
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #251
    AplusWebMaster (Adviser Team) - Join Date: Oct 2005, Location: USA, Posts: 6,881

    Malware sites to block 8.13.2013 ...

    FYI...

    Malware sites to block 13/8/13
    - http://blog.dynamoo.com/2013/08/malw...ock-13813.html
    13 August 2013 - "These IPs and domains belong to this gang* and this list follows on from the one I made last week**..."
    (Long list of IPs at the dynamoo URL above.)
    * http://blog.dynamoo.com/search/label/Amerika

    ** http://blog.dynamoo.com/2013/08/malw...lock-6813.html
    ___

    Pharma sites to block
    - http://blog.dynamoo.com/2013/08/phar...-to-block.html
    13 August 2013 - "These fake pharma sites and IPs seem related to these malware domains*, and follow on from this list last week**..."
    (Long list at the dynamoo URL above.)
    * http://blog.dynamoo.com/2013/08/malw...ock-13813.html

    ** http://blog.dynamoo.com/2013/08/phar...lock-6813.html
    ___

    Threat Outbreak Alerts
    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake Unpaid Debt Invoice Email Messages - 2013 Aug 13
    Malicious Attachment Email Messages - 2013 Aug 12
    Fake Money Transfer Notification Email Messages - 2013 Aug 12
    Fake Account Payment Notification Email Messages - 2013 Aug 12
    Fake Product Order Notification Email Messages - 2013 Aug 12
    Fake Package Delivery Failure Notification Email Messages - 2013 Aug 12
    Fake Payment Notification Email Messages - 2013 Aug 12
    Fake Bank Details Reconfirmation Email Messages - 2013 Aug 12
    Fake Documents Attachment Email Messages - 2013 Aug 12
    Fake Portuguese Electrical Equipment Invoice Notification Email Messages - 2013 Aug 12
    Fake Bank Payment Transfer Notification Email Messages - 2013 Aug 12
    Fake Banking Account Information Email Messages - 2013 Aug 12
    (More detail and links at the cisco URL above.)
    ___

    LinkedIn Connection Spam
    - http://threattrack.tumblr.com/post/5...onnection-spam
    Aug. 13, 2013 - "Subjects Seen:
    Invitation to connect on LinkedIn
    Typical e-mail details:
    <removed> wants to connect with you on LinkedIn.

    Malicious URLs
    bobbiler.corewaysolution .com/images/wp-gdt.php?x95S4F4MY33PRBG0W
    sharperspill .biz/closest/i9jfuhioejskveohnuojfir.php


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...sx91qz4rgp.png
    ___

    CNN Breaking News Rehtaeh Parsons Spam
    - http://threattrack.tumblr.com/post/5...h-parsons-spam
    Aug. 13, 2013 - "Subjects Seen:
    CNN: “Canadian teenager Rehtaeh Parsons”
    Typical e-mail details:
    2 face charges in case of Canadian girl who hanged self after alleged rape
    Canadian teenager Rehtaeh Parsons
    Two 18-year-old men face child pornography charges in connection with the case of a 17-year-old girl who hanged herself after she was allegedly gang-raped and bullied online, Canadian authorities said Thursday evening. Full story »


    Malicious URLs
    retailers.truelinkswear .com/rundown/index.html
    dp56148868.lolipop .jp/numeracy/index.html
    ftp(DOT)equinejournal .com/apogee/index.html
    ead-togo .com/croons/index.html
    guterprotectionperfection .com/topic/able_disturb_planning.php


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...H431qz4rgp.png
    ___

    Fake Bank of America SPAM / Instructions Secured E-mail.zip
    - http://blog.dynamoo.com/2013/08/bank...tructions.html
    13 August 2013 - "This fake Bank of America spam has a malicious attachment:
    Date: Tue, 13 Aug 2013 09:35:13 -0500 [10:35:13 EDT]
    From: "Alphonso.Wilcox" [Alphonso.Wilcox @bankofamerica .com]
    Subject: Instructions Secured E-mail.pdf
    I will be forwarding the application through a secure e-mail. Attached are instructions for you to create a password to open the secure e-mails from us. Just a bit of security for when we transmit confidential information.
    Thanks,
    Amado.Underwood
    Bank of America
    Principal Business Relationship Manager...


    Attached to the message is a file Instructions Secured E-mail.zip which contains an executable file Instructions Secured E-mail.exe with an icon to make it look like a PDF file.
    The detection rate for this initial malware is just 9/45 at VirusTotal**.
    This is a pony/gate downloader which attempts to download from [donotclick]guterprotectionperfection.com/ponyb/gate.php on 192.81.135.132 (Linode, US). This is the same IP as used in this attack*, and it also utilises a -hijacked- GoDaddy domain.
    The downloader then attempts to download a second stage from the following locations (as well as installing all sorts of hooks into your system):
    [donotclick]Missionsearchjobs .com/D5F7G.exe
    [donotclick]betterbacksystems .com/kvq.exe
    [donotclick]www.printdirectadvertising .com/vfMJH.exe
    [donotclick]S381195155.onlinehome .us/vmkCQg8N.exe
    The second stage has an even lower detection rate of just 3/45*** ...
    Recommended blocklist:
    192.81.135.132
    guterprotectionperfection .com
    Missionsearchjobs .com
    betterbacksystems .com
    www .printdirectadvertising .com
    S381195155.onlinehome .us
    "
    * http://blog.dynamoo.com/2013/08/face...helmetcom.html

    ** https://www.virustotal.com/en-gb/fil...is/1376406778/

    *** https://www.virustotal.com/en-gb/fil...is/1376407672/

    Last edited by AplusWebMaster; 2013-08-13 at 18:24.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
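The blocklists quoted in this post are written in the defanged style the whole thread uses ("guterprotectionperfection .com", "ftp(DOT)equinejournal .com", "[donotclick]208.106.130.52 /39UvZmv.exe", "www .printdirectadvertising .com"), which has to be undone before the entries can go into a DNS sinkhole or firewall rule. The Python below is an added example, not code from this thread or from dynamoo/ThreatTrack: it normalises those notations, separates host names from IPs and CIDR ranges, and emits a deduplicated blocklist. The sample indicators are copied from the posts above (plus one "hxxp://" line, a common notation the thread itself does not use, to show the same routine covers it); the function names are my own.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: indicators copied from the posts above in the exact defanged
# notations the thread uses, plus one "hxxp://" line (not a thread notation) and a
# blank line to show both are handled.
SAMPLE_INDICATORS = [
    "192.81.135.132",
    "[donotclick]guterprotectionperfection.com/ponyb/gate.php",
    "guterprotectionperfection .com",
    "www .printdirectadvertising .com",
    "S381195155.onlinehome .us",
    "ftp(DOT)equinejournal .com/apogee/index.html",
    "[donotclick]208.106.130.52 /39UvZmv.exe",
    "bbsmfg.biz/VKPqrms .exe",
    "184.95.37.96/28",
    "hxxp://example.invalid/landing.php",
    "",
]


def refang(indicator: str) -> str:
    """Undo the defanging used in the thread so the string parses as a host, IP or URL."""
    s = indicator.strip()
    s = re.sub(r"^\[donotclick\]", "", s, flags=re.IGNORECASE)
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    s = re.sub(r"\(dot\)", ".", s, flags=re.IGNORECASE)   # ftp(DOT)example -> ftp.example
    s = re.sub(r"\s*\.\s*", ".", s)                       # "www .example .com" -> "www.example.com"
    s = re.sub(r"\s*/\s*", "/", s)                        # "1.2.3.4 /x.exe" -> "1.2.3.4/x.exe"
    return s


def host_of(refanged: str) -> str:
    """Network location of a refanged indicator; a scheme is added so urlsplit does not read it as a path."""
    if "://" not in refanged:
        refanged = "http://" + refanged
    return urlsplit(refanged).hostname or ""


def classify(refanged: str):
    """Return ("net", cidr) for IPs and ranges, or ("domain", hostname) for names."""
    try:
        # Bare IPs become /32; CIDR ranges such as 184.95.37.96/28 are kept as written.
        return ("net", str(ipaddress.ip_network(refanged, strict=False)))
    except ValueError:
        pass
    host = host_of(refanged)
    try:
        return ("net", str(ipaddress.ip_network(host)))  # IP with a path behind it
    except ValueError:
        return ("domain", host)


def build_blocklist(indicators):
    """Deduplicated blocklist split into networks and domains; blank lines are skipped."""
    networks, domains = set(), set()
    for raw in indicators:
        if not raw.strip():
            continue
        kind, value = classify(refang(raw))
        if value:
            (networks if kind == "net" else domains).add(value)
    return {
        "networks": sorted(networks, key=ipaddress.ip_network),
        "domains": sorted(domains),
    }


def to_hosts_lines(domains):
    """Render domains in hosts-file form, the lowest common denominator for a DNS sinkhole."""
    return [f"0.0.0.0 {d}" for d in domains]


if __name__ == "__main__":
    result = build_blocklist(SAMPLE_INDICATORS)
    print("\n".join(result["networks"]))
    print("\n".join(to_hosts_lines(result["domains"])))
```

Host names come back lower-cased (DNS is case-insensitive), URL paths are dropped because the thread's advice is to block the host or IP, and a CIDR entry such as the 184.95.37.96/28 range in later posts survives as a range rather than being collapsed to one address.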

  2. #252
    AplusWebMaster (Adviser Team)

    Bogus Firefox, Twitter Spam ...

    FYI...

    Bogus Firefox updates
    - https://net-security.org/malware_news.php?id=2559
    Aug. 13, 2013 - "A series of Internet campaigns pushing bogus Firefox updates onto unwary users have been spotted by researchers, and among them is one that lures them in through “Green Card Lottery” ads... According to ThreatTrack's analysis*, the website is capable of detecting which browser the user uses and to recommend an update for it. Nevertheless, the offered "update" is always the same: Firefox v13 (long outdated - the current version is 23), with several "add-ons, adware, toolbars and other malicious and irritating accompaniments" also trying to get installed via the installation wizard:
    > http://www.net-security.org/images/a...t-13082013.jpg
    Among this tag-along software is the Delta Toolbar, Webcake (a browser add-on that, among other things, serves ads), Optimizer Pro (a questionable PC-tune-up program), QuickShare (a deceptive browser plugin that steals data and redirects to unwanted websites) and an ad for “unlimited cloud storage”. All this "crapware" is sure to bring grief to the victims. It will slow down their computer, for sure, but the biggest problem is that they will end up with an outdated browser that can be successfully targeted with drive-by-download schemes, more additional malware and they will likely become victims of identity theft in the long run..."
    * http://www.threattracksecurity.com/i...irefox-update/
    ___

    Malicious Spam Targets Virgin Media Patrons, Consul General
    - http://www.threattracksecurity.com/i...onsul-general/
    Aug. 13, 2013 - "... a fresh campaign of malicious spam that purports to originate from various brands and names but delivers the same malicious attachment to recipients. As of this time of writing, the spam is disguised as a mail coming from Virgin Media* and a notification of an expiring car insurance addressed to the Consul General of Suriname**... detections we have for related malicious files from these spam, as of this writing:
    - Both compressed files are detected as Trojan.Zip.Bredozp.b (v).
    - The uncompressed .EXE files, which are essentially one and the same, are detected as Win32.Malware!Drop.
    The file it downloads is malicious, and it changes at random..."
    * http://www.threattracksecurity.com/i...media-spam.png

    ** http://www.threattracksecurity.com/i...rance-spam.png
    ___

    Threat Outbreak Alerts
    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake Scanned Document Attachment Email Messages - 2013 Aug 14
    Fake MMS Notification Email Messages - 2013 Aug 14
    Fake Package Delivery Failure Notification Email Messages - 2013 Aug 14
    Fake Package Delivery Information Email Messages - 2013 Aug 14
    Fake Payment Confirmation Notification Email Messages - 2013 Aug 13
    Fake Secure Message Notification Email Messages - 2013 Aug 13
    Fake Debt Collection Notice Email Messages - 2013 Aug 13
    Malicious Attachment Email Messages - 2013 Aug 13
    Fake Account Payment Notification Email Messages - 2013 Aug 13
    Fake Product Purchase Order Email Messages - 2013 Aug 13
    Fake Xerox Scan Attachment Email Messages - 2013 Aug 13
    Fake UPS Parcel Notification Email Messages - 2013 Aug 13
    Fake Bank Payment Transfer Notification Email Messages - 2013 Aug 13
    Fake Product Services Specification Request Email Messages - 2013 Aug 13
    Fake Unpaid Debt Invoice Email Messages - 2013 Aug 13
    (More detail and links at the cisco URL above.)
    ___

    Twitter Spam ...
    - http://krebsonsecurity.com/2013/08/b...-twitter-spam/
    Aug 14, 2013 - "The success of social networking community Twitter has given rise to an entire shadow economy that peddles -dummy- Twitter accounts by the thousands, primarily to spammers, scammers and malware purveyors. But new research on identifying bogus accounts has helped Twitter to drastically deplete the stockpile of existing accounts for sale, and holds the promise of driving up costs for both vendors of these shady services and their customers. Twitter prohibits the sale and auto-creation of accounts, and the company routinely suspends accounts created in violation of that policy. But according to researchers from George Mason University and the University of California, Berkeley, Twitter traditionally has done so only -after- these fraudulent accounts have been used to spam and attack legitimate Twitter users..."
    (More detail at the krebsonsecurity URL above.)
    ___

    Wells Fargo Important Documents Spam
    - http://threattrack.tumblr.com/post/5...documents-spam
    Aug. 14, 2013 - "Subjects Seen:
    IMPORTANT Documents - WellsFargo
    Typical e-mail details:
    Please review attached files.
    Eleanor_Wyatt
    Wells Fargo Advisors
    817-246-9671 office


    Malicious URLs
    gutterprosmaryland .com/forum/viewtopic.php
    gutterhelmetleafguardgutterprotection .com/forum/viewtopic.php
    gutterguardbuyersguide .com/forum/viewtopic.php
    gutterglovegutterprotection .com/forum/viewtopic.php
    dp55197480.lolipop .jp/1ayPTHK.exe
    roundaboutcellars .com/Utuw1.exe
    bbsmfg .biz/VKPqrms.exe
    caribbeancinemas .net/MLEYCY9.exe

    - https://www.virustotal.com/en/ip-add...4/information/

    Malicious File Name
    and MD5:
    DOC_<e-mail>.zip (B1342413F0AEE3E6440453689D26803B)
    DOC_{_MAILTO_USERNAME}.exe (ABAFB7DA0F23112064F6BC3A1F93DDF6)

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...O4Y1qz4rgp.png
    ___

    Fake ADP SPAM / hubbywifeburgers .com
    - http://blog.dynamoo.com/2013/08/adp-...urgerscom.html
    14 Aug 2013 - "This fake ADP spam leads to malware on hubbywifeburgers .com:
    Date: Wed, 14 Aug 2013 08:58:12 -0700 [11:58:12 EDT]
    From: "ADPClientServices @adp .com" [service @citibank .com]
    Subject: ADP Security Management Update
    ADP Security Management Update
    Reference ID: 39866
    Dear ADP Client August 2013
    This message is to inform you of the upcoming “Phase 2” enhancement to ADP Security Management (formally ADP Netsecure). This is where you manage your users’ access to ADP’s Internet services, and includes the self-service registration process.
    Effective August 15th, ADP Security Management will reflect a new user interface. This will include tasks such as Account Maintenance, User Maintenance, and Company Maintenance within Security Management.
    Please review the following information:
    • Click here to view more details of the enhancements in Phase 2
    • Complete the What’s New in Security Management Service here (Expected to take about 15 minutes)... The information contained in this email is intended only for the individual(s) addressed in this message and may contain privileged and/or confidential information that is exempt from disclosure under applicable law.


    Screenshot: https://lh3.ggpht.com/-33hn5xJdiRw/U.../adp-spam2.png

    Yeah.. click the link. What could possibly go wrong? Well, first you go to a legitimate -hacked- site that tried to load one of the following three scripts:
    [donotclick]e-equus.kei .pl/perusing/cassie.js
    [donotclick]cncnc .biz/pothooks/addict.js
    [donotclick]khalidkala .com/immigration/unkind.js
    From there, the victim is sent to a malware site that uses a -hijacked- GoDaddy domain at [donotclick]hubbywifeburgers .com/topic/nearby-promptly.php hosted on 199.195.116.51 (A2 Hosting, US - report here*). This IP probably contains other hijacked domains from the same owner.
    Recommended blocklist:
    199.195.116.51
    hubbywifeburgers .com
    e-equus.kei .pl
    cncnc .biz
    khalidkala .com
    "
    * https://www.virustotal.com/en/ip-add...1/information/

    Last edited by AplusWebMaster; 2013-08-14 at 21:44.

  3. #253
    AplusWebMaster (Adviser Team)

    Something evil on 162.211.231.16 ...

    FYI...

    Something evil on 162.211.231.16
    - http://blog.dynamoo.com/2013/08/some...221123116.html
    15 August 2013 - "The server at 162.211.231.16 (IT7 Networks, Canada) is currently being used in injection attacks (example*) which have been going on for some time [1] [2] and uses several domains... All the domains are very recently registered by GoDaddy. The WHOIS details for brigitteunderwear .com (also registered by GoDaddy in 2006) are consistent, but I've seen enough hijacked GoDaddy domains recently to be suspicious that there could be an element of identity theft here, and the named person may well have nothing to do with this attack. I haven't had time to poke around at the payload too much, but this could well be a good IP to block, or alternatively use the list of domains that I have identified below (it may not be comprehensive, though)
    Recommended blocklist:
    162.211.231.16 ..."
    (Long list at the dynamoo URL above.)
    * http://urlquery.net/report.php?id=4568967

    [1] https://www.virustotal.com/en-gb/ip-...6/information/

    [2] http://urlquery.net/search.php?q=162...3-08-15&max=50
    ___

    Fake "INCOMING FAX REPORT" SPAM / chellebelledesigns .com
    - http://blog.dynamoo.com/2013/08/inco...port-spam.html
    15 August 2013 - "A facsimile transmission. How quaint. Of course, it isn't.. the link in the spam goes to a malicious page on chellebelledesigns .com:
    From: Administrator [administrator @victimdomain]
    Date: 15 August 2013 16:08
    Subject: INCOMING FAX REPORT : Remote ID: 1043524020
    ***********************INCOMINGFAXREPORT*****************
    INCOMING FAX REPORT
    *********************************************************
    Date/Time: 07/25/2013 02:12:11 EST
    Speed: 66387 bps
    Connection time: 04:06
    Pages: 0
    Resolution: Normal
    Remote ID: 1043524020
    Line number: 7
    DTMF/DID:
    Description: June Payroll
    Click here to view the file online
    *********************************************************


    Note that the spam appears to come "from" the "Administrator" in the victim's own domain. This email address is a forgery, so don't worry about it. If you are daft enough to click the link in the email you go to a legitimate -hacked- site and then on to one of three scripts:
    [donotclick]millionaireheaven .com/mable/rework.js
    [donotclick]pettigrew .us/airheads/testier.js
    [donotclick]www .situ-ingenieurgeologie .de/tuesday/alleviation.js
    from there on, the victim is forwarded to a malicious landing page at [donotclick]chellebelledesigns .com/topic/conclusion-western.php using a hacked GoDaddy domain on 173.246.104.55 (Gandi, US). There are other hijacked GoDaddy domains on the same server...
    Recommended blocklist:
    173.246.104.55 ..."
    (More domains listed at the dynamoo URL above.)

    - https://www.virustotal.com/en/ip-add...5/information/
    ___

    UPS Quantum View Spam
    - http://threattrack.tumblr.com/post/5...ntum-view-spam
    Aug. 15, 2013 - "Subjects Seen:
    UPS - Your package is available for pickup ( Parcel <random> )
    Typical e-mail details:
    You may pickup the parcel at our post office.
    Please attention!
    For mode details and shipping label please see the attached file.
    Print this label to get this package at our post office.
    Please do not reply to this e-mail, it is an unmonitored mailbox!
    Thank you,
    UPS Logistics Services.


    Malicious URLs
    chellebelledesigns .com/ponyb/gate.php
    1800callabe .com/ponyb/gate.php
    abemoussa .com/ponyb/gate.php
    keralahouseboatstourpackages .com/FXx.exe

    Malicious File Name
    and MD5:
    UPS-Label_<random>.zip (607F7CBD6CEF3DDD5F5DB88612FC91B6)
    UPS-Label_<date>.exe
    (782D6C5633D139704221E927782195E0)

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...4hG1qz4rgp.png

    Last edited by AplusWebMaster; 2013-08-16 at 12:57.

  4. #254
    AplusWebMaster (Adviser Team)

    Fake ADP, WellsFargo SPAM

    FYI...

    Fake ADP SPAM / ADP_week_invoice.zip|exe
    - http://blog.dynamoo.com/2013/08/adp-...icezipexe.html
    16 August 2013 - "This fake ADP spam has a malicious attachment:
    Date: Fri, 16 Aug 2013 09:57:59 -0500 [10:57:59 EDT]
    From: "run.payroll.invoice @adp .com" [run.payroll.invoice @adp .com]
    Subject: ADP Payroll INVOICE for week ending 08/16/2013
    Your ADP Payroll invoice for last week is attached for your review. If you have any
    questions regarding this invoice, please contact your ADP service team at the number
    provided on the invoice for assistance.
    Thank you for choosing ADP Payroll.
    Important: Please do not respond to this message. It comes from an unattended mailbox.


    There is an attachment ADP_week_invoice.zip which in turn contains a malicious executable file ADP_week_invoice.exe. The payload is exactly the same as this* other malicious spam run which is running in parallel."
    * http://blog.dynamoo.com/2013/08/ceo-...ces-event.html

    ADP Payroll Invoice Spam
    - http://threattrack.tumblr.com/post/5...l-invoice-spam
    16 August 2013 - "Subjects Seen:
    ADP Payroll INVOICE for week ending 08/16/2013
    Typical e-mail details:
    Your ADP Payroll invoice for last week is attached for your review. If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
    Thank you for choosing ADP Payroll.


    Malicious URLs
    hubbywifeco .com/forum/viewtopic.php
    hubbywifedesigns .com/forum/viewtopic.php
    hubbywifedesserts .com/forum/viewtopic.php
    hubbywifefoods .com/forum/viewtopic.php
    208.106.130.52 /39UvZmv.exe
    demoscreactivo .com/DKM9.exe
    roundaboutcellars .com/Utuw1.exe
    bbsmfg.biz/VKPqrms .exe
    cccustomerctr .com/39UvZmv.exe

    Malicious File Name
    and MD5:
    ADP_week_invoice.zip (8C67BC641A95379867C4B9EBAE68446A)
    ADP_week_invoice.exe
    (6EBF2EA3DB16B3E912068D0A9E33320E)

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...lru1qz4rgp.png
    ___

    Fake Wells Fargo SPAM "CEO Portal Statements & Notices Event" -report_{DIGIT[12]}.exe
    - http://blog.dynamoo.com/2013/08/ceo-...ces-event.html
    16 August 2013 - "This fake Wells Fargo email has a malicious attachment:
    Date: Fri, 16 Aug 2013 09:51:17 -0500 [10:51:17 EDT]
    From: Wells Fargo Event Messaging Admin [ofsrep.ceosmuigw @wellsfargo .com]
    Subject: CEO Portal Statements & Notices Event
    Wells Fargo
    Commercial Electronic Office (CEO) Portal Statements & Notices Event: Multiple Download Request Available
    Your Deposit Adjustment Notices is now available. To access your information please download attached report and open Statements & Notices file.
    Date/Time Stamp: Fri, 16 Aug 2013 09:51:17 -0500
    Request Name: MM3P85NRLOXLOFJ
    Event Message ID: S045-77988311
    Please do not reply to this email.


    The email has an attachment called report_625859705821.zip which in turn contains an executable report_{DIGIT[12]}.exe (which presumably is an error) which has a VirusTotal detection rate of 9/46*. The Malwr report shows that this malware does various things**, including an HTTP request to a hijacked GoDaddy domain at [donotclick]hubbywifeco .com/forum/viewtopic.php hosted on 66.151.138.80 (Nuclear Fallout Enterprises, US) which is shared with another -hijacked- domain, hubbywifecakes .com.
    From there, another executable is downloaded from one of the following locations:
    [donotclick]208.106.130.52 /39UvZmv.exe
    [donotclick]demoscreactivo .com/DKM9.exe
    [donotclick]roundaboutcellars .com/Utuw1.exe
    [donotclick]bbsmfg .biz/VKPqrms.exe
    This executable has an even lower detection rate of just 5/46***... Blocking EXE-in-ZIP files like this at your perimeter is an excellent idea if you can do it.
    Recommended blocklist:
    66.151.138.80
    hubbywifeco .com
    hubbywifecakes .com
    208.106.130.52
    demoscreactivo .com
    roundaboutcellars .com
    bbsmfg .biz
    "
    * https://www.virustotal.com/en-gb/fil...is/1376665654/

    ** https://malwr.com/analysis/NjAxNGMwY...gwYmJlMWY3YzU/

    *** https://www.virustotal.com/en-gb/fil...is/1376666041/

    - https://www.virustotal.com/en-gb/ip-...0/information/

    - https://www.virustotal.com/en-gb/ip-...2/information/

    Last edited by AplusWebMaster; 2013-08-16 at 19:18.

  5. #255
    AplusWebMaster (Adviser Team)

    Malware sites to block 19/8/13, Fake Facebook SPAM...

    FYI...

    Malware sites to block 19/8/13
    - http://blog.dynamoo.com/2013/08/malw...ock-19813.html
    19 August 2013 - "These sites and IPs belong to this gang*, and this list follows on from this one**..."
    (Long list of IPs at the dynamoo URL above.)
    * http://blog.dynamoo.com/search/label/Amerika

    ** http://blog.dynamoo.com/2013/08/malw...ock-13813.html
    ___

    Fake Facebook SPAM / hubbywifewines .com
    - http://blog.dynamoo.com/2013/08/face...ewinescom.html
    19 August 2013 - "This fake Facebook spam leads to malware on hubbywifewines .com:
    Date: Mon, 19 Aug 2013 16:20:06 +0200 [10:20:06 EDT]
    From: Facebook [update+hiehdzge @facebookmail .com]
    Subject: You requested a new Facebook password
    facebook
    Hello,
    You recently asked to reset your Facebook password.
    Click here to change your password.
    Didn't request this change?
    If you didn't request a new password, let us know immediately.
    Change Password
    This message was sent to [redacted].net at your request.
    Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303


    The link in the email goes to a legitimate -hacked- site and then loads one or more of these three scripts:
    [donotclick]ftp.hotwindsaunausa .com/clingy/concord.js
    [donotclick]katchthedeal .sg/stilling/rifts.js
    [donotclick]ftp.navaglia .it/gazebo/cowboys.js
    The victim is then forwarded to a malware landing page using a hijacked GoDaddy domain at [donotclick]hubbywifewines .com/topic/able_disturb_planning.php hosted on 72.5.102.192* (Nuclear Fallout Enterprises, US) along with another hijacked domain of hubbywifefoods .com.
    Recommended blocklist:
    72.5.102.192
    hubbywifewines .com
    hubbywifefoods .com
    ftp.hotwindsaunausa .com
    katchthedeal .sg
    ftp.navaglia .it
    "
    * https://www.virustotal.com/en/ip-add...2/information/
    ___

    Booking.com Confirmation Spam
    - http://threattrack.tumblr.com/post/5...firmation-spam
    Aug. 19, 2013 - "Subjects Seen:
    Confirmation <random>
    Typical e-mail details:
    BOOKING CONFIRMATION
    Issued: 08/18/2013
    BEDDING AND INCLUSIONS SHOWN IN ATTACHED FILE
    ====================================
    Confirmation number: <removed>
    Booking source: booking.com
    (please refer to this brand when
    communicating with the guest)
    BOOKING SUMMARY
    Check in: 29-Aug-2013
    Check out: 31-Aug-2013
    Total number of rooms: 1 per night
    Total number of room nights: 1 (1 room for 1 night each)
    Total booking amount: $314.00
    Room: 1 Night 1-2 people
    Number of guests: Adults: 1 Children: 0
    Bedding configuration: One or 2 People
    =====Comments=====
    Guest comments: non-smoking
    Any comments from the guest are by request only and have not been guaranteed...
    The guest is also aware that you may require them to provide a security deposit at
    check-in to guarantee payment of any incidental charges.
    The Team Booking.com


    Malicious File Name and MD5:
    BOOKING ISSUED 18.Aug.2013.zip (61EE0B0EE92F717D50F42EB0171BAD6E)
    BOOKING ISSUED 18.Aug.2013.pdf.exe (948FD2EA728F38886DF824AA2BB7FD3A)

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...gl61qz4rgp.png
    ___

    Fake Facebook password SPAM / frankcremascocabinets .com
    - http://blog.dynamoo.com/2013/08/you-...-password.html
    19 August 2013 - "This fake Facebook spam follows on from this one*, but has a different malicious landing page at frankcremascocabinets .com:
    From: Facebook [update+hiehdzge @facebookmail .com]
    Date: 19 August 2013 17:38
    Subject: You requested a new Facebook password
    facebook
    Hello,
    You recently asked to reset your Facebook password.
    Click here to change your password.
    Didn't request this change?
    If you didn't request a new password, let us know immediately.
    Change Password
    This message was sent to [redacted] at your request.
    Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303


    The link in the email goes to a legitimate -hacked- site which then tries to load one or more of the following three scripts:
    [donotclick]ftp.hotwindsaunausa .com/clingy/concord.js
    [donotclick]katchthedeal .sg/stilling/rifts.js
    [donotclick]ftp.navaglia .it/gazebo/cowboys.js
    The victim is then directed to a malware payload at [donotclick]frankcremascocabinets .com/topic/able_disturb_planning.php hosted on 184.95.37.102 (Secured Servers, US / Jolly Works Hosting, Philippines). This domain is a hijacked GoDaddy domain and there are several others on the same server...
    Recommended blocklist:
    184.95.37.96/28
    ftp.hotwindsaunausa .com
    katchthedeal .sg
    ftp.navaglia .it
    giuseppepiruzza .com
    frankcremascocabinets .com
    gordonpoint .biz
    hitechcreature .com
    frankcremasco .com
    "
    * http://blog.dynamoo.com/2013/08/face...ewinescom.html

    - https://www.virustotal.com/en/ip-add...2/information/
    ___

    UK Tax-Themed Spam leads to ZeuS/ZBOT
    - http://blog.trendmicro.com/trendlabs...s-to-zeuszbot/
    Aug 19, 2013 - "Tax-themed spam, particularly in the United States, is already considered a staple in the threat landscape. However, a recent spam run targeting taxpayers in the United Kingdom shows that this threat is never exclusive to a region. Besides being timely, these messages contain TSPY_FAREIT, which downloads a ZeuS/ZBOT variant, notorious for stealing information related to online banking sites. We found a sample of an email message that appears to be from HM Revenue and Customs in the UK. It notifies users of their VAT return receipt, something that might appear timely to unsuspecting users since the deadline for VAT returns and payments was last August 7. To further convince users of its validity, the message states that the email was “scanned for viruses”. Sample spam with alleged VAT return “receipt”:
    > https://blog.trendmicro.com/trendlab...on-uk-spam.jpg
    The message contains an attachment, which is supposed to be the receipt for the VAT return. But based on our findings, the attachment is (expectedly) a malware detected as TSPY_FAREIT.ADI. Once executed, the malware steals varied information from the system, such as those related to: FTP clients, file managers, and email... The data stealing does not stop there. TSPY_FAREIT.ADI downloads another malware, specifically TSPY_ZBOT.ADD. As expected of any ZeuS/ZBOT variant, the malware downloads configuration file(s) from randomly generated IP addresses. The said file also contains a list of targeted online banking and finance-related sites and the URLs where it sends the gathered information. The cybercriminals behind this threat are obviously taking advantage of the recent tax return deadline in the UK. But the real concern here is the severity of the information to be stolen. Aside from the email and FTP credentials, which are profitable in the underground market, the bad guys are also gunning for the victims’ online banking accounts. Once they have got hold of users’ banking and financial credentials, they can either sell them on the digital underground or use these to initiate unauthorized money transfers leading to actual financial loss... we noted the increase of online banking malware in the past quarter and how the CARBERP’s “leaked” source code may lead to more variety for this threat. Thus, it is important for users to double-check the messages they receive and to be careful in opening any attachments from unverified sources. As an added precaution, always implement your systems with the latest security updates from vendors..."
    ___

    Fake Citi SPAM / securedoc.zip
    - http://blog.dynamoo.com/2013/08/you-...sage-spam.html
    19 August 2013 - "This fake Citi spam contains a malicious attachment:
    Date: Mon, 19 Aug 2013 20:24:27 +0000 [16:24:27 EDT]
    From: "secure.email @citi .com" [secure.email @citi .com]
    Subject: You have received a secure message
    Read your secure message by opening the attachment, securedoc. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.
    If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Citi Secure Email Help Desk at (866) 535-2504.
    First time users - will need to register after opening the attachment...


    Attached is a file securedoc.zip which in turn contains a malicious executable securedoc.exe which has a very low detection rate at VirusTotal of just 2/46*. The Malwr analysis** (and also ThreatExpert***) shows that the file first connects to [donotclick]frankcremascocabinets .com/forum/viewtopic.php (a -hijacked- GoDaddy domain on 184.95.37.102 (Secured Servers, US / Jolly Works Hosting, Philippines) as seen before here), and it then tries to download additional components from:
    [donotclick]lobbyarkansas .com/0d8H.exe
    [donotclick]ftp.ixcenter .com/GMMo6.exe
    [donotclick]faithful-ftp .com/kFbWXZX.exe
    This second part has another very low VirusTotal detection rate of just 3/46****...
    Recommended blocklist:
    184.95.37.96/28
    "
    * https://www.virustotal.com/en/file/2...is/1376945701/

    ** https://malwr.com/analysis/NjcwNGFhO...dhNjk5ZDA1MTI/

    *** http://www.threatexpert.com/report.a...bf106d28218cf9

    **** https://www.virustotal.com/en/file/2...is/1376946672/

    Last edited by AplusWebMaster; 2013-08-20 at 01:45.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  6. #256
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake Browser Updates drop Shylock Malware...

    FYI...

    Fake Browser Updates drop Shylock Malware
    - http://www.threattracksecurity.com/i...ylock-malware/
    August 19, 2013 - "We’re no stranger to fake and often malicious Internet browsers* that are served up on equally fake and malicious Web sites. These latest samples found by... our threat researchers in the AV Labs, are hosted on the domain, browseratrisk(dot)com. It is found that once users access pages on this malicious domain with either Internet Explorer (IE), Firefox or Chrome, it opens a fake “update” page for the said browsers and auto-downloads the fake files. Below are screenshots of these pages:
    > http://www.threattracksecurity.com/i...shylock-wm.jpg
    > http://www.threattracksecurity.com/i...shylock-wm.jpg
    > http://www.threattracksecurity.com/i...shylock-wm.jpg
    ... Users may find it difficult to close and navigate to other tabs after download, thanks to certain loop commands on the page’s code, which we’ve seen before**. If users choose to install the downloaded fake browser updates, it then drops a variant of either Sirefef or Shylock/Caphaw malware... Win32.Malware!Drop... Shylock had hit the news in January of this year as the banking Trojan capable of using Skype chat to spread. Note that the dropped file may change at roughly every three to four hours. The website server is also known to house Blackhole Exploit kits... If users access browseratrisk(dot)com via their mobile devices and on OSX, they are redirected to FriendFinder, a popular online dating service, via the mirror site, stealthtec(dot)net. When it comes to software updates, it pays to be wary of random sites claiming your current Internet browser needs to be updated. It is best to -ignore- these pages and go straight to official pages..."
    * http://www.threattracksecurity.com/i...wser&x=12&y=21

    ** http://www.threattracksecurity.com/i...erves-malware/


  7. #257
    Adviser Team AplusWebMaster's Avatar

    Fake Facebook, Credit Card SPAM ...

    FYI...

    Fake Facebook SPAM / dennissellsgateway .com
    - http://blog.dynamoo.com/2013/08/face...atewaycom.html
    21 August 2013 - "This fake Facebook spam leads to malware on dennissellsgateway .com:
    Date: Tue, 20 Aug 2013 15:28:11 -0500 [16:28:11 EDT]
    From: Facebook [no-reply @facebook .com]
    Subject: Gene Maynard wants to be friends with you on Facebook.
    facebook
    Gene Maynard wants to be friends with you on Facebook.
    University of Houston, Victoria
    342 friends - 28 photos
    Confirm Request
    See All Requests
    This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
    Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303


    This is a "ThreeScripts" attack, with the link first going to a legitimate -hacked- site and then through one of the following three scripts:
    [donotclick]ftp.crimestoppersofpinellas .org/jonson/tried.js
    [donotclick]italiangardensomaha .com/moocher/pawned.js
    [donotclick]www.it-planet .gr/schlepped/suitor.js
    From there, the victim ends up on a -hijacked- GoDaddy domain with a malicious payload at [donotclick]dennissellsgateway .com/topic/able_disturb_planning.php on 72.5.102.146 (Nuclear Fallout Enterprises, US) along with some other hijacked domains...
    Recommended blocklist:
    72.5.102.146
    dennissellsgateway .com
    justinreid .us
    waterwayrealtyteam .us
    www.it-planet .gr
    italiangardensomaha .com
    ftp.crimestoppersofpinellas .org
    "

    >> Update: Another spam is circulating with a different pitch, but the -same- malicious payload:
    Dear Customer,
    The following is your Credit Card settlement report for Monday, August 19, 2013.
    Transaction Volume Statistics for Settlement Batch dated 19-Aug-2013
    Batch ID: 108837538
    Business Day: 19-Aug-2013
    Net Batch Total: 3704.75 (USD)
    Number of Charge Transactions: 1
    Amount of Charge Transactions: 3704.75
    Number of Refund Transactions: 5
    Amount of Refund Transactions: 315.74
    You can download your full report ...


    - https://www.virustotal.com/en/ip-add...6/information/
    ___

    Fake Malwarebytes scammer surveys ...
    - http://blog.malwarebytes.org/news/20...rveys-victims/
    August 20, 2013 - "... a twitter account pretending to be speaking for Malwarebytes. The twitter account, @ malwarebytesx, has posted heavily over the last couple days about Malwarebytes Anti-Malware being available (both legitimately and a cracked version) at a posted link. They even created a variation of our logo and got 51 people to follow them! The link leads to a blogspot page titled “Malwarebytes Anti-Malware 1.75 Full + Serial” that is covered in our signage and provides a link to download “Malwarebytes Anti-Malware” with text and graphics directly from our own website.
    > http://cdn.blog.malwarebytes.org/wp-...g-1024x810.png
    After clicking on the “Download Now” button, you are presented with a download page requesting a small favor.
    > http://cdn.blog.malwarebytes.org/wp-...areAMOFfer.png
    ... Unfortunately for anyone who has fallen for this scam, this website does -not- belong to Malwarebytes, nor is it supported by one of our authorized distributors... Don’t become a victim and always download software from legitimate sites. Even if you just Google “Malware” or the phrase “Malware Removal,” legitimate sources to download our product are within the first few results. Tell your friends and if you encounter a survey site, maybe you should try finding your download somewhere else..."
    ___

    Threat Outbreak Alerts
    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Malicious Attachment Email Messages - 2013 Aug 21
    Fake Secure Message Notification Email Messages - 2013 Aug 21
    Fake Confirmation of Payment Information Email Messages - 2013 Aug 21
    Fake Money Transfer Notification Email Messages - 2013 Aug 21
    Malicious Personal Pictures Attachment Email Messages - 2013 Aug 21
    Fake UPS Parcel Notification Email Messages - 2013 Aug 21
    Fake Product Solicitation Email Messages - 2013 Aug 21
    Fake Product Purchase Request Email Messages - 2013 Aug 21
    Fake Money Transfer Notification Email Messages - 2013 Aug 21
    (More detail and links at the cisco URL above.)
    ___

    Fake Facebook SPAM / thenatemiller.co
    - http://blog.dynamoo.com/2013/08/face...emillerco.html
    21 August 2013 - "This fake Facebook spam leads to malware on thenatemiller .co:
    Date: Wed, 21 Aug 2013 22:05:38 +0530 [12:35:38 EDT]
    From: Facebook [update+hiehdzge@ facebookmail .com]
    Subject: You requested a new Facebook password
    facebook
    Hello,
    You recently asked to reset your Facebook password.
    Click here to change your password.
    Didn't request this change?
    If you didn't request a new password, let us know immediately.
    Change Password
    This message was sent to [redacted] at your request.
    Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303


    Nothing good will come from clicking the link. First victims go to a legitimate but -hacked- site that attempts to load the following three scripts:
    [donotclick]gemclinicstore .com/admitted/tintinnabulations.js
    [donotclick]mathenyadvisorygroup .com/toffies/ceiling.js
    [donotclick]www.it-planet .gr/schlepped/suitor.js
    From there the victim is directed to a malware landing page at [donotclick]thenatemiller .co/topic/able_disturb_planning.php (.co, not .com) which is a hijacked GoDaddy domain hosted on 72.5.102.146 (Nuclear Fallout Enterprises, US) along with several other hijacked domains...
    Recommended blocklist:
    72.5.102.146
    ..."

    - https://www.virustotal.com/en/ip-add...6/information/

    Last edited by AplusWebMaster; 2013-08-22 at 13:10.

  8. #258
    Adviser Team AplusWebMaster's Avatar

    Fake Red Sox, Chase Bank, Discover Card SPAM...

    FYI...

    Fake Red Sox Baseball SPAM / lindoliveryct .net
    - http://blog.dynamoo.com/2013/08/red-...veryctnet.html
    22 Aug 2013 - "This fake Red Sox spam leads to malware on lindoliveryct .net:
    Date: Thu, 22 Aug 2013 13:02:19 -0400 [13:02:19 EDT]
    From: ticketoffice@ inbound.redsox .com
    Subject: Thank You for your order. ( RSXV - 4735334 - 0959187 )
    Thank you for your recent ticket purchase. We truly appreciate your support and commitment to Red Sox Baseball. If you have any questions regarding your purchase, please contact our Ticket Services department by calling (toll free) 877-REDSOX9.
    Note that you will receive a separate email within the next two business days which will include the vouchers you will need for both parking at the Prudential Center and your Duck Boat ride to the ballpark, included in each End of Summer Family Pack purchase.
    Please remember that all sales are final-there are no refunds or exchanges issued on any tickets. Also note that all game times are subject to change. Be sure to visit redsox.com for the latest Red Sox news and any game time updates.
    Thanks again! We look forward to seeing you at the ballpark this season.
    Boston Red Sox Ticketing Department...


    Screenshot: https://1.bp.blogspot.com/-B_1VXJv60...600/redsox.png

    The link goes through a legitimate -hacked- site (in this case using a WordPress flaw) and ends up on [donotclick]www.redsox .com.tickets-service.lindoliveryct.net/news/truck-black.php (report here*) which is actually the domain lindoliveryct .net rather than redsox .com... The WHOIS details for this domain are fake and indicate it is the work of the Amerika gang...
    The malicious domain is multihomed on the following IPs which host several other malicious domains:
    66.230.163.86 (Goykhman And Sons LLC, US)
    86.183.191.35 (BT, UK)
    188.134.26.172 (Perspectiva Ltd, Russia)
    Recommended blocklist:
    66.230.163.86
    86.183.191.35
    188.134.26.172
    ..."
    * http://urlquery.net/report.php?id=4682777
    ___

    Chase Bank Remittance Spam
    - http://threattrack.tumblr.com/post/5...emittance-spam
    Aug 22, 2013 - "Subjects Seen:
    Remittance Docs <random>
    Typical e-mail details:
    Please find attached the remittance If you are unable to open the attached file, please reply to this email with a contact telephone number.
    The Finance Dept will be in touch in due course.
    Vanessa_Rodriquez
    Chase Private Banking


    Malicious URLs
    watch-fp .ca/ponyb/gate.php
    watch-fp .com/ponyb/gate.php
    watch-fp .info/ponyb/gate.php
    watch-fp .mobi/ponyb/gate.php
    jatw.pacificsocial .com/VSMpZX.exe
    richardsonlookoutcottages .nb .ca/Q5Vf.exe
    riplets .net/Qa7nXVT.exe

    Malicious File Name and MD5:
    Docs_<name>.zip (37A1C5AC9C0090A07F002B0A2ED57D3D)
    Docs_<date>.exe (E9FBB397E66B295F5E43FE0AA3B545D7)

    - Screenshot: https://gs1.wac.edgecastcdn.net/8019...uCD1qz4rgp.png
    ___

    Discover Card Account Information Update Spam
    - http://threattrack.tumblr.com/post/5...on-update-spam
    Aug 22, 2013 - "Subjects Seen:
    Your account login information updated
    Typical e-mail details:
    Dear Customer,
    This e-mail is to confirm that you have updated your log-in information for Discover.com. Please remember to use your new information the next time you log in.
    Log In to review your account details or to make additional changes.


    Malicious URLs
    aywright .com/parables/index.html
    intuneuk .com/aspell/index.html
    flagitak .poznan.pl/deceptiveness/index.html
    carpentryunlimitedvermont .com/slangy/index.html
    labs-srl .it/misquotations/index.html
    75.103.99.168 /superintend/index.html
    watch-fp .ca/topic/able_disturb_planning.php


    - Screenshot: https://gs1.wac.edgecastcdn.net/8019...DjI1qz4rgp.png

    - http://blog.dynamoo.com/2013/08/disc...unt-login.html
    22 August 2013 - "This fake Discover card spam leads to malware on abemuggs .com:
    Date: Thu, 22 Aug 2013 16:14:59 +0000 [12:14:59 EDT]
    From: Discover Card [no-reply@ facebook .com]
    Subject: Your account login information updated
    Discover
    Access My Account
    ACCOUNT CONFIRMATION Statements | Payments | Rewards
    Your account login information has been updated.
    Dear Customer,
    This e-mail is to confirm that you have updated your log-in information for Discover.com. Please remember to use your new information the next time you log in.
    Log In to review your account details or to make additional changes...


    Screenshot: https://3.bp.blogspot.com/-yFKra6yjZ...over-card2.png

    The link in the email uses the Twitter redirection service to go to [donotclick]t. co/9PsnfeL8hh then [donotclick]x .co/1neIk then [donotclick]activegranite.com/vocatives/index.html and finally to a set of three scripts as follows:
    [donotclick]02aa198 .netsolhost .com/frostbite/hyde.js
    [donotclick]96.9.28.44 /dacca/quintilian.js
    [donotclick]cordcamera.dakisftp .com/toothsome/catch.js
    From this point the victim ends up at the malicious payload at [donotclick]abemuggs .com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 74.207.253.139 (Linode, US).
    At the moment, I can only see abemuggs .com active on 74.207.253.139, however other domains in the same GoDaddy account may be hijacked as well. If you see unexpected traffic going to the following domains then it may be malicious:
    abemuggs .com
    abesmugs .com
    abemugs .com
    andagency .com
    mytotaltitle .com
    I would strongly recommend the following blocklist:
    74.207.253.139
    96.9.28.44
    abemuggs .com
    02aa198.netsolhost .com
    cordcamera.dakisftp .com
    "

    - https://www.virustotal.com/en/ip-add...9/information/

    - https://www.virustotal.com/en/ip-add...4/information/
    ___

    Fake Remittance Docs SPAM / Docs_08222013_218.exe
    - http://blog.dynamoo.com/2013/08/remi...2780-spam.html
    22 August 2013 - "This fake Chase spam has a malicious attachment:
    Date: Thu, 22 Aug 2013 10:00:33 -0600 [12:00:33 EDT]
    From: Jed_Gregory [Jed_Gregory@ chase .com]
    Subject: Remittance Docs 2982780
    Please find attached the remittance 2982780.
    If you are unable to open the attached file, please reply to this email with a contact telephone number. The Finance Dept will be in touch in due course.
    Jed_Gregory
    Chase Private Banking Level III Officer
    3 Times Square
    New York, NY 10036 ...


    The attachment is in the format Docs_victimdomain .com.zip which contains an executable Docs_08222013_218.exe (note that the date is encoded into the file). The VirusTotal detection rate for this is a moderate 16/46*. The Malwr analysis** shows that this is a Pony/Gate downloader which attempts to connect to the following URLs:
    [donotclick]watch-fp .ca/ponyb/gate.php
    [donotclick]www.jatw.pacificsocial .com/VSMpZX.exe
    [donotclick]richardsonlookoutcottages .nb .ca/Q5Vf.exe
    [donotclick]idyno.com .au/kvdhx2.exe
    The downloader then downloads a second part with a much lower detection rate of 6/46***. This appears to be a Zbot variant... The Pony/Gate component is hosted on 72.5.102.146 (Nuclear Fallout Enterprises, US) and is a hijacked GoDaddy domain, one of several on that server...
    Recommended blocklist:
    72.5.102.146 ..."
    * https://www.virustotal.com/en/file/d...is/1377201922/

    ** https://malwr.com/analysis/YTNiNzMwZ...FiYjY4YjU3ZmY/

    *** https://www.virustotal.com/en/file/3...is/1377202683/

    - https://www.virustotal.com/en/ip-add...6/information/

    Last edited by AplusWebMaster; 2013-08-22 at 23:07.
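The "Recommended blocklist" sections above are defanged ("[donotclick]" prefix, a space before the TLD, a space before the path of an IP-based URL), so they cannot be fed to a resolver or firewall as-is. Below is an added example, not code from dynamoo.com, ThreatTrack or this forum, that refangs such a list, separates networks, hostnames and URLs, collapses overlapping prefixes, and emits Unbound local-zone lines; the sample input uses RFC 2606 names and RFC 5737 addresses in place of real indicators, and the output assumes a resolver that supports the always_nxdomain local-zone type.

```python
"""Turn a defanged blocklist post into DNS/network block rules (added example)."""
import ipaddress
import re
from typing import Dict, FrozenSet, List

# Constructed sample in the thread's style; RFC 2606 names and RFC 5737
# addresses stand in for the real indicators. This is not a live blocklist.
SAMPLE_POST = """Recommended blocklist:
192.0.2.0/28
[donotclick]hijacked-example .com/topic/able_disturb_planning.php
[donotclick]www .example .net/schlepped/suitor.js
[donotclick]198.51.100.44 /dacca/quintilian.js
ftp.example .org
sub.example .co .uk
t. co/abc123
192.0.2.1
"""

PREFIX = re.compile(r"^\[donotclick\]", re.IGNORECASE)
SPACED_DOT = re.compile(r"\s*\.\s*")                     # "a .b" / "a. b" -> "a.b"
SPACED_SLASH = re.compile(r"\s+/")                       # "1.2.3.4 /x" -> "1.2.3.4/x"
HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")    # bare hostname, no scheme

# A URL on a shared service must not become a domain-wide block; the operator
# extends this set (t.co is the Twitter shortener seen in the Discover chain).
SHARED_HOSTS: FrozenSet[str] = frozenset({"t.co"})


def refang(token: str) -> str:
    """Undo the post's defanging and normalise case."""
    token = PREFIX.sub("", token.strip())
    token = SPACED_DOT.sub(".", token)
    return SPACED_SLASH.sub("/", token).lower()


def is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def classify(ind: str) -> str:
    """'network', 'url', 'ip', 'domain' or 'other' for one refanged indicator."""
    if "/" in ind:
        try:
            ipaddress.ip_network(ind, strict=False)
            return "network"                      # CIDR such as 184.95.37.96/28
        except ValueError:
            host = ind.split("/", 1)[0]
            return "url" if is_ip(host) or HOST_RE.match(host) else "other"
    if is_ip(ind):
        return "ip"
    return "domain" if HOST_RE.match(ind) else "other"


def parse_blocklist(text: str, shared: FrozenSet[str] = SHARED_HOSTS) -> Dict[str, List[str]]:
    """Return collapsed networks, hostnames to sinkhole, and URLs kept whole."""
    nets, hosts, urls = set(), set(), set()
    for line in text.splitlines():
        ind = refang(line)
        kind = classify(ind) if ind else "other"   # headings, quotes, "..." are skipped
        if kind == "network":
            nets.add(ipaddress.ip_network(ind, strict=False))
        elif kind == "ip":
            nets.add(ipaddress.ip_network(ind))      # single host -> /32
        elif kind == "domain":
            hosts.add(ind)
        elif kind == "url":
            urls.add(ind)
            host = ind.split("/", 1)[0]
            if is_ip(host):
                nets.add(ipaddress.ip_network(host))
            elif host not in shared:
                hosts.add(host)
    # collapse_addresses drops 192.0.2.1/32 once 192.0.2.0/28 already covers it
    # (IPv4 and IPv6 entries would have to be collapsed separately).
    return {
        "networks": [str(n) for n in ipaddress.collapse_addresses(nets)],
        "hosts": sorted(hosts),
        "urls": sorted(urls),
    }


def render_unbound(hosts: List[str]) -> str:
    """Unbound local-zone lines: the zone and everything under it get NXDOMAIN."""
    return "\n".join(f'local-zone: "{h}." always_nxdomain' for h in hosts)


if __name__ == "__main__":
    result = parse_blocklist(SAMPLE_POST)
    print("networks:", result["networks"])
    print(render_unbound(result["hosts"]))
```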

  9. #259
    Adviser Team AplusWebMaster's Avatar

    Fake Wells Fargo SPAM, Orbit Downloader - DDoS

    FYI...

    Fake Wells Fargo SPAM / WellsFargo_08232013.exe
    - http://blog.dynamoo.com/2013/08/well...232013exe.html
    23 August 2013 - "This fake Wells Fargo spam has a malicious attachment:
    Date: Fri, 23 Aug 2013 09:43:44 -0500 [10:43:44 EDT]
    From: Morris_Osborn@ wellsfargo .com
    Please review attached documents.
    Morris_Osborn
    Wells Fargo Advisors
    817-718-8096 office
    817-610-5531 cell Morris_Osborn@ wellsfargo .com
    Investments in securities and insurance products are:
    NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
    Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
    FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103...


    In this case there is an attachment WellsFargo.victimname.zip which contains a malicious executable WellsFargo_08232013.exe (note the date is encoded into the filename). The VirusTotal detection rate is just 4/45*, but the file itself is unusually small (just 21Kb unzipped, 8Kb zipped) when I would normally expect to see the executable closer to 100Kb for this sort of malware. What does it do? Well, the automated reports show it rummaging through various browser and address book data, and the ThreatTrack report [pdf**] shows a DNS lookup of the domain huyontop.com plus what appears to be some peer-to-peer activity... The WHOIS details for the domain huyontop .com appear to be valid (I won't list them here, look them up if you want), however it was only registered a few days ago. I can't tell you exactly what it is doing, but I would treat huyontop .com as being potentially malicious and block it if you can."
    * https://www.virustotal.com/en/file/b...is/1377272785/

    ** http://www.dynamoo.com/files/analysi...1acd09feb3.pdf

    - https://www.virustotal.com/en/ip-add...2/information/
    ___

    Orbit Downloader - DDoS component found
    - https://net-security.org/malware_news.php?id=2570
    Aug 23, 2013 - "... The DDoS component has been discovered by ESET researchers* while doing a routine examination of the software, and subsequent analysis of previous versions has shown that it was added to orbitDM.exe sometime between the release of version 4.1.1.14 (December 25, 2012) and version 4.1.1.15 (January 10, 2013)... ESET has decided to make its AV software detect all versions of Orbit Downloader with DoS functionality. Trend Micro, Kaspersky Lab and Ikarus decided to follow suit, at least for the latest version of OD. Users are advised to deinstall the software and choose another one for their needs."

    * http://www.welivesecurity.com/2013/0...nloading-tool/
    21 Aug 2013

    ** https://www.virustotal.com/en/file/1...3ec6/analysis/


  10. #260
    Adviser Team AplusWebMaster's Avatar

    Fake UPS, Paypal SPAM ...

    FYI...

    Fake UPS SPAM / UPS Invoice 74458652.zip
    - http://blog.dynamoo.com/2013/08/ups-...458652zip.html
    26 August 2013 - "This fake UPS invoice has a malicious attachment:
    From: "UPSBillingCenter @ups .com" [UPSBillingCenter@ ups .com]
    Subject: Your UPS Invoice is Ready
    New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center. Download the attachment. Invoice will be automatically shown by double click.


    Attached is a file UPS Invoice 74458652 which in turn contains a file called UPS Invoice {DIGIT[8]}.exe which presumably isn't meant to be named like that...
    The VirusTotal detection rate is a so-so 18/46*. The Malwr analysis** is that this is a trojan downloader that attempts to download bad things from the following locations:
    [donotclick]gordonpoint .org/forum/viewtopic.php
    [donotclick]mierukaproject .jp/PjSE.exe
    [donotclick]programcommunications .com/WZP3mMPV.exe
    [donotclick]fclww .com/QdytJso0.exe
    [donotclick]www .lajen .cz/tPT8oZTB.exe
    The VirusTotal detection rate for the downloaded file is not great at just 9/46***.
    The domain gordonpoint .org is a hijacked GoDaddy domain on 74.207.229.45 (Linode, US) along with several other -hijacked- domains...
    Recommended blocklist:
    74.207.229.45
    "
    * https://www.virustotal.com/en/file/3...is/1377553766/

    ** https://malwr.com/analysis/NTE2MGRjO...gxYzUzY2NlOTg/

    *** https://www.virustotal.com/en/file/d...is/1377552510/

    - https://www.virustotal.com/en/ip-add...5/information/
    ___

    PayPal Protection Services Spam
    - http://threattrack.tumblr.com/post/5...-services-spam
    Aug 26, 2013 - "Subjects Seen:
    Resolution of case #<random>
    Typical e-mail details:
    Our records indicate that you never responded to requests for additional information about this claim. We hope you review the attached file and solve the situation amicably.
    For more details please see on the page View all details
    Sincerely,
    Protection Services Department


    Malicious URLs
    8744f321834af6ba.lolipop .jp/monetary/index.html
    scentsability .org/interlocks/index.html
    batcoroadlinescorporation .com/misfire/index.html
    gordonpoint .org/topic/able_disturb_planning.php


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...gPk1qz4rgp.png

    Last edited by AplusWebMaster; 2013-08-27 at 15:54.
