tech support 9


Thursday, 28 February 2013

usanewwork.com fake job offer

Posted on 15:08 by Unknown


This fake job offer will be some illegal activity such as money laundering or reshipping stolen goods:


Date:      Thu, 28 Feb 2013 14:57:55 -0600
From:      andrzej.wojnarowski@[victimdomain]
Subject:      There is a vacancy of a Regional manager in USA:

If you have excellent administrative skills, working knowledge of Microsoft Office, a keen eye for detail, well-versed in the use of social
Read More
Posted in Job Offer Scams, Money Mule, Spam | No comments

"Contract of 09.07.2011" spam / forumny.ru

Posted on 06:59 by Unknown


This contracts-themed spam leads to malware on forumny.ru:


Date:      Thu, 28 Feb 2013 11:43:15 +0400
From:      "LiveJournal.com" [do-not-reply@livejournal.com]
Subject:      Fw: Contract of 09.07.2011
Attachments:     Contract_Scan_IM0826.htm

Dear Sirs,

In the attached file I am forwarding you the Translation of the Loan Contract that I have just received a minute ago. I am really sorry
Read More
Posted in Germany, Malware, RU:8080, Spain, Spam, Viruses | No comments

"Follow this link" spam / sidesgenealogist.org

Posted on 02:48 by Unknown


This rather terse spam appears to lead to an exploit kit on sidesgenealogist.org:


From: Josefina Underwood [mailto:hdFQe@heathrowexpress.com]
Sent: 27 February 2013 16:43
Subject: Follow this link

I have found it http://www.eurosaudi.com/templates/beez/wps.php?v20120226

Sincerely yours,
Sara Walton
The link is to a legitimate hacked site, and in this case it attempts to bounce to [
Read More
Posted in Amerika, logol.ru, Malware, Russia, Spam, Viruses | No comments

Wednesday, 27 February 2013

"End of Aug. Statement" spam / forumusaaa.ru

Posted on 11:51 by Unknown


This invoice-themed spam leads to malware on forumusaaa.ru:


Date:      Thu, 28 Feb 2013 06:04:08 +0530
From:      "Lisa HAGEN" [WilsonVenditti@ykm.com.tr]
Subject:      Re: FW: End of Aug. Statement
Attachments:     Invoice_JAN-2966.htm

Good day,

as reqeusted I give you inovices issued to you per jan. (Microsoft Internet Explorer).

Regards

Lisa HAGEN
The malware is hosted at [donotclick]
Read More
Posted in Germany, Malware, RU:8080, Spain, Spam, Viruses | No comments

US Airways spam / berrybots.net

Posted on 08:10 by Unknown
This very detailed but fake US Airways spam leads to malware on berrybots.net:

Date:      Wed, 27 Feb 2013 08:09:36 -0500 [08:09:36 EST]
From:      bursarp1@email-usairways.com
Subject:      Your US Airways trip

Read More
Posted in Amerika, Malware, Serbia, Spam, Ukraine, US Airways, Viruses | No comments

Tuesday, 26 February 2013

Intuit spam / forumligandaz.ru

Posted on 11:33 by Unknown


This fake Intuit spam leads to malware on forumligandaz.ru:


Date:      Tue, 26 Feb 2013 01:27:09 +0330
From:      "Classmates . com" [classmatesemail@accounts.classmates.com]
Subject:      Payroll Account Holded by Intuit


Direct Deposit Service Informer
Communicatory Only

We cancelled your payroll on Tue, 26 Feb 2013 01:27:09 +0330.

    Finances would be gone away from below account #
Read More
Posted in Germany, INTUIT, Malware, RU:8080, Spain, Spam, Viruses | No comments

Facebook spam / lazaro-sosa.com

Posted on 11:18 by Unknown


This fake Facebook spam leads to malware on lazaro-sosa.com:


Date:      Tue, 26 Feb 2013 14:26:20 +0200
From:      "Facebook" [twiddlingv29@informer.facebook.com]
Subject:      Brian Parker commented your photo.

facebook
   
Brian Parker commented on Your photo.
Reply to this email to comment on this photo.
See Comment
This message was sent to [redacted]. If you don't want to receive these
Read More
Posted in Amerika, Facebook, Malware, Serbia, Spam, Viruses | No comments

Monday, 25 February 2013

"TrustKeeper Vulnerabilities Scan Information" spam / saberdelvino.net

Posted on 11:41 by Unknown


Well this is new.. this "TrustKeeper Vulnerabilities Scan Information" spam leads to an exploit kit on saberdelvino.net:

From: Trustwave [porosity@e.trustwave.com]
Date: 25 February 2013 17:09
Subject: TrustKeeper Vulnerabilities Scan Information

To view this email as a web page, go here.
view email in a web browser
[redacted]

This is an auto-generated report to notice you that the scheduled
Read More
Posted in Malware, Spam, Ukraine, Viruses | No comments

Friday, 22 February 2013

LinkedIn spam / greatfallsma.com and yoga-thegame.net

Posted on 08:12 by Unknown


This "accidental" LinkedIn spam is a fake and leads to malware on greatfallsma.com:


From: LinkedIn [mailto:papersv@informer.linkedin.com]
Sent: 22 February 2013 15:58
Subject: Reminder about link requests pending

See who connected with you this week on LinkedIn
Now it's easy to connect with people you email
Continue
 
This is an accidental LinkedIn Marketing email to help you get the most
Read More
Posted in Amerika, LinkedIn, Malware, Spam, Ukraine, Viruses | No comments

"Data Processing" spam / dekolink.net

Posted on 07:04 by Unknown




This fake "Data Processing" spam leads to malware on dekolink.net:



Date:      Fri, 22 Feb 2013 08:06:43 -0500
From:      "Data Processing Service" [customersupport@dataprocessingservice.com]
Subject:      ACH file ID '768.579

Files Processing Service

SUCCESS Note
We have successfully handled ACH file 'ACH2013-02-20-5.txt' (id '768.579') submitted by user '[redacted]' on '2013-02-20 1:14:
Read More
Posted in Amerika, Malware, Spam, Ukraine, Viruses | No comments

"End of Aug. Stat." spam / forummersedec.ru

Posted on 05:15 by Unknown


This fake invoice email leads to malware on forummersedec.ru:


Date:      Fri, 22 Feb 2013 11:33:38 +0530
From:      AlissonNistler@[victimdomain]
Subject:      Re: FW: End of Aug. Stat.
Attachments:     Invoices-1207-2012.htm

Hallo,

as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer/Mozilla Firefox file)

Regards


The attachment attempts to redirect the victim
Read More
Posted in India, Malware, RU:8080, Spam, Viruses | No comments

Thursday, 21 February 2013

"Scan from a Xerox WorkCentre Pro" spam / familanar.ru

Posted on 15:10 by Unknown


This familiar printer spam leads to malware on the familanar.ru domain:


Date:      Thu, 21 Feb 2013 09:22:25 -0500 [09:22:25 EST]
From:      Tagged [Tagged@taggedmail.com]
Subject:      Fwd: Re:  Scan from a Xerox WorkCentre Pro #800304

A Document was sent to you using a XEROX WorkJet PRO 760820.

SENT BY : BRYNN
IMAGES : 5
FORMAT (.JPEG) DOWNLOAD
The malicious payload is at [donotclick]
Read More
Posted in Malware, Printer Spam, RU:8080, Spam, Viruses | No comments

ACH transaction spam / payment receipt - 884993762994.zip

Posted on 15:03 by Unknown


This fake ACH transaction spam comes with a malicious attachment:


Date:      Thu, 21 Feb 2013 14:32:08 -0500 [14:32:08 EST]
From:      Payment notification system [homebodiesga38@gmail.com]
Subject:      Automatic transfer notification

ACH transaction is completed. $443 has been successfully transferred.
If the transaction was made by mistake please contact our customer service.
Receipt on
Read More
Posted in EXE-in-ZIP, Malware, Spam, Viruses | No comments

"Efax Corporate" spam / fuigadosi.ru

Posted on 06:16 by Unknown


This fake eFax spam leads to malware on fuigadosi.ru:


Date:      Thu, 21 Feb 2013 -05:24:35 -0800
From:      LinkedIn Password [password@linkedin.com]
Subject:      Efax Corporate
Attachments:     EFAX_Corporate.htm



Fax Message [Caller-ID: 705646877]

You have received a 29 pages fax at Thu, 21 Feb 2013 -05:24:35 -0800, (913)-809-4198.

* The reference number for this fax is [
Read More
Posted in eFax, India, Malware, RU:8080, Spam, Viruses | No comments

ADP Spam / faneroomk.ru

Posted on 05:28 by Unknown


This fake ADP spam tries (and fails) to lead to malware on faneroomk.ru:


From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn
Sent: 20 February 2013 20:02
Subject: ADP Immediate Notification

ADP Immediate Notification
Reference #: 001737199

Thu, 21 Feb 2013 02:01:39 +0600
Dear ADP Client

Your Transfer Record(s) have been created at
Read More
Posted in ADP, Malware, RU:8080, Spam, Viruses | No comments

Wednesday, 20 February 2013

Verizon Wireless spam / participamoz.com

Posted on 15:24 by Unknown


This fake Verizon Wireless spam leads to malware on participamoz.com:



Date:      Wed, 20 Feb 2013 23:24:49 +0400
From:      "AccountNotify@verizonwireless.com" [cupcakenc0@irs.gov]
Subject:      Verizon wireless online bill.



Important account information from Verizon Wireless
Your current bill for your account ending in XXXX-XX001 is now available online in My Verizon
Total Balance Due: $
Read More
Posted in Amerika, Malware, Spam, Viruses | No comments

SendSecure Support spam / secure_message_02202013_01590106757637303.zip

Posted on 08:25 by Unknown


This fake SendSecure Support / Bank of America spam comes with a malicious attachment called secure_message_02202013_01590106757637303.zip:


Date:      Wed, 20 Feb 2013 11:23:43 -0400 [10:23:43 EST]
From:      SendSecure Support [SendSecure.Support@bankofamerica.com]
Subject:      You have received a secure message from Bank Of America

You have received a secure message.

Read your secure
Read More
Posted in EXE-in-ZIP, Malware, Spam, Viruses | No comments

"Wire transfer" spam / fulinaohps.ru

Posted on 08:01 by Unknown


This fake wire transfer spam leads to malware on fulinaohps.ru:


Date:      Wed, 20 Feb 2013 04:28:14 +0600
From:      accounting@[victimdomain]
Subject:      Fwd: ACH and Wire transfers disabled.

Dear Online Account Operator,

Your ACH transactions have been
temporarily disabled.
View details

Best regards,
Security department
The malicious payload is at [donotclick]fulinaohps.ru:8080/forum/
Read More
Posted in Malware, RU:8080, Spam | No comments

famagatra.ru injection attack in progress

Posted on 05:29 by Unknown


There seems to be an injection attack in progress, leading visitors to hacked website to a malicious page on the server famagatra.ru.

The payload is at [donotclick]famagatra.ru:8080/forum/links/public_version.php?atd=1n:33:2v:1l:1h&qav=3j&yvxhqg=1j:33:32:1l:1g:1i:1o:1n:1o:1i&jehmppj=1n:1d:1f:1d:1f:1d:1j:1k:1l (report here) which is basically a nasty dose of Blackhole.


84.23.66.74 (EUserv
Read More
Posted in Injection Attacks, Malware, RU:8080, Viruses | No comments

Something evil on 62.212.130.115

Posted on 04:42 by Unknown


Something evil seems to be lurking on 62.212.130.115 (Xenosite, Netherlands) - a collection of sites connected with the Blackhole exploit kit, plus indications of evil subdomains of legitimate hacked sites. All-in-all, this IP is probably worth avoiding.

Firstly, there are the evil subdomains that have a format like 104648746540365e.familyholidayaccommodation.co.za - these are mostly hijacked .
Read More
Posted in Blackhole, Evil Network, Malware, Viruses | No comments

USPS spam / USPS delivery failure report.zip

Posted on 01:41 by Unknown


This fake USPS spam contains malware in an attachment called USPS delivery failure report.zip.


Date:      Wed, 20 Feb 2013 06:40:39 +0200 [02/19/13 23:40:39 EST]
From:      USPS client manager Michael Brewer [reports@usps.com]
Subject:      USPS delivery failure report

USPS notification
Our company’s courier couldn’t make the delivery of package.
REASON: Postal code contains an error.
LOCATION OF
Read More
Posted in EXE-in-ZIP, Malware, Spam, USPS | No comments

Tuesday, 19 February 2013

Cyberbunker fake pharma spam / 84.22.104.123

Posted on 14:28 by Unknown


Crime-friendly host Cyberbunker strikes again, this time hosting more fake pharma sites on 84.22.104.123, being promoted through this suspicious looking spam:


Date:      Tue, 19 Feb 2013 22:58:26 +0000 (GMT)
From:      Apple [noreply@bellona.wg.saar.de]
To:      [redacted]
Subject:      Your Apple ID was used to sign in to FaceTime, iCloud, and iMessage on an iPhone 5

   
Dear Customer,
Read More
Posted in CyberBunker, Fake Pharma, Spam | No comments

Something evil on 74.208.148.35

Posted on 09:01 by Unknown
Spotted by the good folks at GFI Labs here, here and here are several Canadian domains on the same server, 74.208.148.35 (1&1, US):

justcateringfoodservices.com
dontgetcaught.ca
blog.ritual.ca
lumberlandnorth.com

Obviously, there's some sort of server-level compromise here. Blocking access to 74.208.148.35 will give some protection against several very active malicious spam campaigns.
Read More
Posted in 1&1, Malware, Spam, Viruses | No comments

UPS Spam / emmmhhh.ru

Posted on 06:17 by Unknown


The spammers sending this stuff out always confuse UPS with USPS, and this one is no exception, although on balance it is more UPS than USPS.. anyway, it leads to malware on emmmhhh.ru:


From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of Valda Gill via LinkedIn
Sent: 19 February 2013 10:00
Subject: United Postal Service Tracking Nr. H9878032462

Read More
Posted in Endurance International Group, Malware, RU:8080, Spam, UPS, USPS, Viruses | No comments

Something evil on 67.208.74.71

Posted on 04:46 by Unknown


67.208.74.71 (Inforelay, US) is a parking IP with several thousand sites hosted on it. However, it also includes a large number of malicious sites using Dynamic DNS services. Some of these sites have recently moved from the server mentioned here.

Probably most of the sites on this server are legitimate and blocking access to it might cause some problems. However, you can block most of these
Read More
Posted in Evil Network, Malware, Viruses | No comments

Friday, 15 February 2013

Wire transfer spam / 202.72.245.146

Posted on 08:39 by Unknown


This fake wire transfer spam leads to malware on 202.72.245.146:


Date:      Fri, 15 Feb 2013 07:24:40 -0500
From:      Tasha Rosenthal via LinkedIn [member@linkedin.com]
Subject:      RE: Wire transfer cancelled

Good day,

Wire Transfer was canceled by the other bank.



Canceled transaction:

FED NR: 94813904RE5666838

Transfer Report: View



The Federal Reserve Wire Network
The malicious
Read More
Posted in Malware, Mongolia, Spam, Viruses | No comments

"Cum Avenue" IRS Spam / azsocseclawyer.net

Posted on 07:54 by Unknown


This fake IRS spam (from an office on "Cum Avenue"!) actually leads to malware on azsocseclawyer.net:


Date:      Fri, 15 Feb 2013 09:47:25 -0500
From:      Internal Revenue Service [ahabfya196@etax.irs.gov]
Subject:      pecuniary penalty for delay of tax return filling

Herewith we are informing you that you are required to pay a surcharge for not filling the income tax return prior to
Read More
Posted in Amerika, IRS, Korea, Lithuania, Malware, Spam, Viruses | No comments

Malware sites to block 15/2/13

Posted on 07:34 by Unknown


A set of malware sites.. or I think two sets of malware sites that you might want to block. The .ru domains are connected with this botnet, a second set of sites seem to be something else malicious. Both groups of sites are connected by a server at 142.0.45.27 (Volumedrive, US) which may be a C&C server. Interested parties might want to poke at the server a bit..

As a bonus, these are the IPs
Read More
Posted in Evil Network, Malware, Viruses | No comments

Thursday, 14 February 2013

Intuit spam / epionkalom.ru

Posted on 14:18 by Unknown


This fake Intuit spam leads to malware on epionkalom.ru:


Date:      Thu, 14 Feb 2013 09:05:48 -0500
From:      "Classmates . com" [classmatesemail@accounts.classmates.com]
Subject:      Payroll Account Holded by Intuit


Direct Deposit Service Informer
Communicatory Only

We cancelled your payroll on Thu, 14 Feb 2013 09:05:48 -0500.

    Finances would be gone away from below account # ending
Read More
Posted in INTUIT, Malware, Mongolia, RU:8080, Spam, Viruses | No comments

HP ScanJet spam / 202.72.245.146

Posted on 14:13 by Unknown


This fake printer spam leads to malware on 202.72.245.146:


Date:      Thu, 14 Feb 2013 10:10:56 +0000
From:      AntonioShapard@hotmail.com
Subject:      Fwd: Re: Scan from a Hewlett-Packard ScanJet #6293
Attachments:     HP_Document.htm

Attached document was scanned and sent

to you using a HP A-32347P.

SENT BY : TRISH
PAGES : 3
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]

========
Read More
Posted in Malware, Mongolia, Printer Spam, RU:8080, Spam, Viruses | No comments

"Copies of policies" spam / ewinhdutik.ru

Posted on 08:48 by Unknown


This spam leads to malware on ewinhdutik.ru:

Date:      Thu, 14 Feb 2013 07:16:28 -0500
From:      "Korbin BERG" [ConnorAlmeida@telia.com]
Subject:      RE: Korbin - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.

Here is the Package and Umbrella,

and a copy of the most recent schedule.

Korbin BERG,

======================


Date
Read More
Posted in Malware, RU:8080, Spam, Viruses | No comments

HP ScanJet spam / eipuonam.ru

Posted on 06:42 by Unknown


This fake printer spam leads to malware on eipuonam.ru:


Date:      Thu, 14 Feb 2013 -02:00:50 -0800
From:      "Xanga" [noreply@xanga.com]
Subject:      Fwd: Scan from a HP ScanJet #72551
Attachments:     HP_Document.htm

Attached document was scanned and sent

to you using a HP A-39329P.

SENT BY : Ingrid
PAGES : 0
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]

The attachment
Read More
Posted in Malware, Mongolia, Printer Spam, RU:8080, Spam, Viruses | No comments

Something evil on 92.63.105.23

Posted on 03:41 by Unknown


Looks like a nasty infestation of Blackhole is lurking on 92.63.105.23 (TheFirst-RU, Russia) - see an example of the nastiness here (this link is safe to click!). The following domains are present on this address, although there are probably more.

ueizqnm.changeip.name
fmmrlp.ddns.name
qhtqqtxqua.onmypc.org
jakrcr.changeip.org
slnpqel.lflinkup.org
ydrehhvgjz.ezua.com
hurocozr.onedumb.com
Read More
Posted in Blackhole, Evil Network, Malware, Russia, TheFirst-RU, Viruses | No comments

Wednesday, 13 February 2013

"First Foundation Bank Secure Email Notification" spam

Posted on 14:58 by Unknown


It looks a bit like a phish, but this "First Foundation Bank Secure Email Notification" spam has a ZIP file that leads to malware:


Date:      Wed, 13 Feb 2013 20:08:46 +0200 [13:08:46 EST]
From:      FF-inc Secure Notification [secure.notification@ff-inc.com]
Subject:      First Foundation Bank Secure Email Notification - 94JIMEEQ

You have received a secure message

Read your secure message
Read More
Posted in EXE-in-ZIP, Malware, Spam, Viruses | No comments

NACHA spam / eminakotpr.ru

Posted on 14:08 by Unknown


More fake NACHA spam, this time leading to malware on eminakotpr.ru:



Date:      Wed, 13 Feb 2013 05:24:26 +0530
From:      "ACH Network" [risk-management@nacha.org]
Subject:      Re: Fwd: ACH Transfer rejected

The ACH transaction, initiated from your checking acc., was canceled.


Canceled transfer:

Transfer ID: FE-65426265630US

Transaction Report: View

August BLUE

NACHA - The National
Read More
Posted in Malware, Mongolia, NACHA, RU:8080, Spam, Viruses | No comments

Malware sites to block 13/2/13

Posted on 08:52 by Unknown


These malicious sites appear to be part of a Waledac botnet. I haven't had much time to analyse exactly what is going on, but here is one example from [donotclick]merwiqca.ru/nothing.exe: URLquery, VirusTotal, Comodo CAMAS, ThreatExpert.

I'm still working on IP addresses (there are a LOT), but these are the domains that I have managed to identify.. it is probably not an exhaustive list
Read More
Posted in Evil Network, Malware, Viruses, Waledac | No comments

NACHA spam / thedigidares.net

Posted on 05:19 by Unknown


This fake NACHA spam leads to malware on thedigidares.net:



Date:      Wed, 13 Feb 2013 12:10:27 +0000
From:      " NACHA" [limbon@direct.nacha.org]
Subject:      Aborted transfer

Canceled transaction
The ACH process (ID: 648919687408), recently sent from your bank account (by you), was canceled by the other financial institution.

Transaction ID:     648919687408
Cancellation Reason    
Read More
Posted in Amerika, Korea, Malware, NACHA, Spam, Viruses | No comments

Tuesday, 12 February 2013

Something evil on 192.81.129.219

Posted on 14:01 by Unknown




It looks like there's a nasty case of the Blackhole Exploit kit on 192.81.129.219 (see example). The IP is controlled by Linode in the US who have been a bit quiet recently. Here are the active domains that I can identify on this IP:

17.soldatna.com
17.coloryourpatiowholesale.com
17.silvascape.com
17.dcnwire.com
17.canyonturf.com
17.kdebug.com
17.soldatnacapital.com
17.swvmail.com
17.drycanyon.com
17
Read More
Posted in Blackhole, Linode, Malware, Viruses | No comments

Changelog spam / emaianem.ru

Posted on 08:45 by Unknown


This changelog spam leads to malware on emaianem.ru:


Date:      Tue, 12 Feb 2013 09:11:11 +0200
From:      LinkedIn Password [password@linkedin.com]
Subject:      Re: Changlog 10.2011

Good day,

changelog update - View

L. KIRKLAND

=================


Date:      Tue, 12 Feb 2013 05:14:54 -0600
From:      LinkedIn [welcome@linkedin.com]
Subject:      Fwd: Re: Changelog as promised(updated)

Read More
Posted in Malware, RU:8080, Spam, Viruses | No comments

IRS spam / micropowerboating.net

Posted on 07:05 by Unknown


This fake IRS spam leads to malware on micropowerboating.net:


Date:      Tue, 12 Feb 2013 22:06:55 +0800
From:      Internal Revenue Service [damonfq43@taxes.irs.gov]
Subject:      Income Tax Refund TURNED DOWN

Hereby we have to note that Your State Tax Refund Appeal ({ID: 796839212518), recently has been RETURNED. If you believe that IRS did not properly estimate your case due to
Read More
Posted in IRS, Korea, Malware, Spam, Viruses | No comments

eFax spam / estipaindo.ru

Posted on 06:48 by Unknown


This fake eFax spam leads to malware on estipaindo.ru:


From: messages-noreply@bounce.linkedin.com
Sent: 12 February 2013 04:10
Subject: Efax Corporate

Fax Message [Caller-ID: 181999356]

You have received a 44 pages fax at Tue, 12 Feb 2013 05:10:03 +0100, (944)-095-3172.

* The reference number for this fax is [eFAX-101609258].

View attached fax using your Internet Browser.

Read More
Posted in Malware, Mongolia, RU:8080, Spam, Viruses | No comments

Monday, 11 February 2013

Something evil on 46.165.206.16

Posted on 14:59 by Unknown


This is a little group of fake analytics sites containing malware (for example), hosted on 46.165.206.16 (Leaseweb, Germany). Sites listed in red have already been tagged by Google Safe Browsing diagnostics, presumably the others have stayed below the radar.

adstat150.com
cexstat20.com
katestat77.us
kmstat505.us
kmstat515.us
kmstat530.com
lmstat450.com
mptraf11.info
mptraf2.info
mxstat205.
Read More
Posted in Injection Attacks, Leaseweb, Malware, Viruses | No comments

NACHA Spam / albaperu.net

Posted on 14:07 by Unknown


This fake NACHA spam leads to malware on albaperu.net:


Date:      Mon, 11 Feb 2013 11:39:03 -0500 [11:39:03 EST]
From:      ACH Network [reproachedwp41@direct.nacha.org]
Subject:      ACH Transfer canceled

Aborted transfer
The ACH process (ID: 838907191379), recently initiated from your checking account (by one of your account members), was reversed by the other financial institution.

Read More
Posted in Korea, Malware, NACHA, Spam, Viruses | No comments

British Airways spam / epianokif.ru

Posted on 11:45 by Unknown


This fake British Airways spam leads to malware on epianokif.ru:



Date:      Mon, 11 Feb 2013 11:30:39 +0330
From:      JamesTieszen@[victimdomain.com]
Subject:      British Airways E-ticket receipts
Attachments:     E-Ticket-N234922XM.htm



e-ticket receipt
Booking reference: DZ87548418
Dear,

Thank you for booking with British Airways.

Ticket Type: e-ticket
This is your e-ticket receipt.
Read More
Posted in Malware, Mongolia, RU:8080, Spam, Viruses | No comments

Something evil on 46.163.79.209

Posted on 02:00 by Unknown


The following sites are connected with some ADP-themed malware that has been doing the rounds for the past few days. As far as I can tell, they are some sort of download server for this malware, hosted on 46.163.79.209 (Host Europe, Germany), it all looks quite nasty.

social-neos.eu
cloud.social-neos.eu
quest.social-neos.eu
archiv.social-neos.eu
eyon-neos.eu
international.eyon-neos.eu
Read More
Posted in Evil Network, Germany, Malware, Viruses | No comments

"Support Center" spam / phticker.com

Posted on 01:23 by Unknown


Not malware this time, but this fake "Support Center" spam leads to a fake pharma site at phticker.com:


Date:      Mon, 11 Feb 2013 06:13:52 -0700
From:      "Brinda Wimberly" [noreply@mdsconsulting.be]
Subject:      Support Center

    Welcome to Help Support Center

Hello,

You have been successfully registered in our Ticketing System

Please, login and check status of your ticket, or
Read More
Posted in Fake Pharma, Latvia, Spam | No comments

Friday, 8 February 2013

ADP spam / 048575623_02082013.zip

Posted on 16:44 by Unknown


This fake ADP spam comes with a malicious attachment:


Date:      Fri, 8 Feb 2013 18:26:05 +0100 [12:26:05 EST]
From:      "ops_invoice@adp.com" [ops_invoice@adp.com]
Subject:      ADP Payroll Invoice for week ending 02/08/2013 - 01647

Your ADP Payroll invoice for last week is attached for your review. If you have any questions regarding this invoice, please contact your ADP service team at the
Read More
Posted in ADP, EXE-in-ZIP, Spam, Viruses | No comments

BBB Spam / madcambodia.net

Posted on 16:29 by Unknown


This fake BBB spam leads to malware on madcambodia.net:


Date:      Fri, 8 Feb 2013 11:55:55 -0500 [11:55:55 EST]
From:      Better Business Bureau [notify@bbb.org]
Subject:      BBB  details about your  cliente's pretense ID 43C796S77

Better Business Bureau ©
Start With Trust ©

Thu, 7 Feb 2013

RE: Issue No. 43C796S77

[redacted]

The Better Business Bureau has been booked the above
Read More
Posted in Amerika, BBB, Malware, Spam, Viruses | No comments

MMuskatov / OVH malware sites to block

Posted on 12:10 by Unknown


I've mentioned an OVH range of IPs allocated to a mystery "MMuskatov" a couple of times before (here and here). It seemed like they needed a closer look.

The IP ranges are in the 5.135.67.x block, mostly in small /28 allocations hosted in different OVH datacentres in Europe. They are:
5.135.67.128 - 5.135.67.135
5.135.67.136 - 5.135.67.143
5.135.67.144 - 5.135.67.159
5.135.67.160 -
Read More
Posted in Evil Network, Malware, OVH, Viruses | No comments

radarsky.biz and something evil on 5.135.67.160/28

Posted on 05:06 by Unknown


There is currently an injection attack redirecting visitors to the domain radarsky.biz (for example) hosted on 5.135.67.173 (OVH) and suballocated to:

inetnum:        5.135.67.160 - 5.135.67.175
netname:        MMuskatov-FI
descr:          MMuskatov
country:        FI
org:            ORG-OH6-RIPE
admin-c:        OTC15-RIPE
tech-c:         OTC15-RIPE
status:         ASSIGNED PA
mnt-by:         
Read More
Posted in Injection Attacks, Malware, OVH, Viruses | No comments

Thursday, 7 February 2013

+20 3 2983245 telepest

Posted on 14:34 by Unknown


For some reason I've been plagued with cold calling telepests recently. This particular one (+20 3 2983245) offered the usual "press 5 to be ripped off" and "press 9 to try to unsubscribe which we will ignore" recorded message about claiming for an accident.

There was a very politely spoken and nice young man on the end of the phone. He seemed a bit perplexed and upset when I told him to f--k
Read More
Posted in Egypt, Telepests | No comments

FFIEC spam / live-satellite-view.net

Posted on 04:03 by Unknown


This spam attempts to load malware from live-satellite-view.net, but fails because at the moment the domain isn't registered. However, you can expect them to try again.. so watch out for emails like this.


From: FFIEC [mailto:complaints@ffiec.gov]
Sent: 06 February 2013 16:17
Subject: FFIEC Occasion No. 77715


This summons is meant to make advise of file # 77715 which is opened and under
Read More
Posted in Amerika, Malware, Spam, Viruses | No comments

Wednesday, 6 February 2013

inukjob.com fake job offer (also ineurojob.com and hollandsjob.com)

Posted on 01:48 by Unknown


This fake job offer from inukjob.com involves illegal money laundering, and it also seems that the scammers want to use your identity for "correspondence" which normally means things like reshipping stolen goods and identity theft.


From: Victim
To: Victim
Date: 6 February 2013 09:16
Subject: Looking for remote assistants, paid $ 100 per hour helping other people


Good afternoon!

Is it
Read More
Posted in Job Offer Scams, Spam | No comments

Tuesday, 5 February 2013

Amazon.com spam / salam-tv.com

Posted on 14:41 by Unknown


This fake Amazon email leads to malware on salam-tv.com:



Date:      Tue, 5 Feb 2013 18:32:06 +0100
From:      "Amazon.com Orders" [no-reply@amazon.com]
Subject:      Your Amazon.com order receipt.

Click here if the e-mail below is not displayed correctly.

Follow us:

Your Amazon.com    Today's Deals    See All
Read More
Posted in Amazon, Malware, Spam, Viruses | No comments

Monday, 4 February 2013

01530 561700: PPI refund cold callers are also PPI mis-sellers

Posted on 09:41 by Unknown


Quick version:  01530 561700 is a PPI claims company trading as ABC Claims Management, but the people involved have been directors of a firm fined for PPI mis-selling. If you really want to wind them up, say you were mis-sold PPI by a firm called Hadenglen.

Long version:
PPI refund cold callers are annoying, and are almost always dishonest scumbags who claim that you are eligible for a PPI
Read More
Posted in PPI, Stupidity, Telepests | No comments

Phytiva / XCHC pump-and-dump

Posted on 05:55 by Unknown


This pump-and-dump spam (at least I assume that's what it is) caught my eye,


From:     Hugh Crouch [tacticallyf44@riceco.com]
Date:     4 February 2013 12:39
Subject:     RE: Targeting the global Cosmoceutical market

US leading biotech company is please to introduce a newly launched brand - a hybrid of a proven, existing product line that has been well-managed and conservatively-run for over a
Read More
Posted in Pump and Dump, Spam | No comments

Something evil on 108.61.12.43 and 212.7.192.100

Posted on 03:39 by Unknown


A few sites worth blocking on 108.61.12.43 (Constant Hosting, US) courtesy of Malware Must Die:
helloherebro.com
painterinvoice.ru
painterinvoicet.ru
immediatelyinvoicew.ru

While you are at it, you might like to block 212.7.192.100 (Dediserv, Netherlands) as well.
Read More
Posted in Malware, Viruses | No comments

StumbleUpon spam / drugstorepillstablets.ru

Posted on 01:03 by Unknown


This fake StumbleUpon spam is something new, it leads to a fake pharma site on drugstorepillstablets.ru:


Date:      Mon, 4 Feb 2013 01:01:46 -0600 (CST)
From:      StumbleUpon [no-reply@stumblemail.com]
Subject:      Update: Changes to Your Email Settings

Hi [redacted],

This is a quick note to let you know about some changes we've made to the email settings in your StumbleUpon account. We've
Read More
Posted in Fake Pharma, Simply Transit, Spam, Viruses | No comments

Friday, 1 February 2013

Something evil on 50.116.40.194

Posted on 07:40 by Unknown


50.116.40.194 (Linode, US) is hosting the Blackhole Exploit Kit (e.g. [donotclick]14.goodstudentloans.org/read/walls_levels.php - report here) and seems to have been active in the past 24 hours. I can see two domains at present, although there are probably many more ready to go:

14.goodstudentloans.org
14.mattresstoppersreviews.net
Read More
Posted in Blackhole, Linode, Malware, Viruses | No comments

Photos spam / eghirhiam.ru

Posted on 01:25 by Unknown


Here's a tersely-worded Photos spam leading to malware on eghirhiam.ru:


Subject: Photos

Good day,
your photos here http://www.jonko.com/photos.htm
As is usually the case, the malware bounces through a legitimate hacked site and in this case ends up at [donotclick]eghirhiam.ru:8080/forum/links/public_version.php (report here) hosted on:

82.148.98.36 (Qatar Telecom, Qatar)
195.210.47.208 (PS
Posted in Malware, Mongolia, RU:8080, Spam, Viruses