tech support 9


Tuesday, 30 July 2013

"Documento importante : 5039403 !!" spam / Planilha-Documento.docx_.rar

Posted on 16:22 by Unknown


This terse Portuguese language spam has a malicious attachment:


From:     Adriane Camargo. [adriane@yahoo.com.br]
Date:     29 July 2013 20:59
Subject:     Documento importante : 5039403 !!

Arquivo : DC-59KDJF994J3K303940430DJJRI8.rar ( 173,4 KB)

The link in the email goes through a legitimate hacked site and then downloads a RAR file from [donotclick]
Read More
Posted in Brazil, Malware, Spam, Viruses | No comments

Facebook spam / deltaoutriggercafe.com

Posted on 14:09 by Unknown


These guys are busy. This fake Facebook spam leads to malware on deltaoutriggercafe.com:


Date:      Tue, 30 Jul 2013 15:05:25 -0500 [16:05:25 EDT]
From:      Facebook [no-reply@facebook.com]
Subject:      Issac Dyer wants to be friends with you on Facebook.

facebook
Issac Dyer wants to be friends with you on Facebook.
University of Houston, Victoria
342 friends - 28 photos
Confirm Request
Read More
Posted in Facebook, GoDaddy, Linode, Malware, Spam, ThreeScripts, Viruses | No comments

eBay "ready to get started? Here’s how." spam / deltamarineinspections.net

Posted on 11:57 by Unknown


There is currently an eBay-themed "ready to get started? Here’s how" spam run active, effectively almost the same as this one, except that this time there is a new set of intermediate scripts and a payload page. The three scripts involved are:

[donotclick]03778d6.namesecurehost.com/meaningful/unsnapping.js
[donotclick]icontractor.org/followings/trolloped.js
[donotclick]tvassist.co.uk/plead/
Read More
Posted in eBay, GoDaddy, Linode, Malware, Spam, ThreeScripts | No comments

"Your password on Pinterest was Successfully modified!" spam / onsayoga.net

Posted on 11:28 by Unknown


This fake Pinterest spam leads to malware on onsayoga.net:


Date:      Tue, 30 Jul 2013 11:17:28 -0500 [12:17:28 EDT]
From:      Pinterest [caulksf8195@customercare.pinterrest.net]
Subject:      Your password on Pinterest was Successfully modified!

A Few Updates...
[redacted]   [redacted]
Changing your password is complete. Please use the link below within 24 hours. reset. Receive New Password
Read More
Posted in Amerika, Bulgaria, Malware, Pinterest, Spam | No comments

CNN "Angelina Jolie tops list of highest-paid actresses" spam / deltadazeresort.net

Posted on 08:29 by Unknown


This fake CNN spam leads to malware on deltadazeresort.net:


Date:      Tue, 30 Jul 2013 17:52:54 +0330 [10:22:54 EDT]
From:      CNN [BreakingNews@mail.cnn.com]
Subject:      CNN: Forbes: Angelina Jolie tops list of highest-paid actresses

Forbes: Angelina Jolie tops list of highest-paid actresses
By Sheridan Watson, EW.com
July 29, 2013 -- Updated 2014 GMT (0414 HKT)
Angelina Jolie attends a
Read More
Posted in CNN, Gandi, GoDaddy, Linode, Malware, Spam, ThreeScripts, Viruses | No comments

Pharma sites to block 30/7/13

Posted on 08:13 by Unknown


These IPs host fake pharma sites which seem to be associated with this gang and share some of its infrastructure. As far as I can tell, none of them host malware.. but the IPs involved could be repurposed as malware servers and blocking them might be prudent.

88.190.218.27 (PROXAD Free SAS, France)
91.199.149.238 (Novosibirsk A3 Ltd, Russia)
91.199.149.239 (Novosibirsk A3 Ltd, Russia)
Read More
Posted in Fake Pharma, France, Poland, Russia, Spam, Ukraine | No comments

Malware sites to block 30/7/13

Posted on 07:43 by Unknown


These sites and IPs are associated with this gang, and are either currently in use or they have been in use recently. The list has individual IPs and web hosts first, followed by a plain list of recommended items to block.

5.175.191.106 (GHOSTnet, Germany)
5.175.191.124 (GHOSTnet, Germany)
24.173.170.230 (Time Warner Cable, US)
24.188.19.227 (Optimum Online, US)
41.196.17.252 (Link Egypt,
Read More
Posted in .SU, Amerika, Bulgaria, Germany, GHOSTnet, Hetzner, India, Russia, Senegal, Sweden, Taiwan, Turkey, Ukraine | No comments

Monday, 29 July 2013

Facebook spam / happykido.com

Posted on 08:50 by Unknown


This fake Facebook spam leads to malware on happykido.com:


Date:      Mon, 29 Jul 2013 09:33:38 -0600 [11:33:38 EDT]
From:      Facebook [update+zj4o40c2_aay@facebookmail.com]
Subject:      Betsy Wells wants to be friends with you on Facebook.
   
Interesting Pages on Facebook
Mark as favorite web pages that interest you to receive their updates in your News Feed.
Betsy Wells
Betsy Wells
   
Baldric
Read More
Posted in Facebook, GoDaddy, Malware, Spam, ThreeScripts, Viruses | No comments

"Key Secured Message" spam / SecureMessage.zip

Posted on 08:08 by Unknown


This spam has a malicious attachment:


Date:      Mon, 29 Jul 2013 06:08:44 -0800 [10:08:44 EDT]
From:      "Marcia_Manning@key.com" [Marcia_Manning@key.com]
Subject:      Key Secured Message

You have received a Secured Message from: Marcia_Manning@key.com
The attached file contains the encrypted message that you have received. To decrypt the message use the following password -  nC4WR706
To read
Read More
Posted in EXE-in-ZIP, Malware, Spam, Viruses, Zbot | No comments

Saturday, 27 July 2013

Jolly Works Hosting.. is it really Jolly?

Posted on 01:15 by Unknown
I was a little curious as to why I kept coming across Jolly Works Hosting from the Philippines when it came to malware hosting. They are a customer of Secured Servers LLC in the US, and when I took a close look at malware reports with Secured Servers IP addresses it turned out that most of them were actually suballocated to Jolly Works Hosting instead.

Jolly Works has a real website and real
Read More
Posted in Jolly Works Hosting, Philippines | No comments

Friday, 26 July 2013

Bank of America "Your transaction is completed" spam / payment receipt 26-07-2013.zip

Posted on 07:36 by Unknown




This fake Bank of America spam has a malicious attachment:


Date:      Fri, 26 Jul 2013 15:50:32 +0200 [09:50:32 EDT]
From:      impairyd04@gmail.com
Subject:      Your transaction is completed

Transaction is completed. $09681416 has been successfully transferred.

If the transaction was made by mistake please contact our customer service.

Payment receipt is attached.


*** This is an
Read More
Posted in EXE-in-ZIP, Malware, Spam, Viruses, Zbot | No comments

Intellicast.com spam / artimagefrance.com

Posted on 07:00 by Unknown


This fake weather spam leads to malware on artimagefrance.com:


Date:      Fri, 26 Jul 2013 02:46:26 -0800 [06:46:26 EDT]
From:      "Intellicast.com" [weather@intellicast.com]
Subject:      Intellicast.com [weather@intellicast.com]

Intellicast.com Weather E-mail - Thursday, Jul 25, 2013 3:38 AM
For the complete 10-Day forecast and current conditions, visit Intellicast.com: http://
Read More
Posted in Jolly Works Hosting, Malware, Spam, ThreeScripts, Viruses | No comments

"welcome to the eBay community!" spam / artimagefrance.com

Posted on 06:40 by Unknown
This fake eBay email leads to malware on artimagefrance.com:


Date:      Fri, 26 Jul 2013 21:40:48 +0900 [08:40:48 EDT]
From:      eBay [eBay@reply1.ebay.com]
Subject:      [redacted] welcome to the eBay community!





Items selected just for you. View this message in your browser
eBay Buyer Protection
ebay™     Fashion     Electionics     Collectibles     Daily Deals     Sell To Buy
Read More
Posted in eBay, Jolly Works Hosting, Malware, Spam, ThreeScripts, Viruses | No comments

Mobiquant - when IT security goes badly wrong

Posted on 03:23 by Unknown


UPDATE: as of September 2013, this site appears to have been cleaned up.

Mobiquant appears to be a small French IT security company run by a gentleman called Reda Zitouni that has reportedly been struggling a bit and may have shut up shop earlier in the year. They describe themselves thusly: "Mobiquant Technologies is a leading company provides mobile SECURITY management technology to
Read More
Posted in France, Injection Attacks, Malware, Stupidity | No comments

Thursday, 25 July 2013

"INCOMING FAX REPORT" spam / 2013vistakonpresidentsclub.com

Posted on 13:41 by Unknown




This fake fax report spam (apparently from the Administrator at the victim's own domain) leads to malware on 2013vistakonpresidentsclub.com:


Date:      Thu, 25 Jul 2013 10:32:10 -0600 [12:32:10 EDT]
From:      Administrator [administrator@victimdomain]
Subject:      INCOMING FAX REPORT : Remote ID: 1150758119

*********************************************************
INCOMING FAX REPORT
*******
Read More
Posted in Jolly Works Hosting, Malware, Spam, ThreeScripts, Viruses | No comments

CNN "77 dead after train derails" spam / evocarr.net

Posted on 06:22 by Unknown


This spam mixes up two topics, a train crash in Spain and the birth of a royal baby in the UK, but it leads to malware on evocarr.net:



Date:      Thu, 25 Jul 2013 20:19:44 +0800 [08:19:44 EDT]
From:      77 dead after train derails [BreakingNews@mail.cnn.com]
Subject:      "Perfect gift for royal baby ... a tree?" -  BreakingNews CNN


77 dead after train derails, splits apart in Spain
By
Read More
Posted in CNN, GoDaddy, Malware, Spam, ThreeScripts, Viruses | No comments

Wednesday, 24 July 2013

CNN "Perfect gift for royal baby ... a tree?" spam / nphscards.com

Posted on 15:20 by Unknown


This fake CNN spam leads to malware on nphscards.com:


Date:      Wed, 24 Jul 2013 19:54:18 +0400 [11:54:18 EDT]
From:      "Perfect gift for royal baby ... a tree?" [BreakingNews@mail.cnn.com]
Subject:      "Perfect gift for royal baby ... a tree?" -  BreakingNews CNN

CNN
U.S. presidents have spotty record on gifts for royal births
By Jessica Yellin, CNN Chief White House Correspondent
July
Read More
Posted in CNN, GoDaddy, Linode, Malware, Spam, ThreeScripts, Viruses | No comments

"You requested a new Facebook password" spam / nphscards.com

Posted on 07:38 by Unknown


This fake Facebook spam leads to malware on nphscards.com:


Date:      Wed, 24 Jul 2013 11:22:46 -0300 [10:22:46 EDT]
From:      Facebook [update+hiehdzge@facebookmail.com]
Subject:      You requested a new Facebook password

facebook
Hello,

You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password
Read More
Posted in Facebook, GoDaddy, Linode, Malware, Spam, ThreeScripts | No comments

More deceptive parkconnect.net / Emailmovers Ltd spam

Posted on 03:41 by Unknown


This spam (sent to a scraped email address) is an apparent front operation for Emailmovers Ltd, who are using the parkconnect.net domain to hide who is spamming. I have caught them doing this before:


From:     Adam Perkins [adam.perkins@parkconnect.net]
Date:     24 July 2013 01:26
Subject:     The world’s most energy efficient sustainable hand dryer
Mailing list:     
Read More
Posted in Emailmovers Ltd, Spam | No comments

CNN "Harrison Ford" spam / 173.246.101.146 and fragrancewalla.com

Posted on 01:27 by Unknown




This fake CNN alert leads to malware on fragrancewalla.com:



Date:      Wed, 24 Jul 2013 12:13:04 +0530 [02:43:04 EDT]
From:      "Harrison Ford on 'Ender's Game' controversy: 'Not an issue for me'" [BreakingNews@mail.cnn.com]
Subject:      "Harrison Ford on 'Ender's Game' controversy: 'Not an issue for me'"

CNN
Harrison Ford on 'Ender's Game' controversy: 'Not an issue for me'
By Emily
Read More
Posted in CNN, Gandi, GoDaddy, Malware, Spam, ThreeScripts, Viruses | No comments

Tuesday, 23 July 2013

Something evil on 91.233.244.102, Part II

Posted on 14:29 by Unknown


Another batch of domains to block on this evil server. See more about the web host in question here.

3e2b312075.com
abwkscsffvqvt.com
aeflkpdhxloa.org
alnvggqlpfcnirw.in
auumhjwopdlunno.net
bgdqfddrqwpfou.net
bwincdwtyxsorh.in
cfcdgvwxnbwcs.net
cfirjgkgirkxkh.net
dkjphajyjkfpxxa.net
doxewpsjdnjmk.com
dpluydtsxloe.org
dqdoydtsxloe.org
dqyokpshxeoa.org
dqzopdhxloa.org
dsmfwjivipeysga.in
Read More
Posted in Malware, Russia, Viruses | No comments

webcashmgmt.com "Incoming Money Transfer" spam / A136_Incoming_Money_Transfer_Form.zip

Posted on 09:04 by Unknown




This fake webcashmgmt.com spam comes with a malicious attachment:


Date:      Tue, 23 Jul 2013 10:21:08 -0500 [11:21:08 EDT]
From:      WebCashmgmt [Alberto_Dotson@webcashmgmt.com]
Subject:      Important Notice - Incoming Money Transfer

An Incoming Money Transfer has been received by your financial institution for spamcop.net. In order for the funds to be remitted on the correct  account
Read More
Posted in EXE-in-ZIP, Malware, Spam, Viruses | No comments

Something evil on 91.233.244.102

Posted on 07:49 by Unknown


The following domains are hosted on 91.233.244.102 (Olborg Ltd, Russia). This IP is implicated in Runforestrun infectors and has several malware detections on VirusTotal plus a few on URLquery. Google has flagged several domains as being malicious (marked in red below).

Obviously there's quite a concentration of evil on this IP address and the simplest thing to do would be to banish it from
Read More
Posted in Malware, Russia | No comments

Malware sites to block 23/7/13

Posted on 02:42 by Unknown


These malicious domains and IPs are associated with this prolific gang.  As usual, I've listed IPs with hosts first and then a plain list of IPs and domains for copy-and-pasting at the end.

5.175.191.106 (GHOSTnet, Germany)
24.173.170.230 (Time Warner Cable, US)
31.145.19.17 (Borusan Telekom / Ericsson-NET, Turkey)
41.196.17.252 (Link Egypt, Egypt)
46.246.41.68 (Portlane Networks, Sweden)
Read More
Posted in 1&1, Amerika, Colombia, GHOSTnet, India, Israel, Korea, Malware, Netherlands, Philippines, Romania, Russia, Taiwan, Turkey, Viruses | No comments

Monday, 22 July 2013

IRS.gov "Complaint Case #488870383295" spam / Complaint_488870383295.zip

Posted on 14:34 by Unknown




This spam contains a malicious attachment, but seems to confuse the roles of the BBB and the IRS.


Date:      Mon, 22 Jul 2013 09:59:08 -0500 [10:59:08 EDT]
From:      "IRS.gov" [fraud.dep@irs.gov]
Subject:      Complaint Case #488870383295

You have received a complaint in regards to your business services.
The complaint was filled by Mr./Mrs. Ulivo DELERME on 07/22/2013/
Case Number:
Read More
Posted in BBB, EXE-in-ZIP, IRS, Malware, Spam | No comments

BMW spam / pagebuoy.net

Posted on 12:02 by Unknown


This convincing-looking BMW spam leads to malware on pagebuoy.net:


Date:      Mon, 22 Jul 2013 13:07:50 -0500 [14:07:50 EDT]
From:      BMW of North America [womanliere75@postmaster.aa-mail.org]
Reply-To:      motherfuckinge926@m.aa-mail.com
Subject:      The BMW 6-Series M Sport Edition, M Universe, and more.

BMW’s 6-Series M Sport Edition     View Online
BMW
A 6 SERIES. WITH M PANACHE.
Meet the 6-Series M Sport
Read More
Posted in Amerika, Malware, Spam, Viruses | No comments

American Airlines spam / sai-uka-sai.com

Posted on 11:50 by Unknown


This fake American Airlines spam leads to malware on www.aa.com.reservation.viewFareRuleDetailsAccess.do.sai-uka-sai.com:


From:     American.Airlines@aa.net
Date:     22 July 2013 17:22
Subject:     AA.com Itinerary Summary On Hold

Dear customer,

Thank you for making your travel arrangements on AA.com! Your requested itinerary is now ON HOLD. Details below.

To ensure that your reservation
Read More
Posted in Amerika, Bulgaria, Malware, Russia, Spam, Viruses | No comments

OVH Hacked

Posted on 08:40 by Unknown


A bad thing to happen, but kudos to OVH for being transparent about this issue:


Hello,

A few days ago, we discovered that the security of our internal network at our offices in Roubaix had been compromised. After internal investigations, it appeared that a hacker was able to obtain access to an email account of one of our system administrators. With this email access, they were able to gain
Read More
Posted in OVH | No comments

ygregistryltd.net / "Huasheng Ltd" domain scam

Posted on 08:07 by Unknown


This is the same scam as this, this and this. Avoid.


From:     Jim Wang [jim.wang@ygregistryltd.net]
Date:     22 July 2013 15:29
Subject:     Regarding Asia/Cn/Hk domain name & Internet Keyword

Dear Manager,

(If you are not the person who is in charge of this, please forward this to your CEO,Thanks)

This email is from China domain name registration center, which mainly deal with the
Read More
Posted in China, Domains, Scams | No comments

David Cameron's porn block - how will it work?

Posted on 04:29 by Unknown




This government likes its half-baked ideas, and David Cameron's attempt to bring in mandatory porn blocking in the UK seems to be one of those daft ideas. Yes, ISPs should offer blocking if people want it.. and perhaps they should be made to offer it by law. But there are a number of concerns which are well addressed by this New Statesman article.

Leaving aside the moral debate and the
Read More
Posted in Politics, Porn | No comments

Friday, 19 July 2013

Verizon Wireless "Data Usage Overage Alert" / verizonwirelessreports.com

Posted on 16:44 by Unknown


This fake Verizon email leads to malware on the domain onemessage.verizonwireless.com.verizonwirelessreports.com:


Date:      Fri, 19 Jul 2013 10:48:31 -0500 [11:48:31 EDT]
From:      Verizon Wireless [VZWMail@e-marketing.verizonwireless-mail.net]
Subject:      Data Usage Overage Alert

Important Information About Your Account.      View Online
verizon wireless    Explore    Shop    My
Read More
Posted in Amerika, Malware, Spam, Viruses | No comments

whoswhonetworkonline.com spam

Posted on 06:22 by Unknown


This turd of an email was sent to an info@ email address on a domain I own. It appears to be a classic Who's Who scam.


From:     Who's Who [cpm2@contactwhoswho.us]
Reply-To:     databaseemailergroup@gmail.com
Date:     19 July 2013 05:44
Subject:     You were recently nominated into Who's Who Amoung Executives

Who's Who Network Online
Hello,
As you are probably aware, in the last few weeks, we at
Read More
Posted in Scams, Spam | No comments

Thursday, 18 July 2013

K&L Wine Merchants (KLWines.com) spam / prysmm.net

Posted on 07:43 by Unknown


This fake K&L Wine Merchants spam email leads to malware on www.klwines.com.order.complete.prysmm.net:



Date:      Thu, 18 Jul 2013 05:57:28 -0800
From:      drowsedl04@inbound.ups.net
CC:
Subject:      Your K&L order #56920789 is complete

Hello from K&L Wine Merchants -- www.KLWines.com
Just wanted to let you know that your order (#56920789) is complete.
Additional comments for this order:
Read More
Posted in Amerika, Korea, Malware, Spam, Viruses | No comments

primrose.co.uk hacked, email addresses compromised

Posted on 06:25 by Unknown


Garden accessories retailer primrose.co.uk has been hacked, and email addresses stored in its system are being abused for phishing purposes:


From:     paypal.co.uk [service@paypal.co.uk]
Date:     18 July 2013 11:01
Subject:     We cannot process your payment at this time.

   
Dear,

We need your help resolving an issue with your account.To give us time to work together on this, we've temporarily
Read More
Posted in Hacked sites | No comments

Wednesday, 17 July 2013

02086 547426 "PC Wizard" tech support scam

Posted on 12:15 by Unknown


Just a quick one.. some Indian scammers routing through a UK number 02086 547426 (02086547426) and purporting to be from a company "PC Wizard" just called and tried to convince me that something was wrong with my PC.

I'll do a write-up later.. but in the meantime their MO is to get you to look at your Event Viewer for errors (there are always errors), and then visit ammyy.com to run some
Read More
Posted in India, Scam | No comments

"Houston Marriott Westchase Reservation Confirmation" spam / marriott.com.reservation.lookup.viperlair.net

Posted on 07:33 by Unknown


This fake Marriott spam leads to malware on marriott.com.reservation.lookup.viperlair.net:



Date:      Wed, 17 Jul 2013 05:12:22 -0800 [09:12:22 EDT]
From:      Marriott Hotels & Resorts Reservation [reservations@clients.marriottmail.org]
Reply-To:      reservations@clients.marriottmail.org
Subject:      Houston Marriott Westchase Reservation Confirmation #86903601

Marriott Hotels & Resorts
Read More
Posted in Amerika, Malware, Spam, Taiwan, Viruses | No comments

Tuesday, 16 July 2013

Bank of America spam / stid 36618-22.zip

Posted on 15:05 by Unknown


This fake Bank of America spam comes with a malicious attachment:


Date:      Tue, 16 Jul 2013 21:21:06 +0200 [15:21:06 EDT]
From:      Joyce Bryson [legalsr@gmail.com]
Subject:      Merchant Statement

Enclosed (pdflPDF|pdf file|document|file) is your Bank of America Paymentech electronic Merchant Billing Statement.
If you need assistance, please (contact|message|call) your Account Executive
Read More
Posted in EXE-in-ZIP, Malware, Spam, Viruses | No comments

"Invoice 48920" spam / doc201307161139482.doc

Posted on 08:31 by Unknown


This spam has a malicious Word attachment, doc201307161139482.doc, which contains an exploit.


From: Carlos Phillips [accounting@travidia.com]
Subject: Invoice 48920

Thanks !!

Greg

Precision Assemblies Products, Inc.Llc.
179 Nesbitt Hills
Holley, NY 51902
(176)-674-6500
nightmarewdp50@travidia.com
Note that the date is included into the filename. The document has an MS12-027 exploit with a
Read More
Posted in Amerika, DOC, Malware, Spam, Viruses | No comments

Malware sites to block 16/7/13

Posted on 03:56 by Unknown


These domains and IPs are associated with this gang. This time there appear to be some diet pill sites in the mix, these may be spammy or they may be malicious.. I would recommend blocking them all though.

24.173.170.230 (Time Warner Cable, US)
31.145.19.17 (Borusan Telekom / Ericsson, Turkey)
38.96.42.60 (PSInet / WiLogic Inc, US)
41.196.17.252 (Link Egypt, Egypt)
46.45.182.27 (Radore Veri
Read More
Posted in .SU, Amerika, Colombia, France, India, Israel, Malware, OVH, Pakistan, Romania, Russia, Taiwan, Thailand, Turkey, Viruses | No comments

Half your video missing in Windows Movie Maker? MS13-057 to blame.

Posted on 00:18 by Unknown
I couldn't quite figure out why Windows Movie Maker was suddenly chopping off the top half of a video I was making..




I didn't investigate the problem very closely because I finished the project using Sony Vegas instead. However, it turns out that I am not alone.. an InfoWorld post also indicates that there are problems with Adobe Premiere Pro, Techsmith Camtasia Studio, Serif MoviePlus X6
Read More
Posted in Microsoft, Patches | No comments

Monday, 15 July 2013

msi.com hacked with kristians1.net

Posted on 23:08 by Unknown
The website of msi.com (a major computer manufacturer) has been hacked and is serving up malware, despite MSI being informed of the problem. Code pointing to the domain kristians1.net (83.143.81.2, ServeTheWorld AS Norway) has been injected into the site and is serving up an exploit kit (report here).



This is not the only time msi.com has been hacked. Most significantly, they recently
Read More
Posted in Injection Attacks | No comments

UPS spam / tvblips.net

Posted on 08:46 by Unknown


This fake UPS spam leads to malware on tvblips.net:



Date:      Mon, 15 Jul 2013 10:20:13 -0500
From:     
Subject:      Your UPS Invoice is Ready

   
This is an automatically generated email. Please do not reply to this email address.

Dear UPS Customer,

Thank you for your business.

New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS
Read More
Posted in Amerika, Malware, Spam, Turkey, UPS | No comments

NOST (NOST.QB) / NSU Resources Inc Pump and Dump Spam

Posted on 06:31 by Unknown


Over the weekend a pump-and-dump spam run started for NSU Resources Inc, trading as NOST.QB. NSU Resources almost certainly have nothing to do with this spam run. Here are a few examples:


Subject: This Stock MOVED HARD


Rubber Stamp N OS_T!!! With A Profoundly Humble Market Float,
The Indicated Rare Earth Business Is In Line To Quintuple.
Suspect For Big Publication In A Minute.

Trading
Read More
Posted in Pump and Dump, Spam | No comments

Friday, 12 July 2013

ygregistry.com.cn domain scam

Posted on 08:36 by Unknown


This domain scam has been doing the rounds for years.


From:     Jim Wang [jim.wang@ygregistry.com.cn]
Date:     12 July 2013 15:44
Subject:     Regarding Asia/Cn/Hk domain name & Internet Keyword

Dear Manager,
(If you are not the person who is in charge of this, please forward this to your CEO,Thanks)
This email is from China domain name registration center, which mainly deal with the domain name
Read More
Posted in China, Domains, Scam | No comments

"TAX Return Reminder" / cpa.state.tx.us.tax-returns.mattwaltererie.net

Posted on 06:49 by Unknown


This fake tax return reminder leads to malware on cpa.state.tx.us.tax-returns.mattwaltererie.net:


--- Version 1 --------------------

Date:      Fri, 12 Jul 2013 14:35:31 +0300
From:      DO.NOT.REPLY@REMINDER.STATE.TX.US.GOV
Subject:      TAX Return Reminder

After
the last quarter calculations of your fiscal activity we have
determined that you are eligible to receive a tax refund of $
Read More
Posted in Amerika, Korea, Malware, Spain, Spam, Turkey, Viruses | No comments

Thursday, 11 July 2013

Malware sites to block 11/7/13

Posted on 02:31 by Unknown


I noticed 188.138.89.106 (Intergenia AG, Germany) was the originating IP being used in this spam run using a hijacked 1&1 account, and VirusTotal thinks that the server is pretty darned evil. A quick poke at this box shows that it hosts a number of multihomed malicious and C&C domains.

Looking at some of these servers, I'm suspicious that they may have been compromised using a Plesk vulnerability.
Read More
Posted in .SU, 1&1, Germany, Intergenia, Malware, UK2.NET, Viruses | No comments

"WTX Media INC" spam / dajizzum.com

Posted on 01:24 by Unknown


This fake invoice spam from the nonexistent "WTX Media" leads to a malware landing page on dajizzum.com:


From: Rebecca Media [mailto:support@rebeccacella.com]
Sent: 11 July 2013 07:46
To: [redacted]
Subject: Subscription Details

We hereby inform you that your subscription has been activated, your login information is as follows:

Username: IX9322130
Password: X#(@kIE04N
Login Key: 839384

Read More
Posted in 1&1, Malware, Spam, Sweet Orange, UK2.NET, Viruses | No comments

Wednesday, 10 July 2013

Visa spam / estateandpropertty.com and clik-kids.com

Posted on 12:03 by Unknown


This fake Visa spam attempts to lead to malware on estateandpropertty.com:


Date:      Wed, 10 Jul 2013 13:20:38 -0300 [12:20:38 EDT]
From:      Visa [policemank3@newsletters.visabusinessnewsmail.org]
Reply-To:      flintierv34@complains.visabusinessnewsmail.org
Subject:      Update Your Business Visa Card Information


Your Visa Business card has been limited. Please update your information
Read More
Posted in Amerika, Malware, Spam, Viruses | No comments

Something evil on 199.231.93.182

Posted on 01:37 by Unknown


199.231.93.182 (Webline Service, US suballocated to "Alex Capersov") is hosting a number of exploits [1] [2] being used in injection attacks. In the sample I saw, code had been injected into the legitimate site englishrussia.com possibly through a traffic exchanger.

The following domains are all hosted on or are associated with this IP. There's a shorter list at the bottom of the post without
Read More
Posted in Injection Attacks, Malware, Viruses | No comments

Tuesday, 9 July 2013

"Payment File Successfully Processed" spam / autorize.net.models-and-kits.net

Posted on 15:56 by Unknown


This spam leads to malware on autorize.net.models-and-kits.net:


Date:      Tue, 9 Jul 2013 15:36:42 -0500
From:      batchprovider@eftps.gov
Subject:      Payment File Successfully Processed

*** PLEASE DO NOT REPLY TO THIS MESSAGE***

Dear Batch Provider,

This message is being sent to inform you that your payment file has successfully processed. 2013-07-09-12.08.00.815358

Detailed
Read More
Posted in Amerika, Malware, Pakistan, Spain, Spam, Thailand, Viruses | No comments

Malware sites to block 9/7/13

Posted on 08:41 by Unknown


These are the current IPs and domains that appear to be in use by this gang. IPs are listed with hosting companies and countries first, and then a plain list of IPs and domains for copy-and-pasting:
5.135.198.41 (OVH, France)
14.63.198.119 (Korea Telecom, Korea)
24.173.170.230 (Time Warner Cable, US)
46.14.182.109 (Swisscom, Switzerland)
46.45.182.27 (Radore Veri Merkezi Hizmetleri, Turkey)
Read More
Posted in .SU, 1&1, Amerika, Australia, Brazil, Colombia, France, Italy, Korea, Malware, Netherlands, OVH, Philippines, Poland, Romania, Russia, Spain, Switzerland, Turkey, Viruses | No comments

Xerox WorkCentre (or is it HP Digital Device?) spam / SCAN_129_07082013_18911.zip

Posted on 01:42 by Unknown


This fake printer spam has a malicious attachment:


Date:      Mon, 8 Jul 2013 12:20:24 -0500 [07/08/13 13:20:24 EDT]
From:      HP Digital Device [HP.Digital8@victimdomain]
Subject:      Scanned Image from a Xerox WorkCentre

Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.

Sent by: [victimdomain]
Number of Images: 8
Attachment File Type: ZIP [
Read More
Posted in EXE-in-ZIP, GoDaddy, Malware, Nuclear Fallout Enterprises, Printer Spam, Spam, Viruses | No comments
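Several of the posts above ("Key Secured Message", the two Bank of America receipts, the webcashmgmt.com transfer form, the IRS.gov complaint and this Xerox scan) carry the same EXE-in-ZIP payload. The script below is an added example, not code from this blog, showing how a mail gateway can triage such an attachment without extracting it: it flags executable and double extensions, whitespace-padded member names, an MZ (PE) header hiding under a document extension, and encrypted members (the "Key Secured Message" variant ships its password in the mail body, so the member is flagged even though its content cannot be read). The extension sets are an assumed policy, and the sample archive is constructed for the example: it reuses the attachment names quoted in the posts but contains only a dummy MZ stub, not real malware.

```python
"""Triage a ZIP e-mail attachment without extracting it (added example)."""
import io
import zipfile
from typing import Dict, List

# Assumed policy sets: what runs when double-clicked versus the harmless
# document extensions that EXE-in-ZIP spam likes to hide behind.
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
                  ".vbs", ".vbe", ".wsf", ".hta", ".msi", ".cpl", ".dll"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
MZ_MAGIC = b"MZ"   # first two bytes of every Windows PE executable


def _split_exts(name: str) -> List[str]:
    """'dir/payment receipt.pdf.exe' -> ['.pdf', '.exe'] (lowercased, trimmed)."""
    base = name.rsplit("/", 1)[-1]
    return ["." + part.strip().lower() for part in base.split(".")[1:]]


def triage_member(zf: zipfile.ZipFile, info: zipfile.ZipInfo) -> List[str]:
    """Reasons one archive member is suspicious; empty list means none seen."""
    reasons: List[str] = []
    if info.is_dir():
        return reasons
    name, exts = info.filename, _split_exts(info.filename)
    if exts and exts[-1] in EXECUTABLE_EXT:
        reasons.append(f"executable extension {exts[-1]}")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXT and exts[-1] in EXECUTABLE_EXT:
        reasons.append("double extension")
    if name != name.strip() or "  " in name:
        reasons.append("whitespace padding in name")
    if info.flag_bits & 0x1:
        # "Key Secured Message" style: the password is in the mail body, the
        # content is unreadable here, but the member can still be flagged.
        reasons.append("encrypted member")
        return reasons
    with zf.open(info) as fh:
        head = fh.read(len(MZ_MAGIC))
    if head == MZ_MAGIC:
        if exts and exts[-1] in EXECUTABLE_EXT:
            reasons.append("PE (MZ) header")
        else:
            reasons.append("PE (MZ) header under non-executable name")
    return reasons


def triage_zip(data: bytes) -> Dict[str, List[str]]:
    """Map every member to its reasons; a corrupt archive is itself a finding."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"<archive>": ["not a valid ZIP file"]}
    with zf:
        return {info.filename: triage_member(zf, info) for info in zf.infolist()}


def verdict(report: Dict[str, List[str]]) -> str:
    """'block' if any member (or the archive itself) has a finding."""
    return "block" if any(report.values()) else "allow"


def build_sample_zip() -> bytes:
    """Constructed attachment reusing names quoted in the posts; the payload is
    a harmless MZ stub, not malware."""
    pe_stub = MZ_MAGIC + b"\x90\x00" * 30
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payment receipt 26-07-2013.pdf.exe", pe_stub)
        zf.writestr("SCAN_129_07082013_18911.pdf", pe_stub)   # lies about its type
        zf.writestr("Complaint_488870383295.txt                    .scr", pe_stub)
        zf.writestr("readme.txt", b"Nothing to see here.\n")
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_zip(build_sample_zip())
    print(verdict(report))
    for member, reasons in report.items():
        print(f"  {member!r}: {', '.join(reasons) or 'clean'}")
```

Reading only the first two bytes of each member keeps the check cheap and avoids ever writing attacker-controlled files to disk; the name checks are still needed because an encrypted member cannot be sniffed at all.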

Monday, 8 July 2013

sendgrid.me / amazonaws.com spam

Posted on 13:55 by Unknown


This spam is unusual in that it comes through an apparently genuine commercial email provider (sendgrid.me) and leads to malware hosted on Amazon's cloud service, amazonaws.com. There is no body text in the spam, just an image designed to look like a downloadable document.

from:     [victim] via sendgrid.me
date:     8 July 2013 19:08
subject:     Urgent 6:08 PM 244999
Signed by:     sendgrid.me
Read More
Posted in Amazon, Malware, Spam, Viruses | No comments

Amex spam / americanexpress.com.krasalco.com

Posted on 08:21 by Unknown


This fake Amex spam leads to malware on americanexpress.com.krasalco.com:

    

From: American Express [mailto:AmericanExpress@emalsrv.aexpmail.org]
Sent: 08 July 2013 15:00
Subject: Account Alert: A Payment Was Received

Check your account balance online at any time
Hello, [redacted]
________________________________________
View Account    Make a Payment    Manage Alerts
Read More
Posted in Amerika, Malware, Spain, Spam, Thailand, Viruses | No comments
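The American Airlines, Verizon Wireless, K&L Wines, Marriott, Texas tax, EFTPS and Amex posts above (and the Pinterest one at the end of this page) all use the same trick: the brand's real domain is placed in the left-hand labels of a hostname whose registrable domain belongs to the attacker, e.g. www.aa.com.reservation.viewFareRuleDetailsAccess.do.sai-uka-sai.com. The checker below is an added example, not code from this blog. It assumes a tiny constructed subset of the Public Suffix List (PUBLIC_SUFFIXES) and an assumed brand watch-list (BRANDS); production code should load the real Public Suffix List. It also catches the one-character typosquat in autorize.net.models-and-kits.net with an edit-distance check, which is applied only to brands long enough for a single edit to mean something.

```python
"""Spot brand domains abused as left-hand labels of attacker hostnames
(added example; see lead-in for the assumptions)."""
import sys
from typing import List, Optional, Tuple

# Constructed subset of the Public Suffix List, enough for the hostnames on
# this page.  Load the real list (e.g. the publicsuffix2 package) in production.
PUBLIC_SUFFIXES = {"com", "net", "org", "us", "tx.us", "state.tx.us"}
# Assumed watch-list of the brands impersonated in the posts above.
BRANDS = {"aa.com", "verizonwireless.com", "klwines.com", "marriott.com",
          "cpa.state.tx.us", "authorize.net", "americanexpress.com",
          "pinterest.com"}
FUZZY_MIN_LEN = 8   # a one-edit match on something as short as aa.com is noise

# Constructed inputs: the first five are hostnames quoted on this page, the
# last three are legitimate-looking controls that must not be flagged.
SAMPLE_HOSTS = [
    "www.aa.com.reservation.viewFareRuleDetailsAccess.do.sai-uka-sai.com",
    "onemessage.verizonwireless.com.verizonwirelessreports.com",
    "cpa.state.tx.us.tax-returns.mattwaltererie.net",
    "autorize.net.models-and-kits.net",
    "americanexpress.com.krasalco.com",
    "www.aa.com",
    "reservations.marriott.com",
    "mail.example.org",
]


def _labels(host: str) -> List[str]:
    return host.lower().rstrip(".").split(".")


def registrable_domain(host: str) -> Optional[str]:
    """eTLD+1 of host under PUBLIC_SUFFIXES; None if host is itself a suffix.

    Longest suffix wins: state.tx.us beats tx.us beats us.
    """
    labels = _labels(host)
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by straightforward dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_brand_labels(host: str) -> List[Tuple[str, str]]:
    """Return (brand, reason) for every watched brand abused in host.

    "brand-as-prefix": the exact brand domain appears as a run of labels
    but is not the registrable domain (www.aa.com.<...>.sai-uka-sai.com).
    "typosquat": a run with the brand's label count is one edit from the
    brand (autorize.net).  The brand's own hosts are never flagged.
    """
    labels = _labels(host)
    owner = registrable_domain(host)
    findings = []
    for brand in sorted(BRANDS):
        if owner == brand:
            continue
        blabels = brand.split(".")
        n = len(blabels)
        for i in range(len(labels) - n + 1):
            run = ".".join(labels[i:i + n])
            if run == brand:
                findings.append((brand, "brand-as-prefix"))
                break
            if len(brand) >= FUZZY_MIN_LEN and _edit_distance(run, brand) == 1:
                findings.append((brand, "typosquat"))
                break
    return findings


if __name__ == "__main__":
    for h in sys.argv[1:] or SAMPLE_HOSTS:
        hits = suspicious_brand_labels(h)
        desc = "; ".join(f"{b} ({r})" for b, r in hits) or "ok"
        print(f"{h}\n  registrable={registrable_domain(h)}  {desc}")
```

The registrable-domain step is what makes the check robust: a naive "does the hostname contain aa.com" test would also fire on the airline's own www.aa.com, while this only fires when someone else owns the domain.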

Sunday, 7 July 2013

yelldatauk.com / Sally Gaskell spam

Posted on 14:37 by Unknown


This email purports to come from yelldatauk.com and is trading on the name of yell.com, a business that it is not affiliated with:


From:     Yell Data UK [info@yelldatauk.com] via ansmtp.com
Date:     7 July 2013 20:37
Subject:     Yell Data
Signed by:     ansmtp.com

Good morning,

I hope this email finds you well.

Our data set contains over 750,000 UK businesses, benefits from full data
Read More
Posted in Sally Gaskell, Spam | No comments

Friday, 5 July 2013

EBC "Password Reset Confirmation" spam / paynotice07.net

Posted on 05:13 by Unknown


This fake password reset spam leads to malware on paynotice07.net:


From: EBC_EBC1961Registration@ebank6.secureaps.com
Sent: 05 July 2013 12:27
Subject: Password Reset Confirmation


Your Online Bankking password was successfully changed on 07/05/2013. If you did not make this change, or if you have any questions, please contact EBC Technical Support using this link.

Support is available
Read More
Posted in Amerika, Brazil, Malware, Spam, Thailand, Viruses | No comments

Thursday, 4 July 2013

Mystery spam leads to Emailmovers Ltd (emailmovers.com / emvrs.co)

Posted on 13:56 by Unknown


Some time ago I received a spam sent to a scraped email address promoting email marketing services (i.e. spam) which features fake contact details and a carefully anonymised web site at prospectdirect.org that shielded the identity of the spammers.

So who was behind this spam? Well, the easiest way to find out was to pretend to be interested. I filled in the contact form on the site and
Posted in Emailmovers Ltd, Spam | No comments

Tuesday, 2 July 2013

Babylon and the 3954 Trojans, or the Whore of Babylon.com

Posted on 13:55 by Unknown


"Babylon and the 3954 Trojans" sounds like a swords and sandals epic, but unfortunately it's just another example of crapware gone wild. Perhaps "The Whore of Babylon.com" is more apt though.

At the heart of Babylon.com's business is a marginally useful "free" translation application plus some paid add-ons. You know, the sort of thing that Google Translate does, except that the Babylon.com
Posted in Adware | No comments

Malware sites to block 2/7/13

Posted on 06:49 by Unknown


These sites belong to this gang and house exploit kits and other nastiness. I've broken the list down into three sections: IPs and web hosts, plain IPs (for copy and pasting) and malware domains. The domains change on a regular basis, the IPs less frequently and are therefore probably the best things to block.

37.123.103.159 (Salay Telekomunikasyon, Turkey)
38.64.161.163 (Stratonexus
Posted in Amerika, Brazil, Bulgaria, Chile, China, Colombia, Germany, Malware, Netherlands, Russia, Spain, TheFirst-RU, Turkey, Viruses | No comments

Adware sites to block 2/7/13

Posted on 02:59 by Unknown


Never trust an ad network that uses anonymous WHOIS details. These are hosted on 108.161.189.161 (NetDNA, US) and all hide their details. Those marked in yellow are flagged by Google for distributing some malware, the links go to the Google Safebrowsing diagnostic page. Given the amount of adware on this server, I would recommend blocking it.

netloader.cc
cdnloader.com
gamesformore.com
Posted in Adware | No comments

Monday, 1 July 2013

Pinterest spam / pinterest.com.reports0701.net

Posted on 11:49 by Unknown


This fake Pinterest spam leads to malware on pinterest.com.reports0701.net:


Date:      Mon, 1 Jul 2013 21:04:36 +0530
From:      "Pinterest" [naughtinessw5@newsletters.pinterest.net]
To:      [redacted]
Subject:      Your password on Pinterest Successfully changed!

[redacted]

Yor password was reset. Request New Password.

See Password

Pinterest is a tool for collecting
Posted in Amerika, Blackhole, Malware, Spam, Viruses | No comments

Adware sites to block 1/7/13

Posted on 02:16 by Unknown


Never trust any sort of ad network that uses anonymous domains and hides all other identifying data. These seem to be doing the rounds at the moment, and some of them may be involved in injection attacks or adware installs. If you have any experience of these domains turning up unexpectedly on your site then please leave a comment. Thanks!

Posted in Adware | No comments