October 2013 ~ tech support 9

Wednesday, 30 October 2013

"Corporate eFax message" spam / bulkbacklinks[.]com and Xeex.com

Posted on 09:06 by Unknown

Oh my, do people really fall for this "Corporate eFax message" spam? Apparently people do because the spammers keep sending it out.

Date:     Wed, 30 Oct 2013 23:33:23 +0900 [10:33:23 EDT]
From:     eFax Corporate [message@inbound.efax.com]
Subject:     Corporate eFax message from "673-776-6455" - 2 pages

Fax Message [Caller-ID: 673-776-6455] You have received a 2 pages fax at 2013-30-10

Posted in eFax, EXE-in-ZIP, Malware, Spam, Viruses, Xeex | No comments

Something evil on 144.76.207.224/28

Posted on 06:19 by Unknown

The network block 144.76.207.224/28 is currently hosting the Magnitude exploit kit (example report) [hat tip to Malekal.com judging from the report].

This is a Hetzner IP range suballocated to:
inetnum: 144.76.207.224 - 144.76.207.239netname: SPHERE-LTDdescr: Sphere LTD.country: DEadmin-c: AR10715-RIPEtech-c: AR10715-RIPEstatus: ASSIGNED

Posted in Evil Network, Magnitude, Malware, Viruses | No comments

Tuesday, 29 October 2013

Suspect network: 69.26.171.176/28

Posted on 12:55 by Unknown

69.26.171.176/28 is a small network range is suballocated from Xeex to the following person or company which appears to have been compromised.

%rwhois V-1.5:0000a0:00 rwhois.xeex.com (by Network Connection Canada. V-1.0)network:auth-area:69.26.160.0/19network:network-name:69.26.171.176network:ip-network:69.26.171.176/28network:org-name:MJB Capital, Inc.network:street-address:8275 South Eastern

Posted in Hacked sites, Malware, Viruses, Xeex | No comments

"Division of Unemployment Assistance" spam / attached_forms.exe

Posted on 11:47 by Unknown

This spam comes with a malicious attachment:

Date:     Tue, 29 Oct 2013 11:12:18 -0600 [13:12:18 EDT]
From:     "info@victimdomain" [info@victimdomain]
Subject:     [No Subject]

A former employee(s) of your company or organization recently filed a claim for benefits
with the Division of Unemployment Assistance (DUA). In order to process this claim, DUA
needs information about each former

Posted in EXE-in-ZIP, Malware, Spam, Viruses, Xeex | No comments

Something evil on 82.211.31.147

Posted on 09:23 by Unknown

Still investigating this one, but 82.211.31.147 (IP-Projects, Germany) appears to be a completely rogue server hosting exploit kits and malware [1] [2].

The following domains and subdomains are associated with with IP address. I recommend blocking them, or more easily the IP address itself.

(Note, this is an updated and shorter version that in the original post)

Posted in Evil Network, Malware, Viruses | No comments

Wells Fargo "Check copy" spam / Copy_10292013.zip

Posted on 08:09 by Unknown

These fake Wells Fargo spam messages have a malicious attachment:

Date:     Tue, 29 Oct 2013 22:34:50 +0800 [10:34:50 EDT]
From:     Wells Fargo [Emilio.Hendrix@wellsfargo.com]
Subject:     FW: Check copy

We had problems processing your latest check, attached is a image copy.

Emilio Hendrix
Wells Fargo Check Processing Services
817-576-4067 office
817-192-2390 cell Emilio.Hendrix@

Posted in EXE-in-ZIP, Malware, Spam, Viruses, Xeex | No comments

Monday, 28 October 2013

Google Ads and #FFF7ED.. what's wrong with this picture?

Posted on 11:30 by Unknown

So here's a long-standing source of irritation that I decided to have a poke at today.. Google Ads in search results. Now, obviously this is one of the main ways that Google makes money and frankly it's part of the deal in them giving you all those search results for free.

Let's take a look at a typical results page, for the term data recovery software (this is traditionally one of the most

Posted in Advertising, Google | No comments

American Express "Fraud Alert" spam / steelhorsecomputers.net

Posted on 09:11 by Unknown

This fake Amex spam leads to malware on steelhorsecomputers.net:

From: American Express [fraud@aexp.com]Date: 28 October 2013 14:14Subject: Fraud Alert : Irregular Card ActivityIrregular Card Activity Dear Customer,We detected irregular card activity on your American ExpressCheck Card on 28th October, 2013.As the Primary Contact, you

Posted in GoDaddy, Linode, Malware, Spam, ThreeScripts, Viruses | No comments

Sunday, 27 October 2013

"You are a Mercedes-Benz winner !!!" spam

Posted on 09:48 by Unknown

This is a slightly novel twist on an advanced fee fraud scam:

From: Mercedes-Benz [desk_notification@yahoo.com]Reply-To: bmlot20137@live.comDate: 27 October 2013 13:44Subject: You are a Mercedes-Benz winner !!!Dear Recipient,You have received a loyalty reward from Mercedes-Benz, Answer the Below question correctly and stand a chance of winning our Promotional Award Grand prize

Posted in 419, Advanced Fee Fraud, Scam, Spam | No comments

Saturday, 26 October 2013

Never mind the NSA, here is LinkedIn Intro

Posted on 00:30 by Unknown

LinkedIn recently announced LinkedIn Intro which is an add-in to the iOS mail app, allowing you do display a contact's LinkedIn data in the message you are reading by injected code into the datastream. This is of marginal use to most people, and many reader will recognise this as being something that annoying browser plugins have done for some time.

Despite LinkedIn's Pledge of Privacy, many

Posted in LinkedIn, Privacy | No comments

Friday, 25 October 2013

"You have received a new debit" Lloyds TSB spam

Posted on 05:19 by Unknown

This fake Lloyds TSB message has a malicious attachment:

Date:     Fri, 25 Oct 2013 13:55:41 +0200 [07:55:41 EDT]
From:     LloydsTSB [noreply@lloydstsb.co.uk]
Subject:     You have received a new debit
Priority:     High Priority 1 (High)

This is an automatically generated email by the Lloyds TSB PLC LloydsLink online payments Service.

The details of the payment are attached.

========

Posted in EXE-in-ZIP, Malware, Spam, Viruses | No comments

Malware sites to block 25/10/2013

Posted on 02:42 by Unknown

This list replaces this one, and mostly contains domains and IPs connected with this gang. The list starts with IPs and web hosts, followed by plain IPs and domains for copy-and-pasting.

5.175.171.89 (GHOSTnet, Germany)5.231.40.197 (GHOSTnet, Germany)5.231.47.92 (GHOSTnet, Germany)31.210.112.28 (Veri Merkezi Hizmetleri, Turkey)42.121.84.12 (Aliyun Computing Co, China)60.199.253.165 (Taiwan

Posted in .SU, Amerika, Brazil, China, Germany, GHOSTnet, India, Malware, Netherlands, Turkey, Viruses | No comments

Thursday, 24 October 2013

"My resume" spam / Resume_LinkedIn.exe

Posted on 07:16 by Unknown

This rather terse spam email message has a malicious attachment:

Date: Thu, 24 Oct 2013 15:45:37 +0200 [09:45:37 EDT]From: Elijah Parr [Elijah.Parr@linkedin.com]Subject: My resumeAttached is my resume, let me know if its ok.Thanks,Elijah Parr ------------------------Date: Thu, 24 Oct 2013 19:14:37 +0530 [09:44:37 EDT]From: Greg Barnes [Greg.Barnes@linkedin.com]Subject

Posted in EXE-in-ZIP, LinkedIn, Malware, Spam, Viruses | No comments

Wednesday, 23 October 2013

"Voice Message from Unknown" spam / VoiceMessage.exe

Posted on 07:13 by Unknown

These bogus voice message spams have a malicious attachment:

Date:     Wed, 23 Oct 2013 19:17:42 +0530 [09:47:42 EDT]
From:     Administrator [voice8@victimdomain]
Subject:     Voice Message from Unknown (553-843-8846)

- - -Original Message- - -

From: 553-843-8846
Sent: Wed, 23 Oct 2013 19:17:42 +0530
To: [recipient list at victimdomain]
Subject: Important: to all Employee

Date:

Posted in EXE-in-ZIP, Israel, Malware, Spam, Viruses | No comments

Tuesday, 22 October 2013

ADP spam / abrakandabr.ru

Posted on 10:28 by Unknown

This fake ADP spam leads to malware on abrakandabr.ru:

From: ClientService@adp.com [ClientService@adp.com]Date: 22 October 2013 18:04Subject: ADP RUN: Account Charge AlertADP Urgent CommunicationNote ID: 33400October, 22 2013Valued ADP PartnerAccount operator with ID 58941 Refused Yesterday Payroll Operation from your ADP account recently. Report(s) have been uploaded to the

Posted in ADP, Malware, RU:8080, Spam | No comments

Monday, 21 October 2013

"Last Month Remit" spam / Remit_10212013.exe

Posted on 07:57 by Unknown

This bogus remittance spam comes a malicious attachment:

Date:     Mon, 21 Oct 2013 15:08:15 +0100 [10:08:15 EDT]
From:     Administrator [docs9@victimdomain]
Subject:     FW: Last Month Remit

File Validity: 21/10/2013
Company : http://[victimdomain]
File Format: Office - Excel
Internal Name: Remit File
Legal Copyright: ╘ Microsoft Corporation. All rights reserved.
Original Filename: Last

Posted in EXE-in-ZIP, Malware, Spam, Viruses | No comments

Friday, 18 October 2013

Malware sites to block 18/10/2013

Posted on 14:58 by Unknown

These IPs and domains are associated with this spam run. Some of these servers have been compromised for some time by the looks of things. There's a plain list for copy-and-pasting at the end.

12.46.52.147 (Compact Information Systems / AT&T, US)
41.203.18.120 (Hetzner, South Africa)
62.75.246.191 (Intergenia, Germany)
62.76.42.58 (Clodo-Cloud / IT House, Russia)
69.46.253.241 (RapidDSL &

Posted in Austria, Bulgaria, India, Japan, Malware, Pakistan, RU:8080, Spam, Taiwan, Thailand, Viruses | No comments

Dropbox spam leads to malware on.. errr.. dynamooblog.ru

Posted on 14:23 by Unknown

Two days ago I wrote about the apparent return of the RU:8080.. well it appears that in order to celebrate their return, they've acknowledged my acknowledgement in the form of a malware landing page of dynamooblog.ru.

Well... hi guys. Things have been a bit quieter without you. Anyway, this is the latest spam email purportedly from Dropbox, and using the same template as used in this

Posted in Malware, RU:8080, Spam, Viruses | No comments

Avaya "Voice Mail Message" spam with a malicious payload

Posted on 09:50 by Unknown

This fake voice mail message appears to originate from within the victim's own domain (although that is just a forgery):

Date: Fri, 18 Oct 2013 09:19:42 -0600 [11:19:42 EDT]From: Voice Mail Message [1c095eb9-fa18-74e5-b@victimdomain.com]Subject: Voice Mail Message ( 45 seconds )This voice message was created by Avaya Modular Messaging. To listen to this voice message,just open

Posted in EXE-in-ZIP, Malware, Spam, Viruses | No comments

"Microsoft Windows Update" phish

Posted on 06:06 by Unknown

A random and untargeted attempt at phishing with a Windows Update twist.

From: Microsoft Office [accounts-updates@microsoft.com]Date: 17 October 2013 02:54Subject: Microsoft Windows UpdateDear Customer,Evaluation period has expired. For information on how to upgrade your windows software please Upgrade Here.Thank you,Copyright © 2013 Microsoft Inc. All rights reserved.
The email

Posted in Microsoft, Phishing, Spam | No comments

Thursday, 17 October 2013

"Scan from a Xerox WorkCentre" spam / A136_Incoming_Money_Transfer_Form.exe

Posted on 14:28 by Unknown

The malware spammers are suffering from a chronic lack of imagination with this familiar fake printer spam:

Date: Thu, 17 Oct 2013 13:01:52 -0600 [15:01:52 EDT]From: Incoming Fax [Incoming.Fax3@victimdomain.com]Subject: Scan from a Xerox WorkCentrePlease download the document. It was scanned and sent to you using a Xerox multifunction device.File Type: pdfDownload: Scanned

Posted in EXE-in-ZIP, Malware, Printer Spam, Spam, Viruses | No comments

118directoryuk.com spam from Darren Gaskell and Sally Gaskell

Posted on 08:26 by Unknown

This spam comes from the serial-spamming husband-and-wife team of Darren Gaskell and Sally Gaskell.

Date:     Thu, 17 Oct 2013 14:53:51 +0100 [09:53:51 EDT]
From:     118 Directory [data@118directoryuk.com]
Subject:     118 Directory

118 welcomes you to our new adventure.

We hope this email finds you well. We wanted to update you on our new service and assist you in getting the most out

Posted in Sally Gaskell, Spam | No comments

Wednesday, 16 October 2013

"Atlantics Post LLC" fake job offer

Posted on 14:21 by Unknown

A bit of Money Mule recruiting that isn't really trying very hard..

Date: Wed, 16 Oct 2013 14:54:34 -0300 [13:54:34 EDT]From: Atlantics Post [misstates7@compufort.com]Subject: Career with Atlantics Post LLCAtlantics Post LLC is now hiring for a Shipping Clerk. If You are young, enthusiastic person. Looking for a great job opportunity with a stable in come this job is for

Posted in Job Offer Scams, Spam | No comments

LinkedIn spam / Contract_Agreement_whatever.zip

Posted on 13:51 by Unknown

This fake LinkedIn spam has a malicious attachment:

Date: Wed, 16 Oct 2013 11:57:55 -0600 [13:57:55 EDT]From: Shelby Gordon [Shelby@linkedin.com]Attached is your new contract agreements.Please read the notes attached, then complete, sign and return this form.Shelby GordonContract ManagerOnline Division - LinkedInShelby.Gordon@linkedin.comOffice: 302-449-8859 Ext. 33Direct:

Posted in EXE-in-ZIP, LinkedIn, Malware, Spam, Viruses | No comments

Pinterest spam, alenikaofsa.ru and the return of the RU:8080 gang?

Posted on 13:10 by Unknown

This fake Pinterest spam leads to a malicious download on alenikaofsa.ru:

Date:     Wed, 16 Oct 2013 12:03:11 -0300 [11:03:11 EDT]
From:     Pinterest [pinbot@pinterest.biz]
Subject:     Your Facebook friend Andrew Hernandez joined Pinterest

A Few Updates...
[redacted]

Andrew Hernandez

Your Facebook friend Andrew Hernandez just joined Pinterest. Help welcome Carol to the

Posted in Intergenia, Malware, RU:8080, Spam, Viruses | No comments

Tuesday, 15 October 2013

"Payroll Received by Intuit" spam / payroll_report_147310431_10112013.zip

Posted on 11:40 by Unknown

This fake Intuit spam comes with a malicious attachment:

Date: Tue, 15 Oct 2013 16:20:40 +0000 [12:20:40 EDT]From: Intuit Payroll Services IntuitPayrollServices@payrollservices.intuit.com]Subject: Payroll Received by IntuitDear, [redacted]We received your payroll on October 11, 2013 at 4:41 PM .Attached is a copy of your Remittance. Please click on the attachment in order to

Posted in EXE-in-ZIP, INTUIT, Malware, Spam, Viruses | No comments

USPS spam / Label_ZFRLOADD5PGGZ0Z_USPS.zip

Posted on 08:26 by Unknown

This fake USPS spam has a malicious attachment:

Date: Tue, 15 Oct 2013 09:36:02 -0500 [10:36:02 EDT]From: USPS Express Services [service-notification@usps.com]Subject: USPS - Missed package deliveryNotificationOur company's courier couldn't make the delivery of package.REASON: Postal code contains an error.DELIVERY STATUS: Sort OrderSERVICE: One-day ShippingNUMBER OF YOUR

Posted in EXE-in-ZIP, Malware, Spam, USPS, Viruses | No comments

Monday, 14 October 2013

Malware sites to block 14/10/2013

Posted on 06:32 by Unknown

It's been a while since I trawled around the activities of the "Amerika" gang, but here is a new set of malicious domains and IPs to block, replacing this list.

24.111.103.183 (Midcontinent Media, US)
42.121.84.12 (Aliyun Computing Co, China)
59.99.226.17 (BB-Multiplay, India)
60.199.253.165 (Taiwan Fixed Network Co, Taiwan)
62.141.46.8 (fast IT, Germany)
65.189.35.129 (Time Warner Cable, US)

Posted in Amerika, Brazil, China, India, Iran, Malware, Netherlands, Philippines, Romania, Taiwan, Viruses | No comments

Friday, 11 October 2013

Meet Muhammad Ali Hassan, spammer

Posted on 06:37 by Unknown

This idiot is attempting to get a job by randomly sending out spam.

From:   Muhammad Ali Hassan [sumtech12@emirates.net.ae]
Reply-To:   ALY.HASSAN.ZIA@gmail.com
Date:   11 October 2013 11:57
Subject:   Applying for the post of Chartered Accountant / Finance Manager /Financial Analytics & Auditor or any other suitable position as per my knowledge and experience.
Sub: Applying for the

Posted in Spam, Stupidity | No comments

Thursday, 10 October 2013

Companies House phish

Posted on 06:20 by Unknown

This fake Companies House spam appears to be some sort of phishing attempt:

Date: Thu, 10 Oct 2013 11:57:31 +0300 [04:57:31 EDT]From: Companies House [contact@companieshouse.co.uk]Subject: Compulsory Companies House WebFiling Update #90721Compulsory Companies House WebFiling Update #90721This is an important notice to inform you as a registered company to update your

Posted in Phishing, Spam | No comments

Wednesday, 9 October 2013

"Annual Form - Authorization to Use Privately Owned Vehicle on State Business" spam / warehousesale.com.my

Posted on 01:33 by Unknown

This oddly-themed spam has a malicious attachment:

Date: Tue, 8 Oct 2013 11:49:49 -0600 [10/08/13 13:49:49 EDT]From: Waldo Reeder [Waldo@victimdomain.com]Subject: Annual Form - Authorization to Use Privately Owned Vehicle on State BusinessAll employees need to have on file this form STD 261 (attached). The original isretained by supervisor and copy goes to Accounting. Accounting

Posted in EXE-in-ZIP, Malware, Spam, Viruses | No comments

Tuesday, 8 October 2013

An informal anti-virus comparison

Posted on 10:30 by Unknown

I use VirusTotal quite a lot for looking at malware and determining how difficult it is to determine, and over time I've built up a fair amount of data on what performs well with the sort of malware that I throw at it.

This isn't a particularly scientific test, the malware I scan has a strong tendency to arrive by email rather than a being a drive-by download and the product settings in

Posted in Anti-Virus Software | No comments

Fake Well Fargo spam comes with a malicious attachment / lasub-hasta.com

Posted on 02:14 by Unknown

This fake Wells Fargo spam is a retread of this one, but comes with a slightly different attachment:

Date:     Mon, 7 Oct 2013 19:56:29 +0100 [10/07/13 14:56:29 EDT]
From:     "Harry_Buck@wellsfargo.com" [Harry_Buck@wellsfargo.com]
Subject:     Documents - WellsFargo

Please review attached files.

Harry_Buck
Wells Fargo Advisors
817-487-2882 office
817-683-6287 cell Harry_Buck@

Posted in EXE-in-ZIP, Malware, Spam, Viruses | No comments

Friday, 4 October 2013

Fake Dropbox spam leads to malware on adelect.com

Posted on 06:34 by Unknown

This fake Dropbox spam leads to malware:

Date: Fri, 4 Oct 2013 16:24:30 +0330 [08:54:30 EDT]From: Dropbox [no-reply@dropboxmail.com]Subject: Please update your Expired Dropbox PasswordHi [redacted].We noticed that you recently tried to login in to Dropbox with a password that you haven't changed more than 90 days. Your old password has expired and you'll need to create a new

Posted in GoDaddy, Malware, Nuclear Fallout Enterprises, Spam, Viruses | No comments

Thursday, 3 October 2013

Fake Amazon spam uses email address harvested from Comparethemarket.com

Posted on 09:22 by Unknown

This fake Amazon spam was sent to an email address only used for the UK price comparison site Comparethemarket.com.

From:    Amazon.com [ship-confirm@amazon.com]
Reply-To:    "Amazon.com" [ship-confirm@amazon.com]
Date:    3 October 2013 15:43
Subject:    Your Amazon.com order of "Canon EOS 60D DSLR..." has shipped!

Amazon.com
Kindle Store
    | Your Account | Amazon.com

Posted in Amazon, GoDaddy, Linode, Malware, Spam, Viruses | No comments

Wednesday, 2 October 2013

Fake Staples spam leads to malware on tootle.us

Posted on 08:01 by Unknown

This fake Staples spam leads to malware on a site called tootle.us:

Date: Wed, 2 Oct 2013 08:40:11 -0500 [09:40:11 EDT]From: support@orders.staples.comSubject: Staples order #: 1353083565 Thank you for shopping Staples.Here's what happens next:Order No.:1353083565 Customer No.:1278823232 Method of Payment:Credit or Debit CardTrack order: Track your

Posted in GoDaddy, Linode, Malware, Spam, ThreeScripts, Viruses | No comments

Tuesday, 1 October 2013

Fake NACHA spam leads to malware on thewalletslip.com

Posted on 06:40 by Unknown

This fake NACHA spam leads to malware on thewalletslip.com:

Date: Tue, 1 Oct 2013 15:05:56 +0330 [07:35:56 EDT]From: ACH Network [markdownfyye396@nacha.org]Subject: Your ACH transferThe ACH processing (ID: 428858072307), recently was made from your bank account (by you or any other person), was rejected by the other financial institution.Aborted transferACH transfer ID:

Posted in GoDaddy, Malware, NACHA, Spam, Viruses | No comments