.144
119.28.100.249

Wednesday, 19 July 2017

Necurs oddity II: avto111222@bigmir.net

Yesterday I saw a series of spam emails from Necurs apparently attempting to collect replies to super.testtesttest2018@yahoo.com. Although that campaign is continuing today, a new spam run with similar characteristics has started this morning. For example:

From:    jKX Soto [ingmanz@redacted]
Reply-To:    jKX Soto [avto111222@bigmir.net]
Date:    19 July 2017 at 06:43
Subject:    CQJP

hDYNOX

TC

Subject, body text and sender seem to be randomly generated. But in all cases, the Reply-To address is avto111222@bigmir.net (Bigmir is basically a Ukrainian version of Yahoo from what I can tell).

The purpose of this spam run is unclear, but spammers do sometimes launch probing attacks to see what kind of response they get from servers. This could be an attempt to clean up the Necurs email address database, perhaps for resale.

Tuesday, 18 July 2017

Necurs oddity: super.testtesttest2018@yahoo.com / "hi test"

This email is sent from the Necurs botnet and appears to be collecting automatic replies, using a Reply-To email address of super.testtesttest2018@yahoo.com.

From:    Randi Collier [zegrtocbjez@hometelco.net]
Reply-To:    Randi Collier [super.testtesttest2018@yahoo.com]
Date:    18 July 2017 at 10:08
Subject:    hi

hi test 

The name of the sender and the "From" email vary, however the "Reply-To" email is consistent, as is the subject and body text. The sending IP varies, but this does look like Necurs from the patterns I can see.

I can't see any particular purpose in harvesting bounce messages in this way. From Necurs samples I see, the bulk of the recipient addresses are invalid in any case.

Malware spam: UK Fuels Collection / "invoices@ebillinvoice.com"

This fake invoice comes with a malicious attachment:

From:    invoices@ebillinvoice.com
Date:    18 July 2017 at 09:37
Subject:    UK Fuels Collection

Velocity
   
   
ACCOUNT NO
******969    
   
Dear CUSTOMER,
Your latest invoice for your fuel card account is now available for you to view online, download or print through our Velocity online management system.

How to view your invoices

Viewing your invoice is easy
1. Log into Velocity at velocityfleet.com
2. Select 'Invoices' from the menu option
3. Select the invoice you wish to view. You can also print or download a copy

We want to ensure we are protecting your information and providing you with a simple, straightforward and secure way to access your account information. Velocity could not be simpler to use, you will not only have access to download all of your invoices, you will also be able to order cards, run reports on transactions and get to view your PIN reminder online.

       
    Your safety is our priority

Please do not reply to this email, it has been sent from an email address that does not accept incoming emails. Velocity will never ask you to supply personal information such as passwords or other security information via email.
   
       
If you are experiencing difficulties in accessing Velocity, please do not hesitate to call us on 0344 880 2468 or email us at admin@groupcustomerservices.com

Thank you for using this service.
Yours sincerely,

UK Fuels Limited Customer Services

   
Spam Policy   |  Customer Services: 0344 880 2468

This email does not come from UK Fuels or Velocity, but is in fact a simple forgery sent from the Necurs botnet.


In the sample I saw there were two attachments, one was a simple text file that looked like this:

Filetype: Microsoft Office Word
Filename: 11969_201727.doc
Creation date: Tue, 18 Jul 2017 14:07:26 +0530
Modification date: Tue, 18 Jul 2017 14:07:26 +0530
To: [redacted]

The second is a malicious Word document, in this case named 11969_201727.doc. Opening it comes up with a screen asking you to enable active content (not a good idea!). The VirusTotal detection rate is 10/59.

Automated analysis [1] [2] shows that the malicious document downloads a binary from dielandy-garage.de/56evcxv (although there are probably other locations), downloading a file proshuto8.exe which itself has a detection rate of 11/63. Additional automated analysis [3] [4] of that executable shows potentially malicious traffic to:

37.120.182.208 (Netcup, Germany)
186.103.161.204 (Telefonica , Chile)
194.87.235.155 (Mediasoft Ekspert, Russia)
195.2.253.95 (Sphere Ltd, Russia)


Malware delivered in this way is usually ransomware or a banking trojan. UPDATE: this is the Trickbot trojan.

Recommended blocklist:
37.120.182.208
186.103.161.204
194.87.235.155
195.2.253.95




Tuesday, 13 June 2017

Bellatora Inc (ECGR) pump-and-dump spam

It's been a little while since we've seen an illegal pump-and-dump spam from the Necurs botnet, but here is a new one pushing a company called Bellatora Inc (stock ticker ECGR).

From:    Lillie Maynard
Date:    13 June 2017 at 09:37
Subject:    Here's why this company's shares are about to go up tenfold next week.

Yes, it's been some time since I reached out to you with something good but trust me… the wait will have been worth it.

I promised you that I'd only give you a tip if I had something spectacular, and today I do.

Remember my buddy in California who works at Accel? I had lunch with him yesterday and he told me that his firm is about to invest 50 million bucks into a small Marijuana company.

Basically they make weed vaporizers and their stuff is flying off the shelf because both weed, and vaporizers are all the craze right now.

Anyway, long story short, they're putting all that cash in the company at a price of $1.17 per share and yes you guessed it… it's way higher than where the stock price is as we speak.

The price is at just over 10 cents right now. This means that when they announce their involvement in a few days it should go up about tenfold overnight.

In fact, if you look at the chart, the price was at a little over 2 dollars a few weeks ago. My buddy tells me that his firm 'crashed' it artificially so that they'd have more bargaining power at the table and it makes sense... They're coming in at just $1.17 instead of over 2 dollars.

Nonetheless this is a really rare chance for us to get in. I'll pick up at least 50,000 shares today and I think you should do the same.

The name of the company is Bellatora Inc. and its ticker is ECGR. If you do decide to tell a couple of your friends, please do me a favor and don't mention me by name.

Thanks,
Lillie Maynard

Bellatora seems to be involved in the vaping market, including medical marijuana vaping. I've seen a couple of other P&D spam runs in the past pushing stocks in this industry [1] [2].

Over the past month, the price of ECGR stock has cratered from over $2 per share to just 10 cents today. Yesterday someone traded 455,000 shares of that stock.


According to MarketWired this company has changed names several times over the years:

Company History
- Formerly=Oncology Medical, Inc. until 9-2016
- Formerly=Vianet Technology Group, Ltd. until 4-07
- Formerly=UTTI Corp. until 2-07
- Formerly=Unitech Industries, Inc. until 1-99
- Note=12-96 state of incorporation California changed to Delaware upon emergence from Chapter XI bankruptcy under Federal Bankruptcy Code

A quick look at the financials for this company turns up.. nothing. Which is kind of odd.

Anyway, stock being pushed through illegal pump-and-dump operations such as this is not being done for YOUR benefit, but for some party who holds a lot of stock. Avoid.

The spam run has been going on for about six hours, but has slowed down in the past few hours.


Version 2 - 13th June

It didn't take long for the second version to come out.. and there could be a lot more to come.

From:    Alisa Rich
Date:    13 June 2017 at 15:39
Subject:    Let me tell you why this stock will go up 10x by next week.

Haven't heard from me in a while right? That's because I'm not one to waste your time.

Whenever I do email you, it's because I've got something good. Really good.

My good friend who works at the big VC out in NY invited me for a bite yesterday. Nothing unusual, we always eat lunch together right?

However yesterday he gave me a really amazing piece of information and I want to share that with you.

The place he works at is basically injecting more or less 50 mill into this small American company that's in the cannabis business. Apparently, they've got some really amazing distribution and even better technologies.

Anyway... to make a long story longer he said the value they are coming in at is right around 1.20 a share and that this announcement will be made public some time in the next few days.

Given that the shares are at just 12 cents right now, do you have any idea what's going to happen when the announcement is out?

Yep, you guessed right... It's going to jump up 10 times, literally overnight.

The cannabis company is: Bella tora Inc.

You can buy it if you type E C G R in your brokerage account.

Feel free to tell only your closest friends about this. I really have no clue when the next time I get a tip will be.

Take care,
Alisa Rich




Monday, 5 June 2017

Malware spam: "John Miller Limited" / "Invoice"

This spam pretends to come from John Miller Ltd (but doesn't) and comes with a malicious payload. The domain mentioned in the email does not match the company being spoofed, and varies from message to message.

From:    Felix Holmes
Date:    5 June 2017 at 10:20
Subject:    Invoice


Regards



Felix Holmes

cid:image001.jpg@01D00F00.660A92D0
Kirkburn Ind. Estate
Lockerbie
Dumfries and Galloway
DG11 2FF

Tel – 01576 208 741 (Accounts) 01576 208 747 (Main line)
Fax – 01576 208 748
Ext – 1008/1006
‘’New Website launched 30.05.2014 – visit www.[redacted].uk’’


Attached is a PDF file with a name similar to A4 Inv_Crd 914605.pdf - opening it up (NOT recommended) displays something fairly minimal.

The attachment currently has a detection rate of about 9/56. As is common with some recent attacks, the PDF actually contains an embedded Microsoft Office document. Hybrid Analysis shows the malicious file downloading a component from cartus-imprimanta.ro/8yfh4gfff (176.126.200.56 - HostVision SRL, Romania) although other variants possibly exist.


A file is dropped (called miniramon8.exe in the HA report) with a detection rate of 11/61. According to the Hybrid Analysis report, that attempts to communicate with the following IPs:

192.48.88.167 (Tocici LLC, US)
89.110.157.78 (netclusive GmbH, Germany)
85.214.126.182 (Strato AG, Germany)
46.101.154.177 (Digital Ocean, Germany)


The payload is not clear at this time, but it will be nothing good.

Recommended blocklist:
192.48.88.167
89.110.157.78
85.214.126.182
46.101.154.177



Thursday, 11 May 2017

Malware spam with "nm.pdf" attachment

Currently underway is a malicious spam run with various subjects, for example:

Scan_5902
Document_10354
File_43359


Senders are random, and there is no body text. In all cases there is a PDF attached named nm.pdf with an MD5 of D4690177C76B5E86FBD9D6B8E8EE23ED or 6B305C5B59C235122FD8049B1C4C794D (and possibly more). Detection rates at VirusTotal are moderate [1] [2].

The PDF file contains an embedded Word .docm macro document. Hybrid Analysis [3] [4] is only partly successful (it shows a run-time error for the malicious code), but it does demonstrate that a malicious .docm file is dropped, with a detection rate of 15/58.

Putting the .docm file back into Hybrid Analysis and Malwr [5] [6] shows the same sort of results, namely a download from:

easysupport.us/f87346b

Given that this seems to be coming from the Necurs botnet, this is probably Locky or Dridex.

UPDATE

A contact pointed out this Hybrid Analysis which looks like basically the same thing, only in this sample the download seems to work. Note the references to "jaff" in the report, which matches this Tweet about something called "Jaff ransomware".

That report also gives two other locations to look out for:

trialinsider.com/f87346b
fkksjobnn43.org/a5/


This currently gives a recommended blocklist of:
47.91.107.213
trialinsider.com
easysupport.us

Tuesday, 2 May 2017

Malware spam: DHL Shipment 458878382814 Delivered

Another day and another fake DHL message leading to an evil .js script.

From: DHL Parcel UK [redacted]
Sent: 02 May 2017 09:30
To: [redacted]
Subject: DHL Shipment 458878382814 Delivered

You can track this order by clicking on the following link:
https://www.dhl.com/apps/dhltrack/?action=track&tracknumbers=458878382814&language=en&opco=FDEG&clientype=ivother

Please do not respond to this message. This email was sent from an unattended mailbox. This report was generated at approximately 08:15 am CDT on 02/05/2017.

All weights are estimated.

The shipment is scheduled for delivery on or before the scheduled delivery displayed above. DHL does not determine money-back guarantee or delay claim requests based on the scheduled delivery. Please see the DHL Service Guide for terms and conditions of service, including the DHL Money-Back Guarantee, or contact your DHL customer support representative.

This tracking update has been sent to you by DHL on behalf of the Requestor [redacted]. DHL does not validate the authenticity of the requestor and does not validate, guarantee or warrant the authenticity of the request, the requestor's message, or the accuracy of this tracking update.

Standard transit is the date the package should be delivered by, based on the selected service, destination, and ship date. Limitations and exceptions may apply. Please see the DHL Service Guide for terms and conditions of service, including the DHL Money-Back Guarantee, or contact your DHL Customer Support representative.

In this case the link goes to parkpaladium.com/DHL24/18218056431/  and downloads a file DHL-134843-May-02-2017-55038-8327373-1339347112.js which looks like this.

According to Malwr and Hybrid Analysis the script downloads a binary from micromatrices.com/qwh7zxijifxsnxg20mlwa/ (77.92.78.38  - UK2, UK) and then subsequently attempts communication with

75.25.153.57 (AT&T, US)
79.170.95.202 (XL Internet Services, Netherlands)
87.106.148.126 (1&1, Germany)
78.47.56.162 (Mediaforge, Germany)
81.88.24.211 (dogado GmbH, Germany)
92.51.129.235 (Host Europe, Germany)
74.50.57.220 (RimuHosting, US)


The dropped binary has a VirusTotal detection rate of 10/60.

Recommended blocklist:
77.92.78.38
75.25.153.57
79.170.95.202
87.106.148.126
78.47.56.162
81.88.24.211
92.51.129.235
74.50.57.220

Thursday, 27 April 2017

Malware spam: Scotiabank / "Secure email communication" / Secure.Mail@scotiabankmail.com

This fake financial spam leads to malware:

From:    ScotiaBank [Secure.Mail@scotiabankmail.com]
Date:    27 April 2017 at 14:13
Subject:    Secure email communication
Signed by:    scotiabankmail.com


Scotia Secure Email Logo
Secure mail waiting: (Secure)
Scotiabank has sent you a secure, encrypted e-mail message. To view this e-mail, please visit "Scotiabank Secure Email Service" or check attach file. For further information on how to use this service please refer to "the Secure Email User Guide".
The email you receive from Scotiabank, including any attachments, may contain confidential and/or privileged information for the intended recipient(s) only and the sender does not waive any related legal rights or privilege. Any use or disclosure of the information by an unintended recipient is unauthorized and prohibited. If you have received an email message in error, please delete the entire message, including attachments if any, and inform us by return email. 

Opening the attached document SecureMail.doc leads to a simple page that tries to get you to enable Active Content (not recommended!).

Hybrid Analysis shows a download from elevationstairs.ca/fonts/dde60c5776c175c54d23d2b0c.png [70.33.246.140 - Host Papa, US] leading to a dropped file Pscou.exe which has a detection rate of 11/61 and appears to be Upatre.

Malwr Analysis of the downloaded file shows attempted communications to:

82.146.94.86 (Ringnett, Norway)
8.254.243.46 (Level 3, US)
217.31.111.153 (Ringnett, Norway)


scotiabankmail.com has been registered specifically for this attack, so the domain itself can be blocked on the mail gateway; alternatively, block the sending IP of 89.40.216.186 (City Network Hosting AB, Sweden).

Recommended blocklist:
scotiabankmail.com [email]
89.40.216.186 [email]
70.33.246.140
82.146.94.86
8.254.243.46
217.31.111.153

Malware spam: Royal Mail Grоup / "Delivery attempt fail notice"

This fake Royal Mail email leads to malware.

From: Aretha Stickles [mailto:support@360modshop.com]
Sent: 27 April 2017 12:31
Subject: Delivery attempt fail notice

Dеаr customеr [redacted]

Your pаrcel has been in the post office for a very long time.
You must to receive it it within five days.

TRACKING: RB379949016UK
Expeсted Delivery Dаte: April 21, 2017
Class: Packagе Servicеs
Sеrvicе: Delivery Confirmatiоn
Stаtus: eNote Sent
Tо downloаd thе shipping invоicе, visit the link:

http://www.rоyalmail.cоm/business/services/sending/parcels-uk/3463434535

If you do not take it within the specified time, we will have to return it to the sender.
Please print out an order for your pack and take it at the post office.

Kind Regards,

© Royal Mail Grоup Ltd. 2017. All rights rеsеrved

Despite the link appearing to be from "royalmail.com" it's actually a Google redirector..

https://www.google.com/url?hl=ru&q=http://centregold.org&source=gmail&ust=1493375994142000&usg=AFQjCNHEBmT_B17AS-dHem213ejXdbjNAg#bkfhzzat

This bounces to centregold.org [185.133.40.23 - Krek Ltd, Russia] then a load balancer at rns.tobeylabs.com/tracking/delivery/tracking.php?id=554 [31.148.219.65 - KingServers, Netherlands] then either http://booniff.com/delivery/Pack_9356667UK.zip [216.24.167.58 - Amino Communications, US] or https://purolator.topatlantanursinghomelawyer.com/tracking/parcel/Notification_37352742UK.zip [185.159.80.100 - KingServers, Netherlands].
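
Two separate tricks are at work in that link: the text the victim sees uses Cyrillic letters that look like Latin ones, and the real href is a Google redirector whose q= parameter holds the first hop. As an added example, not part of the original post, here is a Python check that does what a mail filter or an analyst should do with such a link: list any non-ASCII characters in the displayed host, detect a host that mixes scripts, unwrap the google.com/url redirector, and compare the displayed host with the real destination. The displayed link and the href are the ones quoted above (the two Cyrillic "о" are written as \u043e escapes so they cannot be mistaken for Latin o); the function names are my own.

```python
import unicodedata
from urllib.parse import parse_qs, urlsplit

# Visible link text from the spam above; the two "о" in royalmail.com are Cyrillic U+043E, not Latin o.
DISPLAYED_LINK = "http://www.r\u043eyalmail.c\u043em/business/services/sending/parcels-uk/3463434535"
# The href actually behind that text: the Google redirector quoted above.
ACTUAL_HREF = ("https://www.google.com/url?hl=ru&q=http://centregold.org&source=gmail"
               "&ust=1493375994142000&usg=AFQjCNHEBmT_B17AS-dHem213ejXdbjNAg#bkfhzzat")


def foreign_chars(hostname):
    """List (position, character, Unicode name) for every non-ASCII character in a hostname."""
    return [(i, ch, unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(hostname) if ord(ch) > 127]


def scripts_in(hostname):
    """Set of scripts used by the letters of a hostname, e.g. {'LATIN', 'CYRILLIC'}."""
    # The first word of a Unicode character name is its script for letters.
    return {unicodedata.name(ch).split()[0] for ch in hostname if ch.isalpha()}


def unwrap_redirector(url):
    """Return the q= target of a google.com/url redirector, or the url unchanged if it is not one."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if (host == "google.com" or host.endswith(".google.com")) and parts.path == "/url":
        target = parse_qs(parts.query).get("q", [""])[0]
        if target:
            return target
    return url


def check_link(displayed, href):
    """Reasons the displayed link text should not be trusted; an empty list means nothing was flagged."""
    shown_host = urlsplit(displayed).hostname or ""
    findings = []
    odd = foreign_chars(shown_host)
    if odd:
        findings.append("non-ASCII characters in displayed host: "
                        + ", ".join(f"{c!r} ({n}) at {i}" for i, c, n in odd))
    scripts = scripts_in(shown_host)
    if len(scripts) > 1:
        findings.append(f"displayed host mixes scripts: {sorted(scripts)}")
    destination = unwrap_redirector(href)
    if destination != href:
        findings.append(f"href is a redirector; first real hop is {destination}")
    dest_host = urlsplit(destination).hostname or ""
    if dest_host and dest_host != shown_host:
        findings.append(f"displayed host {shown_host} does not match destination host {dest_host}")
    return findings


if __name__ == "__main__":
    for finding in check_link(DISPLAYED_LINK, ACTUAL_HREF):
        print("-", finding)
```

For the spam above this raises all four findings. Note that the redirector unwrapping only recovers the first hop (centregold.org); the load balancer and the final ZIP locations described above are only visible by following the chain in a sandbox.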

Note that the name of the .ZIP is generated dynamically, so there is some variation in filenames.

Inside the ZIP files is a malicious script (e.g. Pack_9356667UK.js) which according to Hybrid Analysis then communicates with a website at 31.148.219.208 [the same KingServers /24 as before!] and it drops a file mstsc.exe with VirusTotal detection rate of 11/57.

Recommended blocklist:
31.148.219.0/24
185.133.40.0/24
185.159.80.0/24
216.24.167.58



Wednesday, 19 April 2017

Malware spam: "Copy of your 123-reg invoice" / no-reply@123-reg.co.uk

This fake financial spam does not come from 123-Reg (nor is it sent to 123-Reg customers). It has a malicious attachment.

From     no-reply@123-reg.co.uk
Date     Wed, 19 Apr 2017 17:19:51 +0500
Subject     Copy of your 123-reg invoice ( 123-093702027 )

Hi [redacted],

Thank you for your order.

Please find attached to this email a receipt for this payment.

Help and support

If you are still stuck why not contact our support team? Simply visit our 123-reg
Support Centre and click on the Ask a Question tab.

Thank you for choosing 123-reg.

The 123-reg team.
https://www.123-reg.co.uk

The invoice number is randomly generated. The attachment is a PDF file with a name matching the invoice number (e.g. 123-093702027-reg-invoice.pdf).

This PDF file appears to drop an Office document according to VirusTotal results.

Hybrid Analysis shows the document dropping a malicious executable with a detection rate of 15/61. It appears to contact the following IPs (some of which contain legitimate sites):

216.87.186.15 (Affinity Internet, US)
216.177.132.93 (Alentus Corporation, US)
152.66.249.132 (Budapest University of Technology and Economics, Budapest)
85.214.113.207 (Strato AG, Germany)
192.184.84.119 (RamNode LLC, US)

The general prognosis seems to be that this is dropping the Dridex banking trojan.

Recommended blocklist:
216.87.186.15
216.177.132.93
152.66.249.132
85.214.113.207
192.184.84.119



Monday, 17 April 2017

Malware spam: "RE: RE: ftc refund" / secretary@ftccomplaintassistant.com

This fake FTC email leads to malware. Curiously, it was sent to a company that received a multimillion dollar FTC fine, but this is almost definitely a coincidence.

From:    Federal Trade Commission [secretary@ftccomplaintassistant.com]
Date:    17 April 2017 at 15:25
Subject:    RE: RE: ftc refund


It seems we can claim a refund from the FTC.
Check this out and give me a call.
https://www.ftc.gov/refunds/company/companyname.com/FTC_refund_recipientname.doc
Thank you
James Newman
Senior Accountant
secretary@ftccomplaintassistant.com
212-0061570

The link in the email actually goes to a URL beginning http://thecomplete180.com/view.php?id= followed by a Base64-encoded string that appears to be 6281 + recipient email address + 5434 (so for president@whitehouse.gov it would be http://thecomplete180.com/view.php?id=NjI4MXByZXNpZGVudEB3aGl0ZWhvdXNlLmdvdjU0MzQ=)
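
That per-recipient id is useful in the other direction too: from a link found in a proxy log or a user's report you can recover exactly which address was targeted. As an added example, not part of the original post, here is a Python pair that rebuilds the link for an address and decodes a captured one, rejecting anything that does not carry the 6281/5434 wrapper. The prefix, suffix and base URL are the ones observed above; handling a %3D-encoded trailing "=" is an assumption about how proxies log such links.

```python
import base64
import binascii
from urllib.parse import unquote

BASE = "http://thecomplete180.com/view.php?id="
PREFIX, SUFFIX = "6281", "5434"   # the fixed digits wrapped around the address in every sample


def build_link(recipient):
    """Reproduce the per-recipient link: base64("6281" + address + "5434") in the id parameter."""
    token = base64.b64encode((PREFIX + recipient + SUFFIX).encode("utf-8")).decode("ascii")
    return BASE + token


def recipient_from_link(url):
    """Recover the targeted address from a captured link, or None if the link does not fit the pattern."""
    if not url.startswith(BASE):
        return None
    token = unquote(url[len(BASE):])          # proxies often log the trailing '=' as %3D (assumption)
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):   # bad alphabet, bad padding or not text
        return None
    if not (raw.startswith(PREFIX) and raw.endswith(SUFFIX) and "@" in raw):
        return None
    return raw[len(PREFIX):-len(SUFFIX)]


if __name__ == "__main__":
    link = build_link("president@whitehouse.gov")
    print(link)
    print(recipient_from_link(link))
```

Because the id is tied to the recipient, the same token appearing in logs from two different users means the link was forwarded, which is worth knowing during an incident.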

Obviously this downloaded document is up to no good, but the VirusTotal detection rates are only 5/56. The Word document itself tries to persuade victims to enable macros, which would be a bad idea.


Automated analysis [1] [2] shows network traffic to:

wasstalwihis.com/bdk/gate.php
littperevengpa.com/ls5/forum.php
littperevengpa.com/mlu/forum.php
littperevengpa.com/d1/about.php
hybridinformatica.com.br/blog/wp-content/themes/twentyeleven/inc/a1
hybridinformatica.com.br/blog/wp-content/themes/twentyeleven/inc/1
hybridinformatica.com.br/blog/wp-content/themes/twentyeleven/inc/2


It also appears to start sending traffic via Tor, which is a good reason to monitor Tor on your network. All sorts of files are dropped, most of which don't seem to be particularly malicious. "Gate.php" indicates a Pony downloader, but this does look like a tricky bugger.

Out of the domains contacted, littperevengpa.com and wasstalwihis.com shared the same registrant details and look fairly evil. The same registrant is associated with 30 further domains.

Perhaps more usefully, we can associate that registrant with the following IPs:

178.170.189.254 [hostname: nejokexulag.example.com] (Servachok Ltd, Russia)
185.146.1.4 (PS Internet Company LLC, Kazakhstan)
185.48.56.63 (Sinarohost, Netherlands)
185.80.53.76 (HZ Hosting, Bulgaria)
188.127.237.232 (SmartApe, Russia)
193.105.240.2 (Sia Vps Hosting, Latvia)
194.1.239.63 [hostname: nejokexulag.example.com] (Internet Hosting Ltd, Russia)
195.54.163.94 (PE Dobrogivskiy Muroslav Petrovich, Ukraine)
212.116.113.108 (Prometey Ltd, Russia)
46.148.26.87 [hostname: nejokexulag.infium.net] (Infium UAB, Ukraine)
47.90.202.88 (Alibaba.com, China)
77.246.149.100 [hostname: nejokexulag.e-vds.ru] (E-planet Ltd, Russia)
87.118.126.207 (Keyweb AG, Germany)
88.214.236.158 (Overoptic Systems, Russia)
91.230.211.67 [hostname: nejokexulag.freeopti.ru] (Optibit LLC, Russia)
93.189.43.36 (NTCOM, Russia)

The IPs listed above make a pretty useful minimum blocklist.




Thursday, 13 April 2017

Malware spam: "Company Documents" / WebFilling@companieshousemail.co.uk and companieshouseemail.co.uk plus others

This spam email does not come from Companies House, but is instead a simple forgery with a malicious attachment:

From:    Companies House [WebFilling@companieshousemail.co.uk]
Date:    13 April 2017 at 11:10
Subject:    Company Documents
Signed by:    companieshousemail.co.uk



CH Logo

Company Documents

This message has been generated in response to the company complaint submitted to Companies House WebFiling service.

Please note: all forms must be answered or the form will be returned.

Service Desk tel +44 (0)303 8097 432 or email enquiries@companieshouse.gov.uk

Note: This email was sent from a notification-only email address which cannot accept incoming email. Please do not reply directly to this message.
 
Companies House 
Crown way
Maindy
Cardiff
CF14 3UZ
Crown Logo



Documents.doc
48K



---

I observed the email coming from the fake domains companieshousemail.co.uk and companieshouseemail.co.uk, but it looks like there may be more. Email is being sent from servers in the 94.237.36.0/24 range (Upcloud Ltd, Finland) and I can see other servers set up to do the same thing:

companieshouseemail.co.uk  94.237.36.104
companieshouseemail.co.uk  94.237.36.145
companieshousemail.co.uk  94.237.36.146
companieshousemail.co.uk  94.237.36.147
companieshousesecure.co.uk  94.237.36.150
companieshousesecure.co.uk  94.237.36.151


Blocking email from the entire 94.237.36.0/24 range at least temporarily might be prudent.
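As an added example (not from the original post), the Python below scores an incoming message on the three indicators discussed here: a sender domain imitating Companies House, a relay hop inside 94.237.36.0/24, and a macro-capable Word attachment. The raw message it parses is constructed for the example; the legitimate domain companieshouse.gov.uk is the one the spam itself quotes.

```python
import email
import email.utils
import ipaddress
import re
from email import policy

LEGIT_DOMAIN = "companieshouse.gov.uk"
BRAND = "companieshouse"
# Sending range observed in the post (Upcloud Ltd, Finland)
SUSPECT_RANGE = ipaddress.ip_network("94.237.36.0/24")
MACRO_CAPABLE = (".doc", ".docm", ".dot", ".xls", ".xlsm", ".rtf")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sender_domain(msg) -> str:
    """Domain part of the From: address, lower-cased ('' if unparseable)."""
    _, addr = email.utils.parseaddr(str(msg.get("From", "")))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_brand_lookalike(domain: str) -> bool:
    """True when the domain contains the brand but is not the real Companies House domain."""
    d = domain.rstrip(".").replace("-", "")
    if d == LEGIT_DOMAIN or d.endswith("." + LEGIT_DOMAIN):
        return False
    return BRAND in d


def received_ips(msg) -> list:
    """Every bracketed IPv4 address in the Received: chain."""
    ips = []
    for hdr in msg.get_all("Received", []):
        for text in IP_RE.findall(str(hdr)):
            try:
                ips.append(ipaddress.ip_address(text))
            except ValueError:
                pass  # malformed address, ignore
    return ips


def attachment_names(msg) -> list:
    """Filenames of all non-body MIME parts."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def assess(raw: bytes) -> dict:
    """Score one raw message; two or more indicators means quarantine."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    domain = sender_domain(msg)
    if is_brand_lookalike(domain):
        reasons.append(f"lookalike sender domain {domain}")
    if any(ip in SUSPECT_RANGE for ip in received_ips(msg)):
        reasons.append(f"relayed via {SUSPECT_RANGE}")
    for name in attachment_names(msg):
        if name.lower().endswith(MACRO_CAPABLE):
            reasons.append(f"macro-capable attachment {name}")
    return {"quarantine": len(reasons) >= 2, "reasons": reasons}


# Constructed message (not the post's sample) modelled on the headers and attachment
# it describes; the attachment body is a placeholder, not a real document.
SAMPLE = b"""\
Received: from companieshousemail.co.uk ([94.237.36.146])
    by mx.example.net with ESMTP id 1cyXyZ-0001AB-CD; Thu, 13 Apr 2017 11:10:02 +0100
From: Companies House <WebFilling@companieshousemail.co.uk>
To: accounts@example.net
Subject: Company Documents
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="part-boundary"

--part-boundary
Content-Type: text/plain

This message has been generated in response to the company complaint submitted to Companies House WebFiling service.
--part-boundary
Content-Type: application/msword; name="Documents.doc"
Content-Disposition: attachment; filename="Documents.doc"
Content-Transfer-Encoding: base64

AAAA
--part-boundary--
"""

if __name__ == "__main__":
    print(assess(SAMPLE))
```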

The WHOIS details for these indicate they were registered today with presumably fake details, which the registrar Nominet has nonetheless somehow "verified".

Registrant:
Charlene hogg

Registrant type:
Unknown

Registrant's address:
37 Maberley Road
London
SE19 2JA
United Kingdom

Data validation:
Nominet was able to match the registrant's name and address against a 3rd party data source on 13-Apr-2017

Registrar:
GoDaddy.com, LLP. [Tag = GODADDY]
URL: http://uk.godaddy.com

Relevant dates:
Registered on: 13-Apr-2017
Expiry date:  13-Apr-2019
Last updated:  13-Apr-2017

Registration status:
Registered until expiry date.

Name servers:
ns29.domaincontrol.com
ns30.domaincontrol.com

All the attachments I have seen are the same, with a current detection rate of 6/55. Hybrid Analysis of the document shows it downloading a component from shuswapcomputer.ca/images/banners/bannerlogo.png, and a malicious executable %APPDATA%\pnwshqr.exe is dropped with a detection rate of 14/62.

Automated analysis of the binary [1] [2] shows potentially malicious traffic going to:

107.181.161.221 (Total Server Solutions, US)
185.25.51.118 (Informacines sistemos ir technologijos UAB aka bacloud.com, Lithuania)


There are probably other destinations too. The payload appears to be Dyre / Dyreza.

Recommended blocklist:
94.237.36.0/24 (temporary email block only)
shuswapcomputer.ca
185.25.51.118
107.181.161.221





Tuesday, 11 April 2017

Pump and dump spam: Quest Management Inc (QSMG) stock

Following on from last month's INCT pump and dump spam, the Necurs botnet is now promoting a Latvian company, Quest Management Inc (QSMG), instead.

From:    Jenna Goff
Date:    11 April 2017 at 13:37
Subject:    FDA approval is about to send this stock up fifty fold

Why is Quest Management (Symbol: QSMG) guaranteed to jump 5,000% this month?

They have a cure for cancer.

This biotech is run by some of the most prolific scientists in America. Together, they have more than 400 years of experience in the field and have more diplomas than we can even imagine.

Cancer kills 1 out of 4 people in our country and we have all been affected by it either directly or indirectly.

Who doesn't know someone who's died from it?

The company's scientists are targeting cancer using stem cells. They are able to identify the bad cells and destroy them without radiating the entire body (like is common with chemo).

Apart from saving millions of lives, their treatment will surely become the No1 selling drug on earth.

The company has already made serious headway thanks to nearly two decades of research.

This cutting edge biotech company has completed animal trials successfully and just wrapped up FDA-approved human trials last week.

The next step is the public announcement of those results, which we hear through the grapevine have beat all expectations and will change the world of medicine forever.

The results will be announced this month, and once they are out the stock will jump to $25 a share overnight and will continue up to $50 or more quickly after.

"Quest"'s biotech arm could have a cancer cure that can be totally effective in killing tumors in more than 40% of patients worldwide available in hospitals throughout the globe by the end of the year.

Once that happens, we're talking about a $1000 a share stock.

We're literally coming in at the last mile, out of nowhere, and grabbing profits from their last 2 decades of hard work.

Consider buying QSMG right now while it's still at under 5 dollars and make sure to tell all your friends to do the same before the price explodes.

You can guarantee that the promise of a future big payout is a lie. For comparison, the INCT stock promoted last month has now crashed from 13 cents to 3 cents, and the promised buy-out of that company never happened.

But surely this is different? QSMG stock went up 60% yesterday..

Well, as you can see from the chart.. it took a sudden dive and then shot up again. It looks like someone sold 26,000 shares and maybe more (maybe at a discount last week), followed by a small purchase of just 100 shares at apparently a higher price. A casual passer-by might think that that was someone trying to manipulate the stock price.


Financials indicate that QSMG has never really done much in the way of business, and the stock price nosedived from an epic $2000 a share a year ago to less than $2 today.


Market cap is currently quoted at $119m with 70 million shares outstanding, which is a lot for a company with a turnover of a few thousand dollars a quarter. There's a 1000:1 reverse split in there from October. So a year ago, the company appears to have been valued at an even more insane amount.

Probably utterly coincidentally, an agreement was recently made for a legitimate US investment company to acquire 46 million shares of QSMG. Perhaps someone else holding QSMG stock is looking for a payday?

Anyway.. most stocks promoted by pump and dump spam crash and burn. Buying stocks based on a tip from an illegal spam run would be extremely unwise in my personal opinion.

UPDATE 1

We'll probably see several different versions of this illegal botnet-driven spam. Here is the second one..

From:    Lottie Nash
Date:    11 April 2017 at 19:31
Subject:    This biotech has developed a cure for cancer and its shares are soaring.

One of my friends at Goldman told me to buy QSMG this morning.

He is an expert at this stuff and has never let me down before. After researching the company, it seems that he may be right.

I am going to buy 5,000 shares now because it's all I can afford, but you should buy as little or as many as you possibly can...

Their biotech arm, Stemvax has developed a cure for cancer and just completed successful human trials under the FDA's supervision.

The stock has jumped 3X already since last week and is guaranteed to go to at least 20 dollars this month based on his research.

Once QSMG's official announcements for the cure become public, there's no saying how high their share price will go.

I expect some very serious stuff to be announced in the coming 2 weeks. Act quickly so you don't miss out.

UPDATE 2

Another one. Incidentally, the email address used for some of these illegal spam emails appears to have been obtained from CompareTheMarket.com. Nice.

From:    Fay Vinson
Date:    12 April 2017 at 09:19
Subject:    An imminent green light from the fda will send this drug maker soaring.

There are very few times in life when we truly get the chance to be part of something big, and profitable at the same time.

The doctors at QSMG have been working nonstop for more than 20 years to get to this moment: a cure for cancer.

They completed animal trials last year which were very positive, and completed human trials just a few days ago with the fda's blessing.

The results are not out yet but according to my sources, the human trials were very successful as well and cancer cells were successfully killed in 40% of all cases.

40% might not seem like a passing grade, but it is above and beyond what everyone was expecting. This makes it the most successful cancer drug on earth, and best of all it is non-invasive.

The results will be announced this month, and once they are out the stock will jump to $25 a share overnight and will continue up to $50 or more quickly after.

Want to feel like a genius? Buy QSMG right now while it's still at just 2 dollars, and wait it out 2 weeks. You will be rewarded handsomely.

UPDATE 3

Another version of this spam is attached below. This "Stemvax" company is not actually part of QSMG, but according to a press release yesterday it's an intended acquisition. I wonder how they're paying for that company? Cash? Stocks? More after this spam..

From:    Araceli Rutledge
Date:    12 April 2017 at 15:34
Subject:    This company found a cure for cancer. Their stock is flying.

This is a super rare opportunity that may never come again. This biotech company has finally found a cure for cancer after more than 20 years of stem cells and immunotherapy research.

They had very positive trials both on animals and humans (according to my sources) where tumors got killed at a rate of 41%.

Their medicine is going to change the world once it gets rolled out in a few months. We are awaiting an official announcement from the company in the next couple of weeks, but it seems I am not the only one in the know because their stock has quadrupled since last week.

QSMG is guaranteed to hit 25 bucks a share overnight once they release their announcement to the public. You really need to think about buying shares right now before it shoots up higher.

So.. I was researching this whole takeover thing and also found a similar but rather promotional commentary on a site, oracledispatch.com, which attributes the bump in QSMG shares to the Stemvax acquisition rather than the spam run:

Quest Management Inc (OTCMKTS:QSMG) had a nice day yesterday moving higher by 15% adding some needed liquidity. The driver for this move came from a Letter of Intent to acquire immunotherapy Biotech company Stemvax, Inc., from Dr. Dwain Morris-Irvin PhD. Upon Closing, Dr. Morris-Irvin will simultaneously become CEO of the newly formed Biotech division of Quest.

Wait a minute. Let's look at that logo on this "news" site.

My goodness, that looks very much like the logo of the entirely unrelated Oracle Corporation.

Anyway, every stock mentioned on that site looks like it could be part of a paid promotion. That's not illegal per se. Spamming out millions of emails from a botnet of hacked machines is.

UPDATE 4

Another spam.. this time it's a "friend at the FDA" rather than "One of my friends at Goldman". Yeah, right.

From:    Teri Dunn
Date:    13 April 2017 at 08:58
Subject:    An imminent event is sending this stock price through the roof.

What if I told you that I know of a company that has actually found a cure for cancer.

They have proven its efficacy in animal tests and have recently just completed their testing on humans.

The results of the tests on the human subjects are not out yet, we are expecting them to become public some time in the next two to three weeks,
but a friend of mine who works at the FDA told me that they are life changing.

It seems that in around forty percent of cases, tumors were successfully destroyed. This number is absolutely huge!
It means that more than a third of the people with cancer can be cured with this therapy.

This is going to change the world, and once the announcement becomes public,
it is guaranteed that their stock price will go to more than 24 to 30 bucks in a matter of hours.

This is why I highly, highly recommend that you buy QSMG as soon as you can today. Get in ahead of the herd.

UPDATE 5

Another one. Perhaps the "I have a good friend who works at the fda" part should read "I have a good friend who is going to jail for securities fraud"?

From:    Socorro Conrad
Date:    13 April 2017 at 18:48
Subject:    Here is a tip that could change your life

I have a good friend who works at the fda, and from time to time he tells me about things before they happen.

This is why I am sending you this message today. Earlier this week he told me about a
company that has found a way to kill cancer tumors in 40% of all breast and prostate cases.

While this isn't a one hundred percent method, it works good enough to save over 50 million lives a year.
The company just completed human trials a couple of weeks ago and have yet to release the results.

Once those positive results hit the public, the company's shares are going to go nuts.

QSMG is currently at under 3 bucks a share. I can guarantee that it will pass 25 to 30 before the end of the
month when those results are out.

Act quickly by getting in now and securing yourself a position ahead of the herd.

UPDATE 6

Surprisingly, the US stock markets are open on Easter Monday so yet another version of this illegal pump-and-dump spam is coming out to prime people. In this case the P&D spam has driven the stock price up.. expect a sharp drop when people realise that it is bullshit.

From:    Milagros Galloway
Date:    17 April 2017 at 09:47
Subject:    This trading idea could tenfold your portfolio this month

In case you missed my email last week, timing is getting very tight now.

You must read on to understand why you must act quickly for your benefit, and the benefit of your friends and family.

If you recall, I told you that I have a friend who works at the food and drug administration who told me about a small company that has just completed human trials for a life-saving cancer therapy.

It seems that in about forty percent of instances, cancer receded. This is an enormous number.

There is nothing else on the market at the moment that can save 40% of patients with breast or prostate cancer.

This drug does.

The small company’s stock is going to go up from 2 dollars to over 30 dollars the moment that this announcement is made public within the next two weeks.

Your window of opportunity to buy shares of QSMG is quickly closing. You must act quickly before you miss out.

UPDATE 7

It looks like the bubble has burst on this P&D spam, as there is a note of desperation here..

From:    Alta Stewart
Date:    17 April 2017 at 17:15
Subject:    Do not miss on this chance to triple your money in the market

There is a rare opportunity in the market right now, so rare that it may only happen once in a lifetime.

I have it on good information that a small biotech company is about to receive approval from the f d a for a life-saving medicine.

This medicine is poised to become the next biggest seller in the world as it has just been shown to kill cancer.

This is why there has been a lot of activity surrounding the stock. People are trading it on wrong information, and it's in the red today because of that.

I highly suggest that you buy in right now while fools are getting out, and the stock is cheap because it's going to go up twenty fold in the next 2 weeks

when the public announcement comes out, and the medicine is officially approved. Move quickly though, because otherwise you will miss out.

The opportunity to buy QSMG at these discounts will not last long, and you will regret you didn't jump in when you had the chance.

Yup.. the stock has crashed and burned today. Hardly surprising..


(Even as I am writing this the stock has just crashed below the $1 barrier). Ah well, anyone foolish enough to pay over the odds for this stock has just been burned. But who is actually making money from this stock manipulation?


UPDATE 8

QSMG stock continues to crater, but it hasn't stopped the spammers trying again..

From:    Jesus Cote
Date:    18 April 2017 at 09:39
Subject:    This stock tip is for your eyes only. The chance may never come again

I know of a cutting edge company that has just completed the development of a new life saving medicine. A friend who works at a high position, at a secretive place told me about it.

This medicine has been proven in both lab tests, and human tests to destroy tumors in almost 50% of instances.

For all practical purposes, I would call it a cure for one of the most deadly diseases of our times.

Being the type of person that I am, I asked myself how we can profit from this information.

The answer is very simple. Within the next week or two, QSMG will make the announcement public and once they do, their stock will go up to over 20 bucks overnight.

So the trick is to grab shares right now, while their price is still dirt cheap and while nobody knows what's about to come.

This is how you get your big break. This is how your life will finally change. Take the leap forward.


---
Best Regards,
Jesus Cote

Yesterday it dropped 73%. It will be interesting to see if it continues its race to the bottom today.

UPDATE 9

After a few days off, the pump and dump spammers are trying again as the share price sticks at 72 cents. It says "This is probably the last time that I will contact you with this information".. we can only hope. Perhaps coincidentally, QSMG announced they are in negotiations to buy another company.

From:    Arlene Sanders
Date:    24 April 2017 at 09:27
Subject:    This time sensitive information could make you very wealthy

If you missed my heads up over this last week and a half, this is finally your time to act because in just 48 hours something big is going to happen.

This is probably the last time that I will contact you  with this information.

My friend at goldman gave me a call over the weekend and told me that the big acquisition we’ve been waiting for is going to occur on Wednesday. The day after tomorrow.

Pfizer is going to complete the purchase of QSMG (a small, public company) at a price of 23.79 dollars a share. For those of you doing the math out there, that's approximately 30 times higher than where the stock is at now.

If you're wondering why it's happening at such a high price, that’s because these guys just completed human trials on a cancer drug which has proved to be effective in around 40% of cases, and big pharma wants this for itself.

I suspect that I am not the only one who might have heard of this news so the stock may start climbing today and tomorrow before the big announcement becomes public on Wednesday evening.

This is quite literally the chance of a lifetime. If you miss out, you'll probably never be able to make 30x on your money so fast again.

Ten grand into QSMG today will turn into a quarter million bucks by Thursday.


***
King Regards,
Arlene Sanders

UPDATE 10

It turns out that the last one wasn't the last one! You might even think that they are lying. And wait.. QSMG doesn't stand for Quest Science Management Gate at all, does it?

From:    Jeanne David
Date:    24 April 2017 at 16:30
Subject:    I have a tip to share with you

In less than 2 days, this stock will go up 20 times overnight.


I've done a lot for you over the years and you've made an insane amount of profits listening to me.

Today and tomorrow is your last chance to seize the opportunity before it disappears.

My good friend who works at a firm I will not mention in upstate NY told me that a big takeover is about to happen.

A little American biopharma company discovered a new treatment for cancerous tumors and one of the biggest companies (starts with a P) is going to announce the official takeover on Wednesday (in 2 days).

The price at which this will happen is more than 20 times what their stock is trading at now. Literally at 23 bucks a share from a current 80 cents.

Write this symbol down, it's the first letter of each word: Quest Science Management Gate that's q followed by s then m and g

This is the 4 letter symbol you need to tell your broker you want to buy, or just type it in yourself in your brokerage.

I hope you're ready to make it big. I expect a big thank you and an invite for steak this weekend.




---
Best Regards,
Jeanne David

UPDATE 11

This spam mentions "Wednesday night" as being when this nonexistent takeover of this crappy stock will take place. Will the spam stop then?

From:    Patsy Sandoval
Date:    25 April 2017 at 09:24
Subject:    By tomorrow evening this stock will be twenty times higher

Did you read my urgent email yesterday?

I outlined very specifically a game plan for you to make more than 20 times on your principal within the next 48 hours.

Let me hit you with the gravy and leave out all the boring details… there's a friend of mine who works at a top 50 firm upstate and he was privy to details of a take over.

In a nutshell there is a very large pharmaceutical company (its name starts with a P) who is finalizing the acquisition of a small public corporation that is currently trading at around 80 cents.

The take over price will be a little over 20 bucks and the official announcement is coming tomorrow night (wed night).

They're paying this much for it because of a novel stem cell treatment which eradicates cancer.

I don't need to tell you what will happen to the share price when this announcement hits the news outlets.

The company's trading symbol is Q as in Quest, S as in Sam, M as in Mother, G as in Great.

These are the 4 letters you need to type into your brokerage account to buy the stock or give to your broker over the phone.

Just ten thousand bucks into this will turn into over two hundred grand by Thursday morning.

You need to act quickly though because it seems I may not be the only one with this information, as I am seeing the price creep up a little already since Monday.



-----
Best Regards,
Patsy Sandoval 

UPDATE 12

This one claims QSMG's "share price is going through the stratosphere". Umm no, it's just bouncing around in the somewhat volatile pumped range that it has been in all week. In my opinion the true value is probably rather closer to $0.00.



From:    Dante Odonnell
Date:    25 April 2017 at 15:54
Subject:    This company's being acquired tomorrow

Its share price is going through the stratosphere.



The cat might be out of the bag now but there is still a massive opportunity to benefit.

I say that the secret is out because the stock price has gone up two days in a row but the reality is that it must be very few people who know information otherwise it would've gone ten times higher.

In case you missed my message yesterday, here is what is happening.. A big pharma corp is acquiring a minuscule public co and this is happening at a price that is 20 times greater than where it currently is.

This means that if you can put 10 thousand in right now, you will take out 200 grand by Thursday morning.

This info is solid. It comes from an attorney who's a long time friend of mine and who literally saw the acquisition documents with his own eyes.

You must be wondering what the company's trading symbol is, and I will not tease you any longer… it's Q like in Quality, S like in Straight, M like Mary and G like Gold

These four letters together make up the company's ticker and that's what you will need to give to your broker, or type into your online account to purchase the stock.

I highly recommend you do this as quickly as possible because there is no guarantee that the price will remain this low much longer.

I expect it'll continue to rise and rise as the insider information spreads. Nonetheless the potential to benefit is absolutely gigantic here.




-----
Best Regards,
Dante Odonnell

UPDATE 13

If you believe the lies this spam is pushing, QSMG are going to be the subject of a takeover bid by Pfizer today. Obviously this is crap, but the spam still keeps trying to pump the share price up nevertheless.

From:    Reba Sykes
Date:    26 April 2017 at 07:28
Subject:    Your chance to make an amazing move is quickly slipping away

There is reason for excitement. A good friend of mine who works at a high place which I will not name told me about a crazy opportunity...

There is an acquisition about to be completed by a very large company.

They're buying out a small medical firm at more than 20 times what it's currently trading at.

This means that every ten thousand bucks you put in will turn into two hundred grand the moment the announcement becomes public.

The symbol for this company is the first letter of each of the following words: Quick, Should, Must, Get.

These 4 letters are what you must type in to your brokerage account or tell your broker in order to get the shares.

I really, really recommend you move on it quickly because the announcement will become public at any day now and this may be your last chance to get in before it's too late.


-------
Best Wishes,
Reba Sykes

UPDATE 15

This one (the 16th version) says (amongst other crap) "This guy has always been right so far. In fact if you remember, the tip I gave you last year… the one on which you made 15x in 2 weeks was from him. Yes, that's right." Funny I don't remember that particular investment. 'Cos it didn't happen.

From:    Jeromy Humphrey
Date:    26 April 2017 at 14:42
Subject:    This is your opportunity to get a 20 bagger in the market very fast

One of my closest buddies, who happens to be a banker, let me in on a little tip earlier on.

There's this really awesome small bio technology firm which has discovered something ground breaking,

and because of this unprecedented discovery they're about to be bought out for a little over 20 times their current value.

One of the most prominent large firms in America is about to make this news public.

When that happens, the small company's stock is going to virtually go up more than twenty three fold overnight.

Let me put this in perspective for you. It means that every 10 thousand bucks you put in this will turn into almost a quarter million when the news is out.

This guy has always been right so far. In fact if you remember, the tip I gave you last year… the one on which you made 15x in 2 weeks was from him. Yes, that's right.

So before I forget, here is the stock symbol.. It's the 1st letter of each of the following words: Quickly Super Mouse Green

I'm giving it to you in “code” in order to avoid potentially prying eyes, in case you are at the office, a cafe or something.

So with the first letter of each of these words, you've got your four letter symbol.

Input this in your online account to buy the stock or call your broker and give it to him and he will make the purchase for you.

One last thing, I don't know if I am the only one who knows this information so it's possible that the price will go up on other people buying,

but nonetheless if you can get in at under a buck twenty, I really recommend you jump on it as soon as physically possible.



--
Best Wishes,
Jeromy Humphrey

UPDATE 16

After a week or so of being quiet, the QSMG spam has started again. No mention, of course, of the non-existent takeover last week, but somebody somewhere must feel the need to pump up that stock price once more. The stock value has almost halved in a week. Oddly, QSMG's latest press release makes no mention of this stock manipulation.. now would be a good time to do so.



From: Ron Manning
Subject: Here's a life changing tip that will guide you through trump's America
Date: Tue, 02 May 2017 13:12:49 +0530

Given the current political climate, there are very few certain things in this world.

I can tell you first hand that I've had a hard time profiting in the market since Trump's administration came in a few months ago.

So I've looked long and hard for opportunities to leverage this unusual situation we find ourselves in here in America, and I have found the way.

Special circumstances call for special measures, and a friend of mine reached out to me over the weekend telling me that there's a small company on the verge of being bought out by a top 500 firm.

The price at which this will happen? 21 bucks a share from a current paltry 60 cents.

This means that every ten thousand of stock you buy, you'll make around 350k when the announcement comes out to the public in a few days.

Why am I telling you this? I want like-minded people to benefit as well and I'm tired of all the big shots making the big bucks.

Take it the way you will, but watch symbol : Quick Sure Mary Garage (use the first letters of each word to make up your 4 letter symbol which you'll use to buy the stock)

One way or another, whether you get in or not, this buy out is going to happen and people are going to make 35x on their principal.

Why not get a piece of the action?


***
Best Wishes,
Ron Manning

UPDATE 17

Amazingly, after a month and a half the pump-and-dump spam for QSMG has started again..

From:    Quentin Johnson
Date:    16 June 2017 at 07:33
Subject:    You can make more than ten times your principal with just this 1 stock


It's been at least a few months since the last time I had the chance to share something amazing with you but if you recall you really made a mint on that last company.

Earlier today I got lucky because as I was having a bite with one of my good friends who works at a top banking firm, he let me in on a little "secret".

Basically they're working on closing a deal for a forbes 100 pharmaceutical company to purchase the entirety of a small drug maker that's just completed a cure for prostate tumors.

The company that's being acquired is trading at just a few pennies right now but the big pharma is paying around a buck a share for it.

This means if you grab shares today you'll be able to make at least ten times what you put in.

The symbol which you need to give your broker or put into your brokerage is the first letter of each of these words:

Quick
Sun
Main
Goal


Together they make up the 4 letter symbol which you need. Act quickly before other people get wind of this.

Since the spam run started weeks ago, the share price has dropped from $1.70 to just 7.5 cents today.


Basically, the shares have lost 95% of their value since then (and I suspect they are actually worth nothing at all). That's pretty typical for a pump-and-dump promoted stock, but what is unusual with this one is the sheer length of time it has been going on.

UPDATE 18

Yet another stupid pump and dump spam. Funnily enough I don't remember quadrupling my money on an apps company.

From:    Marva Gilliam
Date:    16 June 2017 at 15:20
Subject:    This biotech stock is guaranteed to jump 10x next week

This is going to sound crazy, but you remember last year when I told you to buy the mobile apps company before Sony acquired it and you quadrupled your money in just a few days?

I've got another one of those situations, and the information is just as reliable as last time...

It's from my same friend who works at Goldman up in new york.

This time around though it's a biotechnology company that finally completed human trials on an amazing life saving cancer medicine.

The results are not out yet but this guy told me that a large pharma is already aware of the success of the medicine and they are going to buy them out at a buck a share next week.

The current price of Q S M G (this is the symbol you need to enter in your account to buy)

is just around 10 cents so if you get in quickly you can make a really fast 10x in just a few days.

Thank me later.

UPDATE 19

This spam mentions an upcoming acquisition. It is perhaps just a coincidence that a press release from QSMG claims that some medical company called sanavida.online is being eyed for a takeover. Apropos of nothing, I wonder if that's a cash or stock acquisition?

From:    Alice Bowman
Date:    19 June 2017 at 11:39
Subject:    In less than 5 days this company could yield you a ten bagger

Good morning!

I've been involved in the markets for a few decades now and I'll be the first to tell you that things have never been as uncertain as they are today.

With a new administration heading our country, it's becoming increasingly difficult to get the edge in the markets.

At least, we can always count on lady luck to come in handy when we need her.

A friend of mine founded a small medical company a few years ago and he has been researching a novel way of using the immune system to kill tumors.

After extensive tests and lengthy approval processes, he finally got the green light on this life changing new therapy.

Because of that, a big pharma has put in an offer to buy out the entire company. At essentially 10 times the current trading value.

This guarantees that if you get shares today at under 20 cents each, you will cash out ten times that amount by Friday.

The ticker which you need to use to buy is the first letter of each of these words:

Quest, Start, Mega, Great

Together they make up the 4 letter symbol which you need. Get in as fast as you can before the price jumps.

UPDATE 20

And another one.. what's the betting that the stock won't shoot up tenfold on Friday?

From:    Loretta Head
Date:    19 June 2017 at 17:35
Subject:    Can you really make ten fold on your principal in just a few days?

With today's political climate, it is becoming increasing difficult to find winning stocks.

It's even more difficult to find that once in a blue moon company that you can get in and get a big hit with real quick.

Trump's policies are changing every day and there's no way to know what tomorrow brings to the markets.

That's why I am very fortunate to have stumbled upon a sure bet...

There's a small company that has just discovered a ground breaking medicine for tumors.

Without boring you with details, it's essentially the most effective treatment for cancer right now.

That caught the attention of the big boys and they're buying out this small company for about ten times its current market price.

This is set to occur by Friday. When the news is made public, the price will jump overnight. It's now at just around 0.20.

You do the math. Your upside is big.

The symbol is q.s.m.g

This is what you need to use in order to get shares. Move quick before others find out.

UPDATE 21

I think this passed the ridiculousness threshold some time ago.

From: "Hallie Robles"
Subject: Not sure where to invest? Here's a sure bet.
Date: Tue, 20 Jun 2017 17:33:16 +0600

Our country is going through a strange era. Recent political changes have oddly affected the markets and pretty much most stocks are on over drive right now.

If you have just a few thousand bucks to put into something, picking a winning company is not very easy since everything is so inflated.

I do however know of one that could be life changing. You know, it's a situation like one of those that you only read in the newspaper.

How a guy got really lucky when he put a few thousand in some small company and he made out like a bandit.

Is it just luck though? Or is there more to it than meets the eye?

I have it on good authority that a small medical research company has made a giant breakthrough in getting approval for a rare form of cancer.

Their shares were at over 2 bucks a couple of months ago, but sank to just a few cents when rumors spread that the treatment was ineffective in people.

Those rumors were not false, but they were based on segmented information.

The truth is that the treatment works and the company just got it past government approval.

The news is not public yet, though. At just a few cents a share, you have no downside. You can get in right now at rock bottom and watch it go right back to where it was a few months ago (to over 2 bucks) in a matter of hours once the announcement is out.

The symbol you need to use for the stock is q-s-m-g without the hyphens of course. You just give that to your broker or put it in yourself online in your portal and get in.

Maybe, you too, can make the newspapers for being a "lucky" person but you and I both know the real story.

UPDATE 22

This one tried to make excuses for the fact that QSMG stock has cratered. It's all bullshit of course.

From:    Ben Cain
Date:    20 June 2017 at 15:59
Subject:    This company just found a huge cure and no one knows about it yet!

Did you ever read an article online, or in a magazine praising some so called guru for making a few hundred grand out of just a few thousand by buying just one stock?

These articles are very common and they always make it seem like the guy (or gal) was an expert at this stuff.

I know for a fact that the only way to win in this is to have information that others don't. It's that simple.

If you know that something is going to happen before everyone else does, then you've got the edge.

Just in May, this company I've been watching was trading at a little over 2 bucks alright?

Within days, it got pummeled to just pennies. Apparently, on the incorrect rumor that their new immune  medicine wasn't working.

Now that the dust has settled, it's clear that the information was completely wrong. It just caused a panic, and herd mentality prevailed.

I have an “in” at the company and I know for a fact that not only does this new ground breaking treatment work, but that it just got approved by the f d a.

While this info isn't public yet, once it does become so, you can expect the share price to go right back up to over two dollars. Quite literally overnight. And I am expecting this announcement to come in the next few days.

The symbol you need to buy the stock is q/s/m/g without the / of course. You just give that to your broker or go to your online account and get at least twenty thousand shares.

If you act quickly and get in right now, maybe you'll be one of those cool winner stories people write about in magazines and articles.

UPDATE 23

Another one making excuses for the plummeting share price - "For some odd reasons though, their share price crashed through the floor" - which is nothing to do with them being virtually worthless. Oh no.

From:    Herbert Donovan
Date:    21 June 2017 at 08:18
Subject:    Here's an idea that could make you a small fortune...

Hi [redacted],

I'm not one to just go around and tell my friends random things… If you know me, then you know that I always like to make sure that I know what I'm talking about first.

This is why I waited so long before telling you what is in this email.

One of my closest friends works at a high tech medical firm. They discovered a very successful cure for a certain type of tumor.

For some odd reasons though, their share price crashed through the floor. It went from 2 bucks to like 10 cents over the last few weeks.

My buddy believes that this is due to people being misinformed regarding a new trump policy.

The reality is, the company I'm telling you about right now is about to get f d a approval in the next few weeks and their price is guaranteed to go up more than 15 times its current price.

This is why I think you should take a very close look at q's'm'g (without the apostrophes of course). This is the ticker of the company in question.

If you want something that's practically a sure bet, I recommend you get in this stock today. Even if it's for a modest amount.

You'll be in for a good ride.


Best Regards,
Herbert Donovan

UPDATE 24

More excuses.. and a nice little formatting error at the end.

From:    Ruth Slater
Date:    21 June 2017 at 15:32
Subject:    Let me share with you something that could make you big bucks

I have been around the block. I'm a veteran in this market. I was making my subscribers profits through both Bush, Obama and now Trump.

Back in the Bush Sr. days, I was just an article writer. I wrote for the WS in the Analyst column.

The internet has really changed everything.

Information now travels really fast and is much more accessible to everyone.

I had a lunch meeting with an old colleague a few days ago and he let me in on a little secret.

There's a tiny drug maker that's discovered a spectacular immune medicine. It will change the world and save millions of lives.

The information isn't public yet. In fact, that company was actually about to go bankrupt when the discovery happened. That's why their price dropped from a little over 2 bucks to just 0.10 now.

Long story short, when the news comes out publicly, this thing is going to shoot through the roof.

Based on my decades of experience, I expect it to at least go up 15 to 30 fold in a matter of hours.

The information will be public some time by next week. I recommend you grab shares quickly today if you can.

The symbol you need to use to get the shares is q>s>m>g obviously without the > I put that in there just to make it clearer.

If you miss out, this is on you. It's a rare chance that may never come again.
</html

UPDATE 25

After more than a month, this stupid pump and dump spam starts again. This is the twenty-sixth spam run that I have seen for this stock, although there could be more..

From:    Trina Guerra
Date:    31 July 2017 at 10:20
Subject:    I guarantee that this company will quadruple before Friday. Check it out

Did you know that markets are at an all time high?

Even non traditional places to stash some savings like bitcoin are out of control at an all time high.

Given that, it's so hard to make any serious scratch these days. Most things are overinflated and offer very little upside.

That's why I was super relieved when I stumbled upon a small medical company that's so undervalued I couldn't believe my eyes.

They just announced the results of trials which were extremely positive and I believe that the share value is poised to quadruple by this Friday.

At this time it's trading at an all time low of just five cents... It literally has no where to go but up.

I am going to grab a nice position this morning, and in your place, I'd seriously consider getting in today before the masses find out what's happening and the price shoots up.

The ticker is.  q s m g

Check it out now, you'll be glad you got in at under ten cents. You should also tell all your friends about this. I am expecting it to double today.

UPDATE 26

"I won't waste your time with nonsense" it says..

From:    Dominique Pugh
Date:    31 July 2017 at 15:22
Subject:    This stock is gonna go up 4 fold before the end of the week.

I won't waste your time with nonsense. I'll get right to it...

One of my best friends who happens to be employed at the largest firm in new york told me that I should really consider buying a specific stock today.

Without going into specifics he told me that it's going to at least quadruple in price this week.

It's a small company that's basically trading at rock bottom prices, and after digging a bit more into it I think that they are about to make a really massive announcement any day now.

If you can get in at between 7 and 10 cents in the next few minutes I really recommend you jump on it quickly. It's trading under the symbol q,s,m,g (just the letters without the commas). Type this in your account to buy it.

Don't waste any more time because before the day is over I think it will be much, much higher so now is your chance.


Best Wishes,
Dominique Pugh

UPDATE 27

After another loooong break, the QSMG stock is back yet again. Seems that someone still hasn't quite screwed enough money out of this virtually worthless stock.

Subject:       Seriously... What if this company went tenfold by tomorrow?
From:       "Antone Skinner"
Date:       Thu, October 19, 2017 8:39 am

Everyone knows me as a no bullshit analyst and I always give it to my friends just the way it is, whether it's good or bad.

Today though I've only got goodness to share with you because I've come across something so rare it only happens once or twice a year.

I found a stock that's going to jump tenfold by tomorrow due to negotiations for an acquisition that values it at much higher than where it is now.

The information I have is a hundred percent reliable and if you miss out, I guarantee you'll be regretting the decision in a few hours when this thing is up to 8 or 9 cents.

The symbol is qsmg this is all you need to grab it.

If you do miss out, it's ok... I will probably have another one to tell you about in a few months but at the very least you should watch this one closely.

Have a good one.

Best Regards,

Antone Skinner
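Every run above spells the ticker a different way to dodge keyword filters: as a plain word ("qsmg"), as single letters split by punctuation (q.s.m.g, q's'm'g, q>s>m>g, "Q S M G"), or as an acrostic of ordinary words ("Quick Sun Main Goal", "Quest, Start, Mega, Great"). The following is an added example, not code from this blog, of a mail-filter check that normalises all three forms against a watchlist; the watchlist, function names and sample messages are constructed here and modelled on the spam quoted above.

```python
import re
from typing import List, Tuple

# Constructed watchlist: QSMG is the ticker this post tracks; add others as new runs appear.
WATCHLIST = {"QSMG"}

WORD_RE = re.compile(r"[A-Za-z]+")


def find_ticker_hits(text: str, watchlist=WATCHLIST) -> List[Tuple[str, str, str]]:
    """Return (ticker, form, evidence) for each watched ticker spelled out in text.

    Recognises the three spellings used in the QSMG spam runs quoted above:
      plain    - the ticker as one word, any case: "qsmg"
      split    - single letters separated by punctuation or spaces: q.s.m.g, q>s>m>g, "Q S M G"
      acrostic - ordinary words whose initials spell the ticker: "Quick Sun Main Goal"
    """
    hits = []
    matches = list(WORD_RE.finditer(text))
    tokens = [m.group(0) for m in matches]
    for tok in tokens:
        if tok.upper() in watchlist:
            hits.append((tok.upper(), "plain", tok))
    for n in {len(t) for t in watchlist}:
        for i in range(len(tokens) - n + 1):
            window = tokens[i:i + n]
            initials = "".join(t[0] for t in window).upper()
            if initials not in watchlist:
                continue
            # Slice the original text so the evidence keeps the separators the spammer used.
            evidence = text[matches[i].start():matches[i + n - 1].end()]
            if all(len(t) == 1 for t in window):
                hits.append((initials, "split", evidence))
            elif all(len(t) > 1 for t in window):
                hits.append((initials, "acrostic", evidence))
    return hits


def is_pump_and_dump_candidate(text: str, watchlist=WATCHLIST) -> bool:
    """True when a watched ticker appears in any of the recognised forms."""
    return bool(find_ticker_hits(text, watchlist))


# Constructed samples, modelled on the phrasing of the spam quoted in this post.
SAMPLES = [
    "The symbol is q.s.m.g\n\nThis is what you need to use in order to get shares.",
    "take a very close look at q's'm'g (without the apostrophes of course).",
    "The symbol is qsmg this is all you need to grab it.",
    "is the first letter of each of these words:\n\nQuick\nSun\nMain\nGoal\n\nTogether they make up",
    "The ticker which you need to use is the first letter of each of these words:\n\nQuest, Start, Mega, Great",
    "Here is a copy of your bill.\n\nThank you & have a great weekend!",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(is_pump_and_dump_candidate(sample), find_ticker_hits(sample))
```

Mixed windows (some single letters, some words) are deliberately ignored to keep false positives down; the acrostic check is the noisiest part and is best combined with other spam signals rather than used alone.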