tech support 9


Monday, 26 August 2013

UPS Spam / UPS Invoice 74458652.zip

Posted on 15:20 by Unknown


This fake UPS invoice has a malicious attachment:


From:      "UPSBillingCenter@ups.com" [UPSBillingCenter@ups.com]
Subject:      Your UPS Invoice is Ready

New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center. Download the attachment. Invoice will be automatically shown by double click.

Attached is a file UPS Invoice 74458652 which in
Posted in EXE-in-ZIP, GoDaddy, Linode, Malware, Spam, UPS, Viruses | No comments

Friday, 23 August 2013

Wells Fargo spam / WellsFargo_08232013.exe

Posted on 09:23 by Unknown


This fake Wells Fargo spam has a malicious attachment:


Date:      Fri, 23 Aug 2013 09:43:44 -0500 [10:43:44 EDT]
From:      Morris_Osborn@wellsfargo.com

Please review attached documents.

Morris_Osborn
Wells Fargo Advisors
817-718-8096 office
817-610-5531 cell Morris_Osborn@wellsfargo.com

Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells
Posted in EXE-in-ZIP, Malware, Spam, Viruses | No comments

Thursday, 22 August 2013

"Remittance Docs 2982780" spam / Docs_08222013_218.exe

Posted on 13:27 by Unknown


This fake Chase spam has a malicious attachment:


Date:      Thu, 22 Aug 2013 10:00:33 -0600 [12:00:33 EDT]
From:      Jed_Gregory [Jed_Gregory@chase.com]
Subject:      Remittance Docs 2982780

Please find attached the remittance 2982780.

If you are unable to open the attached file, please
Posted in EXE-in-ZIP, GoDaddy, Malware, Nuclear Fallout Enterprises, Spam, Viruses | No comments

Discover card "Your account login information updated" spam / abemuggs.com

Posted on 12:57 by Unknown


This fake Discover card spam leads to malware on abemuggs.com:


Date:      Thu, 22 Aug 2013 16:14:59 +0000 [12:14:59 EDT]
From:      Discover Card [no-reply@facebook.com]
Subject:      Your account login information updated

Discover
Access My Account
ACCOUNT CONFIRMATION
Statements | Payments | Rewards
Your account login information has been updated.

Dear Customer,
This e-mail is to confirm
Posted in GoDaddy, Linode, Malware, Spam, ThreeScripts, Viruses | No comments

Red Sox Baseball spam / lindoliveryct.net

Posted on 11:35 by Unknown


This fake Red Sox spam leads to malware on lindoliveryct.net:


Date:      Thu, 22 Aug 2013 13:02:19 -0400 [13:02:19 EDT]
From:      ticketoffice@inbound.redsox.com
Subject:      Thank You for your order. ( RSXV - 4735334 - 0959187 )

Thank you for your recent ticket purchase. We truly appreciate your support and commitment to Red Sox Baseball. If you have any questions regarding your purchase,
Posted in Amerika, Malware, Russia, Spam, Viruses | No comments

Wednesday, 21 August 2013

Facebook spam / thenatemiller.co

Posted on 15:15 by Unknown


This fake Facebook spam leads to malware on thenatemiller.co:


Date:      Wed, 21 Aug 2013 22:05:38 +0530 [12:35:38 EDT]
From:      Facebook [update+hiehdzge@facebookmail.com]
Subject:      You requested a new Facebook password

facebook
Hello,

You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new
Posted in Facebook, GoDaddy, Malware, Nuclear Fallout Enterprises, Spam, ThreeScripts, Viruses | No comments

Tuesday, 20 August 2013

Laughable advanced fee fraud scam promises $2.5

Posted on 16:16 by Unknown


Two-and-a-half bucks? I think I'll pass.

From:     Mr Anthony Freed [johnewele12@cantv.net]
Reply-to:     dhlcorriadeliveryservice@live.com
Date:     20 August 2013 21:13
Subject:     Attention please!!!

Attention please!!!

We have registered your ATM CARD of (US $2.5) with DHL Express Courier Company with registration code of ( 9665776) please Contact with your delivery information:

DHL OFFICE:
Name
Posted in Advanced Fee Fraud, Scams, Spam, Stupidity | No comments

Facebook spam / dennissellsgateway.com

Posted on 16:02 by Unknown


This fake Facebook spam leads to malware on dennissellsgateway.com:


Date:      Tue, 20 Aug 2013 15:28:11 -0500 [16:28:11 EDT]
From:      Facebook [no-reply@facebook.com]
Subject:      Gene Maynard wants to be friends with you on Facebook.

facebook
   
Gene Maynard wants to be friends with you on Facebook.
University of Houston, Victoria
342 friends - 28 photos
Confirm Request
       
See
Posted in Facebook, GoDaddy, Malware, Nuclear Fallout Enterprises, Spam, ThreeScripts, Viruses | No comments

Monday, 19 August 2013

"You have received a secure message" spam / securedoc.zip

Posted on 14:24 by Unknown


This fake Citi spam contains a malicious attachment:

Date:      Mon, 19 Aug 2013 20:24:27 +0000 [16:24:27 EDT]
From:      "secure.email@citi.com" [secure.email@citi.com]
Subject:      You have received a secure message

You have received a secure message
Posted in EXE-in-ZIP, GoDaddy, Jolly Works Hosting, Malware, Spam, ThreeScripts, Viruses | No comments

"You requested a new Facebook password" spam / frankcremascocabinets.com

Posted on 11:42 by Unknown


This fake Facebook spam follows on from this one, but has a different malicious landing page at frankcremascocabinets.com:


From:     Facebook [update+hiehdzge@facebookmail.com]
Date:     19 August 2013 17:38
Subject:     You requested a new Facebook password

facebook
Hello,

You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you
Posted in Facebook, GoDaddy, Jolly Works Hosting, Malware, Spam, ThreeScripts, Viruses | No comments

Facebook spam / hubbywifewines.com

Posted on 07:48 by Unknown


This fake Facebook spam leads to malware on hubbywifewines.com:


Date:      Mon, 19 Aug 2013 16:20:06 +0200 [10:20:06 EDT]
From:      Facebook [update+hiehdzge@facebookmail.com]
Subject:      You requested a new Facebook password

facebook
Hello,

You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let
Posted in Facebook, GoDaddy, Malware, Nuclear Fallout Enterprises, Spam, ThreeScripts, Viruses | No comments

MONK / Monarchy Resources, Inc pump-and-dump spam

Posted on 07:18 by Unknown


Another day, another pump-and-dump spam run, this time being sent to randomly generated email addresses promoting MONK (Monarchy Resources, Inc). Here are some examples:


Subject: Pick Of The Week... Do Not Miss Out This Time!

Make easy $15'000 Monday!!! Hello, want to receive $15'000 by next Friday? You would receive lot more if you get this hot stock on Monday. The stock symbol is: M_O N_K.
Posted in Pump and Dump, Spam | No comments

Malware sites to block 19/8/13

Posted on 02:51 by Unknown


These sites and IPs belong to this gang, and this list follows on from this one:

Posted in .SU, Bulgaria, Germany, Hetzner, Korea, Linode, Malware, Senegal, Spain, Taiwan, Turkey, Viruses | No comments

Malekal.com Joe Job part II

Posted on 00:54 by Unknown


There has been a Joe Job being run against Malekal.com for some time now. However, the joe job has now morphed and includes a reference to this blog (which is kind of annoying).


Date:      Sun, 18 Aug 2013 14:35:33 +0300 [08/18/13 07:35:33 EDT]
Subject:      Email SPAM for malekal.com

Theses emails SPAM are sent from a botnet (check the mails headers), im not responsible of theses spam
Posted in Joe Job, Spam | No comments

Friday, 16 August 2013

"California Human Right Foundation CHRF USA" scam email

Posted on 10:41 by Unknown


It's hard to say whether or not this scam is simply a version of the advanced fee fraud (you can come to the conference, but there will be fees and hotel charges), or if the idea is that you go down to Senegal and get kidnapped. In any case, this is a scam sent to an email address scraped from the web via a hijacked email account in Indonesia. Similar scams have been seen before. Avoid.


From:
Posted in Advanced Fee Fraud, Scam, Senegal | No comments

ADP spam / ADP_week_invoice.zip|exe

Posted on 08:32 by Unknown


This fake ADP spam has a malicious attachment:


Date:      Fri, 16 Aug 2013 09:57:59 -0500 [10:57:59 EDT]
From:      "run.payroll.invoice@adp.com" [run.payroll.invoice@adp.com]
Subject:      ADP Payroll INVOICE for week ending 08/16/2013

Your ADP Payroll invoice for last week is attached for your review. If you have any questions regarding this invoice, please contact your ADP service team at the
Posted in ADP, EXE-in-ZIP, Malware, Spam, Viruses | No comments

"CEO Portal Statements & Notices Event" spam / report_{DIGIT[12]}.exe

Posted on 08:23 by Unknown


This fake Wells Fargo email has a malicious attachment:


Date:      Fri, 16 Aug 2013 09:51:17 -0500 [10:51:17 EDT]
From:      Wells Fargo Event Messaging Admin [ofsrep.ceosmuigw@wellsfargo.com]
Subject:      CEO Portal Statements & Notices Event

Wells Fargo
Commercial Electronic Office (CEO) Portal Statements & Notices Event: Multiple Download Request Available
Your Deposit Adjustment Notices is
Posted in EXE-in-ZIP, GoDaddy, Malware, Nuclear Fallout Enterprises, Spam, Viruses | No comments

Thursday, 15 August 2013

"INCOMING FAX REPORT" spam / chellebelledesigns.com

Posted on 08:30 by Unknown


A facsimile transmission. How quaint. Of course, it isn't.. the link in the spam goes to a malicious page on chellebelledesigns.com:


From:     Administrator [administrator@victimdomain]
Date:     15 August 2013 16:08
Subject:     INCOMING FAX REPORT : Remote ID: 1043524020

*********************************************************INCOMING FAX REPORT********************************************
Posted in Gandi, GoDaddy, Malware, Spam, ThreeScripts, Viruses | No comments

Something evil on 162.211.231.16

Posted on 05:31 by Unknown


The server at 162.211.231.16 (IT7 Networks, Canada) is currently being used in injection attacks (example) which have been going on for some time [1] [2] and uses several domains, some of which are listed below.

The WHOIS details for these domains seem to be consistent but are possibly fake:

Registrant ID:CR148448937
Registrant Name:Leonardo Salim Chahda
Registrant Street1:Patron 6755
Registrant
Posted in GoDaddy, Injection Attacks, Malware, Viruses | No comments

Wednesday, 14 August 2013

ADP spam / hubbywifeburgers.com

Posted on 12:10 by Unknown


This fake ADP spam leads to malware on hubbywifeburgers.com:


Date:      Wed, 14 Aug 2013 08:58:12 -0700 [11:58:12 EDT]
From:      "ADPClientServices@adp.com" [service@citibank.com]
Subject:      ADP Security Management Update

ADP Security Management Update

Reference ID: 39866

Dear ADP Client August 2013

This message is to inform you of the upcoming "Phase 2" enhancement to ADP Security
Posted in ADP, GoDaddy, Malware, Spam, ThreeScripts, Viruses | No comments

Gmail Compose.. another app screwed up by Google

Posted on 11:55 by Unknown
If you use Gmail then you've probably seen the "new compose" experience before. And turned it off. Well, Google never listened to feedback, and now Gmail joins a long list of applications that Google have screwed up, including Blogger, Google Play Music, Google Maps for Android and don't get me started on Google Reader and iGoogle.




The new compose experience attempts to be minimalist, but in reality
Posted in Google, Stupidity | No comments

Tuesday, 13 August 2013

Bank of America spam / Instructions Secured E-mail.zip

Posted on 08:42 by Unknown


This fake Bank of America spam has a malicious attachment:


Date:      Tue, 13 Aug 2013 09:35:13 -0500 [10:35:13 EDT]
From:      "Alphonso.Wilcox" [Alphonso.Wilcox@bankofamerica.com]
Subject:      Instructions Secured E-mail.pdf

I will be forwarding the application through a secure e-mail. Attached are instructions for you to create a password to open the secure e-mails from us. Just a bit
Posted in EXE-in-ZIP, GoDaddy, Linode, Malware, Spam, Viruses | No comments

Pharma sites to block

Posted on 03:24 by Unknown


These fake pharma sites and IPs seem related to these malware domains, and follow on from this list last week.

Posted in China, Fake Pharma, Lithunia, Poland, Russia, Spam, Taiwan | No comments

Malware sites to block 13/8/13

Posted on 03:05 by Unknown


These IPs and domains belong to this gang and this list follows on from the one I made last week.

Posted in Amerika, Brazil, China, Colombia, France, Germany, GHOSTnet, Korea, Linode, Lithunia, Malware, OVH, Russia, Spam, Taiwan, Turkey, Viruses | No comments

Monday, 12 August 2013

Facebook spam / guterhelmet.com

Posted on 13:13 by Unknown




This fake Facebook spam leads to malware on guterhelmet.com:


Date:      Mon, 12 Aug 2013 17:51:17 -0200 [15:51:17 EDT]
From:      Facebook [update+zj433fgc2_aay@facebookmail.com]
Subject:      Willie Powell wants to be friends with you on Facebook.

facebook
interesting pages on facebook
mark as favorite web pages that interest you to receive their updates in your news feed.
Willie
Posted in Facebook, GoDaddy, Linode, Malware, Spam, ThreeScripts | No comments

Friday, 9 August 2013

CNN: " Canadian teenager Rehtaeh Parsons" spam leads to malware

Posted on 18:54 by Unknown


The bad guys don't have much of a sense of shame. This fake CNN email leads to malware on hubbynwifewines.com:


Date:      Sat, 10 Aug 2013 01:33:17 +0330 [18:03:17 EDT]
From:      CNN [BreakingNews@mail.cnn.com]
Subject:      CNN: " Canadian teenager Rehtaeh Parsons"

2 face charges in case of Canadian girl who hanged self after alleged rape
By Stephanie Gallman and Phil Gast, CNN
updated 6:
Posted in CNN, GoDaddy, Malware, Spam, ThreeScripts, Viruses | No comments

"This video has been recognized as the most popular videos on the internet!" porn spam

Posted on 12:18 by Unknown


This fake porn spam leads to malware on hubbynwifewines.com:


Date:      Fri, 9 Aug 2013 11:54:00 -0600 [13:54:00 EDT]
From:      "Youtobe.com" [Subscribe@Youtobe.com]
Subject:      Youtobe.com: "This video has been recognized as the most popular videos on the internet!"

Only now free TOP HD video watch now

This video has been recognized as the most popular videos on the internet! Watch now
Posted in GoDaddy, Malware, Porn, Spam, ThreeScripts, Viruses | No comments

Thursday, 8 August 2013

Citibank spam / Loan_08082013.exe

Posted on 13:38 by Unknown


This fake Citibank spam comes with a malicious attachment:


Date:      Thu, 8 Aug 2013 13:09:04 -0500 [14:09:04 EDT]
From:      Erin_Gay [Erin_Gay@citibank.com]
Subject:      RE: Loan Approved

Your documents are ready , please sign them and email them back.

Thank you
Erin_Gay
Level III Account Management
817-835-6023 office
817-074-9181 cell Erin_Gay@citibank.com

Investments in securities and insurance
Posted in EXE-in-ZIP, Malware, Spam, Viruses, Zeus | No comments

TigerDirect.com spam / palmer-ford.net

Posted on 11:23 by Unknown


This fake TigerDirect.com spam leads to malware on palmer-ford.net:


Date:      Thu, 8 Aug 2013 21:54:14 +0400 [13:54:14 EDT]
From:      "TigerDirect.com" [noreply@tigerdirect.com]
Subject:      Your TigerDirect.com Order I9179488 Shipment Update

Computers
Computer Parts
Electronics
TV & Video
Cameras & Surveillance
Cell Phones

Order Shipped:    08/07/2013
Order No.    I9179488
Shipment Total:    $
Posted in .SU, Amerika, Bulgaria, Malware, Spam, Viruses | No comments

Facebook spam / hubby-wife.com and 72.249.76.197

Posted on 10:54 by Unknown


This fake Facebook spam leads to malware on hubby-wife.com:


Date:      Thu, 8 Aug 2013 09:36:19 -0800 [13:36:19 EDT]
From:      Facebook [update+zj433fgc2_aay@facebookmail.com]
Subject:      Doug Bernal wants to be friends with you on Facebook.
   
Interesting Pages on Facebook
Mark as favorite web pages that interest you to receive their updates in your News Feed.

Doug Bernal
Doug Bernal
Posted in Facebook, GoDaddy, Malware, Spam, ThreeScripts, Viruses | No comments

Wednesday, 7 August 2013

eFax / jConnect spam and eliehabib.com

Posted on 16:03 by Unknown


This fake fax spam leads to malware on eliehabib.com:


Date:      Wed, 7 Aug 2013 13:05:22 -0600 [15:05:22 EDT]
From:      Fax Message [message@inbound.efax.com]
Subject:      Fax Message at 2013-08-07 01:54:34 EST

Blue Bar
Fax Message

You have received 4 fax page(s) at 2013-08-07 01:54:34 EST.

* The reference number for this fax is wlmt_bgp85-3506454489-3878764215-49.
* The transmission
Posted in eFax, Gandi, Malware, Spam, ThreeScripts, Viruses | No comments

Tuesday, 6 August 2013

Pharma sites to block 6/8/13

Posted on 03:45 by Unknown


A new list of pharma sites and IPs, related to this bunch.

Posted in Brazil, China, Fake Pharma, Lithuania, Poland, Russia, Ukraine | No comments

Malware sites to block 6/8/13

Posted on 03:27 by Unknown


Following on from last week's list, this week seems to see a smaller number of servers and malicious domains from this crew.

Posted in .SU, Amazon, Amerika, Bulgaria, China, Colombia, Egypt, Germany, Hetzner, India, Malware, Viruses | No comments

What is 65.222.202.0/24?

Posted on 02:02 by Unknown
A breakdown of the suballocations of the Verizon Business 65.222.202.0/24 block, mentioned in connection with Torsploit:









Block             | Start          | End            | CustName:                 | Description:
65.222.202.0/28   | 65.222.202.0   | 65.222.202.15  | Science Applications Int  | SAIC (US Defense contractor)
65.222.202.16/28  | 65.222.202.16  | 65.222.202.31  | Old Dominion Internet     | Possibly dormant VA
Posted in Injection Attacks, Tor | No comments

Monday, 5 August 2013

Torsploit: is 65.222.202.53 the NSA?

Posted on 15:50 by Unknown


There has been a lot of chatter in the past day or so about the takedown of an Irish outfit called Freedom Hosting which hosted a number of "hidden services" on Tor, ranging from Tormail (which allows anonymous email communication) to.. well, Really Bad Stuff that you don't want to know about. Basically.. Law Enforcement (LE) appear to have discovered the real-world location of these servers on
Posted in Crime, Injection Attacks, Tor | No comments

alliexfinancial.com / Alliexfinancial Ltd "Legal Registered Investment company" spam (is it a scam?)

Posted on 10:44 by Unknown


A slightly odd spam, sent to a scraped email address:


From:     Dirk Nunes [flamwood888@gmail.com]
Date:     5 August 2013 10:54
Subject:     Legal Registered Investment company
Signed by:     gmail.com

alliexfinancial Ltd
Our advantages :

Legal Registered Investment company

Guaranteed
Posted in Spam | No comments

Sunday, 4 August 2013

BLDW "Building Turbines Corp" pump-and-dump spam

Posted on 11:15 by Unknown


This illegal spam run almost definitely does not come from Building Turbines Corp (BLDW) but instead from someone trying to game the system through a pump-and-dump scam.

There are lots of variations on the spam, but here are three examples:


Subject: This Stock is our New Wild Sub-Penny Pick!

Green Energy Company Signs Deal to Construct Rooftop Wind Turbines
for 90 Thousand Sq-Ft Stockroom.
Posted in Pump and Dump, Spam | No comments

Friday, 2 August 2013

redwoodoptions.com "Joe Job" spam

Posted on 14:19 by Unknown


I don't know anything about "Redwood Options" redwoodoptions.com but it seems to deal in binary options. In my personal opinion, this kind of derivative trading helped to lead to the banking collapse and should be outlawed.


Subject: For Trader
Subject: For Investor
Subject: Start Trading Now

Trade Forex, Commodities, Stocks and Indices with Up to 81% Return!
- Exclusive 60 second option
- Onetouch
Posted in Joe Job, Spam | No comments

cpro.su "Joe Job" spam run

Posted on 14:07 by Unknown


This spam run is aimed at disrupting the underground forum cpro.su:

Subject: International carding board on new domain
Subject: Private Hacking and Carding Forum / New Domain

Welcome to Private Hacking and Carding Forum. We talking and sharing about CVV, Paypal, Accounts, Bank Logs, Hacking Tools and Carding Tips. Newbie is not allowed here. Do not enter if you don't know what to do...
http://
Posted in Joe Job, Spam | No comments

Malekal.com "Joe Job" spam

Posted on 13:59 by Unknown


Update: there is a new version of this Joe Job spam, now mentioning this post in the body text (more info).

Malekal's Site is a French-language site covering malware and spam. This particular spam run (called a "Joe Job") is not from Malekal, but is instead attempting to disrupt the site. Presumably the bad guys have found something they don't like.

Here are some examples:

Subject: Trojan
Posted in Joe Job, Spam | No comments

MoneyGram "Payment notification email" spam / drstephenlwolman.com

Posted on 12:12 by Unknown


This fake MoneyGram spam leads to malware on drstephenlwolman.com:


Date:      Fri, 2 Aug 2013 22:23:53 +0330 [14:53:53 EDT]
From:      "Moneygram Inc." [infusionnbb3@gmail.com]
Subject:      Payment notification email

Revenues notification email
This is an automated email - please do not reply!

Dear customer!

You are receiving this notification because of you have been received the payment.
Posted in GoDaddy, Malware, Nuclear Fallout Enterprises, Spam, ThreeScripts, Viruses | No comments

"Your most recent payment has been processed" spam / capitalagreements.com

Posted on 12:05 by Unknown


This fake Discover Card spam leads to malware on capitalagreements.com:



Date:      Fri, 2 Aug 2013 20:41:09 +0200 [14:41:09 EDT]
From:      Discover Card [dontrply@service.discovercard.com]
Reply-To:      dontrply@service.discovercard.com

Discover
Access My Account
ACCOUNT CONFIRMATION
Statements | Payments | Rewards
Your most recent payment has been processed.
Posted in GoDaddy, Linode, Malware, Spam, ThreeScripts, Viruses | No comments

Thursday, 1 August 2013

Olborg Ltd / ОЛЬБОРГ / o1host.net (AS57636) revisited

Posted on 08:37 by Unknown


Update:  I am trying to verify claims that Olborg Ltd are operating a sinkhole (which is a good thing) rather than a malware server (a bad thing).

Last week I pointed out a malware site on 91.233.244.102 hosted by Olborg Ltd / ООО "ОЛЬБОРГ" (AS57636) [1] [2] (website at o1host.net) and made a recommendation that admins block access to the entire 91.233.244.0/23 block.

A polite but concerned
Posted in Hosting, Malware, Russia | No comments

Pump and dump spam flogs a dead horse with Biostem U.S. Corporation (HAIR)

Posted on 00:46 by Unknown


About a month-and-a-half ago I had a look at the pump-and-dump spam promoting Biostem U.S. Corporation (HAIR) when it was trading at around $0.30.

Surprisingly, the pump-and-dump spam is still ongoing which will make it nearly two months of spam on one single stock..


This Company Will Make an Impressive Recovery! It is the answer to your portfolio troubles!
Date: August 1st
Long Term Target: .
Posted in Pump and Dump, Spam | No comments