Registered Express Corporation (RGTX) pump and dump spam

It's taken me a few days to get around to this due to moving house, but here's a new pump-and-dump spam run promoting a stock Registered Express Corporation (OTC:RGTX).

As ever, there are a massive number of different subjects and random body-texts, for example:

Subject: This Bottom Bouncer has taken off!Subject: Our analysis right on the MONEY!Subject: Seven Reasons To Love This

Read More

"ADP - Reference #274135902580" spam / Transaction.exe

Is it Salesforce or ADP? Of course.. it is neither.


Date:      Wed, 27 Nov 2013 11:50:07 +0100 [05:50:07 EST]From:      "support@salesforce.com" [support@salesforce.com]Subject:      ADP - Reference #274135902580We were unable to process your recent transaction. Please verify your details and try again.If the problem persists, contact us to complete your order.Transaction details are shown in

Read More

Something evil on 46.19.139.236

46.19.139.236 (Private Layer Inc, Switzerland) seems to be serving up some sort of Java exploit kit via injection attacks which is utilising hijacked legitimate domains, but the domains in use seem to rotate pretty quickly and I haven't got a copy of the payload, but VirusTotal has some examples. These are the domains that I can find running from this IP:

ihavefound.boostprep.com

Read More

"You requested a new Facebook password!" spam / Recoverypassword.zip and Facebook-SecureMessage.exe

This fake Facebook message comes with a malicious attachment:


Date:      Tue, 26 Nov 2013 04:58:18 +0300 [11/25/13 20:58:18 EST]From:      Facebook [update+hiehdzge@facebookmail.com]Subject:      You requested a new Facebook password!facebookHello,You have received a secure message. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save

Read More

0844 number scam (08445715179)

This is a particularly insidious scam that relies on mobile phone users in the UK not knowing that an 0844 number is much, much more expensive than a normal phone call. The scam SMS goes something like this:


ATTENTION! We have tried to contact you, It is important we speak to you today. Please call 08445715179 quoting your reference 121190. Thank You.

In this case the sender's number was +

Read More

RingCentral "Bank of America" fax message spam / 442074293440-1116-084755-242.zip

This fake fax message email has a malicious attachment:


Date:      Fri, 15 Nov 2013 12:05:36 -0500 [12:05:36 EST]
From:      RingCentral [notify-us@ringcentral.com]
Subject:      New Fax Message on 11/15/2013 at 09:51:51 CST

You Have a New Fax Message

From
Bank of America

Received:
11/15/2013 at 09:51:51 CST

Pages:
5
   
To view this message, please open the attachment.

Thank you for

Read More

Malware sites to block 15/11/2013 (Caphaw)

Thanks to a tip to investigate 199.68.199.178 I discovered that the Caphaw network I looked at yesterday is much bigger than I thought. The following IPs and domains can all be regarded as malicious (.SU domains are normally a dead giveaway for evil activity).

The recommended blocklist is at the end of the post (highlighted). These are the hosts involved either now or recently with hosting

Read More

Malware sites to block 14/11/2013 (Caphaw)

These domains and IPs appear to be involved in a Caphaw malware attack, such as this one. All the IPs involved belong to Hetzner in Germany, and although some also host legitimate sites I would strongly recommend blocking them.

Recommended blocklist:
141.8.225.5
46.4.47.20
46.4.47.22
88.198.57.178

Read More

The EXE-in-ZIP spam storm continues

Two more EXE-in-ZIP spams.. the first is a terse one with a subject "Voice Message from Unknown Caller" or "Voicemail Message from unknown number" not much else with a malicious EXE-in-ZIP (VoiceMessage.zip) attachment with VirusTotal score of 7/46 which calls home [1] [2] [3] to amandas-designs.com on 80.179.141.8 (012 Smile Communications Ltd., Israel)

The second one is a fake Wells Fargo

Read More

PayPal "Identity Issue" spam / Identity_Form_04182013.zip

This fake PayPal (or is it Quickbooks?) spam has a malicious attachment:


Date:      Wed, 13 Nov 2013 02:27:39 -0800 [05:27:39 EST]
From:      Payroll Reports [payroll@quickbooks.com]
Subject:      Identity Issue #PP-679-223-724-838

We are writing you this email in regards to your PayPal account. In accordance with our
"Terms and Conditions", article 3.2., we would like to kindly ask you to

Read More

"Rodrigo Sawyer and Associates" fake job offer

This laughable primitive fake job offer is recruiting for money mules, package reshipping or some other scam.


From:     RSA-CAREER! [anthonykather1@gmail.com]Reply-To:     anthonykather1@gmail.comDate:     12 November 2013 20:43Subject:     please readHi...  We Have a PT/job. we pay $250 per job and we want you to participate.Your job is only to act as a regular customer and conduct normal

Read More

"2012 and 2013 Tax Documents; Accountant's Letter" spam / tax 2012-2013.exe

This fake tax spam comes with a malicious attachment:


Date:      Wed, 13 Nov 2013 00:44:46 +0800 [11:44:46 EST]From:      "support@salesforce.com" [support@salesforce.com]Subject:      FW: 2012 and 2013 Tax Documents; Accountant's LetterI forward this file to you for review. Please open and view it.Attached are Individual Income Tax Returns and W-2s for 2012 and 2013, plus an accountant's

Read More

"Important - New Outlook Settings" spam / Outlook.zip

This spam email has a malicious attachment:


Date:      Tue, 12 Nov 2013 16:22:38 +0100 [10:22:38 EST]
From:      Undisclosed Recipients
Subject:      Important - New Outlook Settings

Please carefully read the attached instructions before updating settings.

This file either contains encrypted master password, used to encrypt other files. Key archival has been implemented, in order to decrypt

Read More

"You have received new messages from HMRC" spam, HMRC_Message.zip and qualitysolicitors.com

This fake HMRC spam comes with a malicious attachment. Because the spammers have copied-and-pasted the footer from somewhere random it also effectively joe jobs an innocent site called qualitysolicitors.com:


Date:      Tue, 12 Nov 2013 05:29:28 -0500 [05:29:28 EST]From:      "noreply@hmrc.gov.uk" [noreply@hmrc.gov.uk]Subject:      You have received new messages from HMRCPlease be advised

Read More

Dynamic DNS sites you might want to block, 12/11/13

These domains are used for dynamic DNS and are operated by a company called Dyn who offer a legitimate service, but unfortunately it is abuse by malware writers. If you are the sort of organisation that blocks dynamic DNS IPs then I recommend that you consider blocking the following.

Dyn are pretty good at dealing with abuse complaints (you can contact them here). Blocking these domains will

Read More

"Identity Issue #PP-716-097-521-587" spam / Identity_Form_04182013.zip

For some reason EXE-in-ZIP attacks are all the rage at the moment, here is a fake spam pretending to be from PayPal with a malicious attachment:


Date:      Mon, 11 Nov 2013 19:14:10 +0330 [10:44:10 EST]From:      Payroll Reports [payroll@quickbooks.com]Subject:      Identity Issue #PP-716-097-521-587We are writing you this email in regards to your PayPal account. In accordance with our"Terms

Read More

"To all Employees - Confidential Message" spam / To All Employees 2013.zip.exe

This fake "all employees" email comes with a malicious attachment:


Date:      Mon, 11 Nov 2013 11:28:29 +0000 [06:28:29 EST]From:      DocuSign Service [dse@docusign.net]Subject:      To all Employees - Confidential Message                                                                                                                                          Your document has been completed

Read More

"Consumer Benefit Ltd" adware sites to block

A couple of network blocks came to my attention after investigating some adware ntlanmbn.exe (VirusTotal report) and GFilterSvc.exe (report) both in C:\WINDOWS\SYSTEM32.

The blocks are 212.19.36.192/27 and 82.98.97.192/28 and are allocated to:

netname:        Consumer-Benefit-AV-NETdescr:          Consumer Benefit LTDdescr:          Suite F 1st floor, New City Chambersdescr:          36 Wood 

Read More

"African Development Humanitarian Council" (adhcouncil.org) scam

This spam promotes the non-existent African Development Humanitarian Council purportedly with a web address of adhcouncil.org:


From:     camara amadu [camaraamadu9@gmail.com]To:     davisaentltd@rediffmail.comDate:     10 November 2013 14:23Subject:     FOOD STUFF NEEDED URGENTLYSigned by:     gmail.comAfrican Development Humanitarian Councilhttp://www.rediffmail.com/cgi-bin/red.cgi?

Read More

"Voicemail Message" spam / MSG00049.zip and MSG00090.exe

Another day, yet another fake voicemail message spam with a malicious attachment:

Date:      Fri, 8 Nov 2013 15:15:20 +0000 [10:15:20 EST]From:      Voicemail [user@victimdomain.com]Subject:      Voicemail MessageIP Office Voicemail redirected message 
Attached is a file MSG00049.zip which in turn contains a malicious executable MSG00090.exe. Virus detection on VirusTotal is a so-so 12/47.

Read More

Malware sites to block 8/11/2013 (Nuclear EK)

The IPs and domains listed below are currently in use to distribute the Nuclear exploit kit (example). I strongly recommend blocking them or the 142.4.194.0/30 range in which these reside. Many (but not all) of them are already flagged as being malicious by SURBL and Google.

The domains are being used with subdomains, so they don't resolve directly. I have identified 3768 domains in this OVH

Read More

Fake "Financial Times Survey Team" spam / ft-survey.com and AlfainHost

This fake Financial Times spam is a bit of a mystery:


From: The Financial Times [mailto:ft448516@surveymonkey.com]
Sent: Thu 07/11/2013 18:58
Subject: We value your opinion and we need your help


Dear British businessman,

We at the Financial Times are doing a survey among British business owners and managers regarding Euroscepticism.

As you are currently aware David Cameron on Monday

Read More

"You received a voice mail" spam / Voice_Mail.exe

This fake voice mail spam has a malicious attachment:


Date:      Thu, 7 Nov 2013 15:58:15 +0100 [09:58:15 EST]
From:      Microsoft Outlook [no-reply@victimdomain.net]
Subject:      You received a voice mail

You received a voice mail : N_58Q-ILM-94XZ.WAV (182 KB)
   
Caller-Id:
   
698-333-5643
   
Message-Id:
   
80956-84B-12XGU
   
Email-Id:
   
[redacted]

This e-mail contains a

Read More

"Voice Message from Unknown" spam / VoiceMail.zip

This fake voice mail spam comes with a malicious attachment:


Date:      Wed, 6 Nov 2013 22:22:28 +0800 [09:22:28 EST]From:      Administrator [voice9@victimdomain]Subject:      Voice Message from Unknown (886-966-4698)- - -Original Message- - -From: 886-966-4698Sent: Wed, 6 Nov 2013 22:22:28 +0800To: recipients@victimdomainSubject:  Private Message 
The email appears to come from an email

Read More

"Invoice 17731 from Victoria Commercial Ltd" spam leads to DOC exploit

This fake invoice email leads to a malicious Word document:


From: Dave Porter [mailto:dave.porter@blueyonder.co.uk] Sent: 06 November 2013 12:06To: [redacted]Subject: Invoice 17731 from Victoria Commercial LtdDear Customer :Your invoice is attached to the link below:[donotclick]http://www.vantageone.co.uk/invoice17731.docPlease remit payment at your earliest convenience.Thank you for your

Read More

USPS spam / Label_442493822628.zip

This fake USPS spam has a malicious attachment:


Date:      Tue, 5 Nov 2013 14:24:45 +0000 [09:24:45 EST]
From:      USPS Express Services [service-notification@usps.gov]
Subject:      USPS - Missed package delivery

The courier company was not able to deliver your parcel by your address.

Cause: Error in shipping address.

Label: 442493822628

Print this label to get this package at our post

Read More

"ACH Notification : ACH Process End of Day Report" spam / ACAS1104201336289204PARA7747.zip

This fake ACH (or is it Paychex?) email has a malicious attachment:


Date:      Tue, 5 Nov 2013 08:28:30 -0500 [08:28:30 EST]From:      "Paychex, Inc" [paychexemail@paychex.com]Subject:      ACH Notification : ACH Process End of Day ReportAttached is a summary of Origination activity for 11/04/2013 If you need assistanceplease contact us via e-mail at paychexemail@paychex.com during regular

Read More

"Payment Overdue - Please respond" spam / Payroll_Report-PaymentOverdue.exe

This fake SAGE spam has a malicious attachment:


Date:      Mon, 4 Nov 2013 21:00:59 +0600 [10:00:59 EST]From:      Payroll Reports [payroll@sage.co.uk]Please find attached payroll reports for the past months. Remit the new payment by 11/10/2013 as outlines under our payment agreement.Sincerely,Bernice SwansonThis e-mail has been sent from an automated system.  PLEASE DO NOT REPLY.CONFIDENTIAL

Read More

CCDCOE.org "Information Security Audit" spam

Here's a weird spam email..


From: CCDCOE [mailto:ccdcoe@ccdcoe.org] Sent: Monday, November 04, 2013 12:16 PMSubject: Information Security AuditDear Sir,I am writing to inform you that NATO Cooperative Cyber Defence Centre of Excellence conducted an information security audit of the network infrastructureof your organization. It was carried out as part of exercise Steadfast Jazz 2013.Our

Read More

"Corporate eFax message" spam / bulkbacklinks[.]com and Xeex.com

Oh my, do people really fall for this "Corporate eFax message" spam? Apparently people do because the spammers keep sending it out.


Date:      Wed, 30 Oct 2013 23:33:23 +0900 [10:33:23 EDT]
From:      eFax Corporate [message@inbound.efax.com]
Subject:      Corporate eFax message from "673-776-6455" - 2 pages

Fax Message [Caller-ID: 673-776-6455] You have received a 2 pages fax at 2013-30-10

Read More

Something evil on 144.76.207.224/28

The network block 144.76.207.224/28 is currently hosting the Magnitude exploit kit (example report) [hat tip to Malekal.com judging from the report].

This is a Hetzner IP range suballocated to:
inetnum:        144.76.207.224 - 144.76.207.239netname:        SPHERE-LTDdescr:          Sphere LTD.country:        DEadmin-c:        AR10715-RIPEtech-c:         AR10715-RIPEstatus:         ASSIGNED

Read More

Suspect network: 69.26.171.176/28

69.26.171.176/28 is a small network range is suballocated from Xeex to the following person or company which appears to have been compromised.

%rwhois V-1.5:0000a0:00 rwhois.xeex.com (by Network Connection Canada. V-1.0)network:auth-area:69.26.160.0/19network:network-name:69.26.171.176network:ip-network:69.26.171.176/28network:org-name:MJB Capital, Inc.network:street-address:8275 South Eastern

Read More

"Division of Unemployment Assistance" spam / attached_forms.exe

This spam comes with a malicious attachment:


Date:      Tue, 29 Oct 2013 11:12:18 -0600 [13:12:18 EDT]
From:      "info@victimdomain" [info@victimdomain]
Subject:      [No Subject]

A former employee(s) of your company or organization recently filed a claim for benefits
with the Division of Unemployment Assistance (DUA). In order to process this claim, DUA
needs information about each former

Read More

Something evil on 82.211.31.147

Still investigating this one, but 82.211.31.147 (IP-Projects, Germany) appears to be a completely rogue server hosting exploit kits and malware [1] [2].

The following domains and subdomains are associated with with IP address. I recommend blocking them, or more easily the IP address itself.

(Note, this is an updated and shorter version that in the original post)

Read More

Wells Fargo "Check copy" spam / Copy_10292013.zip

These fake Wells Fargo spam messages have a malicious attachment:


Date:      Tue, 29 Oct 2013 22:34:50 +0800 [10:34:50 EDT]
From:      Wells Fargo [Emilio.Hendrix@wellsfargo.com]
Subject:      FW: Check copy

We had problems processing your latest check, attached is a image copy.

Emilio Hendrix
Wells Fargo Check Processing Services
817-576-4067 office
817-192-2390 cell Emilio.Hendrix@

Read More

Google Ads and #FFF7ED.. what's wrong with this picture?

So here's a long-standing source of irritation that I decided to have a poke at today.. Google Ads in search results. Now, obviously this is one of the main ways that Google makes money and frankly it's part of the deal in them giving you all those search results for free.

Let's take a look at a typical results page, for the term data recovery software (this is traditionally one of the most

Read More

American Express "Fraud Alert" spam / steelhorsecomputers.net

This fake Amex spam leads to malware on steelhorsecomputers.net:

       

From:     American Express [fraud@aexp.com]Date:     28 October 2013 14:14Subject:     Fraud Alert : Irregular Card ActivityIrregular Card Activity                                    Dear Customer,We detected irregular card activity on your American ExpressCheck Card on 28th October, 2013.As the Primary Contact, you

Read More

"You are a Mercedes-Benz winner !!!" spam

This is a slightly novel twist on an advanced fee fraud scam:


From:     Mercedes-Benz [desk_notification@yahoo.com]Reply-To:     bmlot20137@live.comDate:     27 October 2013 13:44Subject:     You are a Mercedes-Benz winner !!!Dear Recipient,You have received a loyalty reward from Mercedes-Benz, Answer the Below question correctly and stand a chance of winning our Promotional Award Grand prize

Read More

Never mind the NSA, here is LinkedIn Intro

LinkedIn recently announced LinkedIn Intro which is an add-in to the iOS mail app, allowing you do display a contact's LinkedIn data in the message you are reading by injected code into the datastream. This is of marginal use to most people, and many reader will recognise this as being something that annoying browser plugins have done for some time.

Despite LinkedIn's Pledge of Privacy, many

Read More

"You have received a new debit" Lloyds TSB spam

This fake Lloyds TSB message has a malicious attachment:


Date:      Fri, 25 Oct 2013 13:55:41 +0200 [07:55:41 EDT]
From:      LloydsTSB [noreply@lloydstsb.co.uk]
Subject:      You have received a new debit
Priority:      High Priority 1 (High)

This is an automatically generated email by the Lloyds TSB PLC LloydsLink online payments Service.

The details of the payment are attached.

========

Read More

Malware sites to block 25/10/2013

This list replaces this one, and mostly contains domains and IPs connected with this gang. The list starts with IPs and web hosts, followed by plain IPs and domains for copy-and-pasting.

5.175.171.89 (GHOSTnet, Germany)5.231.40.197 (GHOSTnet, Germany)5.231.47.92 (GHOSTnet, Germany)31.210.112.28 (Veri Merkezi Hizmetleri, Turkey)42.121.84.12 (Aliyun Computing Co, China)60.199.253.165 (Taiwan

Read More

"My resume" spam / Resume_LinkedIn.exe

This rather terse spam email message has a malicious attachment:


Date:      Thu, 24 Oct 2013 15:45:37 +0200 [09:45:37 EDT]From:      Elijah Parr [Elijah.Parr@linkedin.com]Subject:      My resumeAttached is my resume, let me know if its ok.Thanks,Elijah Parr ------------------------Date:      Thu, 24 Oct 2013 19:14:37 +0530 [09:44:37 EDT]From:      Greg Barnes [Greg.Barnes@linkedin.com]Subject

Read More

"Voice Message from Unknown" spam / VoiceMessage.exe

These bogus voice message spams have a malicious attachment:


Date:      Wed, 23 Oct 2013 19:17:42 +0530 [09:47:42 EDT]
From:      Administrator [voice8@victimdomain]
Subject:      Voice Message from Unknown (553-843-8846)

- - -Original Message- - -

From: 553-843-8846
Sent: Wed, 23 Oct 2013 19:17:42 +0530
To: [recipient list at victimdomain]
Subject: Important: to all Employee



Date:

Read More

ADP spam / abrakandabr.ru

This fake ADP spam leads to malware on abrakandabr.ru:


From:     ClientService@adp.com [ClientService@adp.com]Date:     22 October 2013 18:04Subject:     ADP RUN: Account Charge AlertADP Urgent CommunicationNote ID: 33400October, 22 2013Valued ADP PartnerAccount operator with ID 58941 Refused Yesterday Payroll Operation from your ADP account recently. Report(s) have been uploaded to the

Read More

"Last Month Remit" spam / Remit_10212013.exe

This bogus remittance spam comes a malicious attachment:


Date:      Mon, 21 Oct 2013 15:08:15 +0100 [10:08:15 EDT]
From:      Administrator [docs9@victimdomain]
Subject:      FW: Last Month Remit

File Validity: 21/10/2013
Company : http://[victimdomain]
File Format: Office - Excel
Internal Name: Remit File
Legal Copyright: ╘ Microsoft Corporation. All rights reserved.
Original Filename: Last

Read More

Malware sites to block 18/10/2013

These IPs and domains are associated with this spam run. Some of these servers have been compromised for some time by the looks of things. There's a plain list for copy-and-pasting at the end.

12.46.52.147 (Compact Information Systems / AT&T, US)
41.203.18.120 (Hetzner, South Africa)
62.75.246.191 (Intergenia, Germany)
62.76.42.58 (Clodo-Cloud / IT House, Russia)
69.46.253.241 (RapidDSL &

Read More

Dropbox spam leads to malware on.. errr.. dynamooblog.ru

Two days ago I wrote about the apparent return of the RU:8080.. well it appears that in order to celebrate their return, they've acknowledged my acknowledgement in the form of a malware landing page of dynamooblog.ru.

Well... hi guys. Things have been a bit quieter without you. Anyway, this is the latest spam email purportedly from Dropbox, and using the same template as used in this

Read More

Avaya "Voice Mail Message" spam with a malicious payload

This fake voice mail message appears to originate from within the victim's own domain (although that is just a forgery):


Date:      Fri, 18 Oct 2013 09:19:42 -0600 [11:19:42 EDT]From:      Voice Mail Message [1c095eb9-fa18-74e5-b@victimdomain.com]Subject:      Voice Mail Message ( 45 seconds )This voice message was created by Avaya Modular Messaging. To listen to this voice message,just open

Read More

"Microsoft Windows Update" phish

A random and untargeted attempt at phishing with a Windows Update twist.


From:     Microsoft Office [accounts-updates@microsoft.com]Date:     17 October 2013 02:54Subject:     Microsoft Windows UpdateDear Customer,Evaluation period has expired. For information on how to upgrade your windows software please Upgrade Here.Thank you,Copyright © 2013 Microsoft Inc. All rights reserved.
The email

Read More

"Scan from a Xerox WorkCentre" spam / A136_Incoming_Money_Transfer_Form.exe

The malware spammers are suffering from a chronic lack of imagination with this familiar fake printer spam:


Date:      Thu, 17 Oct 2013 13:01:52 -0600 [15:01:52 EDT]From:      Incoming Fax [Incoming.Fax3@victimdomain.com]Subject:      Scan from a Xerox WorkCentrePlease download the document.  It was scanned and sent to you using a Xerox multifunction device.File Type: pdfDownload: Scanned

Read More

118directoryuk.com spam from Darren Gaskell and Sally Gaskell

This spam comes from the serial-spamming husband-and-wife team of Darren Gaskell and Sally Gaskell.


Date:      Thu, 17 Oct 2013 14:53:51 +0100 [09:53:51 EDT]
From:      118 Directory [data@118directoryuk.com]
Subject:      118 Directory

118 welcomes you to our new adventure.

We hope this email finds you well. We wanted to update you on our new service and assist you in getting the most out

Read More

"Atlantics Post LLC" fake job offer

A bit of Money Mule recruiting that isn't really trying very hard..

Date:      Wed, 16 Oct 2013 14:54:34 -0300 [13:54:34 EDT]From:      Atlantics Post [misstates7@compufort.com]Subject:      Career with Atlantics Post LLCAtlantics Post LLC is now hiring for a Shipping Clerk. If You are young, enthusiastic person. Looking for a great job opportunity with a stable in come this job is for

Read More

LinkedIn spam / Contract_Agreement_whatever.zip

This fake LinkedIn spam has a malicious attachment:


Date:      Wed, 16 Oct 2013 11:57:55 -0600 [13:57:55 EDT]From:      Shelby Gordon [Shelby@linkedin.com]Attached is your new contract agreements.Please read the notes attached, then complete, sign and return this form.Shelby GordonContract ManagerOnline Division - LinkedInShelby.Gordon@linkedin.comOffice: 302-449-8859 Ext. 33Direct:

Read More

Pinterest spam, alenikaofsa.ru and the return of the RU:8080 gang?

This fake Pinterest spam leads to a malicious download on alenikaofsa.ru:


Date:      Wed, 16 Oct 2013 12:03:11 -0300 [11:03:11 EDT]
From:      Pinterest [pinbot@pinterest.biz]
Subject:      Your Facebook friend Andrew Hernandez joined Pinterest

A Few Updates...
[redacted]
   
Andrew Hernandez    

Your Facebook friend Andrew Hernandez just joined Pinterest. Help welcome Carol to the

Read More

"Payroll Received by Intuit" spam / payroll_report_147310431_10112013.zip

This fake Intuit spam comes with a malicious attachment:


Date:      Tue, 15 Oct 2013 16:20:40 +0000 [12:20:40 EDT]From:      Intuit Payroll Services IntuitPayrollServices@payrollservices.intuit.com]Subject:      Payroll Received by IntuitDear, [redacted]We received your payroll on October 11, 2013 at 4:41 PM .Attached is a copy of your Remittance. Please click on the attachment in order to

Read More

USPS spam / Label_ZFRLOADD5PGGZ0Z_USPS.zip

This fake USPS spam has a malicious attachment:


Date:      Tue, 15 Oct 2013 09:36:02 -0500 [10:36:02 EDT]From:      USPS Express Services [service-notification@usps.com]Subject:      USPS - Missed package deliveryNotificationOur company's courier couldn't make the delivery of package.REASON: Postal code contains an error.DELIVERY STATUS: Sort OrderSERVICE: One-day ShippingNUMBER OF YOUR

Read More

Malware sites to block 14/10/2013

It's been a while since I trawled around the activities of the "Amerika" gang, but here is a new set of malicious domains and IPs to block, replacing this list.

24.111.103.183 (Midcontinent Media, US)
42.121.84.12 (Aliyun Computing Co, China)
59.99.226.17 (BB-Multiplay, India)
60.199.253.165 (Taiwan Fixed Network Co, Taiwan)
62.141.46.8 (fast IT, Germany)
65.189.35.129 (Time Warner Cable, US)

Read More

Meet Muhammad Ali Hassan, spammer

This idiot is attempting to get a job by randomly sending out spam.


From:     Muhammad Ali Hassan [sumtech12@emirates.net.ae]
Reply-To:     ALY.HASSAN.ZIA@gmail.com
Date:     11 October 2013 11:57
Subject:     Applying for the post of Chartered Accountant / Finance Manager /Financial Analytics & Auditor or any other suitable position as per my knowledge and experience.
Sub: Applying for the

Read More

Companies House phish

This fake Companies House spam appears to be some sort of phishing attempt:


Date:      Thu, 10 Oct 2013 11:57:31 +0300 [04:57:31 EDT]From:      Companies House [contact@companieshouse.co.uk]Subject:      Compulsory Companies House WebFiling Update #90721Compulsory Companies House WebFiling Update #90721This is an important notice to inform you as a registered company to update your

Read More

"Annual Form - Authorization to Use Privately Owned Vehicle on State Business" spam / warehousesale.com.my

This oddly-themed spam has a malicious attachment:


Date:      Tue, 8 Oct 2013 11:49:49 -0600 [10/08/13 13:49:49 EDT]From:      Waldo Reeder [Waldo@victimdomain.com]Subject: Annual Form - Authorization to Use Privately Owned Vehicle on State BusinessAll employees need to have on file this form STD 261 (attached).  The original isretained by supervisor and copy goes to Accounting. Accounting

Read More

An informal anti-virus comparison

I use VirusTotal quite a lot for looking at malware and determining how difficult it is to determine, and over time I've built up a fair amount of data on what performs well with the sort of malware that I throw at it.

This isn't a particularly scientific test, the malware I scan has a strong tendency to arrive by email rather than a being a drive-by download and the product settings in

Read More

Fake Well Fargo spam comes with a malicious attachment / lasub-hasta.com

This fake Wells Fargo spam is a retread of this one, but comes with a slightly different attachment:


Date:      Mon, 7 Oct 2013 19:56:29 +0100 [10/07/13 14:56:29 EDT]
From:      "Harry_Buck@wellsfargo.com" [Harry_Buck@wellsfargo.com]
Subject:      Documents - WellsFargo

Please review attached files.

Harry_Buck
Wells Fargo Advisors
817-487-2882 office
817-683-6287 cell Harry_Buck@

Read More

Fake Dropbox spam leads to malware on adelect.com

This fake Dropbox spam leads to malware:


Date:      Fri, 4 Oct 2013 16:24:30 +0330 [08:54:30 EDT]From:      Dropbox [no-reply@dropboxmail.com]Subject:      Please update your Expired Dropbox PasswordHi [redacted].We noticed that you recently tried to login in to Dropbox with a password that you haven't changed more than 90 days. Your old password has expired and you'll need to create a new

Read More

Fake Amazon spam uses email address harvested from Comparethemarket.com

This fake Amazon spam was sent to an email address only used for the UK price comparison site Comparethemarket.com.


From:     Amazon.com [ship-confirm@amazon.com]
Reply-To:     "Amazon.com" [ship-confirm@amazon.com]
Date:     3 October 2013 15:43
Subject:     Your Amazon.com order of "Canon EOS 60D DSLR..." has shipped!

 Amazon.com        
Kindle Store
     |  Your Account  |  Amazon.com

Read More

Fake Staples spam leads to malware on tootle.us

This fake Staples spam leads to malware on a site called tootle.us:


Date:      Wed, 2 Oct 2013 08:40:11 -0500 [09:40:11 EDT]From:      support@orders.staples.comSubject:      Staples order #: 1353083565            Thank you for shopping Staples.Here's what happens next:Order No.:1353083565    Customer No.:1278823232     Method of Payment:Credit or Debit CardTrack order: Track your

Read More

Fake NACHA spam leads to malware on thewalletslip.com

This fake NACHA spam leads to malware on thewalletslip.com:


Date:      Tue, 1 Oct 2013 15:05:56 +0330 [07:35:56 EDT]From:      ACH Network [markdownfyye396@nacha.org]Subject:      Your ACH transferThe ACH processing (ID: 428858072307), recently was made from your bank account (by you or any other person), was rejected by the other financial institution.Aborted transferACH transfer ID:    

Read More

Wells Fargo "Important Documents" spam with a malicious ZIP file

This fake Wells Fargo spam comes with a malicious attachment:


Date:      Mon, 30 Sep 2013 11:54:15 -0600 [13:54:15 EDT]From:      Bryon Faulkner [Bryon.Faulkner@wellsfargo.com]Subject:      Important DocumentsPlease review attached documents.Bryon FaulknerWells Fargo Advisors817-527-6769 office817-380-3921 cell Bryon.Faulkner@wellsfargo.comInvestments in securities and insurance products

Read More

IRS "Invalid File Email Reminder" spam / oooole.org

This fake IRS spam leads to malware on oooole.org:


Date:      Mon, 30 Sep 2013 03:44:12 -0800 [07:44:12 EDT]From:      "Fire@irs.gov" [burbleoe9@irs.org]Subject:      Invalid File Email Reminder9/30/2013Valued Transmitter,We few weeks agoreceived your electronic file(s) of information returns; but, the file(s) contained errors. As of the date of this email, we have not received a good

Read More

Facebook "You have new notifications" spam / directgrid.org

This fake Facebook spam leads to malware on directgrid.org:


Date:      Fri, 27 Sep 2013 16:22:58 +0300 [09:22:58 EDT]
From:      Facebook [notification+W85BNFWX@facebookmail.com]
Subject:      You have 21 friend suggestions, 11 friend requests and 14 photo tags

facebook
You have new notifications.
A lot has happened on Facebook since you last logged in. Here are some notifications
you've

Read More

Something evil on 91.231.98.149 and boats.net

This injection attack [urlquery] on boats.net caught my attention, a nasty bit of injected code pointing to a (now suspended) domain called gamelikeboards.biz hosted on 91.231.98.149 (Neohost.net, Ukraine). Basically, the victim website has code injected pointing to [donotclick]gamelikeboards.biz/_cp/crone/ which cannot be anything good.

What do we know about gamelikeboards.biz? As luck would

Read More

Intuit spam / Invoice_3056472.zip

It's an email from a company I have no dealings with, with a ZIP file that contains an EXE file! What could possible go wrong? Oh..


Date:      Wed, 25 Sep 2013 09:37:48 -0600 [11:37:48 EDT]From:      Lewis Muller [Lewis.Muller@intuit.com]Subject:      FW: Invoice 3056472Your invoice is attached.Sincerely,Lewis MullerThis e-mail has been sent from an automated system.  PLEASE DO NOT REPLY.The

Read More

AICPA spam / children-bicycle.net

This fake AICPA spam leads to malware on the domain children-bicycle.net:


From:     Reggie Wilkins [blockp12@clients.aicpa.net]Date:     25 September 2013 15:03Subject:     Your accountant license can be cancelled.You're receiving this email as a Certified Public Accountant and a member of AICPA.Having trouble reading this email? View it in your browser.AICPA logoCancellation of Accountant

Read More

6rf.net and something evil on 198.50.225.121, 85.25.108.10 and 178.33.208.211

Here are a couple of IPs serving exploit kits.. the case in question is a legitimate site that loads code from 6rf.net and this in turn loads an exploit kit from [donotclick]yandex.ru.sgtfnregsnet.ru and [donotclick]l451l.witnessvacant.biz.

The .biz domain in this case is hosted on 198.50.225.121 (OVH, Canada) along with subdomains of the following (more here):

witnessvacant.biz

Read More

"International Wire Transfer" spam / INTL_Wire_Report-09242013.zip

This fake wire transfer spam has a malicious attachment:


Date:      Tue, 24 Sep 2013 10:54:32 -0700 [13:54:32 EDT]From:      Wells Fargo Event Messaging Admin [ofsrep.ceoemigw@wellsfargo.com]Subject:      International Wire Transfer File Not Processed

We are unable to process your International Wire Transfer request due to insufficient funds in the identified account.Review the information

Read More

Malware sites to block 24/9/2013

The malicious IPs and domains on this list are operated by this gang, and it replaces the list last week.

5.135.42.104 (OVH, Netherlands)24.111.103.183 (Midcontinent Media, US)24.173.170.230 (Time Warner Cable, US)32.64.143.79 (AT&T, US)37.153.192.72 (Routit BV, Netherlands)37.221.163.174 (Voxility SRL, Romania)42.121.84.12 (Aliyun Computing Co, China)46.32.47.24 (Syd Energi, Denmark)

Read More

Siga Resources Inc (SGAE) pump-and-dump spam

This pump-and-dump (P&D) spam for Siga Resources Inc (SGAE) follows a familiar pattern: it starts almost immediately after the close of trading on the Friday and the characteristics match several other recent spam runs which have been sent out by the Kelihos botnet. The spams look like this:


Are We having Fun Yet? THIS COMPANY IS UP TODAY ON LARGE VOLUME.

Trading Date: Monday, September

Read More

WhatsApp "3 New Voicemail(s)" spam and 219.235.1.127

I am indebted to Gary Warner for his analysis of this malware. But I can't resist having a poke at it myself. This malware is particularly cunning.

First of all, it starts with a WhatsApp-themed spam:


From:     WhatsApp Messaging Service
Date:     20 September 2013 19:36
Subject:     3 New Voicemail(s)

WhatsApp

You have a new voicemail!
Details
Time of Call: Sep-17 2013 04:05:07
Lenth of

Read More

Apple (AAPL) pump-and-dump spam

A pump and dump spam trying to move Apple (AAPL) stock? Really? I don't think a spam run is going to have much effect on a $473 share in a company worth $420bn.


From: lpskann@scminvest.com
Subject: This Company continues to surge, could new highs be ahead?

Apple has presented its new models - iPhone 5S and iPhone 5C,
which actually have not moved the providers of financing. But, we
got to

Read More

"INCOMING FAX REPORT" spam / lesperancerenovations.com

This fake fax spam appears to come from the Administrator at the victim's domain:

Date:      Wed, 18 Sep 2013 15:01:42 -0500 [16:01:42 EDT]From:      Administrator [administrator@victimdomain]Subject:   INCOMING FAX REPORT : Remote ID: 8775654573*********************************************************INCOMING FAX REPORT*********************************************************Date/Time: 09/18

Read More

FDIC spam / horse-mails.net

This fake FDIC spam leads to malware on www.fdic.gov.horse-mails.net:


Date:      Tue, 17 Sep 2013 15:28:52 +0330 [07:58:52 EDT]From:      insurance.coverage@fdic.govSubject:      FDIC: About your business accountDear Business Customer,We have important news regarding your financial institution.Please View to see further details.This includes information on the acquiring bank (if applicable),

Read More

ADP spam / ADP_831290760091.zip

This fake ADP spam has a malicious attachment:


Date:      Tue, 17 Sep 2013 20:32:04 +0530 [11:02:04 EDT]
From:      ADP ClientServices
Subject:      ADP - Reference #831290760091
Priority:      High Priority 1 (High)

We were unable to process your recent transaction. Please verify your details and try again.
If the problem persists, contact us to complete your order.

Transaction details

Read More

FedEx spam FAIL

This fake FedEx spam is presumably meant to have a malicious payload:


Date:      Tue, 17 Sep 2013 13:02:25 +0000 [09:02:25 EDT]From:      webteam@virginmedia.comSubject:      Your Rewards Order Has ShippedHeaders:      Show All Headers                                This is to confirm that one or more items in your order has been shipped. Note that multiple items in an order may be shipped

Read More

SpeedPacket, CookieBomb and something evil on 37.58.73.42, 95.156.228.69 and 195.210.43.42

A few days ago the Internet Storm Center raised a question about activity on 37.58.73.42 (Softlayer, Netherlands / Techpreneurs India Pvt Ltd, India), 95.156.228.69 (Game Company, Germany) and 195.210.43.42 (Syntis, France).

I hadn't seen the attack in question until today with this injection attack on a legitimate site, using a Cookie Bomb script [1] [2] to send victims to a site [donotclick]

Read More

Malware sites to block 17/9/13

This set of malicious IPs and domains is associate with this gang, and the list replaces the last one published here.

24.173.170.230 (Time Warner Cable, US)32.64.143.79 (AT&T, US)37.153.192.72 (Routit BV, Netherlands)42.121.84.12 (Aliyun Computing Co, China)46.246.111.159 (Portlane Networks, Sweden)58.68.228.148 (Beijing Blue I.T Technologies Co., China)58.246.240.122 (China Unicom, China)

Read More

eFax spam / rockims.com

This fake eFax spam leads to malware on rockims.com:


Date:      Mon, 16 Sep 2013 22:43:06 +0400 [14:43:06 EDT]From:      eFax Corporate [message@inbound.efax.com]Subject:      Corporate eFax message - 1 pagesWarning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information.Fax Message [Caller-ID:

Read More

Walls Fargo spam / WellsFargo - Important Documents.zip

This fake Wells Fargo spam has a malicious attachment:


Date:      Mon, 16 Sep 2013 09:26:51 -0500 [10:26:51 EDT]From:      Harrison_Walsh@wellsfargo.comSubject:      IMPORTANT Documents - WellsFargoPlease review attached documents.Harrison_WalshWells Fargo Advisors817-674-9414 office817-593-0721 cell Harrison_Walsh@wellsfargo.comInvestments in securities and insurance products are:NOT

Read More

Alanco Technologies Inc (ALAN) pump-and-dump spam run

Alanco Technologies Inc is an Arizona-based firm found in 1969 that used to be active in several technology markets, but over recent years it has divested itself of those assets and its primary business activities are now in the business of waste water disposal. The company does not make a profit (and indeed in some recent years made no direct income whatsoever). The bulk of its financial

Read More

citizensbank.com "Issue File I3774 Processed" spam

For some reason I'm seeing a lot of these EXE-in-ZIP attacks recently. Here's another one with a malicious attachment:


Date:      Fri, 13 Sep 2013 11:09:53 -0500 [12:09:53 EDT]From:      "GISPROD@citizensbank.com" [GISPROD@citizensbank.com]Subject:      Issue File I3774 ProcessedRegarding Issue File 3774 - Total Issue Items # 36 Total Issue Amount $42,171.75 Thiswill confirm that your issue

Read More

QuickBooks spam / Invoice_20130912.zip

This fake QuickBooks spam has a malicious attachment:


Date:      Thu, 12 Sep 2013 20:29:17 +0200 [14:29:17 EDT]From:      QuickBooks Invoice [auto-invoice@quickbooks.com]Subject:      Important - Payment OverduePlease find attached your invoices for the past months. Remit the payment by 09/16/2013 as outlines under our "Payment Terms" agreement.Thank you for your business,Sincerely,Quentin

Read More

USPS spam / Label_FOHWXR30ZZ0LNB1.zip

This fake USPS spam has a malicious attachment:


Date:      Wed, 11 Sep 2013 11:19:05 -0500 [12:19:05 EDT]
From:      USPS Express Services [service-notification@usps.com]
Subject:      USPS - Missed package delivery
Priority:      High Priority 1 (High)

Notification

Our company's courier couldn't make the delivery of package.

REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL:

Read More

Are top porn sites still riddled with malware?

This summary is not available. Please click here to view the post.

Read More

BBB Spam / Case_0938818_2818.exe

This fake BBB spam has a malicious attachment:


Date:      Tue, 10 Sep 2013 15:07:14 +0100 [10:07:14 EDT]From:      Better Business Bureau [Aldo_Austin@newyork.bbb.org]Subject:      FW: Case IN11A44X2WCP44MThe Better Business Bureau has received the above-referenced complaint from one of yourcustomers regarding their dealings with you. The details of the consumer's concern areincluded on the

Read More

ACH file ID "999.107" has been processed successfully spam / www.fiscdp.com.airfare-ticketscheap.com

This fake FISC ACH spam leads to malware on www.fiscdp.com.airfare-ticketscheap.com:


Date:      Tue, 10 Sep 2013 17:05:49 +0530 [07:35:49 EDT]From:      Financial Institution Service [improvehv89@m.fiscdp.gov]Subject:      ACH file ID "999.107"  has been processed successfullyFiles FISC Processing ServiceSUCCESS NotificationWe have successfully handled ACH file 'ACH2013-09-09-62.txt' (id '

Read More

ygregistry.org domain scam

This Chinese domain scammers never give up, this scam has been seen several times before [1] [2] [3] [4].


From:     Jim Bing [jim.bing@ygregistry.org]Date:     9 September 2013 14:32Subject:     Regarding "[redacted]" Cn domain name and Internet KeywordDear Manager,(If you are not the person who is in charge of this, please forward this to your CEO,Thanks)This email is from China domain name

Read More

Malware sites to block 9/9/13, part II

Another set of IPs and domains related to this attack detailed by Sophos, and overlapping slightly with the malicious servers documented here.

I've just listed the main domains, but the attack itself uses thousands of subdomains (e.g. zwgaf72d4erv7g.www5.tohk5ja.cc) to do evil things.

46.20.36.9 (Syslayer.com, Germany)
74.63.229.252 (Limestone Networks / 123systems Solutions, US)

Read More

Malware sites to block 9/9/13

These domains and IPs are associated with this gang, this list supersedes (or complements) the one I made last week.

1.209.108.29 (BORANET, Korea)24.173.170.230 (Time Warner Cable, US)37.153.192.72 (Routit BV, Netherlands)42.121.84.12 (Aliyun Computing Co, China)58.68.228.148 (Beijing Blue I.T Technologies Co., China)58.246.240.122 (China Unicom, China)61.36.178.236 (LG DACOM, Korea)

Read More

Dealerbid.co.uk "Quotation.zip" spam with malicious VBS script

The website dealerbid.co.uk has been compromised and their servers hacked in order to send spam to their customer list. Something similar has happened before a few months ago.

In this case the spam email was somewhat mangled, but I am assuming that the spammers know how to fix this. The spam email is as follows:


From:     Christopher Rawson [christopher.r@kema.com]Date:     7 September 2013

Read More

"Scanned Document Attached" spam / FSEMC.06092013.exe

This fake financial spam contains an encrypted attachment with a malicious file in it.


Date:      Fri, 6 Sep 2013 15:19:37 +0000 [11:19:37 EDT]From:      Fiserv [Lawanda_Underwood@fiserv.com]Subject:      FW: Scanned Document AttachedDear Business Associate:Protecting the privacy and security of client, company, and employeeinformation is one of our highest priorities. That is why Fiserv

Read More

CNN "The United States began bombing" spam / luggagepreview.com

This fake CNN spam leads to malware on luggagepreview.com:


Date:      Fri, 6 Sep 2013 11:30:57 -0600 [13:30:57 EDT]
From:      CNN [BreakingNews@mail.cnn.com]
Subject:      CNN: "The United States began bombing"

The United States began bombing!
By Casey Wian, CNN
updated 9:01 AM EDT, Wed August 14, 2013


(CNN) -- Pentagon officials said that the United States launched the first strikes

Read More

Facebook spam / www.facebook.com.achrezervations.com

This fake Facebook spam leads to malware on www.facebook.com.achrezervations.com:


Date:      Fri, 6 Sep 2013 08:07:14 -0500 [09:07:14 EDT]From:      Facebook [notification+puppies9@mail.facebookmail.net]Reply-To:      noreply [noreply@postmaster.facebookmail.org]Subject:      Cole Butler confirmed your Facebook friend requestfacebook    Cole Butler has confirmed that you're friends on

Read More

Something evil on 37.59.164.209 (OVH)

37.59.164.209 is a server operated by OVH in France. It has many malicious domains hosted on it, indeed almost everything on it is flagged by Google as being malicious (highlighted in the list below). Blocking access to that IP address is the simplest approach as the malicious sites do seem to be in some flux.

Recommended blocklist:

Read More

NACHA spam / nacha-ach-processor.com

This fake NACHA spam (I thought these were out of fashion!) leads to malware on nacha-ach-processor.com:


From:     The Electronic Payments Association - NACHA [leansz35@inbound.nacha.com]Date:     5 September 2013 17:55Subject:     Rejected ACH transferThe ACH transaction (ID: 985284643257), yesterday sent from your account (by one of your account members), was cancelled by the recipient's

Read More

Facebook spam / kapcotool.com

This fake Facebook spam leads to malware on kapcotool.com:


From:     Facebook [no-reply@facebook.com]Date:     5 September 2013 15:21Subject:     Michele Murdock wants to be friends with you on Facebook.facebook    Michele Murdock wants to be friends with you on Facebook.University of Houston, Victoria342 friends - 28 photosConfirm Request          See All RequestsThis message was sent to [

Read More

HSBC spam / Original Copy (Edited).zip

This fake HSBC spam links to a malicious ZIP file:


Date:      Wed, 4 Sep 2013 01:45:17 -0700 [04:45:17 EDT]
From:      HSBC Wire Advising service [wireservice@hsbc.com.hk]
Reply-To:      hsbcadviceref@mail.com
Subject:      HSBC Payment Advice Ref: [H6789000] / ACH Credits / Customer Ref: [PO780090] (Edited)


Dear Sir/Madam,

The attached payment advice is issued at the request of our

Read More

PayPal spam / dshapovalov.info

This fake (and badly formatted) fake PayPal spam email leads to malware on dshapovalov.info:


Date:      Wed, 4 Sep 2013 08:33:25 -0500 [09:33:25 EDT]From:      PayPal [service@int.paypal.com]Subject:      History of transactions #PP-011-538-446-067IDTransaction: { figure } {SYMBOL }On your account malicious activity , for 1 hour was filmed around $ 100 , in small amounts In order to avoid

Read More

Something is very wrong with Gandi US (AS29169 / 173.246.96.0/20)

Recently I have been suggesting reader block quite a few individual IPs at Gandi in the US, but I hadn't noticed exactly how many IPs I had been suggesting until a couple of days ago.

The problem seems to exist in the 173.246.96.0/20 block of AS29169 (173.246.96.0 - 173.246.111.255), a range of IP addresses that houses very many legitimate domains. Unfortunately, it also houses several

Read More

Something evil on 174.140.168.239

The server at 174.140.168.239 (DirectSpace Networks LLC, US) is currently hosting a large number of hijacked GoDaddy domains and is being used to distribute malware [1] [2] [3].

It looks like this server has been active for a couple of months and has been used for a variety of evil purposes, I strongly recommend blocking the following:

Read More

Facebook spam / watchfp.net

All this malware-laden Facebook spam is boring. Here's another one, leading to a malicious payload on watchfp.net:


Date: Tue, 3 Sep 2013 11:37:14 -0700 [14:37:14 EDT]
From: Facebook [notification+zrdohvri=vd1@facebookmail.com]
Subject: Blake Miranda tagged 5 photos of you on Facebook

facebook

Blake Miranda added 5 photos of you.
See photos

Go to notifications
This message

Read More

PayPal spam / londonleatheronline.com

This fake PayPal spam leads to malware on londonleatheronline.com:


Date:      Tue, 3 Sep 2013 09:43:09 +0400 [01:43:09 EDT]
From:      PayPal [service@int.paypal.com]
Subject:      Identity Issue #PP-716-472-864-836

We are writing you this email in regards to your PayPal account. In accordance with our "Terms and Conditions", article 3.2., we would like to kindly ask you to confirm your

Read More

MONK spam tries to profit from WAR threat

The MONK (Monarchy Resources Inc) pump-and-dump spam continues. This time though, the spammers are trying to capitalise on the threat of war in the Middle East:


From:     belova04@jeel.comDate:     2 September 2013 17:32Subject:     This Stock just released Big News!Are you interested in enriching yourself by means of war? It`s the verytime to do it! As soon as the first bombs get to the

Read More

Facebook spam / london-leather.com

This fake Facebook spam leads to malware on london-leather.com:

Date:      Mon, 2 Sep 2013 19:59:52 +0300 [12:59:52 EDT]
From:      Facebook [update+hiehdzge@facebookmail.com]
Subject:      Victoria Carpenter commented on your status


facebook


Hello,

Victoria Carpenter commented on your status.

Victoria wrote: "so cute;)"


Go to comments


Reply to this email to comment on this status.

Read More

Malware sites to block 2/9/13

These IPs and domains are associated with this gang and should all be considered as malicious. This list follows on from this earlier one.

1.209.108.29 (BORANET, Korea)
5.135.114.100 (OVH / onetsolutions.fr, France)
24.173.170.230 (Time Warner Cable, US)
37.200.69.43 (Selectel Ltd, Russia)
42.121.84.12 (Aliyun Computing Co, China)
58.246.240.122 (China Unicom, China)
61.36.178.236 (LG DACOM,

Read More

UPS Spam / UPS Invoice 74458652.zip

This fake UPS invoice has a malicious attachment:


From:      "UPSBillingCenter@ups.com" [UPSBillingCenter@ups.com]Subject:      Your UPS Invoice is ReadyNew invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center. Download the attachment. Invoice will be automatically shown by double click.
Attached is a file UPS Invoice 74458652 which in

Read More

Wells Fargo spam / WellsFargo_08232013.exe

This fake Wells Fargo spam has a malicious attachment:


Date:      Fri, 23 Aug 2013 09:43:44 -0500 [10:43:44 EDT]From:      Morris_Osborn@wellsfargo.comPlease review attached documents.Morris_OsbornWells Fargo Advisors817-718-8096 office817-610-5531 cell Morris_Osborn@wellsfargo.comInvestments in securities and insurance products are:NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUEWells

Read More

"Remittance Docs 2982780" spam / Docs_08222013_218.exe

This fake Chase spam has a malicious attachment:


Date:      Thu, 22 Aug 2013 10:00:33 -0600 [12:00:33 EDT]From:      Jed_Gregory [Jed_Gregory@chase.com]Subject:      Remittance Docs 2982780Please find attached the remittance 2982780.                                                                                                          If you are unable to open the attached file, please

Read More

Discover card "Your account login information updated" spam / abemuggs.com

This fake Discover card spam leads to malware on abemuggs.com:


Date:      Thu, 22 Aug 2013 16:14:59 +0000 [12:14:59 EDT]From:      Discover Card [no-reply@facebook.com]Subject:      Your account login information updatedDiscoverAccess My Account    ACCOUNT CONFIRMATION    Statements | Payments | Rewards    Your account login information has been updated.Dear Customer,This e-mail is to confirm

Read More

Red Sox Baseball spam / lindoliveryct.net

This fake Red Sox spam leads to malware on lindoliveryct.net:


Date:      Thu, 22 Aug 2013 13:02:19 -0400 [13:02:19 EDT]From:      ticketoffice@inbound.redsox.comSubject:      Thank You for your order. ( RSXV - 4735334 - 0959187 )Thank you for your recent ticket purchase. We truly appreciate your support and commitment to Red Sox Baseball. If you have any questions regarding your purchase,

Read More

Facebook spam / thenatemiller.co

This fake Facebook spam leads to malware on thenatemiller.co:


Date:      Wed, 21 Aug 2013 22:05:38 +0530 [12:35:38 EDT]
From:      Facebook [update+hiehdzge@facebookmail.com]
Subject:      You requested a new Facebook password

facebook
Hello,

You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new

Read More

Laughable advanced fee fraud scam promises $2.5

Two-and-a-half bucks? I think I'll pass.

From:     Mr Anthony Freed [johnewele12@cantv.net]Reply-to:     dhlcorriadeliveryservice@live.comDate:     20 August 2013 21:13Subject:     Attention please!!!Attention please!!!We have registered your ATM CARD of (US $2.5) with DHL Express Courier Company with registration code of ( 9665776) please Contact with your deliveryinformation:DHL OFFICE:Name

Read More

Facebook spam / dennissellsgateway.com

This fake Facebook spam leads to malware on dennissellsgateway.com:


Date:      Tue, 20 Aug 2013 15:28:11 -0500 [16:28:11 EDT]
From:      Facebook [no-reply@facebook.com]
Subject:      Gene Maynard wants to be friends with you on Facebook.

facebook
   
Gene Maynard wants to be friends with you on Facebook.
University of Houston, Victoria
342 friends - 28 photos
Confirm Request
       
See

Read More

"You have received a secure message" spam / securedoc.zip

This fake Citi spam contains a malicious attachment:

Date:      Mon, 19 Aug 2013 20:24:27 +0000 [16:24:27 EDT]From:      "secure.email@citi.com" [secure.email@citi.com]Subject:      You have received a secure message










You have received a secure message

Read More

"You requested a new Facebook password" spam / frankcremascocabinets.com

This fake Facebook spam follows on from this one, but has a different malicious landing page at frankcremascocabinets.com:


From:     Facebook [update+hiehdzge@facebookmail.com]Date:     19 August 2013 17:38Subject:     You requested a new Facebook passwordfacebookHello,You recently asked to reset your Facebook password.Click here to change your password.Didn't request this change?If you

Read More

Facebook spam / hubbywifewines.com

This fake Facebook spam leads to malware on hubbywifewines.com:


Date:      Mon, 19 Aug 2013 16:20:06 +0200 [10:20:06 EDT]From:      Facebook [update+hiehdzge@facebookmail.com]Subject:      You requested a new Facebook passwordfacebookHello,You recently asked to reset your Facebook password.Click here to change your password.Didn't request this change?If you didn't request a new password, let

Read More

MONK / Monarchy Resources, Inc pump-and-dump spam

Another day, another pump-and-dump spam run, this time being sent to randomly generated email addresses promoting MONK (Monarchy Resources, Inc). Here are some examples:


Subject: Pick Of The Week... Do Not Miss Out This Time!Make easy $15'000 Monday!!! Hello, want to receive $15'000 bynext Friday? You would receive lot more if you get this hotstock on Monday. The stock symbol is: M_O N_K.

Read More

Malware sites to block 19/8/13

These sites and IPs belong to this gang, and this list follows one from this one:

5.39.14.148 (OVH, France)
24.173.170.230 (Time Warner Cable, US)
31.52.14.209 (BT Broadband, UK)
37.200.69.43 (Selectel Ltd, Russia)
42.121.84.12 (Aliyun Computing Co, China)
59.124.33.215 (Chunghwa Telecom Co, Taiwan)
61.36.178.236 (LG DACOM, Korea)
66.230.163.86 (Goykhman and Sons LLC, US)
66.230.190.249 (

Read More

Malekal.com Joe Job part II

There has been a Joe Job being run against Malekal.com for some time now. However, the joe job has now morphed and includes a reference to this blog (which is kind of annoying).


Date:      Sun, 18 Aug 2013 14:35:33 +0300 [08/18/13 07:35:33 EDT]Subject:      Email SPAM for malekal.comTheses emails SPAM are sent from a botnet (check the mails headers), im notresponsible of theses spam

Read More

"California Human Right Foundation CHRF USA" scam email

It's hard to say whether or not this scam is simply a version of the advanced fee fraud (you can come to the conference, but there will be fees and hotel charges), or if the idea is that you go down to Senegal and get kidnapped. In any case, this is a scam send to an email address scraped from the web via a hijacked email account in Indonesia. Similar scams have been seen before. Avoid.


From:

Read More

ADP spam / ADP_week_invoice.zip|exe

This fake ADP spam has a malicious attachment:


Date:      Fri, 16 Aug 2013 09:57:59 -0500 [10:57:59 EDT]From:      "run.payroll.invoice@adp.com" [run.payroll.invoice@adp.com]Subject:      ADP Payroll INVOICE for week ending 08/16/2013Your ADP Payroll invoice for last week is attached for your review. If you have any questions regarding this invoice, please contact your ADP service team at the

Read More

"CEO Portal Statements & Notices Event" spam / report_{DIGIT[12]}.exe

This fake Wells Fargo email has a malicious attachment:


Date:      Fri, 16 Aug 2013 09:51:17 -0500 [10:51:17 EDT]From:      Wells Fargo Event Messaging Admin [ofsrep.ceosmuigw@wellsfargo.com]Subject:      CEO Portal Statements & Notices EventWells FargoCommercial Electronic Office (CEO) Portal Statements & Notices Event: Multiple Download Request AvailableYour Deposit Adjustment Notices is

Read More

"INCOMING FAX REPORT" spam / chellebelledesigns.com

A facsimile transmission. How quaint. Of course, it isn't.. the link in the spam goes to a malicious page on chellebelledesigns.com:


From:     Administrator [administrator@victimdomain]
Date:     15 August 2013 16:08
Subject:     INCOMING FAX REPORT : Remote ID: 1043524020

*********************************************************INCOMING FAX REPORT********************************************

Read More

Something evil on 162.211.231.16

The server at 162.211.231.16 (IT7 Networks, Canada) is currently being used in injection attacks (example) which have been going on for some time [1] [2] and uses several domains, some of which are listed below.

The WHOIS details for these domains seem to be consistent but are possibly fake:

Registrant ID:CR148448937Registrant Name:Leonardo Salim ChahdaRegistrant Street1:Patron 6755Registrant

Read More

ADP spam / hubbywifeburgers.com

This fake ADP spam leads to malware on hubbywifeburgers.com:


Date:      Wed, 14 Aug 2013 08:58:12 -0700 [11:58:12 EDT]
From:      "ADPClientServices@adp.com" [service@citibank.com]
Subject:      ADP Security Management Update

ADP Security Management Update

Reference ID: 39866

Dear ADP Client August 2013

This message is to inform you of the upcoming �Phase 2� enhancement to ADP Security

Read More

Gmail Compose.. another app screwed up by Google

If you use Gmail then you've probably seen the "new compose" experience before. And turned it off. Well, Google never listed to feedback now Gmail joins a long list of applications that Google have screwed up, including Blogger, Google Play Music, Google Maps for Android and don't get me started on Google Reader and iGoogle.




The new compose experience attempts to be minimalist, but in reality

Read More

Bank of American spam / Instructions Secured E-mail.zip

This fake Bank of American spam has a malicious attachment:


Date:      Tue, 13 Aug 2013 09:35:13 -0500 [10:35:13 EDT]
From:      "Alphonso.Wilcox" [Alphonso.Wilcox@bankofamerica.com]
Subject:      Instructions Secured E-mail.pdf

I will be forwarding the application through a secure e-mail. Attached are instructions for you to create a password to open the secure e-mails from us. Just a bit

Read More

Pharma sites to block

These fake pharma sites and IPs seem related to these malware domains, and follows on from this list last week.

31.184.241.32 (Petersburg Internet Network, Russia)46.29.18.176 (Sprint SA, Poland)61.57.103.241 (Taoyuan TBC, Taiwan)61.133.234.105 (Haidong Telecom, China)91.199.149.238 (Novosibirsk A3 Ltd, Russia)91.199.149.239 (Novosibirsk A3 Ltd, Russia)91.204.162.81 (Network Communication,

Read More

Malware sites to block 13/8/13

These IPs and domains belong to this gang and this list follows on from the one I made last week.

5.39.14.148 (OVH, France)5.231.57.253 (GHOSTnet, Germany)15.185.121.30 (HP Cloud Services, US)24.173.170.230 (Time Warner Cable, US)37.99.18.145 (2day Telecom, Kazakhstan)42.121.84.12 (Aliyun Computing Co / Alibaba Advertising Co, China)50.2.109.148 (Eonix Corporation, US)50.56.172.149 (Rackspace,

Read More

Facebook spam / guterhelmet.com

This fake Facebook spam leads to malware on guterhelmet.com:


Date:      Mon, 12 Aug 2013 17:51:17 -0200 [15:51:17 EDT]From:      Facebook [update+zj433fgc2_aay@facebookmail.com]Subject:      Willie Powell wants to be friends with you on Facebook.facebook    interesting pages on facebookmark as favorite web pages that interest you to receive their updates in your news feed.Willie

Read More

CNN: " Canadian teenager Rehtaeh Parsons" spam leads to malware

The bad guys don't have much of a sense of shame. This fake CNN email leads to malware on hubbynwifewines.com:


Date:      Sat, 10 Aug 2013 01:33:17 +0330 [18:03:17 EDT]
From:      CNN [BreakingNews@mail.cnn.com]
Subject:      CNN: " Canadian teenager Rehtaeh Parsons"

2 face charges in case of Canadian girl who hanged self after alleged rape
By Stephanie Gallman and Phil Gast, CNN
updated 6:

Read More

"This video has been recognized as the most popular videos on the internet!" porn spam

This fake porn spam leads to malware on hubbynwifewines.com:


Date:      Fri, 9 Aug 2013 11:54:00 -0600 [13:54:00 EDT]
From:      "Youtobe.com" [Subscribe@Youtobe.com]
Subject:      Youtobe.com: "This video has been recognized as the most popular videos on the internet!"

Only now free TOP HD video watch now

This video has been recognized as the most popular videos on the internet! Watch now

Read More

Citibank spam / Loan_08082013.exe

This fake Citibank spam comes with a malicious attachment:


Date:      Thu, 8 Aug 2013 13:09:04 -0500 [14:09:04 EDT]From:      Erin_Gay [Erin_Gay@citibank.com]Subject:      RE: Loan ApprovedYour documents are ready , please sign them and email them back.Thank youErin_GayLevel III Account Management817-835-6023 office817-074-9181 cell Erin_Gay@citibank.comInvestments in securities and insurance

Read More

TigerDirect.com spam / palmer-ford.net

This fake TigerDirect.com spam leads to malware on palmer-ford.net:


Date:      Thu, 8 Aug 2013 21:54:14 +0400 [13:54:14 EDT]From:      "TigerDirect.com" [noreply@tigerdirect.com]Subject:      Your TigerDirect.com Order I9179488 Shipment UpdateComputersComputer PartsElectronicsTV & VideoCameras & SurveillanceCell PhonesOrder Shipped:    08/07/2013Order No.    I9179488Shipment Total:    $

Read More

Facebook spam / hubby-wife.com and 72.249.76.197

This fake Facebook spam leads to malware on hubby-wife.com:


Date:      Thu, 8 Aug 2013 09:36:19 -0800 [13:36:19 EDT]
From:      Facebook [update+zj433fgc2_aay@facebookmail.com]
Subject:      Doug Bernal wants to be friends with you on Facebook.
   
Interesting Pages on Facebook
Mark as favorite web pages that interest you to receive their updates in your News Feed.

Doug Bernal
Doug Bernal

Read More

eFax / jConnect spam and eliehabib.com

This fake fax spam leads to malware on eliehabib.com:


Date:      Wed, 7 Aug 2013 13:05:22 -0600 [15:05:22 EDT]
From:      Fax Message [message@inbound.efax.com]
Subject:      Fax Message at 2013-08-07 01:54:34 EST

Blue Bar
Fax Message

You have received 4 fax page(s) at 2013-08-07 01:54:34 EST.

* The reference number for this fax is wlmt_bgp85-3506454489-3878764215-49.
* The transmission

Read More

Pharma sites to block 6/8/13

A new list of pharma sites and IPs, related to this bunch.

61.150.109.186 (China Telecom, China)91.199.149.238 (Novosibirsk A3 Ltd, Russia)91.199.149.239 (Novosibirsk A3 Ltd, Russia)91.204.162.81 (Network Communication, Poland)91.204.162.96 (Network Communication, Poland)91.216.163.92 (Informacines Sistemos Ir Technologijos UAB, Lithunia)178.88.64.149 (Kazakh Telecom, Kazakhstan)185.5.99.145 (

Read More

Malware sites to block 6/8/13

Following on from last week's list, this week seems to see a smaller number of servers and malicious domains from this crew.

5.175.191.124 (GHOSTnet, Germany)
24.173.170.230 (Time Warner Cable, US)
41.196.17.252 (Link Egypt, Egypt)
54.218.249.132 (Amazon AWS, US)
59.124.33.215 (Chungwa Telecom, Taiwan)
61.36.178.236 (DACOM Corp, Korea)
68.174.239.70 (Time Warner Cable, US)
78.47.248.101 (

Read More

What is 65.222.202.0/24?

A breakdown of the suballocations of the Verizon Business 65.222.202.0/24 block, mentioned in connection with Torsploit:









Block
Start
End
CustName:
Description:


65.222.202.0/28
65.222.202.0
65.222.202.15
Science
Applications Int
SAIC
(US Defense contractor)


65.222.202.16/28
65.222.202.16
65.222.202.31
Old Dominion Internet
Possibly
dormant VA

Read More

Torsploit: is 65.222.202.53 the NSA?

There has been a lot of chatter in the past day or so about the takedown of an Irish outfit called Freedom Hosting which hosted a number of "hidden services" on Tor, ranging from Tormail (which allows anonymous email communication) to.. well, Really Bad Stuff that you don't want to know about. Basically.. Law Enforcement (LE) appear to have discovered the real-world location of these servers on

Read More

alliexfinancial.com / Alliexfinancial Ltd "Legal Registered Investment company" spam (is it a scam?)

A slightly odd spam, sent to a scraped email address:


From:     Dirk Nunes [flamwood888@gmail.com]
Date:     5 August 2013 10:54
Subject:     Legal Registered Investment company
Signed by:     gmail.com

alliexfinancial Ltd                                                                                                       Our advantages :

Legal Registered Investment company

Guaranteed

Read More

BLDW "Building Turbines Corp" pump-and-dump spam

This illegal spam run almost definitely does not come from Building Turbines Corp (BLDW) but instead someone trying to game the system through a pump-and-dump scam.

There are lots of variations on the spam, but here are three examples:


Subject: This Stock is our New Wild Sub-Penny Pick!

Green Energy Company Signs Deal to Construct Rooftop Wind Turbines
for 90 Thousand Sq-Ft Stockroom.

Read More

redwoodoptions.com "Joe Job" spam

I don't know anything about "Redwood Options" redwoodoptions.com but it seems to deal in binary options. In my personal opinion, this kind of derivative trading helped to lead to the banking collapse and should be outlawed.


Subject: For TraderSubject: For InvestorSubject: Start Trading NowTrade Forex, Commodities, Stocks and Indices with Up to 81% Return!- Exclusive 60 second option- Onetouch

Read More

cpro.su "Joe Job" spam run

This spam run is aimed at disrupting the underground forum cpro.su:

Subject: International carding board on new domainSubject: Private Hacking and Carding Forum / New DomainWelcome to Private Hacking and Carding Forum. We talking and sharing aboutCVV, Paypal, Accounts, Bank Logs, Hacking Tools and Carding Tips. Newbie isnot allowed here. Do not enter if you don't know what to do...http://

Read More

Malekal.com "Joe Job" spam

Update: there is a new version of this Joe Job spam, now mentioning this post in the body text (more info).

Malekal's Site  is a French-language site covering malware and spam. This particular spam run (called a "Joe Job") is not from Malekal, but is instead attempting to disrupt the site. Presumably the bad guys have found something the don't like.

Here are some examples:

Subject: Trojan

Read More

MoneyGram "Payment notification email" spam / drstephenlwolman.com

This fake MoneyGram spam leads to malware on drstephenlwolman.com:


Date:      Fri, 2 Aug 2013 22:23:53 +0330 [14:53:53 EDT]From:      "Moneygram Inc." [infusionnbb3@gmail.com]Subject:      Payment notification email

Revenues notification email
This is an automated email - please do not reply!

Dear customer!

You are receiving this notification because of you have been received the payment.

Read More

"Your most recent payment has been processed" spam / capitalagreements.com

This fake Discover Card spam leads to malware on capitalagreements.com:



Date:      Fri, 2 Aug 2013 20:41:09 +0200 [14:41:09 EDT]From:      Discover Card [dontrply@service.discovercard.com]Reply-To:      dontrply@service.discovercard.com    Discover     Access My Account        ACCOUNT CONFIRMATION     Statements | Payments | Rewards         Your most recent payment has been processed.   

Read More

Olborg Ltd / ОЛЬБОРГ / o1host.net (AS57636) revisited

Update:  I am trying to verify claims that Olborg Ltd are operating a sinkhole (which is a good thing) rather than a malware server (a bad thing).

Last week I pointed out a malware site on 91.233.244.102 hosted by Olborg Ltd / ООО "ОЛЬБОРГ" (AS57636) [1] [2] (website at o1host.net) and made a recommendation that admins block access to the entire 91.233.244.0/23 block.

A polite but concerned

Read More

Pump and dump spam flogs a dead horse with Biostem U.S. Corporation (HAIR)

About a month-and-a-half ago I had a look at the pump-and-dump spam promoting Biostem U.S. Corporation (HAIR) when it was trading at around $0.30.

Surprisingly, the pump-and-dump spam is still ongoing which will make it nearly two months of spam on one single stock..


This Company Will Make an Impressive Recovery! It is the answerto your portfolio troubles!Date: August 1stLong Term Target: .

Read More

"Documento importante : 5039403 !!" spam / Planilha-Documento.docx_.rar

This terse Portuguese language spam has a malicious attachment:


From:     Adriane Camargo. [adriane@yahoo.com.br]
Date:     29 July 2013 20:59
Subject:     Documento importante : 5039403 !!

Arquivo : DC-59KDJF994J3K303940430DJJRI8.rar ( 173,4 KB)

The link in the email downloads goes through a legitimate hacked site and then downloads a RAR file from [donotclick]

Read More

Facebook spam / deltaoutriggercafe.com

These guys are busy. This fake Facebook spam leads to malware on deltaoutriggercafe.com:


Date:      Tue, 30 Jul 2013 15:05:25 -0500 [16:05:25 EDT]From:      Facebook [no-reply@facebook.com]Subject:      Issac Dyer wants to be friends with you on Facebook.facebook    Issac Dyer wants to be friends with you on Facebook.University of Houston, Victoria342 friends - 28 photosConfirm Request

Read More

eBay "ready to get started? Here’s how." spam / deltamarineinspections.net

There is currently an eBay-themed  "ready to get started? Here’s how" spam run active, effectively almost the same as this one, except this time there is a new set of intermediate scripts and payload page. The three scripts involved are:

[donotclick]03778d6.namesecurehost.com/meaningful/unsnapping.js
[donotclick]icontractor.org/followings/trolloped.js
[donotclick]tvassist.co.uk/plead/

Read More

"Your password on Pinterest was Successfully modified!" spam / onsayoga.net

This fake Pinterest spam leads to malware on onsayoga.net:


Date:      Tue, 30 Jul 2013 11:17:28 -0500 [12:17:28 EDT]From:      Pinterest [caulksf8195@customercare.pinterrest.net]Subject:      Your password on Pinterest was Successfully modified!A Few Updates...[redacted]   [redacted]   Changing your password is complete. Please use the link below within 24 hours. reset. Receive New Password

Read More

CNN "Angelina Jolie tops list of highest-paid actresses" spam / deltadazeresort.net

This fake CNN spam leads to malware on deltadazeresort.net:


Date:      Tue, 30 Jul 2013 17:52:54 +0330 [10:22:54 EDT]
From:      CNN [BreakingNews@mail.cnn.com]
Subject:      CNN: Forbes: Angelina Jolie tops list of highest-paid actresses

Forbes: Angelina Jolie tops list of highest-paid actresses
By Sheridan Watson, EW.com
July 29, 2013 -- Updated 2014 GMT (0414 HKT)
Angelina Jolie attends a

Read More

Pharma sites to block 30/7/13

This IPs host (fake) pharma sites which seem to be associated with this gang and share some of their infrastructure. As far as I can tell, none of them host malware.. but the IPs involved could be repurposed as malware servers and blocking them might be prudent.
88.190.218.27 (PROXAD Free SAS, France)91.199.149.238 (Novosibirsk A3 Ltd, Russia)91.199.149.239 (Novosibirsk A3 Ltd, Russia)

Read More

Malware sites to block 30/7/13

These sites and IPs are associated with this gang, and are either currently in use or they have been in use recently. The list has individual IPs and web hosts first, followed by a plain list of recommended items to block.

5.175.191.106 (GHOSTnet, Germany)
5.175.191.124 (GHOSTnet, Germany)
24.173.170.230 (Time Warner Cable, US)
24.188.19.227 (Optimum Online, US)
41.196.17.252 (Link Egypt,

Read More

Facebook spam / happykido.com

This fake Facebook spam leads to malware on


Date:      Mon, 29 Jul 2013 09:33:38 -0600 [11:33:38 EDT]
From:      Facebook [update+zj4o40c2_aay@facebookmail.com]
Subject:      Betsy Wells wants to be friends with you on Facebook.
   
Interesting Pages on Facebook
Mark as favorite web pages that interest you to receive their updates in your News Feed.
�
Betsy Wells
Betsy Wells
   
Baldric

Read More

"Key Secured Message" spam / SecureMessage.zip

This spam has a malicious attachment:


Date:      Mon, 29 Jul 2013 06:08:44 -0800 [10:08:44 EDT]From:      "Marcia_Manning@key.com" [Marcia_Manning@key.com]Subject:      Key Secured MessageYou have received a Secured Message from:Marcia_Manning@key.comThe attached file contains the encrypted message that you have received. To decrypt the message use the following password -  nC4WR706To read

Read More

Jolly Works Hosting.. is it really Jolly?

I was a little curious as to why I kept coming across Jolly Works Hosting from the Philippines when it came to malware hosting. They are a customer of Secured Servers LLC in the US, and when I took a close look at malware reports with Secured Servers IPs addresses it turns out that most of them were actually suballocated to Jolly Works Hosting instead.

Jolly Works has a real website and real

Read More

Bank of America "Your transaction is completed" spam / payment receipt 26-07-2013.zip

This fake Bank of America spam has a malicious attachment:


Date:      Fri, 26 Jul 2013 15:50:32 +0200 [09:50:32 EDT]
From:      impairyd04@gmail.com
Subject:      Your transaction is completed

Transaction is completed. $09681416 has been successfully transferred.

If the transaction was made by mistake please contact our customer service.

Payment receipt is attached.


*** This is an

Read More

Intellicast.com spam / artimagefrance.com

This fake weather spam leads to malware on artimagefrance.com:


Date:      Fri, 26 Jul 2013 02:46:26 -0800 [06:46:26 EDT]From:      "Intellicast.com" [weather@intellicast.com]Subject:      Intellicast.com [weather@intellicast.com]Intellicast.com Weather E-mail - Thursday, Jul 25, 2013 3:38 AMFor the complete 10-Day forecast and current conditions, visit Intellicast.com:http://

Read More

"welcome to the eBay community!" spam / artimagefrance.com

This fake eBay email leads to malware on artimagefrance.com:


Date:      Fri, 26 Jul 2013 21:40:48 +0900 [08:40:48 EDT]
From:      eBay [eBay@reply1.ebay.com]
Subject:      [redacted] welcome to the eBay community!





Items selected just for you.View this message in your browser     eBay Buyer Protectionebay™     Fashion     Electionics     Collectibles     Daily Deals     Sell To Buy   

Read More

Mobiquant - when IT security goes badly wrong

UPDATE: as of September 2013, this site appears to have been cleaned up.

Mobiquant appears to be a a small French IT security company run by a gentleman called Reda Zitouni that has been reportedly struggling a bit and may have shut up shop earlier in the year. They describe themselves thusly: "Mobiquant Technologies is a leading company provides mobile SECURITY management technology to

Read More

"INCOMING FAX REPORT" spam / 2013vistakonpresidentsclub.com

This fake fax report spam (apparently from the Administrator at the Victim's domain) leads to malware on 2013vistakonpresidentsclub.com:


Date:      Thu, 25 Jul 2013 10:32:10 -0600 [12:32:10 EDT]
From:      Administrator [administrator@victimdomain]
Subject:      INCOMING FAX REPORT : Remote ID: 1150758119

*********************************************************
INCOMING FAX REPORT
*******

Read More

CNN "77 dead after train derails" spam / evocarr.net

This spam mismatches two topics, a train crash in Spain and the birth of a royal baby in the UK, but it leads to malware on evocarr.net:



Date:      Thu, 25 Jul 2013 20:19:44 +0800 [08:19:44 EDT]
From:      77 dead after train derails [BreakingNews@mail.cnn.com>]
Subject:      "Perfect gift for royal baby ... a tree?" -  BreakingNews CNN


77 dead after train derails, splits apart in Spain
By

Read More

CNN "Perfect gift for royal baby ... a tree?" spam / nphscards.com

This fake CNN spam leads to malware on nphscards.com:


Date:      Wed, 24 Jul 2013 19:54:18 +0400 [11:54:18 EDT]
From:      "Perfect gift for royal baby ... a tree?" [BreakingNews@mail.cnn.com]
Subject:      "Perfect gift for royal baby ... a tree?" -  BreakingNews CNN

CNN
U.S. presidents have spotty record on gifts for royal births
By Jessica Yellin, CNN Chief White House Correspondent
July

Read More

"You requested a new Facebook password" spam / nphscards.com

This fake Facebook spam leads to malware on nphscards.com:


Date:      Wed, 24 Jul 2013 11:22:46 -0300 [10:22:46 EDT]
From:      Facebook [update+hiehdzge@facebookmail.com]
Subject:      You requested a new Facebook password

facebook
Hello,

You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password

Read More

More deceptive parkconnect.net / Emailmovers Ltd spam

This spam (sent to a scraped email address) is an apparent front operation for Emailmovers Ltd, who are using the parkconnect.net domain to hide who is spamming. I have caught them doing this before:


From:     Adam Perkins [adam.perkins@parkconnect.net]
Date:     24 July 2013 01:26
Subject:     The world’s most energy efficient sustainable hand dryer
Mailing list:     

Read More

CNN "Harrison Ford" spam / 173.246.101.146 and fragrancewalla.com

This fake CNN alert leads to malware on fragrancewalla.com:



Date:      Wed, 24 Jul 2013 12:13:04 +0530 [02:43:04 EDT]
From:      "Harrison Ford on 'Ender's Game' controversy: 'Not an issue for me'" [BreakingNews@mail.cnn.com]
Subject:      "Harrison Ford on 'Ender's Game' controversy: 'Not an issue for me'"

CNN
Harrison Ford on 'Ender's Game' controversy: 'Not an issue for me'
By Emily

Read More

Something evil on 91.233.244.102, Part II

Another batch of domains to block on this evil server. See more about the web host in question here.

3e2b312075.com
abwkscsffvqvt.com
aeflkpdhxloa.org
alnvggqlpfcnirw.in
auumhjwopdlunno.net
bgdqfddrqwpfou.net
bwincdwtyxsorh.in
cfcdgvwxnbwcs.net
cfirjgkgirkxkh.net
dkjphajyjkfpxxa.net
doxewpsjdnjmk.com
dpluydtsxloe.org
dqdoydtsxloe.org
dqyokpshxeoa.org
dqzopdhxloa.org
dsmfwjivipeysga.in

Read More

webcashmgmt.com "Incoming Money Transfer" spam / A136_Incoming_Money_Transfer_Form.zip

This fake webcashmgmt.com spam comes with a malicious attachment:


Date:      Tue, 23 Jul 2013 10:21:08 -0500 [11:21:08 EDT]
From:      WebCashmgmt [Alberto_Dotson@webcashmgmt.com]
Subject:      Important Notice - Incoming Money Transfer

An Incoming Money Transfer has been received by your financial institution for spamcop.net. In order for the funds to be remitted on the correct  account

Read More

Something evil on 91.233.244.102

These following domains are hosted on 91.233.244.102 (Olborg Ltd, Russia). This IP is implicated in Runforestrun infectors, has several malware detections on VirusTotal plus a few on URLquery. Google has flagged several domains as being malicious (marked in red below).

Obviously there's quite a concentration of evil on this IP address and the simplest thing to do would be to banish it from

Read More

Malware sites to block 23/7/13

These malicious domains and IPs are associated with this prolific gang.  As usual, I've listed IPs with hosts first and then a plain list of IPs and domains for copy-and-pasting at the end.

5.175.191.106 (GHOSTnet, Germany)
24.173.170.230 (Time Warner Cable, US)
31.145.19.17 (Borusan Telekom / Ericsson-NET, Turkey)
41.196.17.252 (Link Egypt, Egypt)
46.246.41.68 (Portlane Networks, Sweden)

Read More

IRS.gov "Complaint Case #488870383295" spam / Complaint_488870383295.zip

This spam contains a malicious attachment, but seems to confuse the roles of the BBB and the IRS.


Date:      Mon, 22 Jul 2013 09:59:08 -0500 [10:59:08 EDT]From:      "IRS.gov" [fraud.dep@irs.gov]Subject:      Complaint Case #488870383295You have received a complaint in regards to your business services.The complaint was filled by Mr./Mrs. Ulivo DELERME on 07/22/2013/Case Number:

Read More

BMW spam / pagebuoy.net

This convincing looking BMW spam leads to malware on


Date:      Mon, 22 Jul 2013 13:07:50 -0500 [14:07:50 EDT]From:      BMW of North America [womanliere75@postmaster.aa-mail.org]Reply-To:      motherfuckinge926@m.aa-mail.comSubject:      The BMW 6-Series M Sport Edition, M Universe, and more.BMW’s 6-Series M Sport Edition     View OnlineBMWA 6 SERIES.WITH M PANACHE.Meet the 6-Series M Sport

Read More

American Airlines spam / sai-uka-sai.com

This fake American Airlines spam leads to malware on www.aa.com.reservation.viewFareRuleDetailsAccess.do.sai-uka-sai.com:


From:     American.Airlines@aa.net
Date:     22 July 2013 17:22
Subject:     AA.com Itinerary Summary On Hold

Dear customer,

Thank you for making your travel arrangements on AA.com! Your requested itinerary is now ON HOLD. Details below.

To ensure that your reservation

Read More

OVH Hacked

A bad thing to happen, but kudos to OVH for being transparent about this issue:


Hello,A few days ago, we discovered that the security of our internal network at our offices in Roubaix had been compromised. After internal investigations, it appeared that a hacker was able to obtain access to an email account of one of our system administrators. With this email access, they was able to gain

Read More

ygregistryltd.net / "Huasheng Ltd" domain scam

This is the same scam as this, this and this. Avoid.


From:     Jim Wang [jim.wang@ygregistryltd.net]
Date:     22 July 2013 15:29
Subject:     Regarding Asia/Cn/Hk domain name & Internet Keyword

Dear Manager,

(If you are not the person who is in charge of this, please forward this to your CEO,Thanks)

This email is from China domain name registration center, which mainly deal with the

Read More

David Cameron's porn block - how will it work?

This government likes its half-baked ideas, and David Cameron's attempt to bring in mandatory porn blocking in the UK seems to be one of those daft ideas. Yes, ISPs should offer blocking if people want it.. and perhaps they should be made to offer it by law. But there are a number of concerns which are well addressed by this New Statesman article.

Leaving aside the moral debate and the

Read More

Verizon Wireless "Data Usage Overage Alert" / verizonwirelessreports.com

This fake Verizon email leads to malware on the domain onemessage.verizonwireless.com.verizonwirelessreports.com:


Date:      Fri, 19 Jul 2013 10:48:31 -0500 [11:48:31 EDT]
From:      Verizon Wireless [VZWMail@e-marketing.verizonwireless-mail.net]
Subject:      Data Usage Overage Alert

Important Information About Your Account.      View Online
verizon wireless    Explore    Shop    My

Read More

whoswhonetworkonline.com spam

This turd of an email was sent to an info@ email address on a domain I own. It appears to be a classic Who's Who scam.


From:     Who's Who [cpm2@contactwhoswho.us]Reply-To:     databaseemailergroup@gmail.comdate:     19 July 2013 05:44subject:     You were recently nominated into Who's Who Amoung ExecutivesWho's Who Network OnlineHello,As you are probably aware, in the last few weeks, we at

Read More

K&L Wine Merchants (KLWines.com) spam / prysmm.net

This fake K&L Wine Merchantsm spam email leads to malware on www.klwines.com.order.complete.prysmm.net:



Date:      Thu, 18 Jul 2013 05:57:28 -0800From:      drowsedl04@inbound.ups.netCC:      Subject:      Your K&L order #56920789 is completeHello from K&L Wine Merchants -- www.KLWines.comJust wanted to let you know that your order (#56920789) is complete.Additional comments for this order:

Read More

primrose.co.uk hacked, email addresses compromised

Garden accessory primrose.co.uk has been hacked, and email addresses stored in their system are being abused for phishing purposes:


From:     paypal.co.uk [service@paypal.co.uk]
Date:     18 July 2013 11:01
Subject:     We cannot process your payment at this time.

   
Dear,

We need your help resolving an issue with your account.To give us time to work together on this, we've temporarily

Read More

02086 547426 "PC Wizard" tech support scam

Just a quick one.. some Indian scammers routing through a UK number 02086 547426 (02086547426) and purporting to be from a company "PC Wizard" just called and tried to convince me that something was wrong with my PC.

I'll do a write up later.. but in the mean time their MO is to get you to look at your Event Viewer for errors (there are always) errors, and then visit ammyy.com to run some

Read More

"Houston Marriott Westchase Reservation Confirmation" spam / marriott.com.reservation.lookup.viperlair.net

This fake Marriott spam leads to malware on marriott.com.reservation.lookup.viperlair.net:



Date:      Wed, 17 Jul 2013 05:12:22 -0800 [09:12:22 EDT]From:      Marriott Hotels & Resorts Reservation [reservations@clients.marriottmail.org]Reply-To:      reservations@clients.marriottmail.orgSubject:      Houston Marriott Westchase Reservation Confirmation #86903601Marriott Hotels & Resorts

Read More

Bank of America spam / stid 36618-22.zip

This fake Bank of America spam comes with a malicious attachment:


Date:      Tue, 16 Jul 2013 21:21:06 +0200 [15:21:06 EDT]
From:      Joyce Bryson [legalsr@gmail.com]
Subject:      Merchant Statement

Enclosed (pdflPDF|pdf file|document|file) is your Bank of America Paymentech electronic Merchant Billing Statement.
If you need assistance, please (contact|message|call) your Account Executive

Read More

"Invoice 48920" spam / doc201307161139482.doc

This spam has a malicious word attachment, doc201307161139482.doc which contains an exploit.


From: Carlos Phillips [accounting@travidia.com]
Subject: Invoice 48920

Thanks !!

Greg

Precision Assemblies Products, Inc.Llc.
179 Nesbitt Hills
Holley, NY 51902
(176)-674-6500
nightmarewdp50@travidia.com
Note that the date is included into the filename. The document has an MS12-027 exploit with a

Read More

Malware sites to block 16/7/13

These domains and IPs are associated with this gang. This time there appear to be some diet pill sites in the mix, these may be spammy or they may be malicious.. I would recommend blocking them all though.

24.173.170.230 (Time Warner Cable, US)31.145.19.17 (Borusan Telekom / Ericsson, Turkey)38.96.42.60 (PSInet / WiLogic Inc, US)41.196.17.252 (Link Egypt, Egypt)46.45.182.27 (Radore Veri

Read More

Half your video missing in Windows Movie Maker? MS13-057 to blame.

I couldn't quite figure out why Windows Movie Maker was suddenly chopping off the top half of a video I was making..




I didn't investigate the problem very closely because I finished the project using Sony Vegas instead. However, it turns out that I am not alone.. an InfoWorld post also indicates that there are problems with Adobe Premiere Pro, Techsmith Camtasia Studio, Serif MoviePlus X6

Read More

msi.com hacked with kristians1.net

The website of msi.com (a major computer manufacturer) has been hacked and is serving up malware, despite MSI being informed of the problem. Injected code pointing to the domain kristians1.net (83.143.81.2, ServeTheWorld AS Norway) has been injected into the site and is serving up an exploit kit (report here).



This is not the only time msi.com has been hacked. Most significantly, they recently

Read More

UPS spam / tvblips.net

This fake UPS spam leads to malware on tvblips.net:



Date:      Mon, 15 Jul 2013 10:20:13 -0500
From:     
Subject:      Your UPS Invoice is Ready

   
This is an automatically generated email. Please do not reply to this email address.

Dear UPS Customer,

Thank you for your business.

New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS

Read More

NOST (NOST.QB) / NSU Resources Inc Pump and Dump Spam

Over the weekend a pump-and-dump spam run started for NSU Resources Inc trading as NOST.QB. NSU Resources almost definitely have nothing to do with this spam run. Here are a few examples:


Subject: This Stock MOVED HARD


Rubber Stamp N OS_T!!! With A Profoundly Humble Market Float,
The Indicated Rare Earth Business Is In Line To Quintuple.
Suspect For Big Publication In A Minute.

Trading

Read More

ygregistry.com.cn domain scam

This domain scam has been doing the rounds for years.


From:     Jim Wang [jim.wang@ygregistry.com.cn]Date:     12 July 2013 15:44Subject:     Regarding Asia/Cn/Hk domain name & Internet KeywordDear Manager,(If you are not the person who is in charge of this, please forward this to your CEO,Thanks)This email is from China domain name registration center, which mainly deal with the domain name

Read More

"TAX Return Reminder" / cpa.state.tx.us.tax-returns.mattwaltererie.net

This fake tax return reminder leads to malware on cpa.state.tx.us.tax-returns.mattwaltererie.net:


--- Version 1 --------------------

Date:      Fri, 12 Jul 2013 14:35:31 +0300
From:      DO.NOT.REPLY@REMINDER.STATE.TX.US.GOV
Subject:      TAX Return Reminder

After
the last quarter calculations of your fiscal activity we have
determined that you are eligible to receive a tax refund of $

Read More

Malware sites to block 11/7/13

I noticed 188.138.89.106 (Intergenia AG, Germany) was the originating IP being used in this spam run using a hijacked 1&1 account, and VirusTotal thinks that the server is pretty darned evil. A quick poke at this box shows that has a number of multihomed malicious and C&C domains.

Looking at some of these servers, I'm suspicious that they may have been compromised using a Plesk vulnerability.

Read More

"WTX Media INC" spam / dajizzum.com

This fake invoice spam from the nonexistant "WTX Media" leads to a malware landing page on dajizzum.com:


From: Rebecca Media [mailto:support@rebeccacella.com]
Sent: 11 July 2013 07:46
To: [redacted]
Subject: Subscription Details

We hereby inform you that your subscription has been activated, your login information is as follows:

Username: IX9322130
Password: X#(@kIE04N
Login Key: 839384

Read More

Visa spam / estateandpropertty.com and clik-kids.com

This fake Visa spam attempts to lead to malware on estateandpropertty.com:


Date:      Wed, 10 Jul 2013 13:20:38 -0300 [12:20:38 EDT]
From:      Visa [policemank3@newsletters.visabusinessnewsmail.org]
Reply-To:      flintierv34@complains.visabusinessnewsmail.org
Subject:      Update Your Business Visa Card Information


Your Visa Business card has been limited. Please update your information

Read More

Something evil on 199.231.93.182

199.231.93.182 (Webline Service, US suballocated to "Alex Capersov") is hosting a number of exploits [1] [2] being used in injection attacks. In the sample I saw, code had been injected into the legitimate site englishrussia.com possibly through a traffic exchanger.

The following domains are all hosted on or are associated with this IP. There's a shorter list at the bottom of the post without

Read More

"Payment File Successfully Processed" spam / autorize.net.models-and-kits.net

This spam leads to malware on autorize.net.models-and-kits.net:


Date:      Tue, 9 Jul 2013 15:36:42 -0500
From:      batchprovider@eftps.gov
Subject:      Payment File Successfully Processed

*** PLEASE DO NOT REPLY TO THIS MESSAGE***

Dear Batch Provider,

This message is being sent to inform you that your payment file has successfully processed. 2013-07-09-12.08.00.815358

Detailed

Read More

Malware sites to block 9/7/13

These are the current IPs and domains that appear to be in use by this gang. IPs are listed with hosting companies and countries first, and then a plain list of IPs and domains for copy-and-pasting:
5.135.198.41 (OVH, France)
14.63.198.119 (Korea Telecom, Korea)
24.173.170.230 (Time Warner Cable, US)
46.14.182.109 (Swisscom, Switzerland)
46.45.182.27 (Radore Veri Merkezi Hizmetleri, Turkey)

Read More

Xerox WorkCentre (or is it HP Digital Device?) spam / SCAN_129_07082013_18911.zip

This fake printer spam has a malicious attachment:


Date:      Mon, 8 Jul 2013 12:20:24 -0500 [07/08/13 13:20:24 EDT]
From:      HP Digital Device [HP.Digital8@victimdomain]
Subject:      Scanned Image from a Xerox WorkCentre

Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.

Sent by: [victimdomain]
Number of Images: 8
Attachment File Type: ZIP [

Read More

sendgrid.me / amazonaws.com spam

This spam is unusual in that it comes through an apparently genuine commercial email provider (sendgrid.me) and leads to malware hosted on Amazon's cloud service, amazonaws.com. There is no body text in the spam, just an image designed to look like a downloadable document.

from:     [victim] via sendgrid.me date:     8 July 2013 19:08subject:     Urgent 6:08 PM 244999Signed by:     sendgrid.me

Read More

Amex spam / americanexpress.com.krasalco.com

This fake Amex spam leads to malware on americanexpress.com.krasalco.com:

    

From: American Express [mailto:AmericanExpress@emalsrv.aexpmail.org] Sent: 08 July 2013 15:00Subject: Account Alert: A Payment Was ReceivedCheck your account balance online at any time        Hello, [redacted]             ________________________________________    View AccountMake a Payment    Manage Alerts

Read More

yelldatauk.com / Sally Gaskell spam

This email purports to come from yelldatauk.com and is trading on the name of yell.com, a business that it is not affiliated with:


From:     Yell Data UK [info@yelldatauk.com] via ansmtp.com
Date:     7 July 2013 20:37
Subject:     Yell Data
Signed by:     ansmtp.com

Good morning,

I hope this email finds you well.

Our data set contains over 750,000 UK businesses, benefits from full data

Read More

EBC "Password Reset Confirmation" spam / paynotice07.net

This fake password reset spam leads to malware on paynotice07.net:


From: EBC_EBC1961Registration@ebank6.secureaps.com
Sent: 05 July 2013 12:27
Subject: Password Reset Confirmation


Your Online Bankking password was successfully changed on 07/05/2013. If you did not make this change, or if you have any questions, please contact EBC Technical Support using this link.

Support is available

Read More

Mystery spam leads to Emailmovers Ltd (emailmovers.com / emvrs.co)

Some time ago I received a spam sent to a scraped email address promoting email marketing services (i.e. spam) which features fake contact details and a carefully anonymised web site at prospectdirect.org that shielded the identity of the spammers.

So who was behind this spam? Well, the easiest way to find out was to pretend to be interested. I filled in the contact form on the site and

Read More

Babylon and the 3954 Trojans, or the Whore of Babylon.com

"Babylon and the 3954 Trojans" sounds like a swords and sandals epic, but unfortunately it's just another example of crapware gone wild. Perhaps "The Whore of Babylon.com" is more apt though.

At the heart of Babylon.com's business is a marginally useful "free" translation application plus some paid add-ons. You know, the sort of thing that Google Translate does, except that the Babylon.com

Read More

Malware sites to block 2/7/13

These sites belong to this gang and house exploit kits and other nastiness. I've broken the list down into three sections: IPs and web hosts, plain IPs (for copy and pasting) and malware domains. The domains change on a regular basis, the IPs less frequently and are therefore probably the best things to block.

37.123.103.159 (Salay Telekomunikasyon, Turkey)38.64.161.163 (Stratonexus

Read More

Adware sites to block 2/7/13

Never trust an ad network that uses anonymous WHOIS details. These are hosted on 108.161.189.161 (NetDNA, US) and all hide their details. Those marked in yellow are flagged by Google for distributing some malware, the links go to the Google Safebrowsing diagnostic page. Given the amount of adware on this server, I would recommend blocking it.

netloader.cc
cdnloader.com
gamesformore.com

Read More

Pinterest spam / pinterest.com.reports0701.net

This fake Pinterest spam leads to malware on pinterest.com.reports0701.net:


Date:      Mon, 1 Jul 2013 21:04:36 +0530
From:      "Pinterest" [naughtinessw5@newsletters.pinterest.net]
To:      [redacted]
Subject:      Your password on Pinterest Successfully changed!

[redacted]
  
Yor password was reset. Request New Password.
   
See Password    
       
Pinterest is a tool for collecting

Read More

Adware sites to block 1/7/13

Never trust any sort of ad network that uses anonymous domains and hides all other identifying data. These seem to be doing to rounds at the moment, some of them may be involved in injection attacks or adware installs. If you have any experiences with these domains turning up unexpected on your site then please leave a comment.. thanks!

Read More

jConnect spam / FAX_281_3927981981_283.zip

This fake fax spam is meant to contain malware, but in this particular case is being sent out with a corrupt attachment:


Date:      Fri, 28 Jun 2013 09:41:52 -0500 [10:41:52 EDT]
From:      jConnect [message@inbound.j2.com]
Subject:      jConnect fax from "697-377-6967" - 28 page(s), Caller-ID: 697-377-6967

Fax Message[Caller-ID: 697-377-6967] You have received a 28 page(s) fax at 2012-12-17

Read More

OfficeWorld.com spam / sartorilaw.net

This fake OfficeWorld spam leads to malware on sartorilaw.net:


Date:      Thu, 27 Jun 2013 12:39:36 -0430 [13:09:36 EDT]From:      customerservice@emalsrv.officeworldmail.netSubject:      Confirmation notification for order 1265953Thank you for choosing OfficeWorld.com - the world's biggest selection of business products!Please review your order details below. If you have any questions,

Read More

ADP spam / spanishafair.com

This fake ADP spam leads to malware on spanishafair.com:


Date:      Tue, 25 Jun 2013 14:38:05 +0000 [10:38:05 EDT]From:      Run Do Not Reply [RunDoNotReply@ipn.adp.net]Subject:      Your Biweekly payroll is  acceptedYoyr payroll for check date 06/25/2013 is approved. Your payroll would be done at least 3 days before to your check date to ensure timely tax deposits and payroll delivery. If

Read More

"Southwest Airlines Confirmation: KQR101" spam / meynerlandislaw.net

This fake Southwest Airlines spam leads to malware on meynerlandislaw.net:


from:     Southwest Airlines [information@luv.southwest.com]reply-to:     Southwest Airlines [no-reply@emalsrv.southwestmail.com]date:     25 June 2013 17:09subject:     Southwest Airlines Confirmation: KQR101[redacted] 2013-06-25 JACEE3 INITIAL SLC WN PHX0.00T/TFF 0.00 END AY2.50$SLC1.50 1583018870396 2013-12-22 1394

Read More

Something evil on 173.246.104.154

173.246.104.154 (Gandi, US) is hosting hacked GoDaddy domains serving a variety of malware [1] [2]. At the moment the following domains appear to be hosted on that server:
aandimedsolutions.com
aandimedsolutions.info
aandimedsolutions.net
antarcticland-union.it
antarcticland-union.org
antarcticland-union.us
easymapbuilder.com
findmynewschool.com
governmentofantarcticland.it

Read More

"Fiserv Secure Email Notification - TBTATU41DMJDT5B" spam / SecureMessage_TBTATU41DMJDT5B.zip

This fake FISERV email has a malicious attachment SecureMessage_TBTATU41DMJDT5B.zip containing a trojan named SecureMessage.exe:


Date:      Mon, 24 Jun 2013 07:27:59 -0600 [09:27:59 EDT]
From:      Fiserv Secure Notification [secure.notification@fiserv.com]
Subject:      Fiserv Secure Email Notification - TBTATU41DMJDT5B
Part(s):     
      2      SecureMessage_TBTATU41DMJDT5B.zip      [

Read More

Facebook spam / chinadollars.net

This fake Facebook spam leads to malware on chinadollars.net:



Date:      Mon, 24 Jun 2013 09:18:12 -0500From:      Facebook [notification+SCCRJ42M8P@facebookmail.com]Subject:      You have 1 friend requestfacebook    You have new notifications.A lot has happened on Facebook since you last logged in. Here are some notifications you've missed from your friends.    1 friend requestView

Read More

DanielMcClintic@hotmail.com fake job offer

Another staggeringly crude money mule recruitment spam, like this one. Unless you like prison food I would advise you to leave this fake offer alone.


Date:      Mon, 24 Jun 2013 22:56:39 +0900 [09:56:39 EDT]From:      Delmar RoarkSubject:      Work in the finance departmentWe invite you to work in the home assistant offer.This job takes 2-3 hours a week and requires absolutely no

Read More

www.public-trust.com false positive at Phishtank

public-trust.com houses Certificate Revocation Lists (CRLs) and is controlled by Verizon. It probably houses other certificate infrastructure too, but at the moment several web filtering systems are detecting it as a phishing site due to a false positive at Phishtank.

Some example URLs (which are perfectly safe) include:
http://www.public-trust.com/cgi-bin/CRL/2018/cdp.crlhttp://cdp1.

Read More

julia.sailor@hotmail.com fake job offer

These guys aren't really trying. The email address is julia.sailor@hotmail.com but the email is signed Claudine Nash and appears to be "from" brooksd@kormanlederer.com originating from an IP address in Brazil. The so-called "job" is going to be money laundering or some such, avoid.


Date:      Sat, 22 Jun 2013 20:47:56 -0300 [19:47:56 EDT]From:      Claudine Nash [brooksd@kormanlederer.com]

Read More

LexisNexis spam FAIL

This fake LexisNexis spam is meant to have a malicious attachment, but something has gone wrong. Nonetheless, the next time the spammers try it they will probably get it right.. so beware of any emails similar to this one that have an attachment larger than a couple of hundred bytes.


Date:      Fri, 21 Jun 2013 10:48:12 -0700 [13:48:12 EDT]
From:      LexisNexis [einvoice.notification@

Read More

"Unusual Visa card activity" spam / anygus.com

It's not usually like these guys to mess up so badly, but this FAIL of a Visa spam leads to malware on anygus.com. Note the bits in {braces} that should have content..


From:     Visa Anti-Fraud [upbringingve@visabusiness.com]
Date:     21 June 2013 17:36
Subject:     Unusual Visa card activity

we {l1} detected {l2} activity in your business visa account.

please click here to view {l4}
your

Read More

luntravel.com are a bunch of stupid spammers

Like most people I get of lot of spam. Sometimes it makes me cross. Here's one sent to scraped email address that is effectively a spamtrap.

From:     Luntravel [noreply@luntravelmail.com]
Reply-To:     Luntravel [noreply@luntravelmail.com]
Date:     21 June 2013 13:03
Subject:     New offers from £49
Mailing list:     c425d640a3819ebec8af23ba171be24c




So far, just a spam with a graphic in,

Read More