Sponsored by..

Monday, 18 March 2019

"Central Intelligence Agency - Case #79238516" extortion spam

I've seen various extortion spams over the past 12 months or so, but this one has a particularly vicious twist.

If you haven't seen one of these before - it's just a spam, randomly sent to your email address. You can safely ignore it.

From:    Liza Guest [liza-guest@eosj.cia-gov-it.tk]
Reply-To:    liza-guest@eosj.cia-gov-it.tk
To:    [redacted]
Date:    18 Mar 2019, 06:33
Subject:    Central Intelligence Agency - Case #79238516

Case #79238516
Distribution and storage of pornographic electronic materials involving underage children.
   
   
My name is Liza Guest and I am a technical collection officer working for Central Intelligence Agency.
   
It has come to my attention that your personal details including your email address ([redacted]) are listed in case #79238516.
   
The following details are listed in the document's attachment:
   
  • Your personal details,
  • Home address,
  • Work address,
  • List of relatives and their contact information.
   
   
Case #79238516 is part of a large international operation set to arrest more than 2000 individuals suspected of paedophilia in 27 countries.
   
The data which could be used to acquire your personal information:
   
  • Your ISP web browsing history,
  • DNS queries history and connection logs,
  • Deep web .onion browsing and/or connection sharing,
  • Online chat-room logs,
  • Social media activity log.
   
The first arrests are scheduled for April 8, 2019.
   
Why am I contacting you ?
   
I read the documentation and I know you are a wealthy person who may be concerned about reputation.
   
I am one of several people who have access to those documents and I have enough security clearance to amend and remove your details from this case. Here is my proposition.
   
Transfer exactly $10,000 USD (ten thousand dollars - about 2.5 BTC) through Bitcoin network to this special bitcoin address:
   
3QTV16BBsaEBVuwZv8wCjEgWZTKVVQPJ3h
   
You can transfer funds with online bitcoin exchanges such as Coinbase, Bitstamp or Coinmama. The deadline is March 27, 2019 (I need few days to access and edit the files).
   
Upon confirming your transfer I will take care of all the files linked to you and you can rest assured no one will bother you.
   
Please do not contact me. I will contact you and confirm only when I see the valid transfer.
   
Regards,
Liza Guest
   
Technical Collection Officer
Directorate of Science and Technology
Central Intelligence Agency

Another version comes "from" tannerlynch@oiks.cia-gov-it.gq and solicits payments to 32ngJWq6YYGUfvCbj3Ji7MNSnqi3rdM5qa. There are probably others. At the time of writing, neither of these two Bitcoin wallets had received any payment.

Tuesday, 22 May 2018

Phishing and fraudulent sites hosted on 188.241.58.60 (Qhoster)

Nigerian registrants. Dodgy Eastern European  host offering bulletproof and anonymous hosting. Yup, I very much doubt there is anything legitimate at all hosted on 188.241.58.60.. or indeed any part of Qhoster's network.

237buzz.com
255page.ga
702mine.com
779999977.com
a1cargomovers.com
abtprinting.com
adassco.com
admincamac.co.uk
afazendaideal.ml
afflluenceindia.com
africheck.com
alamiranut.com
alexandrahospitals.com
alliarnce.org.uk
allseaship.com
amba-medias.com
amiicogroup.com
andrzejkupnopark.eu
anook.info
ansaexpress.com
antrackdiplomaticcs.com
apidexconstruction.com
aramexbe.com
arshland.com
artyschat.com
atlanticfforum.com
aughana.com
battlegrounds-arena.com
baugeruest-handel.com
bevadgmbh.com
billdiamondfinance.co.uk
binaryoptionsmonitor.com
binco-sale.com
bit-masters.com
bitcoincashold.com
bitcoinsdrugsrehab.com
bitmain-alliances.com
bitmamashop.com
blecoman.com
bmpro.info
bourseafrique.com
britannia-pharmaceutical.co.uk
btccap.biz
btctriplermachine.com
buycounterfeitmoneys.com
calvinscott.biz
cameroonianbeauties.com
candodvillahotel.com
carphonewarehouse-eu.com
centroculturadigital.com
certificatesshop.com
chainconnect.co
chaseoffshoreonline.tk
chondomonitor.com
citydiaryfarms.com
classicdeliverycourier.com
clickhereforgiveaway.site
clickhereforgiveaway.xyz
cloud-bigfile.com
cncoslight-zh.com
cnximgang.com
coca-colafinancedept.com
coflaxfluidhandling.com
coinminners.com
coinrxstore.com
compasseguip.com
confirmedsoft.us
cosm0-hk.com
cosmosport24.com
creditonfcu.com
crewlinked.com
criagent.com
crypto023.com
cryptominingtechnology.com
cryptoshifters.com
cs-oilfeild.com
cureonlinepharmacy.org
denverlaserhairremoval.co
divecastle.com
dlnamicatrade.com
double-bitcoins-legit.com
eastmanimpex.cam
ebid-tg.com
efceosaudi.com
elitecertifiedhack.com
emailtime.info
ethiopianairilines.com
eurocertificationcentre.eu
fabftifun.com
faircloths.co.uk
fastcoine.com
fastestfingersfirst.com
fidelity-investment.co.uk
findingthepropercode.com
firstsuorceinc.com
forvisitingthankyou.com
fotesale.com
front-dashboard.com
gdp-international.com
general-funds.com
generate-dcash.biz
gettinginonthelow.com
global-news.center
globalinkscobsult.com
globalinksconsult.com
gmb-trade.com
goimsa.info
grand-sale.com
grantersmultiservices.com
greetapex.com
guaranteecds.com
hackers-list.com.de
harpack-ulma.com
heraeu.com
hereweareonit.com
hlroyoung.com
horizonpartnerrsltd.com
houseofspells.com
hsbrands-int.ml
humer1adminka.com
hyip.co.in
hyipcave.com
idexpresscargo.com
inlinefornine.com
interseadrill.com
item-desc.com
jdfrencis.com
jonihoppershowcase.com
kcf-th.com
kececiprofile.com
kencanafishing.com
kiingsay.com
kindres.com
kindres.de
kippaskagit.com
kmsinfoservice.com
ks-prod.com
lane-pres.com
legitrxonline.club
lifegoalsdevelopmentschool.com
litbitcoinembassy.com
littlerockbitcoins.com
live-rx-store.com
loactrippleser.ga
loan-assistance.com
loan-dealer.com
loudiclear.com
lurnentum.com
luwiex.com
manarpso.com
mannhiem.in
maomanlodocs.cf
marshawoifesquire.com
mcmg-tech.com
meetcameroonians.com
meetup4real.com
megachemstoreonline.com
miamibeachcoin.com
microclicker.com
mile22-casting.com
miningcrux.com
mission4christministry.com
movimientorevolucionariodelpueblo.org
ms-fi.com
mst4sale.com
mysite111.com
neatwaytogettheninth.com
neusportltd.com
news-world.center
nexttys.com
nightcapdice.com
ninthinline.com
nlsteinweg.com
nomuta.com
noworri.com
obsgruop.com
offshoreseadrill.com
onehereisreservedforyou.com
online-citibankgroup.com
ontothenextgame.com
opcolage.com
orifiameglobal.com
ourskynet.com
oxfords-pay.com
parcelservicess.com
pharmas4plus.com
plccsolutions.com
psypharm.com
ptochart.com
quicktitletransfer.com
rashedal-wataniagroup.com
rawgarner.com
realbuyrx.com
recordspharm.com
researchchem4us.com
resumedatabase11.xyz
rnailb.com
rnarhaba.com
ro-noutati-mondene.ml
robnsaconsult.com
rock-sale.com
rosenbaumcontemporarygroup.com
royalstandard.ga
rumlt.in
rush-sale.com
seachiefs.com
seguradoravirtual.com
seosenior.com
service-infoo.com
she-afro.com
shippingdynamics.com
showbarghana.com
siglobal.org
simplyitaly.dk
simplyitaly.it
skillocademy.com
sms-red-online.ga
solid-sale.com
southchina-sea.net
srcoin.ca
srnec-cn.com
stacksign.ga
superenterprise.work
superwhiteningpills.org
svclnlk.com
tax-gov.com
tccholdng-th.com
tecebusiness.com
techfronst.com
thebinaryoptionmonitor.org
thecolumbiabanks.com
thefutureofkitchen.com
theninthisin.com
thewomoorsfestival.co.uk
thisistheninth.com
tienhongjs.com
timetorefillthestock.com
torromodel.de
trans-atlanticdrilling.com
trustedhackers.com
turkiyenews247.tk
turkiyenews27.tk
twhe48.online
uk-pharmcay.com
ulmaparkaging.com
ultronnews.com
unipharma.bz
urnalaxmi-organics.com
usr-acc-serv.com
vendadebitcoin.com
visteonogbonnagroup.com
vpox.ru
vwork.pw
walletsofcoolandhip.com
weather-livenews.com
webs-host.pro
xcesstel.com
xopen.cc
yahoomailservice.com
youngcompamies.com
yoyooo.xyz
zestcrypto.com

Thursday, 10 May 2018

Malware spam: "New documents available for download" / service@barclaysdownloads.co.uk / barclaysdownloads.com

This fake Barclays spam seems to lead to the Trickbot banking trojan.

From:    Barclays [service@barclaysdownloads.co.uk]
Date:    10 May 2018, 13:16
Subject:    New documents available for download
Signed by:    barclaysdownloads.co.uk
Security:    Standard encryption (TLS) Learn more

Barclays Bank PLC Has Sent You Important Account Documents to Sign

You can view the document in your Barclays Cloud account. For additional security, the sender has set an open password for this document.

Documents assigned to: jlines@[redacted]
Your unique download password: "CJ98oZOwye"

To view or download the document please click here.

The submission number is id: bc7729-272sec912-91navc.
Please quote this number in any communications with Barclays.

Disclaimer: This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender.

Email Security Powered by Barclays IBE.

Copyright 2018 Barclays PLC. All rights reserved. 

The download password and submission number are the same in all cases I have seen. Clicking the link leads to a landing page at barclaysdownloads.com.


Entering the password downloads a document AccountDocuments.doc with a VirusTotal detection rate of 14/58, and Hybrid Analysis indicates that this uses an Equation Editor flaw to run a Powershell that downloads an additional component from:

http://basedow-bilder.de/kporto.bin
http://crimefiles.net/logo.bin


The .bin file is saved as %TEMP%\lovemete.exe and this currently has a detection rate of 15/65. Hybrid Analysis indicates this is Trickbot.

barclaysdownloads.co.uk and barclaysdownloads.com have both been registered for this purpose, the latter of which is hosted at Cloudflare.

Friday, 4 May 2018

"Best porno ever" Necurs spam

This spam (apparently from the Necurs botnet) promises much, but seems not to deliver.

From:    Susanne@victimdomain.tld [Susanne@victimdomain.tld]
Date:    4 May 2018, 10:22
Subject:    Best porno ever

Hi [redacted],

Best gay,teen,animal porno ever
Please click the following link to activate your account.

hxxp:||46.161.40.145:3314

Regards,
Susanne
The sender's name varies, but is always in the same domain as the victim.

I only saw four different links in the body text:
Warning live links - do not click
http://46.161.40.145:3314/
http://37.1.211.221:1699/
http://31.207.47.125/3FgtbvCf
http://77.72.84.115/

None of these sites were working when I tested them. Hosting IPs are:

46.161.40.145 (Ankas Ltd, Moldova)
37.1.211.221 (3NT Solutions, UK)
31.207.47.125 (Hostkey, Netherlands)
77.72.84.115 (Netup, UK)

3NT Solutions are a well-known purveyor of badness and I recommend blocking everthing, What the payload is here is unclear, but you can guarantee that's it's nothing good. And probably not smut either.


Sunday, 1 April 2018

New Traffic Light Protocol (TLP) levels for 2018

The Traffic Light Protocol should be familiar to anyone working with sensitive data, with levels RED, AMBER, GREEN and WHITE being used to specify how far information can be shared. In recent years it has become clear that these four levels are not enough, so the United Nations International Committee on Responsible Naming (UN/ICoRN) has introduced nine new TLP levels for implementation from the first day of April 2018.

It seems to me that these new levels do offer a much more nuanced approach to sensitive data and are in alignment with real-world needs. What do you think?


TLP Level
Description
RED
Information cannot be disclosed to anyone other than the current participants.
AMBER
Information can be disclosed within participant’s organisations where appropriate.
GREEN
Information can be shared within the community but not published.
WHITE
Information can be published subject to copyright.
BLACK
Information can be retained by participants until the end of the meeting when their minds will be wiped with a Neuralyzer.
BROWN
Knowledge of this information may cause recipients to soil themselves.
PINK
Information is intended to be TLP:RED but someone will inevitably treat it as TLP:WHITE.
BLUE
Knowledge of this information entitles recipients to a free ride in a police car.
BEIGE
Information is so unmemorable that participants will not be able to recall it even if they try (cf. TLP:BLACK)
TARTAN
Information is a complex mix of different TLP levels that cannot be easily separated.
YELLOW
Knowledge of this information may cause recipients to wet themselves. (cf. TLP:BROWN)
GREY
It is not known if participants should have knowledge of this information or not.
RAINBOW
Information pertains to the existence of unicorns.


Thursday, 8 March 2018

"Faster payment" scam is not quite what it seems

I see a lot of "fake boss" fraud emails in my day job, but it's rare that I see them sent to my personal email address. These four emails all look like fake boss fraud emails, but there's something more going on here.

From:    Ravi [Redacted] <ravi@victimdomain.com>
Reply-To:    Ravi [Redacted] <ravi@victimdomain.com-3.eu>
To:    accounts@victimdomain.com
Date:    23 February 2018 at 12:02
Subject:    Arrange this payment

Pleаsе make а £9,627.00 faster раyment for thе nеw contrаctor.

Sort сode: 30-62-15
Acc. numbеr: 10255956
Paуeе: Olivia Hаrris

I will send the doсs as soon аs i'll sort out my stuff.
Lеаve a rерly oncе сomрlеted or in casе you get аnу рroblеm while sеtting it up.


Rеgards
Ravi [Redacted]

Sent from my iPhonе.

-----------------

From:    Andrea [Redacted] <andrea@victimdomain.com>
Reply-To:    Andrea [Redacted] <andrea@victimdomain.com-0.eu>
To:    sarah@victimdomain.com
Date:    5 March 2018 at 10:31
Subject:    5 Mar. faster payment

Morning Sаrah

Plеаse sеtup a £9,736.00 fastеr рауmеnt in fаvour of the new bеnеfiсiаrу.

Sort code: 30-61-10
Acс. number: 10811231
Pауее: Thеa Smith

I will sеnd the doсs аs soon аs i'm lеss busу.
Leave a rерly once сomрletеd or if уou get аnу рroblеm whilе sеtting it uр.


Rеgаrds
Andreа [Redacted]

Sеnt from mу iPhone.

-----------------

From:    Andrea [Redacted] <andrea@victimdomain.com>
Reply-To:    Andrea [Redacted] <andrea@victimdomain.com-v.eu>
To:    karen@victimdomain.com
Date:    7 March 2018 at 11:08
Subject:    Arrange this payment

Hi Karеn

I nеed you to аrrаnge а £8,643.00 fastеr рауmеnt for the nеw bеnеficiarу.

Sort code: 30-62-12
Acc. numbеr: 10240298
Benefiсiarу: Beatriсe Evans

I will sеnd thе doсumеnts as soon as i'm less busу.
Lеavе а rеply oncе donе or if you get аnу problem whilе sеtting it uр.


Regаrds
Andrеа [Redacted]

Sеnt from my iPhonе.

-----------------

From:    Andrea [Redacted] <andrea@victimdomain.com>
Reply-To:    Andrea [Redacted] <andrea@victimdomain.com-v.eu>
To:    mary@victimdomain.com
Date:    8 March 2018 at 11:03
Subject:    8 Mar. faster payment

Hi Mаrу

I neеd уou to mаke a £8,839.00 faster раymеnt for the new supрlier.

Sort codе: 30-62-12
Acс. numbеr: 10738345
Benеficiаry: Emmа Brown

I will send the рapеrwork onсе i'll sort out mу stuff.
Lеаve а reрly once donе or if you gеt аny рroblem whilе setting it up.


Rеgards
Andrea [Redacted]

Sent from mу iPhone.

"Andrea" and "Ravi" are not random people, they are both directors of a legitimate company with a name very similar (but unconnected) with one I blogged about years ago. In $dayjob the sample email I saw was from that company's chief counsel, so I believe these are targeted but just incorrect.

Normally with this sort of scam, the "boss" is asking for payment to be wired to the bank details in the email. But in this case, the sort codes for the banks (30-62-12, 30-61-10 and 30-62-15) don't exist. If you tried to wire money to them, the transfer would fail.

So, presumably when the bank transfer fails, the victim emails back the "fake boss", but it isn't all it seems. Although the "From" address looks to be genuine, there's a "Reply-To" address which goes to something a but more subtle.

For example in one of the examples about the email appears to come from andrea@victimdomain.com (i.e. whatever the victim's genuine domain is) but replies go back to something similar but different, for example andrea@victimdomain.com-v.eu - at which point the fraudsters probably then come up with different bank account details.

At the moment the email replies go to a server at 185.235.131.65 (hostname uk-v.eu) in the Netherlands, but these domains and servers get shut down quickly.

All these following domains are linked to the scam (there are probably more):
uk-0.eu
uk-1.eu
uk-2.eu
uk-3.eu
uk-4.eu
uk-5.eu
uk-8.eu
uk-9.eu
uk-f.eu
uk-v.eu
com-0.eu
com-1.eu
com-2.eu
com-3.eu
com-4.eu
com-5.eu
com-6.eu
com-7.eu
com-8.eu
com-f.eu
com-v.eu

This variation of an old scam seems to be quite new. Remember, if your boss emails you out of the blue and asks you to set up a payment without giving much information, always check that the request is valid and don't simply reply to the email.

UPDATE 2018-03-12

Another version..

From:    Andrea [redacted] <andrea@victimdomain.com>
Reply-To:    Andrea [redacted] <andrea@victimdomain.com-w.eu>
To:    helen@victimdomain.com
Date:    12 March 2018 at 12:57
Subject:    Handle this payment

Hi Hеlеn

Pleasе makе a £8,909.00 fastеr payment for the nеw vеndor.

Sort сodе: 30-64-15
Acс. number: 10576602
Pаyeе: Elizabeth Moore

I will send the paperwork oncе i'll sort out mу stuff.
Lеave a rерlу whеn thе oреration is сomplеtе or in cаsе уou gеt аnу problеm whilе setting it up.


Regаrds
Andrеа [redacted]

Sеnt from my iPhone.
This uses the domain com-w.eu and is hosted on 185.241.54.62 (hostname uk-w.eu) along with uk-b.eu.

UPDATE 2018-03-13

Two more examples with the same pattern:

From:    Ravi [redacted] <ravi@victimdomain.com>
Reply-To:    Ravi [redacted] <ravi@victimdomain.com-w.eu>
To:    keith@victimdomain.com
Date:    13 March 2018 at 09:52
Subject:    Payment due 13 mar.

Hi Keith

Plеase аrrange a £8,563.00 fаstеr paуment for the new benefiсiarу.

Sort code: 30-60-41
Acc. number: 10638574
Pауeе: Rosе Clarke

I will sеnd the pаperwork as soon аs i'm lеss busу.
Lеаvе а rеplу when the oрerаtion is сomрlеte or if уou gеt аny problem whilе setting it up.


Regаrds
Rаvi [redacted]

Sеnt from my iPhonе.

----------

From:    Andrea [redacted] <andrea@victimdomain.com>
Reply-To:    Andrea [redacted] <andrea@victimdomain.com-w.eu>
To:    emma@victimdomain.com
Date:    13 March 2018 at 09:26
Subject:    Settle up this payment

Hi Emmа

Please mаkе a £8,999.00 fаstеr pаymеnt for the nеw benеfiсiаrу.

Sort codе: 30-60-41
Aсс. numbеr: 10167445
Bеnеficiаrу: Aisha Robinson

I will forward the docs onсe i'll sort out my stuff.
Lеаve a rеply once completed or in cаse уou get аny problеm while setting it uр.


Regаrds
Andreа [redacted]

Sеnt from mу iPhonе.

What I hadn't noticed before is that the spam is using homoglyphs in the text to avoid filters. For example, the word "pаymеnt" in the email above does not acutally say "payment", but it uses a couple of cyrillic (i.e. Russian) characters in place of the "a" and "e" that just look the same.


For the latest spam messages, the email relays through various hosts but always seems to originate from 91.243.80.176 (hostname: lmasko22.example.com). As with the other infrastructure this belongs to a company called MoreneHost in Russia.


Monday, 15 January 2018

Swisscoin [SIC] cryptocurrency spam

Swisscoin is a fairly low-volume self-styled cryptocurrency that has been the target of a Necurs-based spam run starting on Saturday 13th January, and increasing in volume to huge levels on Monday.

From:    Florine Fray [Fray.419@redacted.tld]
Date:    15 January 2018 at 10:51
Subject:    Could this digital currency actually make you a millionaire?

Every once in a while, an opportunity comes around. What divides winners from losers is those who seize it and those who don't. By now, you must have heard about all the people who made a killing with bitcoin over the last year. Some of them made more than ten million with just an initial purchase of a thousand bucks. What I want to ask you though is: Did you know that there are hundreds of other digital currencies that have had even bigger gains over the last twelve months? This includes Ripple, Ethereum and Raiblocks – you may have heard about some of them. What is the next big one for 2018? The answer in my opinion is simple. It's Swisscoin [SIC]. The reason for that is very straight forward. It's because it is supported by the Switzerland government. It is already considered as legal in the country and it is entirely shielded from any political instability. It's the type of coin that you can buy a thousand bucks of, and sit on for a few months or even years and that few thousand will likely be worth a few million. SIC has already doubled in value since Saturday and it will double or triple again by this Friday. So, what are you waiting for? For the time being it can only be purchased on /coinexchange [dot] io/ (that's the website address of the exchange). You can set up an account in about thirty seconds, then you send bitcoins to it and you can easily buy swiss coin. If you don't have any bitcoin already you can just google how to get some, it's super simple and will just take you 10 minutes at most, then transfer them to coinexchange's website and get the SIC

----------------

From:    Jeffry Looper [Looper63@redacted.tld]
Date:    13 January 2018 at 18:42
Subject:    This crypto coin could go up fifty thousand percent this year

Dear [redacted],

If you don't already own a few coins of something, then surely at the very least, you must have heard about cryptocurrencies.

Bitcoin, the most famous one, minted countless multimillionaires but did you know that altcoins (bitcoin alternatives) are responsible for even more riches?

Among the "big" ones, NEM went up almost 10,000 percent and Ethereum, more than 4,000 percent

Among the small and unknown ones several gained more than 50,000 percent.

To put this in perspective, a small 1,000-dollar coin purchase in one of these small ones could have turned into more than 50 million bucks.

It seems crazy, doesn't it? Well, it's the reality of the cryptocurrency market today.

Raiblocks, a relatively obscure coin at the time, went from 0.20 on December first to $20 by New Year's Eve. It is now in the top 20 largest coins in the world.

All that to say, the next big winner could be found anywhere, and today I believe I've identified the next one.

After spending hundreds of hours looking at hundreds of different coins, I locked down on one specific target.

Swisscoin.

As the name says, this is a coin created and headquartered in Switzerland. It is one of the only coins in the world recognized as legal tender by the government.

Swisscoin is allowed by the Swiss government and has the potential to climb more than 5,000% before the end of January and more than 50,000% before the end of this year.

This is one of those rare buy-and-hold coins which you WANT to own, and hang onto for the long term, much like those people who bought bitcoin at $1 and kept it for 3 years. FYI, bitcoin is trading at $14,000 now. That's an increase of over 1 million percent.

I recommend you consider putting at least a thousand bucks in Swisscoin immediately. This could quickly turn into enough money to buy a new house, or at the very least a new car.

For those of you who already have bitcoins, all you need to do is open an account at coinexchange.io (this is the url/website, and it takes 1 minute to get setup), transfer some btc to your new account and buy SIC (Swisscoin).

For those of you who are still clueless about Cryptos, the process will be a little bit longer but well worth it.

Open an account at a large exchange such as Coinbase dot com or Coinmama dot com, then add some fund using your credit/debit card or Paypal.

That's the fastest way, but you will be limited to a few hundred bucks at most. It should be enough to get you quickly started but consider adding more funds using a bank transfer so that you can really have skin in the game.

Remember, every thousand bucks of SIC you buy today could easily turn into 500,000 by this time next year.

----------------

From:    Justine Mcfall [Mcfall0748@redacted.tld]
Date:    14 January 2018 at 16:42
Subject:    Let me tell you about one crypto currency that could turn 1000 bucks into 1 million

If you took a chance on bitcoin early on, just a few years ago, your investment could have paid off in a big way.
According to digital-currency website CoinDesk the value of bitcoins was volatile at the beginning.

It was possible to purchase a single bitcoin for just a few cents. Had you bought just a thousand bucks' worth you would be sitting on millions right now.

Want to know what's even crazier? These types of returns have been replicated hundreds of times over so many different alternative coins and it continue happening all the time.

The trick is to buy into a coin very early on before the crowds notice it.

My research shows that Swisscoin (SIC) is going to be the next big one to blow up this year. It has already doubled since yesterday and as the trend continues it could be 10 times as high before the end of the coming week.

Swisscoin is one of the only coins approved by the government in Switzerland. It is 100% legal and useable in everyday life.

Switzerland's Swiss Franc has been one of the most stable and best performing currencies throughout history and Swisscoin aims to replicate this standard with the digital coin.

Could you turn a thousand bucks into a million before the end of 2018 with SIC? The answer is a clear yes.

For the time being SIC only trades on one exchange: coinexchange.io so you need to open an account there (takes about thirty seconds), and transfer bitcoin to it so you can make the purchase.

If you don't own any digital currency yet then you need to open an account at coinbase or coinmama and buy some btc (bitcoin) with your credit or debit card or bank account.

After you get bitcoins, just follow the instructions in the above paragraph.

One thing is for sure, you definitely don't want to miss out on Swisscoin.
Swisscoin trading was recently suspended and only started up again a few days ago. The chart at World Coin Index shows that this has been a real rollercoaster ride.



There are questions as to whether Swisscoin is actually a cryptocurrency or a Ponzi scheme. Honestly, I don't know and I'd advise you to do your own research. However, this has all the markings of a pump-and-dump scheme, so it's quite possible that someone who bought Swisscoins at their peak wants to pump the price up so they can sell off their holdings. Given that the spam is being sent out from a network of hacked machines and does not comply with anti-spam laws, you can pretty much guarantee that this is not legitimate and should be avoided.

UPDATE: a subsequent spam run looks like this:

From:    Trenton Manners [Manners.491@redacted.tld]
Date:    15 January 2018 at 18:42
Subject:    Forget about bitcoin, there's a way better coin you can buy.

It's probably not news to you at this point if I tell you that bitcoin has made tons of people tons of money. Something else you probably already know is that it will never go up like crazy again. Its time to shine is long gone. That's why we must look into what the next big thing is, and the truth is that there have been plenty over the last few months. Can you jump on the next huge one before it soars? Swiss coin {SIC} is the most likely candidate for a fifty thousand percent return this year. It has the support of the Switzerland government. It is already considered as legal in the country. It's the type of coin that you can buy a thousand bucks of right now, sit on for a small period of time and you could make out crazy wealthy when all is said and done. SIC has already doubled since Saturday. This long Martin Luther King weekend could bring you even more upside if you act quickly. For those of you who know what this means… you can get it for under 50 satoshi right now. And if you have no clue what this means, it basically means that you can get in on the ground floor How do you get some? You just need an account at coinexchange. Read the currency's official page to find out more info: https://swisscoin.eu/sic-deposits.html


Monday, 4 December 2017

Some random thoughts on Damian Green and those porn allegations

If you live in the UK then you might have noticed the somewhat bizarre furore over Damian Green MP and his alleged viewing of pornography on house his Parliament computer. Now, I don't know for certain if he did or didn't, but to put it in context his private email address also allegedly turned up in the Ashley Madison leak and on top of that there are sexual harassment allegations too. But let's stick to the porn for now.

Anybody who has been involved in forensic investigations of computers may well understand these comments:

Mr Lewis, who retired from the Metropolitan Police in 2014, said although "you can't put fingers on a keyboard", a number of factors meant that he was sure it was Mr Green, the MP for Ashford, Kent, who was accessing the pornographic material.

His analysis of the way the computer had been used left the former detective constable in "no doubt whatsoever" that it was Mr Green, who was then an opposition immigration spokesman but is now the first secretary of state.

"The computer was in Mr Green's office, on his desk, logged in, his account, his name," said Mr Lewis, who at the time was working as a computer forensics examiner for SO15, the counter-terrorism command.

"In between browsing pornography, he was sending emails from his account, his personal account, reading documents... it was ridiculous to suggest anybody else could have done it."  
To put this into context - the computer was seized in 2008 when Green was arrested over the suspected leaking of confidential material. Any investigation such as that will look at web browsing history, recently accessed or saved documents, cookies, bookmarks and stored documents and images. So, it is utterly credibly that the investigation would have found this type of activity if it had occurred.

Indeed, there seems to be no denial that this material had been accessed on the computer, but that Mr Green had not done so. But Mr Lewis's statement also says that things such as private email were accessed concurrently. If you were carrying out an investigation on behalf of a business, then this would indeed be enough to "place fingers on a keyboard".

But here is the surprise - why would this material be accessible at all? Nobody has claimed that it was not accessed, just that Mr Green himself did not access it. But any reasonably-sized business would usually have some sort of filter to stop this happening.

The House of Commons by itself employs over 2000 people. Add to that the staff of the House of Lords, the Lords themselves, MPs and other staff who are not directly employed by either House then you are looking at thousands of employees. That's quite a large organisation, and if there is no effective web filtering for any of them, then that introduces a serious security risk.

Anybody who works in IT in a relatively large organisation such as this will know that at least some of them will try to access pornography. My experience is that people who do this on their work computers are exclusively male, and there are 453 male MPs in the House of Commons. This is certainly a large enough group for some of them to be accessing porn, at least some of the time/


So we can surmise a couple of things - it certainly seems to be possible to access porn from a Parliament computer, and given the number of people working there it seems likely that somebody would try. The number of male MPs certainly seems enough for one of those to try to access porn. Given that it is likely that some of them try, there's no particular reason why it shouldn't be Damian Green. And if one MP is fired from his job because of porn, then you can bet there are other MPs who have done the same thing.

But why not implement some sort of filtering? The problem is that MPs are not employees - Parliament is the primary legislative body in the UK and it is essentially sovereign (despite there being a Queen). Imagine that you worked in an organisation where there were hundreds of C-level executives, and then try to police them from an IT point of view. MPs are probably amongst the worst users in the world to support.

As I said, most organisation of any size filter porn from corporate computers. Strategically, the main reason to do that is not to track down and fire errant employees, but to prevent embarrassment to that organisation. It's all very well to fire a low-level employee for viewing smut, but when it comes to the top of the food chain such terminations can also be damaging to the reputation of the organisation itself. If Parliament isn't filtering this sort of material then it is always likely to end up with this sort of scenario from time-to-time.

Mr Lewis's comments indicate that the material was found on the computer itself, not a proxy log or other external system. It's quite possible that whoever was accessing the material on Mr Green's computer could have saved themselves a lot of grief if they'd used private browsing (although a deep forensic investigation can often find artifacts even when this has happened).

Also, Nadine Dorries MP did state that she shared her password with staff who worked for her. This is terrible practice, and certainly in my organisation if you share your password and somebody abuses it, then you are liable for anything that they did.

Don't forget as well, the habit of porn sites infecting visitors with malware though malicious advertisements, and the habit of more "specialist" sites having been created specifically to infect visitor's computers. MPs might not think themselves to be important enough to hack, but they will have private correspondence with constituents and other parties that should remain private.. and not be leaked out.

Whatever the truth of Damian Green's surfing habits, it looks like Parliament is badly in need of proper regulation of its computer systems. But you really do have the nightmare users from hell in that job. I suspect it is going to take something more that one embarrassed MP to force a change.

Image credits:

Tuesday, 31 October 2017

Wednesday, 25 October 2017

Updated 3NT Solutions LLP / inferno.name / V3Servers.net IP ranges

 

[For the February 2021 version of this list, click here]

When I was investigating IOCs for the recent outbreak of BadRabbit ransomware I discovered that it downloaded from a domain 1dnscontrol.com hosted on 5.61.37.209. This IP belongs to a company called 3NT Solutions LLP that I have blogged about before.

It had been three-and-a-half years since I looked at their IP address ranges so I thought I would give them a refresh. My personal recommendation is that you block all of these, I have never seen anything of worth on any 3NT range. Note that inferno.name and V3Servers.net are the same outfit and I have included those too. If you know of any other ranges, please consider leaving a comment.

5.45.64.0/19
5.61.32.0/19
37.1.192.0/19
37.252.0.0/20
46.22.211.0/25
46.22.211.128/26
80.79.124.128/26
92.48.122.0/28
92.48.122.16/28
92.48.122.32/28
92.48.122.48/28
95.168.165.0/24
95.168.173.0/24
95.168.177.0/24
95.168.178.0/24
95.168.191.0/24
130.0.232.0/21
184.154.38.40/29
185.4.64.0/22
212.95.54.0/24
212.95.58.0/24
212.95.63.0/24


Tuesday, 24 October 2017

Malware spam: "Order acknowledgement for BEPO/N1/380006006(2)"

A change to the usual Necurs rubbish, this fake order has a malformed .z archive file which contains a malicious executable with an icon to make it look like an Office document.

Reply-To:    purchase@animalagriculture.org
To:    Recipients [DY]
Date:    24 October 2017 at 06:48
Subject:    FW: Order acknowledgement for BEPO/N1/380006006(2)

Dear All,
Kindly find the attached Purchase order# IT/IMP06/06-17 and arrange to send us the order acknowledgement by return mail.

Note: Please expedite
the delivery as this item is very urgently required.


Regards,  Raj Kiran

(SUDARSHAN SS)  NAVAL SYSTEMS (S&CS)
BHARAT ELECTRONICS LIMITED  BANGALORE  PH:9180-22195857  BEL Website : www.bel-india.com SRM PORTAL :https://hpcrmp.iscodom.com/irj/portal



Every Sheets of paper is made from a tree.. Save trees... Conserve Trees.... Go Green .... Don't print this email or any Files unless you really need to!!!!
Confidentiality Notice


The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain confidential or privileged information. If you are not the intended recipient, please notify the sender at Bharat Electronics or support@bel.co.in immediately and destroy all copies of this message and any attachments.

Attached is a file Purchase order comfirmation.doc.z which contains a malicious executable Purchase order comfirmation.exe which currently has a detection rate of 12/66. It looks like the archive type does not actually match the extension..


If the intended target hides file extensions then it is easy to see how they could be fooled..

Incidentally, VirusTotal shows this information about the file:


Copyright: (c)1998 by RicoSoft
Product: System Investigation
Description: System Investigation for NT/9x
Original Name: SysInv2.exe
Internal Name: SysInv2
File Version:2.3.1.37
Comments: Freeware / Careware from RicoSoft

Obviously that's fake, but a bit of Googling around shows SysInv2.exe being used in other similar attacks.

The Hybrid Analysis for is a little interesting (seemingly identifying it as Loki Bot), showing the malware phoning home to:

jerry.eft-dongle.ir/njet/five/fre.php   (188.165.162.201 / Mizban Web Paytakht Co. Ltd., Iran)

Actually, the IP is leaded from OVH and claims to belong to dedicatedland.com in Birmingham, UK:

organisation:   ORG-MWPM1-RIPE
org-name:       Mizban Web Paytakht Mizban Web Paytakht
org-type:       OTHER
address:        55 Orion Building, 90 Navigation Street
address:        B5 4AA Birmingham
address:        GB
e-mail:         info@dedicatedland.com
abuse-mailbox:  info@dedicatedland.com
phone:          +44.7455017803
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
created:        2015-01-22T22:12:03Z
last-modified:  2015-01-22T22:12:03Z
source:         RIPE


The small 188.165.162.200/29 range is marked as "failover IPs".  The WHOIS for dedicatedland.com comes up with a bogus looking address in Massachusetts:

Registrant Email: info@dedicatedland.com
Registry Admin ID: Not Available From Registry
Admin Name: Mizban Web Paytakht LLC
Admin Organization: irnameserver.com
Admin Street: Newton Center 
Admin City: Newton Center
Admin State/Province: Massachusetts
Admin Postal Code: 00000
Admin Country: US
Admin Phone: +1.00000000
Admin Phone Ext:
Admin Fax:
Admin Fax Ext: 


However RIPE show them as being in Tehran:
Mizban Web Paytakht Co. Ltd.

No.43, North Ekhtiyariyeh St, Ekhtiyariyeh Sqr
1958743611 Tehran
IRAN, ISLAMIC REPUBLIC OF

phone:   +98 2122587469
fax:  +98 2122761180
e-mail:  info (at) dedicatedland (dot) com
Anyway, if you are not interested in sending traffic to Iran, Mizban Web Paytakht own AS64428 which comprises of 185.165.40.0/22 as well. I'll make a guess that the 188.165.162.200/29 range
may be insecure and could be worth blocking.

The email itself originates from 104.171.114.204 which is allocated as follows:

CustName:       jason Richards
Address:        121 main street
City:           suffolk
StateProv:      VA
PostalCode:     23434
Country:        US
RegDate:        2017-01-16
Updated:        2017-01-16
Ref:            https://whois.arin.net/rest/customer/C06298370


You probably don't need to accept .z attachments at your mail perimeter, and any decent anti-spam tool should be able to look inside archives to determine was is in there.

Tuesday, 17 October 2017

Evil network: Fast Serv Inc / Qhoster.com

Checking these IOCs for this latest Flash 0-day came up with an interesting IP address of 89.45.67.107 which belongs to Fast Serv Inc aka Qhoster, probably of Bulgaria but masquerading themselves as a Belize outfit.

I came across Fast Serv / Qhoster a lot last year during the Angler EK epidemic, where they had entire ranges full of badness, often with no discernable legitimate sites at all. It turns out that I'd blocked the /24 a year ago as it was full of EK servers. The full analysis I did of Fast Serv / Qhoster Angler ranges can be found in these Pastebins: [1] [2] [3] [4] [5] [6] [7]

So, this Flash 0 day gave me a renewed impetus to identify these ranges and keep them the hell off my network. Luckily HE's BGP tool can identify most of the allocated IPs of a /24 size or larger [8] [9] plus a bit of infill from other sources.

I can't guarantee that these ranges are free of legitimate sites, but even a quick glance at some of the ranges (the BGP tool is quite good for this [10]) shows signs of obvious badness in almost all of them. Use at your own risk :)

Note that these ranges are across many different ASes and hosts, although AS201630 is allocated to Qhoster themselves.

5.104.105.192/26
37.157.253.64/26
46.102.152.0/24
46.102.252.0/23
85.204.74.0/24
86.104.15.0/24
86.105.1.0/24
86.105.5.0/24
86.105.18.0/24
86.105.227.0/24
86.106.93.0/24
86.106.102.0/24
86.106.131.0/24
89.32.40.0/24
89.33.64.0/24
89.34.111.0/24
89.35.178.0/24
89.37.226.0/24
89.42.212.0/24
89.43.60.0/24
89.43.202.0/23
89.44.103.0/24
89.45.67.0/24
92.114.35.0/24
92.114.92.0/24
93.113.45.0/24
93.115.38.0/24
93.115.201.0/24
93.117.137.0/24
93.119.123.0/24
94.177.12.0/24
94.177.123.0/24
103.197.160.0/22
138.204.168.0/22
141.255.160.48/28
146.0.43.64/26
168.227.36.0/24
168.227.37.0/24
168.227.38.0/24
168.227.39.0/24
176.223.111.0/24
176.223.112.0/24
176.223.113.0/24
176.223.165.0/24
185.77.128.0/24
185.77.129.0/24
185.77.130.0/24
185.77.131.0/24
188.213.204.0/24
188.215.92.0/24
188.241.39.0/24
188.241.68.0/24
220.158.216.0/22
2403:1480:1000::/36
2403:1480:9000::/36
2a05:6200::/32
2a05:6200:72::/48
2a05:6200:74::/48


Sunday, 8 October 2017

Scam: "Help Your Child To Be A Professional Footballer." / info@champ-footballacademyagency.co.uk

This spam email is a scam:

Subject:       Help Your Child To Be A Professional Footballer.
From:       "FC Academy" [csa@sargas-tm.eu]
Date:       Sun, October 8, 2017 10:30 am
To:       "Recipients" [fcsa@sargas-tm.eu]
Priority:       Normal

Hello,
Does your child desire to become a professional footballer?

Our football academy are currently scouting for young football player to participate in 3-6 months training and  our main purpose is to recruit young and talented footballers to help become a great football  player in Life and become a great star .  Our agent will train and linked your child up with big clubs in United Kingdom and Europe.

We will also help your child to get Visa and Work Permit once the admission into our football academy is approved.

Our aim is to provide a wide range of opportunities to complement a successful playing career. We will help your child to find the best route to fulfilling their ambitions of becoming a professional footballer in United Kingdom and Europe.

If you want to help your child achieve their soccer dream, reply us for more information.
Best Regards,
CFAA.

At the time of writing the domain sargas-tm.eu does not exist, but the Reply-To address is actually info@champ-footballacademyagency.co.uk which is a registered domain. The WHOIS details for this say:

Domain name:
        champ-footballacademyagency.co.uk

    Registrant:
        NELSON OZI

    Registrant type:
        Unknown

    Registrant's address:
        404 sapphire tower
        404 sapphire tower
        USA
        Kentucky
        97101
        United States

    Data validation:
        Nominet was not able to match the registrant's name and/or address against a 3rd party
source on 19-Sep-2017

    Registrar:
        Web4Africa Ltd. t/a Web4Africa [Tag = WEB4AFRICA-GH]
        URL: https://www.web4africa.net

    Relevant dates:
        Registered on: 19-Sep-2017
        Expiry date:  19-Sep-2018
        Last updated:  19-Sep-2017

    Registration status:
        Registered until expiry date.

    Name servers:
        dns1.yandex.net
        dns2.yandex.net

Disclaimer
WHOIS lookup made at 10:50:09 08-Oct-2017


There are lots of suspect things about this domain registration - the address is clearly fake, the registrar is based in South Africa and the nameservers are in Russia, and also it was registered just a few weeks ago. A quick bit of Googling around shows that "Nelson Ozi" is also linked to the following probably fraudulent domains:

svbfib.com
svbfibem.com
globalcreditsus.com

These all seem to be connected with an IP range 169.255.59.0/24 (Web4Africa again) which does seem to have a lot of scammy sites hosted on it. Blocking access to that range might be prudent.

The spam email itself comes via another Russian server mail.elmeh.ru but this particular email originated from 103.207.37.101 in Vietnam. Replies to the champ-footballacademyagency.co.uk email would be set to mx.yandex.net which is in Russia again.

It would probably be quite difficult to stuff any more dodgy indicators into this spam. What the scam actually is isn't 100% clear, it could be anything from a simple advanced fee fraud all the way up to child abduction. Avoid.

Thursday, 28 September 2017

Malware spam: "Emailing: Scan0xxx" from "Sales" delivers Locky or Trickbot

This fake document scan delivers different malware depending on the victim's location:

Subject:       Emailing: Scan0963
From:       "Sales" [sales@victimdomain.tld]
Date:       Thu, September 28, 2017 10:31 am


Your message is ready to be sent with the following file or link
attachments:

Scan0963


Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments.  Check your e-mail
security settings to determine how attachments are handled.
Attached is a .7z file with a name matching the "Scan" part in the header and body text. MD5s of those seen so far (there may be more):

58B76A9DC942AF73CFADFAF764637A48
627A8A6C3F73365161B94ABF5472E5C0
8927AE38D6F84DF1940D0E13491015F9
1CD93386F4FD7D5771A8119C5E9E6C98
A406E870D20A5913B17C4F9D6D52CDCD
EB087BB59BEED8039FC7B7E48F099E79
1D94DC6ECAED3D33D840E61DDAD7AC07
FDB76F480AF0A8D01DA2E4A3098A549F
320401A216CC7A3BA6B9C12163B3EB60
1AC6D2DA56FAA27C60A22CFD2099435F
1BD79C90F2CC8390170A4D6231282328

Inside is a malicious VBS script (example) which exhibits a curious feature:


If you are in the UK, Australia, Ireland, Belgium or Luxembourg you get one binary [VT 12/64], everyone else gets another [VT 20/64]. My Online Security describes this in more detail - the first group get the Trickbot banking trojan and everyone gets Locky ransomware.

In the samples I saw, the Trickbot download locations were:

autoecole-jeanpierre.com/9hciunery8g?
autoecoleathena.com/9hciunery8g?
conlin-boats.com/9hciunery8g?
flooringforyou.co.uk/9hciunery8g?
fls-portal.co.uk/9hciunery8g?
fmarson.com/9hciunery8g?
freevillemusic.com/9hciunery8g?
geeks-online.de/9hciunery8g?
jakuboweb.com/9hciunery8g?
jaysonmorrison.com/9hciunery8g?
melting-potes.com/9hciunery8g?
sherylbro.net/p66/LUYTbjnrf
camerawind.com/9hciunery8g?


The Locky download locations:

americanbulldogradio.com/LUYTbjnrf?
anarakdesert.com/LUYTbjnrf?
atlantarecyclingcenters.com/LUYTbjnrf?
augustinechua.com/LUYTbjnrf?
classactionlawsuitnewscenter.com/LUYTbjnrf?
davidstephensbanjo.com/LUYTbjnrf?
e-westchesterpropertytax.com/LUYTbjnrf?
felicesfiestas.com.mx/LUYTbjnrf?
financeforautos.com/LUYTbjnrf?
mtblanc-let.co.uk/LUYTbjnrf?
plumanns.com/LUYTbjnrf?
poemsan.info/p66/d8743fgh
asnsport-bg.com/LUYTbjnrf?


There may be other locations too.

The following legitimate services are used for geolocation. They might be worth monitoring:

https://ipinfo.io/json
http://www.geoplugin.net/json.gp
http://freegeoip.net/json/


All these recent attacks have used .7z archive files which would require 7zip or a compatible program to unarchive. Most decent mail filtering tools should be able to block or strip this extension, more clever ones would be able to determine that there is a .vbs script in there and block on that too.

UPDATE

A more complete list of download locations from a trusted source (thank you!)

ambrogiauto.com/9hciunery8g
autoecoleathena.com/9hciunery8g
autoecoleboisdesroches.com/9hciunery8g
autoecole-jeanpierre.com/9hciunery8g
camerawind.com/9hciunery8g
conlin-boats.com/9hciunery8g
feng-lian.com.tw/9hciunery8g
flooringforyou.co.uk/9hciunery8g
fls-portal.co.uk/9hciunery8g
fmarson.com/9hciunery8g
freevillemusic.com/9hciunery8g
geeks-online.de/9hciunery8g
givensplace.com/9hciunery8g
jakuboweb.com/9hciunery8g
jaysonmorrison.com/9hciunery8g
melting-potes.com/9hciunery8g
patrickreeves.com/9hciunery8g
sherylbro.net/p66/LUYTbjnrf

americanbulldogradio.com/LUYTbjnrf
anarakdesert.com/LUYTbjnrf
asnsport-bg.com/LUYTbjnrf
astilleroscotnsa.com/LUYTbjnrf
atlantarecyclingcenters.com/LUYTbjnrf
augustinechua.com/LUYTbjnrf
classactionlawsuitnewscenter.com/LUYTbjnrf
davidstephensbanjo.com/LUYTbjnrf
essenza.co.id/LUYTbjnrf
evlilikpsikolojisi.com/LUYTbjnrf
e-westchesterpropertytax.com/LUYTbjnrf
felicesfiestas.com.mx/LUYTbjnrf
financeforautos.com/LUYTbjnrf
fincasoroel.es/LUYTbjnrf
kailanisilks.com/LUYTbjnrf
mediatrendsistem.com/LUYTbjnrf
modaintensa.com/LUYTbjnrf
mtblanc-let.co.uk/LUYTbjnrf
plumanns.com/LUYTbjnrf
poemsan.info/p66/d8743fgh