SPAM frauds, fakes, and other MALWARE deliveries...

Fake Changelog SPAM ...

FYI...

Fake Changelog SPAM / aseniakrol .ru
- http://blog.dynamoo.com/2012/12/changelog-spam-aseniakrolru.html
11 Dec 2012 - "This spam leads to malware on aseniakrol .ru:
Date: Tue, 11 Dec 2012 10:46:43 -0300
From: Tarra Comer via LinkedIn [member @linkedin .com]
Subject: Re: Your Changelog UPDATED
Hi,
as promised your changelog - View
I. Easley


The malicious payload is at [donotclick]aseniakrol .ru:8080/forum/links/column.php hosted on a bunch of IPs that have been used for malware before:
202.180.221.186 (GNet, Mongolia)
212.162.52.180 (Secure Netz, Germany)
212.162.56.210 (Secure Netz, Germany)..."

:fear: :mad:
 
Fake Sendspace/Citibank emails lead to malware

FYI...

Fake Sendspace emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2012/12/12/...notifications-lead-to-black-hole-exploit-kit/
Dec 12, 2012 - "Cybercriminals are currently attempting to trick hundreds of thousands of users into clicking on the malicious links found in the currently spamvertised -bogus- ‘Sendspace File Delivery Notifications‘. Upon clicking on any of the links found in the email, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...social_engineering_black_hole_exploit_kit.png
... Sample client-side exploits served: CVE-2010-0188
Upon successful client-side exploitation, the campaign drops MD5: 532bdd2565cae7b84cb26e4cf02f42a0 * ... Worm:Win32/Cridex.E
Once executed it creates %AppData%\kb00121600.exe on the affected system.
The sample also creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B
As well as the following Mutexes:
Local\XMM00000418
Local\XMI00000418
Local\XMRFB119394
Local\XMM000005E4
Local\XMI000005E4
Local\XMM0000009C
Local\XMI0000009C
Local\XMM000000C8
Local\XMI000000C8
It then phones back to hxxp ://210.253.102.95 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/ and to hxxp ://123.49.61.59 :8080/AJtw/UCyqrDAA/Ud+asDAA/ ..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/file/a07...b6f9e30c03c703a678abe699019e2c1eb2b/analysis/
File name: contacts.exe.x-msdownload
Detection ratio: 33/44
Analysis date: 2012-11-13
___

Fake Citibank SPAM / platinumbristol .net
- http://blog.dynamoo.com/2012/12/citibank-spam-platinumbristolnet.html
12 Dec 2012 - "This fake Citibank spam leads to malware on platinumbristol .net:
From: citibankonline @serviceemail1 .citibank .com via pado .com .br
Date: 12 December 2012 15:38
Subject: Account Alert
Mailed-by: pado .com .br
Citi
Email Security Zone EMAIL SECURITY AREA
ATM/Credit card ending in: XXX7
Alerting System
Bill Payment
Ultimate Savings Account (USA) XXXXXXXXX2
Amount Debited: $2,973.22
Date: 12/12/12
Log In to Overview Transaction
Bill Payment
Ultimate Savings Account (USA) XXXXXXXXX2
Amount Credited: $.97
Date: 12/12/12
Visit this link to Overview Detailed information
ABOUT THIS MESSAGE
Please DO NOT reply to this message. auomatic informational system unable to accept incoming messages.
Citibank, N.A. Member FDIC.
© 2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.
========================
From: citibankonline @serviceemail5 .citibank .com via clickz .com
Date: 12 December 2012 15:39
Subject: Account Notify
Mailed-by: clickz .com
Citi
Email Security Zone EMAIL SAFETY AREA
ATM/Debit card ending in: XXX7
Alerting System
Money Transfer Report
Savings Account XXXXXXXXX8
Amount Withdrawn: $3,620.11
Date: 12/12/12
Visit this link to Cancel Details
Money Transfer Report
Savings Account XXXXXXXXX8
Amount Withdrawn: $.38
Date: 12/12/12
Sign In to Overview Details
ABOUT THIS MESSAGE
Please Not try to reply to this message. automative notification system unable to accept incoming messages.
Citibank, N.A. Member FDIC.
© 2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.
========================
Date: Wed, 12 Dec 2012 23:16:15 +0700
From: alets-no-reply @serviceemail6 .citibank .com
Subject: Account Insufficient funds
EMAIL SAFETY ZONE
ATM/Debit card ending in: XXX0
Notifications System
Transaction Announcement
Ultimate Savings Account (USA) XXXXXXXXX4
Amount Debited: $4,222.19
Date: 12/12/12
Login to Abort Detailed information
Transaction Announcement
Ultimate Savings Account (USA) XXXXXXXXX4
Amount Credited: $.41
Date: 12/12/12
Go to web site by clicking here to See Operation
ABOUT THIS MESSAGE
Please Not try to reply to this message. automative notification system cannot accept incoming mail.
Citibank, N.A. Member FDIC.
2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.
========================
Date: Wed, 12 Dec 2012 20:07:46 +0400
From: citibankonline @serviceemail8 .citibank .com
Subject: Account Operation Alert
EMAIL SECURITY ZONE
Credit card ending in: XXX0
Notifications System
Bill Payment
Ultimate Savings Account (USA) XXXXXXXXX3
Amount Credited: $5,970.51
Date: 12/12/12
Click Here to Review Transaction
Bill Payment
Ultimate Savings Account (USA) XXXXXXXXX3
Amount Withdrawn: $.11
Date: 12/12/12
Sign In to View Operation
ABOUT THIS MESSAGE
Please don't reply to this message. auomatic informational system cannot accept incoming mail.
Citibank, N.A. Member FDIC.
2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.


The malicious payload is at [donotclick]platinumbristol .net/detects/alert-service.php hosted on the same 59.57.247.185 IP address in China that has been used in several recent attacks. This is definitely an IP to block if you can.
I can see the following evil domains on that same server..."
(More detail at the dynamoo URL above.)

:mad:
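The Webroot and Dynamoo write-ups quoted in this post list their indicators defanged (a space before the TLD, "hxxp", "[donotclick]") so that nobody clicks them by accident; before a proxy, DNS filter or SIEM can use them they have to be refanged and split into host, port and path, and the host-side artifacts (registry keys, mutexes, dropped file) separated from the network ones. The script below is an added example, not code from the thread or from the blogs it quotes. SAMPLE_REPORT is constructed from the indicator lines above, and the DEFANG_RULES are assumptions about this thread's defanging style rather than a general standard.

```python
import re
from urllib.parse import urlsplit

# Constructed sample built from the Cridex and Citibank indicator lines quoted in this post,
# kept in the thread's defanged style: "hxxp ://", "[donotclick]", "host .tld", "ip :port".
SAMPLE_REPORT = """\
Once executed it creates %AppData%\\kb00121600.exe on the affected system.
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CFBDC89D4
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\S25BC2D7B
Local\\XMM00000418
Local\\XMI00000418
It then phones back to hxxp ://210.253.102.95 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/ and to hxxp ://123.49.61.59 :8080/AJtw/UCyqrDAA/Ud+asDAA/ ...
The malicious payload is at [donotclick]platinumbristol .net/detects/alert-service.php hosted on 59.57.247.185 (China).
"""

# Refanging rules, applied in order. They are assumptions about how this thread
# defangs indicators, not a general standard.
DEFANG_RULES = [
    (re.compile(r"\bhxxp(s?)\s*://", re.IGNORECASE), r"http\1://"),  # "hxxp ://" -> "http://"
    (re.compile(r"\[donotclick\]"), "http://"),                       # "[donotclick]host/..." -> "http://host/..."
    (re.compile(r" \.(?=[A-Za-z0-9])"), "."),                         # "platinumbristol .net" -> "platinumbristol.net"
    (re.compile(r" :(?=\d)"), ":"),                                   # "95 :8080" -> "95:8080"
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
REG_RE = re.compile(r"^HKEY_[A-Z_]+\\[^\r\n]+$", re.MULTILINE)
MUTEX_RE = re.compile(r"^(?:Local|Global)\\\S+$", re.MULTILINE)
FILE_RE = re.compile(r"%[A-Za-z]+%\\\S+")


def refang(text):
    """Undo the thread's defanging so the indicators parse as ordinary URLs."""
    for pattern, replacement in DEFANG_RULES:
        text = pattern.sub(replacement, text)
    return text


def extract_iocs(report_text):
    """Pull blockable and detectable artifacts out of a defanged write-up."""
    text = refang(report_text)
    urls = sorted({u.rstrip(".,;)") for u in URL_RE.findall(text)})
    hosts = set(IP_RE.findall(text))          # bare IPs mentioned as hosting the payload
    sockets = set()
    for url in urls:
        parts = urlsplit(url)
        hosts.add(parts.hostname)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        sockets.add(f"{parts.hostname}:{port}")
    return {
        "urls": urls,                           # full C2 / payload URLs for proxy blocking
        "hosts": sorted(hosts),                 # hostnames and IPs for DNS / firewall blocking
        "sockets": sorted(sockets),             # host:port pairs for egress rules
        "registry_keys": REG_RE.findall(text),  # persistence artifacts to hunt for on hosts
        "mutexes": MUTEX_RE.findall(text),      # mutex names usable as an infection check
        "dropped_files": FILE_RE.findall(text),
    }


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_REPORT).items():
        print(kind)
        for value in values:
            print("   ", value)
```

The refanged output is what you would feed to a blocklist; the registry keys and mutex names are the host-side check, since a machine that already has them present was infected before any network block went in.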
 
Fake Citi-cards/Citibank/Copies of Policies SPAM ...

FYI...

Fake Citi Cards SPAM / 6.bbnface .com and 6.mamaswishes .com
- http://blog.dynamoo.com/2012/12/citi-cards-spam-6bbnfacecom-and.html
13 Dec 2012 - "This fake Citi Cards spam leads to malware on 6.bbnface .com and 6.mamaswishes .com:
Date: Thu, 13 Dec 2012 11:59:33 +0300
From: Citi Cards [citicards @info .citibank .com]
Subject: Your Citi Credit Card Statement
Add citicards @info .citibank .com to your address book to ensure delivery.
Your Account: Important Notification
Your Citi Credit Card statement is ready to view online
Dear customer,
Your Citi Credit Card statement is now available for you to view online. Here are some key pieces of information from your statement:
Statement Date: December 13, 2012
Statement Balance: -$8,803.77
Minimum Payment Due: $750.00
Payment Due Date: Tue, January 01, 2013
Want help remembering your payment due date? Sign up for automated alerts such as Payment Due reminders with Alerting Service.
To set up alerts sign on to www .citicards .com and go to Account Profile.
Iprefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.
View Your Account Pay Your Bill Contact Us
Privacy | Security
Email Preferences
This message is from Citi Cards. Your credit card is issued by Citibank, N.A. If you'd like to refine the types of email messages you receive, or if you'd prefer to stop receiving email from us, please go to... Citibank manages email preferences by line of business. Changing your email preferences with Citi Cards does not change your email preferences for messages from Citibank's other businesses which include retail branch banking among others.
Should you want to contact us in writing concerning this email, please direct your correspondence to:
Citibank Customer Service
P. O. Box 6500
Sioux Falls, SD 57117
Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at... and choosing "Contact Us" from the "Help / Contact Us" menu. You can also call the customer service phone number on the back of your card.
(c) 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.
============================
Date: Thu, 13 Dec 2012 10:30:55 +0200
From: Citi Cards [citicards @info .citibank .com]
Subject: Your Citi Credit Card Statement
Add citicards @info .citibank .com to your address book to ensure delivery.
Your Account: Important Notification
Your Citi Credit Card statement is ready to view online
Dear customer,
Your Citi Credit Card statement is now available for you to view online. Here are some key pieces of information from your statement:
Statement Date: December 13, 2012
Statement Balance: -$5,319.77
Minimum Payment Due: $506.00
Payment Due Date: Tue, January 01, 2013
Want help remembering your payment due date? Sign up for automated alerts such as Payment Due reminders with Alerting Service.
To set up alerts sign on to www .citicards .com and go to Account Profile.
Iprefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.
View Your Account Pay Your Bill Contact Us
Privacy | Security
Email Preferences
This message is from Citi Cards. Your credit card is issued by Citibank, N.A. If you'd like to refine the types of email messages you receive, or if you'd prefer to stop receiving email from us, please go to... Citibank manages email preferences by line of business. Changing your email preferences with Citi Cards does not change your email preferences for messages from Citibank's other businesses which include retail branch banking among others.
Should you want to contact us in writing concerning this email, please direct your correspondence to:
Citibank Customer Service
P. O. Box 6500
Sioux Falls, SD 57117
Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at... and choosing "Contact Us" from the "Help / Contact Us" menu. You can also call the customer service phone number on the back of your card.
(c) 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.


The links in the email bounce through a legitimate hacked site, and in the samples I have seen end up on [donotclick]6.bbnface .com/string/obscure-logs-useful.php or [donotclick]6.mamaswishes .com/string/obscure-logs-useful.php both hosted on 173.246.102.223 (Gandi, US) which probably contains many other evil sites, so blocking that IP address would probably be prudent."
___

More "Copies of Policies" SPAM / awoeionfpop .ru:
- http://blog.dynamoo.com/2012/12/copies-of-policies-spam-awoeionfpopru.html
13 Dec 2012 - "This spam leads to malware on awoeionfpop .ru:
Date: Thu, 13 Dec 2012 09:08:32 -0400
From: "Myspace" [noreply @message .myspace .com]
Subject: Fwd: Deshaun - Copies of Policies
Unfortunately, I cannot obtain electronic copies of the SPII policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
Deshaun ZAMORA,


The malicious payload is at [donotclick]awoeionfpop .ru:8080/forum/links/column.php hosted on the following IPs that I haven't seen before:
75.148.242.70 (Comcast Business, US)
91.142.208.144 (Axarnet, Spain)..."
(More detail at the dynamoo URL above.)
___

Fake Citibank SPAM / eaglepointecondo .biz
- http://blog.dynamoo.com/2012/12/citibank-spam-eaglepointecondobiz.html
13 Dec 2012 - "This fake Citibank spam leads to malware on eaglepointecondo .biz:
Date: Thu, 13 Dec 2012 16:59:14 +0400
From: "Citi Alerts" [lubumbashiny63 @bankofdeerfield .com]
Subject: Account Operation Alert
EMAIL SAFETY AREA
ATM/Credit card ending in: XXX8
Notifications System
Wire Transaction Issued
Ultimate Savings Account (USA) XXXXXXXXX5
Amount Withdrawn: $4,564.61
Date: 12/12/12
Sign In to Abort Details
Wire Transaction Issued
Ultimate Savings Account (USA) XXXXXXXXX5
Amount Debited: $.24
Date: 12/12/12
Login to Overview Operation
ABOUT THIS MESSAGE
Please DO NOT reply to this message. auto-notification system can't accept incoming mail.
Citibank, N.A. Member FDIC.
2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.
====================
From: Citibank - Alerts [mailto:enormityyf10 @iztzg .hr]
Sent: 13 December 2012 12:50
Subject: Account Operation Alert
Importance: High
EMAIL SAFETY AREA
ATM/Credit card ending in: XXX6
Notifications System
Bill Payment
Checking XXXXXXXXX7
Amount Withdrawn: $5,951.56
Date: 12/12/12
Visit this link to Cancel Detailed information
Bill Payment
Checking XXXXXXXXX7
Amount Debited: $.14
Date: 12/12/12
Login to Review Operation
ABOUT THIS MESSAGE
Please don't reply to this message. auto informer system unable to accept incoming mail.
Citibank, N.A. Member FDIC.
2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.
====================
From: Citibank - Service [mailto:goaliesj79 @wonderware .com]
Sent: 13 December 2012 12:59
Subject: Account Alert
Importance: High
EMAIL SAFETY ZONE
ATM/Debit card ending in: XXX8
Alerting System
Withdraw Message
Savings Account XXXXXXXXX4
Amount Debited: $1,218.42
Date: 12/12/12
Login to Abort Operation
Withdraw Message
Savings Account XXXXXXXXX4
Amount Withdrawn: $.42
Date: 12/12/12
Sign In to Overview Operation
ABOUT THIS MESSAGE
Please DO NOT reply to this message. auto-notification system not configured to accept incoming mail.
Citibank, N.A. Member FDIC.
2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.


The malicious payload is on [donotclick]eaglepointecondo .biz/detects/operation_alert_login.php hosted on 59.57.247.185 in China, the same IP has been used several times for evil recently and you should block it if you can."

:mad:
 
Something evil on 87.229.26.138

FYI...

Dexter malware targets POS systems...
- http://www.theregister.co.uk/2012/12/14/dexter_malware_targets_pos_systems/
14 Dec 2012 - "You could be getting more than you bargained for when you swipe your credit card this holiday shopping season, thanks to new malware that can skim credit card info from compromised point-of-sale (POS) systems. First spotted by security firm Seculert*, the malware dubbed "Dexter" is believed to have infected hundreds of POS systems in 40 countries worldwide in recent months. Companies targeted include retailers, hotel chains, restaurants, and private parking providers. The US, the UK, and Canada top the list of countries where the malicious app has been found... Once the malware is installed on a POS system, it grabs the machine's list of active processes and sends them to a command-and-control server – a highly unusual step for POS malware, according to security researchers at Trustwave**..."
* http://blog.seculert.com/2012/12/dexter-draining-blood-out-of-point-of.html

** http://blog.spiderlabs.com/2012/12/the-dexter-malware-getting-your-hands-dirty.html
___

Something evil on 87.229.26.138
- http://blog.dynamoo.com/2012/12/something-evil-on-8722926138.html
14 Dec 2012 - "This seems to be a bunch of evil domains on 87.229.26.138 (Deninet, Hungary) being used in injection attacks. Possible payloads include Blackhole (for example*).
* http://urlquery.net/report.php?id=406222
There are two sets of domains, .in domains being used by themselves and .eu domains being used with subdomains, listed below.
The registration details are probably fake, but for the record the .eu domains are registered to:
Juha Salonen
Lukiokatu 23
13430 Hameenlinna
Hameenlinna
Finland
salonen_juha @yahoo .com
The .in domains are registered to:
Puk T Lapkanen
Puruntie 33
LAPPEENRANTA
53200
FI
+358.443875638
puklapkanen @yahoo .com
If you can block the IP address then it will be the simplest option as there are rather a lot of domains here..."
(More detail at the dynamoo URL above.)
___

Fake Citibank SPAM / 4.whereintrentinoaltoadige .com
- http://blog.dynamoo.com/2012/12/citibank-spam-4whereintrentinoaltoadige.html
14 Dec 2012 - "This fake Citibank spam leads to malware on 4.whereintrentinoaltoadige .com:
Date: Fri, 14 Dec 2012 13:54:14 +0200
From: Citi Cards [citicards @info .citibank .com]
Subject: Your Citi Credit Card Statement
Add citicards @info .citibank .com to your address book to ensure delivery.
Your Account: Important Notification
Your Citi Credit Card statement is ready to view online
Dear customer,
Your Citi Credit Card statement is now available for you to view online. Here are some key pieces of information from your statement:
Statement Date: December 13, 2012
Statement Balance: -$4,550.67
Minimum Payment Due: $764.00
Payment Due Date: Tue, January 01, 2013
Want help remembering your payment due date? Sign up for automated alerts such as Payment Due reminders with Alerting Service.
To set up alerts sign on to... and go to Account Profile.
Iprefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.
View Your Account Pay Your Bill Contact Us
Privacy | Security
Email Preferences
This message is from Citi Cards. Your credit card is issued by Citibank, N.A. If you'd like to refine the types of email messages you receive, or if you'd prefer to stop receiving email from us, please go to... Citibank manages email preferences by line of business. Changing your email preferences with Citi Cards does not change your email preferences for messages from Citibank's other businesses which include retail branch banking among others.
Should you want to contact us in writing concerning this email, please direct your correspondence to:
Citibank Customer Service
P. O. Box 6500
Sioux Falls, SD 57117
Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at... and choosing "Contact Us" from the "Help / Contact Us" menu. You can also call the customer service phone number on the back of your card.
(c) 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.
====================
Alternative mid-sections:
Statement Date: December 13, 2012
Statement Balance: -$8,902.58
Minimum Payment Due: $211.00
Payment Due Date: Tue, January 01, 2013
Statement Date: December 13, 2012
Statement Balance: -$9,905.95
Minimum Payment Due: $535.00
Payment Due Date: Tue, January 01, 2013


The malicious payload is at [donotclick]4.whereintrentinoaltoadige .com/string/obscure-logs-useful.php hosted on 198.74.54.28 (Linode, US)... malicious domains are also on the same server..."
(More detail at the dynamoo URL above.)
___

More Citibank SPAM / 6.bbnsmsgateway .com
- http://blog.dynamoo.com/2012/12/citibank-spam-6bbnsmsgatewaycom.html
14 Dec 2012 - "This fake Citibank spam leads to malware on 6.bbnsmsgateway .com:
Date: Fri, 14 Dec 2012 19:27:56 +0530
From: Citi Cards [citicards @info.citibank .com]
Subject: Your Citi Credit Card Statement
Add citicards @info.citibank .com to your address book to ensure delivery.
Your Account: Important Notification
Your Citi Credit Card statement is ready to view online
Dear customer,
Your Citi Credit Card statement is now available for you to view online. Here are some key pieces of information from your statement:
Statement Date: December 13, 2012
Statement Balance: -$4,873.54
Minimum Payment Due: $578.00
Payment Due Date: Tue, January 01, 2013
Want help remembering your payment due date? Sign up for automated alerts such as Payment Due reminders with Alerting Service.
To set up alerts sign on to www.citicards.com and go to Account Profile.
Iprefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.
View Your Account Pay Your Bill Contact Us
Privacy | Security
Email Preferences
This message is from Citi Cards. Your credit card is issued by Citibank, N.A. If you'd like to refine the types of email messages you receive, or if you'd prefer to stop receiving email from us, please go to: http://www.email.citicards.com. Citibank manages email preferences by line of business. Changing your email preferences with Citi Cards does not change your email preferences for messages from Citibank's other businesses which include retail branch banking among others.
Should you want to contact us in writing concerning this email, please direct your correspondence to:
Citibank Customer Service
P. O. Box 6500
Sioux Falls, SD 57117
Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at... and choosing "Contact Us" from the "Help / Contact Us" menu. You can also call the customer service phone number on the back of your card.
(c) 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.


The malicious payload is at [donotclick]6.bbnsmsgateway .com/string/obscure-logs-useful.php hosted on 192.155.81.9 (Linode, US). There are probably some other bad domains on this server, so blocking access to that IP could be prudent."
___

Changelog SPAM / aviaonlolsio .ru
- http://blog.dynamoo.com/2012/12/changelog-spam-aviaonlolsioru.html
14 Dec 2012 - "This fake Changelog spam leads to malware on aviaonlolsio .ru:
From: messages-noreply @bounce .linkedin .com [mailto :messages-noreply @bounce .linkedin .com] On Behalf Of Earlean Gardner via LinkedIn
Sent: 13 December 2012 20:22
Subject: Re: Changelog as promised (upd.)
Hi,
as promised - View
I. SWEET
====================
Date: Fri, 14 Dec 2012 05:22:54 +0700
From: "Kaiya HIGGINS" [fwGpEzHIGGINS @hotmail .com]
Subject: Re: Fwd: Changelog as promised(updated)
Hi,
as promised chnglog updated - View
I. HIGGINS


The malicious payload is at [donotclick]aviaonlolsio .ru:8080/forum/links/column.php hosted on the same IPs as used in this attack:
75.148.242.70 (Comcast Business, US)
91.142.208.144 (Axarnet, Spain)..."
___

Fake Chase emails lead to malware
- http://blog.webroot.com/2012/12/14/...ling-statement-themed-emails-lead-to-malware/
Dec 14, 2012 - "Cybercriminals are currently mass mailing tens of thousands of emails, impersonating Chase in an attempt to trick its customers into executing the malicious attachment found in the fake email. Upon execution, the sample downloads additional malware on the affected hosts, and opens a backdoor allowing the cybercriminals behind the campaign complete access to the host...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...il_spam_malware_social_engineering.png?w=1024
... the cybercriminal/cybercriminals behind it applied low QA (Quality Assurance) since the actual filename found in the malicious archive exceeds 260 characters, resulting in a failed extraction process on Windows hosts.
“C:\Users\Workstation\Desktop\Statement_random_number.pdf.zip: Cannot create Statement_ID_random_number.pdf.exe
Total path and file name length must not exceed 260 characters. The system cannot find the path specified.“

Sample detection rate for the spamvertised attachment: MD5: 676c1a01739b855425f9492126b34d23 * ... Trojan-PSW.Win32.Tepfer.cbrv.
Makes DNS request to 3.soundfactor .org, then it establishes a TCP connection with 184.184.247.60 :14511, as well as UDP connections to the following IPs:
184.184.247.60 :23089
99.124.198.193 :13197
78.93.215.24 :14225
68.167.50.61 :28650 ..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/file/543...657a6c5e789097482302af37/analysis/1355442736/
File name: Statement_ID.pdf.exe
Detection ratio: 42/46
Analysis date: 2012-12-13

:mad:
 
Pharma SPAM - pillscarehealthcare .com

FYI...

Pharma SPAM - pillscarehealthcare .com
- http://blog.dynamoo.com/2012/12/pillscarehealthcarecom-spam.html
17 Dec 2012 - "There has been a massive amount of pharma spam pointing to pillscarehealthcare .com over the past 48 hours or so. Here are some examples:
Date: Mon, 17 Dec 2012 02:47:56 +0000 (GMT)
From: "Account Info Change" [tyjinc @palmerlakearttour .com]
To: [redacted]
Subject: Updated information
Updated information
Hello,
The following information for your ID [redacted] was updated on 12/17/2012: Date of birth, Security question and answer.
If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password.
This is an automated message. Please do not reply to this email. If you need additional help, visit our Support Center.
Thanks,
Customer Support
==================
Date: Mon, 17 Dec 2012 01:22:56 -0700
From: "Angela Snider" [directsales @tyroo .com]
To: [redacted]
Subject: Pending ticket status
Ticketing System
Hello,
You have been successfully registered in our Ticketing System
Please, login and check status of your ticket, or close the ticket here
Go To Profile
See All tickets
This message was sent to [redacted]. Should you have any questions, or if you believe that you have received this in error please contact us at support center.
==================
Date: Sat, 15 Dec 2012 21:37:47 -0700
From: "Alexis Houston" [cmassuda @agf .com .br]
To: [redacted]
Subject: Pending ticket notification
Ticketing System
Hello,
You have been successfully registered in our Ticketing System
Please, login and check status of your ticket, or report new ticket here
Go To Profile
See All tickets
This message was sent to [redacted]. Should you have any questions, or if you believe that you have received this in error please contact us at support center.
==================
Date: Sat, 15 Dec 2012 07:06:30 -0800
From: "Account Sender Mail" [daresco @excite .com]
To: [redacted]
Subject: Account is now available
Login unavailable due to maintenance ([redacted])
Hello,
Your Account is now available.
Our systems were unavailable due to maintenance and upgrading system. We apologizes for any inconvenience and appreciates the patience while this critical maintenance was performed. If you still face the problem then it would be better if you contact our team.
Access Your Account
Hope this information helps you.
Thanks,
Support team
==================
From: Kennedi Marquez [mailto:cwtroutn @naturalskincarereviews .info]
Sent: 17 December 2012 11:18
Subject: Updated information
Updated information
Hello,
The following information for your ID [redacted] was updated on 12/17/2012: Date of birth, Security question and answer.
If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password.
This is an automated message. Please do not reply to this email. If you need additional help, visit our Support Center.
Thanks,
Customer Support


This appears to be punting fake drugs rather than malware. pillscarehealthcare .com is hosted on 95.58.254.74 (Kazakh Telecom, Kazakhstan). In my opinion blocking 95.58.254.0/24 will probably do you no harm. These other fake pharma web sites can be found on the same IP address..."
(More detail at the dynamoo URL above.)

:mad:
 
Fake UPS/USPS SPAM - apensiona .ru

FYI...

Fake UPS/USPS SPAM / apensiona .ru
- http://blog.dynamoo.com/2012/12/ups-or-is-it-usps-spam-apensionaru.html
18 Dec 2012 - "Spammers often get UPS and the USPS mixed up. They're not the same thing at all. And this one throws FilesTube into the mix as well. Anyway, this fake UPS/USPS/FilesTube spam leads to malware on apensiona .ru:
From: FilesTube [mailto: filestube @filestube .com]
Sent: 17 December 2012 06:01
Subject: Your Tracking Number H7300014839
USPS Customer Services for big savings!
Can't see images? CLICK HERE.
UPS - UPS TEAM 60 >>
Already Have an Account?
Enjoy all UPS has to offer by linking your My UPS profile to your account.
Link Your Account Now >>
UPS - UPS .com Customer Services
Good Evening, [redacted].
DEAR USER , Recipient's address is wrong
Track your Shipment now!
With Respect To You , Your UPS .com Customer Services.
Shipping | Tracking | Calculate Time & Cost | Open an Account
@ 2011 United Parcel Service of America, Inc. Your USPS .us Customer Services, the UPS brandmark, and the color brown are
trademarks of United Parcel Service of America, Inc. All rights reserved.
This is a marketing e-mail for UPS services. Click here to update your e-mail preferences or to unsubscribe to
USPS Team marketing e-mail. For information on UPS's privacy practices, please refer to UPS Privacy Policy.
Your USPS .us Customer Services, 8 Glenlake Parkway, NE - Atlanta, GA 30585
Attn: Customer Communications Department


The malicious payload is at [donotclick]apensiona .ru:8080/forum/links/column.php which is hosted on 217.112.40.69 (Utransit, claims to be from the UK but probably Russia). The following malicious domains are also on that IP address..."
(More detail at the dynamoo URL above.)
___

GFI Labs Email Roundup for the Week
- http://www.gfi.com/blog/gfi-labs-email-roundup-for-the-week-6/
Dec 18, 2012 - "... noteworthy email threats for the week... covering the dates of December 10 to 14...

“Mailbox Upgrade” Email is a Phish...
> http://gfisoftware.tumblr.com/post/37643320589/e-mail-credentials-phish
... Malicious URLs: my3q .com/survey/458/webgrade2052/77717.phtml

Unsolicited “Adobe CS4 License” Leads to Malware...
> http://gfisoftware.tumblr.com/post/37791588782/adobe-indesign-cs4-license-spam-returns
... Malicious URLs: safeshopper .org.nz/redirecting.htm, happy-school .edu.pl/redirecting.htm, amnaosogo .ru:8080/forum/links/column.php...

Spammers Target Citibank Clients.
> http://gfisoftware.tumblr.com/post/37830503278/malicious-citibank-credit-card-statement-spam
... Malicious URLs... (See the gfisoftware.tumblr URL above.)
___

LinkedIn SPAM / apensiona .ru
- http://blog.dynamoo.com/2012/12/linkedin-spam-apensionaru.html
18 Dec 2012 - "This fake LinkedIn spam leads to malware on apensiona .ru:
From: messages-noreply @bounce .linkedin .com on behalf of LinkedIn Connections
Sent: Tue 18/12/2012 14:01
Subject: Join my network on LinkedIn
LinkedIn
Hien Lawson has indicated you are a Friend
I'd like to add you to my professional network on LinkedIn.
- Hien Lawson
Accept
View invitation from Hien Lawson
WHY MIGHT CONNECTING WITH Hien Lawson BE A GOOD IDEA?
Hien Lawson's connections could be useful to you
After accepting Hien Lawson's invitation, check Hien Lawson's connections to see who else you may know and who you might want an introduction to. Building these connections can create opportunities in the future.
2012, LinkedIn Corporation


The malicious payload is at [donotclick]apensiona .ru:8080/forum/links/column.php (the same payload as here*) although this time the IPs have changed to:
109.235.71.144 (Serveriai, Lithuania)
176.31.111.198 (OVH, France)
217.112.40.69 (Utransit, UK)
Here's a plain list if you want to block the lot:
109.235.71.144
176.31.111.198
217.112.40.69
..."
* http://blog.dynamoo.com/2012/12/ups-or-is-it-usps-spam-apensionaru.html

:mad:
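The post above ends with a plain list of IPs to block; other posts in this thread recommend CIDR ranges (46.105.131.120/29) and whole dynamic-DNS domains (mooo .com) instead, and an exact-match list misses both a subdomain and an address inside a range. The script below is an added example, not code from the thread or from Dynamoo. It compiles entries of all three kinds into one blocklist (accepting the thread's defanged spelling) and runs constructed proxy-log lines against it; the log lines, client addresses and subdomain names in them are made up for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed blocklist: the three IPs from the plain list above, plus one CIDR range and
# two domain entries in the form other block lists in this thread use.
BLOCKLIST = [
    "109.235.71.144",
    "176.31.111.198",
    "217.112.40.69",
    "46.105.131.120/29",
    "mooo .com",          # defanged entry, as pasted from the thread
    "apensiona .ru",
]

# Constructed proxy log lines (timestamp, client, method, URL); the clients and the
# subdomain names are made up for the example.
SAMPLE_PROXY_LOG = [
    "2012-12-18T14:03:11Z 10.0.0.12 GET http://apensiona.ru:8080/forum/links/column.php",
    "2012-12-18T14:03:12Z 10.0.0.12 GET http://217.112.40.69:8080/forum/links/column.php",
    "2012-12-18T14:05:40Z 10.0.0.31 GET http://www.example.com/index.html",
    "2012-12-18T14:06:02Z 10.0.0.31 GET http://update.mooo.com/scandsk.exe",
    "2012-12-18T14:07:15Z 10.0.0.44 GET http://46.105.131.123/",
]


def compile_blocklist(entries):
    """Split entries into IP networks (a single IP becomes a /32) and domain suffixes."""
    networks, domains = [], set()
    for raw in entries:
        entry = raw.strip().replace(" .", ".").lower().rstrip(".")  # refang "mooo .com"
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:            # not an IP or CIDR, so it is a domain entry
            domains.add(entry)
    return networks, domains


def domain_blocked(host, domains):
    """A listed domain blocks itself and every subdomain, but not look-alike names."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def is_blocked(host, networks, domains):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:                # not an IP literal, so treat it as a hostname
        return domain_blocked(host, domains)
    return any(addr in net for net in networks)


def flag_log_lines(lines, blocklist=BLOCKLIST):
    """Return (client, host) pairs for every log line whose destination is blocklisted."""
    networks, domains = compile_blocklist(blocklist)
    hits = []
    for line in lines:
        fields = line.split()
        host = urlsplit(fields[-1]).hostname
        if host and is_blocked(host, networks, domains):
            hits.append((fields[1], host))
    return hits


if __name__ == "__main__":
    for client, host in flag_log_lines(SAMPLE_PROXY_LOG):
        print(f"{client} contacted blocklisted host {host}")
```

Suffix matching is deliberately label-based rather than a substring test, so "notmooo.com" or "mooo.com.example.net" does not match; when a whole dynamic-DNS parent such as mooo .com is listed, expect some legitimate subdomains to be caught too, as the Fake AV post in this thread notes.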
 
Fake AV - Malware sites to block 19/12/12

FYI...

Fake AV - Malware sites to block 19/12/12
- http://blog.dynamoo.com/2012/12/malware-sites-to-block-191212.html
19 Dec 2012 - "This group of sites appears to be using a fake AV application to download a malicious file scandsk.exe (report here*) via 79.133.196.103 (eTop, Poland) and 82.103.140.100 (Easyspeedy, Denmark) which then attempts to call home to 46.105.131.126 (OVH, Ireland).
* https://www.virustotal.com/file/5c6...c37895e88cc0e7e87398b307b4e98d4bc70/analysis/
Detection ratio: 14/45
This is a screenshot of the fake AV in action:
> https://lh3.ggpht.com/-D3JYfW2LwH8/UNGNBXwma4I/AAAAAAAAA1I/tyIDs4EZIcc/s1600/fakeav.png
From this point, the scandsk.exe gets downloaded either through an exploit or social engineering. This executable looks like some sort of downloader, which attempts to pull down additional data from these non-responding domains:
report.q7ws17sk1ywsk79g .com
report.7ws17sku7myws931u .com
report.u79i1qgmywskuo9o .com
There's some sort of trickery here, perhaps it requires exactly the right kind of factors to hit a valid URL, the automated analysis tools are inconsistent... but seem to indicate a C&C on 46.105.131.126. This IP belongs to OVH (no surprises there) but seems to have been suballocated:
inetnum: 46.105.131.120 - 46.105.131.127
netname: marysanders1
descr: marysanders1net
country: IE
org: ORG-OH5-RIPE
admin-c: OTC9-RIPE
tech-c: OTC9-RIPE
status: ASSIGNED PA
mnt-by: OVH-MNT
source: RIPE # Filtered
I suspect that this whole block is being used for malicious purposes; 46.105.131.123 hosts a site called find-and-go .com registered in China which has been fingered as an attack site before.... I would recommend blocking the entire 46.105.131.120/29 to be on the safe side. The infection sites are on 82.103.140.100 and 79.133.196.103; they make extensive use of subdomains of mooo .com, ez .lv and zyns .com. There are probably legitimate sites making use of these domains, but blocking them completely should give you few headaches. 79.133.196.103 is part of a small block of IPs, 79.133.196.96/27, that I have seen malware on before, specifically 79.133.196.105 and 79.133.196.124. Blocking the entire /27 is probably a good idea.
Recommended blocklist:
46.105.131.120/29
82.103.140.100
79.133.196.97/27
mooo .com
ez .lv
zyns .com

Alternatively, these are some of the subdomains in use.. there are a lot of them, and probably more than I have listed here..."
(More detail at the dynamoo URL above.)
___

Fake Facebook SPAM / 46.249.58.211 and 84.200.77.218
- http://blog.dynamoo.com/2012/12/facebook-spam-4624958211-and-8420077218.html
19 Dec 2012 - "There are various Facebook spams doing the rounds pointing to a variety of malware sites on 46.249.58.211 and 84.200.77.218, for example:
From: FB.Team
Sent: 19 December 2012 14:30
Subject: Re-activate account
Hi [redacted],
Your account has been blocked due to spam activity.
To verify account, please follow this link:
http ://www.facebook .com/confirmemail.php?e=[redacted]
You may be asked to enter this confirmation code: [redacted]
The Facebook Team
Didn't sign up for Facebook? Please let us know.


46.249.58.211 (Serverius Holding, Netherlands)...
84.200.77.218 (Misterhost, Germany)...
GFI has some more details on this one here*."
* http://gfisoftware.tumblr.com/post/38303266759/your-facebook-account-is-blocked-due-to-spam-activity
Your Facebook Account is Blocked due to Spam Activity
Dec 19, 2012
___

Fake ‘Change Facebook Color Theme’ events lead to rogue Chrome extensions
- http://blog.webroot.com/2012/12/19/...theme-events-lead-to-rogue-chrome-extensions/
Dec 19, 2012 - "Cybercriminals have recently launched a privacy-violating campaign spreading across Facebook in an attempt to trick Facebook’s users into installing a rogue Chrome extension. Once installed, it will have access to all the data on all web sites, as well as access to your tabs and browsing history...
Sample screenshot of one of the few currently active Facebook Events promoting the rogue Chrome extension:
> https://webrootblog.files.wordpress...me_02_rogue_google_chrome_extension.png?w=702
The campaign is relying on automatically registered Tumblr accounts, where the actual redirection takes place. Users are exposed to the following page, enticing them into changing their Facebook color theme:
> https://webrootblog.files.wordpress...rogue_google_chrome_extension.png?w=477&h=289
Once users accept the EULA and Privacy Policy, they will become victims of the privacy-violating Chrome extension:
> https://webrootblog.files.wordpress...rogue_google_chrome_extension.png?w=555&h=355
... the cybercriminals behind the campaign not only hosted it on Amazon’s cloud, they also featured it in Chrome’s Web Store:
> https://webrootblog.files.wordpress...rogue_google_chrome_extension.png?w=614&h=324
In case users choose -not- to accept the EULA and the Privacy Policy, the cybercriminals behind the campaign will once again attempt to monetize the hijacked Facebook traffic by asking them to participate in surveys, part of CPA (Cost-Per-Action) affiliate network, earning -them- money:
> https://webrootblog.files.wordpress...rogue_google_chrome_extension.png?w=554&h=310
... Users are advised to be extra cautious when accepting EULAs and Privacy Policies, in particular when installing browser extensions that have the capacity to access sensitive and personally identifiable data on their PCs..."
___

Google Docs SPAM/PHISH...
- https://isc.sans.edu/diary.html?storyid=14731
Last Updated: 2012-12-19 - "... Scams where the attacker's data-collection form resides at a Google Docs (now Google Drive) are especially difficult to warn users about. After all, the malicious webpage resides at the -trusted- google .com domain. The effect is especially severe for organizations using Google Apps as a collaboration platform... such scams aren't going away any time soon..."
> F-secure: http://www.f-secure.com/weblog/archives/00002168.html
> GFI: http://www.gfi.com/blog/google-docs-phishing/
> Sophos: http://nakedsecurity.sophos.com/2012/05/30/phishing-with-help-from-google-docs/
... Recipients who clicked the "CLICK HERE" link were directed to the following "IT HELPDESK SERVICE" page, which prompted for logon credentials that the attacker wanted to capture...
> https://isc.sans.edu/diaryimages/images/it-helpdesk-service-3.png
... The attacker was likely using a -compromised- Google Apps account of another organization to create a Google Docs spreadsheet and expose its data entry form... Avoid clicking on email links when you need to take important actions that require logging in. Relying on a previously-saved bookmark is safer..."
___

LinkedIn Spam: The Repeat
- http://www.gfi.com/blog/linkedin-spam-the-repeat/
Dec 19, 2012 - "Another slew of spam claiming to originate from LinkedIn has hit the wild Internet in less than 24 hours, according* to the real time recording and tracking of email threats by our researchers in the AV Labs.
* http://gfisoftware.tumblr.com/post/38238165249/malicious-linkedin-invitation-spam-returns
... Here’s what the email looks like:
> http://www.gfi.com/blog/wp-content/uploads/2012/12/LinkedIn_1218-wm.png
From: {bogus email address}
To: {random}
Subject: Join my network on LinkedIn
Message body:
{redacted} has indicated you are a Friend
I’d like to add you to my professional network on LinkedIn.
[Allow button] View invitation from {redacted}
WHY MIGHT CONNECTING WITH {redacted} BE A GOOD IDEA?
{redacted} connections could be useful to you
After accepting {redacted} invitation, check {redacted} connections to see who else you may know and who you might want an introduction to. Building these connections can create opportunities in the future.

Clicking the Allow button or the link on the message body directs users to several Web pages of compromised sites, which all look like this:
> http://www.gfi.com/blog/wp-content/uploads/2012/12/linkedin-01-wm-300x105.png
This page laced with the Blackhole Exploit Kit code then auto-redirects users to a Russian website where the Cridex info-stealer payload can be downloaded.
> http://www.gfi.com/blog/wp-content/uploads/2012/12/linkedin-02-wm-300x131.png
When in doubt, users should simply visit their LinkedIn pages and check their profile mailbox for invites..."
___

Wire Transfer SPAM / angelaonfl .ru
- http://blog.dynamoo.com/2012/12/wire-transfer-spam-angelaonflru.html
19 Dec 2012 - "This fake Wire Transfer spam leads to malware on angelaonfl .ru:
Date: Wed, 19 Dec 2012 11:26:24 -0500
From: "Myspace" [noreply @message .myspace .com]
Subject: Wire Transfer (3014YZ20)
Welcome,
Your Wire Transfer Amount: USD 45,429.29
Transfer Report: View
EULALIA Henry,
The Federal Reserve Wire Network


The malicious payload is at [donotclick]angelaonfl .ru:8080/forum/links/column.php hosted on the following IPs:
91.224.135.20 (Proservis UAB, Lithuania)
210.71.250.131 (Chunghwa Telecom, Taiwan)
217.112.40.69 (Utransit, UK)
The following domains and IPs are all related and should be blocked if you can:
91.224.135.20
210.71.250.131
217.112.40.69
..."
(More detail at the dynamoo URL above.)
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Order Request E-mail Messages - December 19, 2012
Fake Party Invitation E-mail Messages - December 19, 2012
Fake Sample Product Quote E-mail Messages - December 19, 2012
Fake Scanned Image E-mail Messages - December 19, 2012
Fake Unspecified E-mail Messages - December 18, 2012
Fake Payment Invoice E-mail Messages - December 18, 2012
Fake Funds Transfer Notification E-mail Message - December 18, 2012
Fake Airline Ticket Order Notification E-mail Messages - December 18, 2012
Fake Product Order Quotation Attachment E-mail Message - December 18, 2012
Fake Tax Invoice E-mail Messages - December 18, 2012
Fake Order Invoice Notification E-mail Messages - December 18, 2012
Fake Sales Request E-mail Messages - December 18, 2012 ...

:mad: :fear:
 
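The 19 Dec "Malware sites to block" post above publishes its recommendations as a mixed list of CIDR ranges, single IPs and defanged domains, and notes that one of the ranges (written 79.133.196.97/27) is really the 79.133.196.96/27 block. The following is an added example, not dynamoo's or the forum poster's code, showing how a defender would normalise such a list before feeding it to a filter: the list entries are the ones quoted in the post, the addresses and hostnames tested against it are constructed for the demo, and the refang rules assume the post's " .com" / "[donotclick]" defanging style.

```python
"""Normalise a published blocklist (CIDRs, bare IPs, defanged domains) and
test addresses and hostnames against it.  Added example; the entries come
from the post, the test inputs are constructed."""
import ipaddress
import re

# Entries exactly as they appear in the post's "Recommended blocklist".
RAW_BLOCKLIST = """
46.105.131.120/29
82.103.140.100
79.133.196.97/27
mooo .com
ez .lv
zyns .com
"""


def refang(indicator: str) -> str:
    """Undo the 'example .com', 'hxxp ://' and '[donotclick]' defanging used in the post."""
    s = indicator.strip().replace("[donotclick]", "")
    s = re.sub(r"^hxxp(s?)\s*://", r"http\1://", s)
    return re.sub(r"\s+\.", ".", s)


def parse_blocklist(text: str):
    """Split raw entries into (networks, domains).

    Host-style CIDRs such as 79.133.196.97/27 are accepted with strict=False,
    which yields the enclosing network 79.133.196.96/27 that the post's
    narrative actually refers to; a strict parse would reject the entry.
    """
    networks, domains = [], set()
    for line in text.splitlines():
        entry = refang(line)
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:          # not an IP or CIDR, treat as a domain
            domains.add(entry.lower())
    return networks, domains


def is_blocked_ip(ip: str, networks) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def is_blocked_host(host: str, domains) -> bool:
    """Match the listed domain itself and every subdomain (foo.bar.mooo.com),
    but not look-alikes such as notmooo.com."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


NETWORKS, DOMAINS = parse_blocklist(RAW_BLOCKLIST)

if __name__ == "__main__":
    for ip in ("46.105.131.123", "79.133.196.105", "79.133.196.130", "8.8.8.8"):
        print(f"{ip:16} blocked={is_blocked_ip(ip, NETWORKS)}")
    for host in ("update.mooo.com", "ez.lv", "notmooo.com"):
        print(f"{host:16} blocked={is_blocked_host(host, DOMAINS)}")
```

The `strict=False` parse is the practical point: a /27 written with a host address in it silently becomes the right block here, whereas a firewall that rejects non-aligned prefixes would drop the whole entry. The subdomain match reflects the post's remark that the infection sites live on subdomains of the three dynamic-DNS domains.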
Fake Citi/Sendspace emails ...

FYI...

Fake ‘Citi Account Alert’ emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2012/12/20/...themed-emails-lead-to-black-hole-exploit-kit/
Dec 20, 2012 - "Cybercriminals are currently mass mailing hundreds of thousands of emails impersonating Citi, using -two- different professionally looking email templates. Upon clicking on any of the links found in the malicious emails, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Sample screenshot of the first spamvertised template:
> https://webrootblog.files.wordpress...social_engineering_black_hole_exploit_kit.png
Sample screenshot of the second spamvertised template:
> https://webrootblog.files.wordpress...ial_engineering_black_hole_exploit_kit_01.png
Sample client-side exploits serving URLs:
hxxp ://eaglepointecondo .biz/detects/operation_alert_login.php – 59.57.247.185
Name Server: NS1.AMISHSHOPPE.NET – 209.140.18.37 – Email: solaradvent @yahoo .com
Name Server: NS2.AMISHSHOPPE.NET – 211.27.42.138 – Email: solaradvent @yahoo .com
hxxp ://platinumbristol .net/detects/alert-service.php – 59.57.247.185
Name Server: NS1.AMISHSHOPPE.NET – 209.140.18.37 – Email: solaradvent @yahoo .com
Name Server: NS2.AMISHSHOPPE.NET – 211.27.42.138 – Email: solaradvent @yahoo .com
Upon successful client-side exploitation, the campaign drops MD5: b360fec7652688dc9215fd366530d40c * ... Worm:Win32/Cridex.E.
Once executed, the sample performs the following activities:
Accesses Firefox’s Password Manager local database
Creates a thread in a remote process
Installs a program to run automatically at logon
It creates the following Registry Keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B
With the following value:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
KB00121600.exe = "%AppData%\KB00121600.exe"
It then creates the following Mutexes:
Local\XMM000003F8
Local\XMI000003F8
Local\XMRFB119394
Local\XMM000005E4
Local\XMI000005E4
Local\XMM0000009C
Local\XMI0000009C
Local\XMM000000C8
Local\XMI000000C8
It also drops the following MD5s:
MD5: 9e7577dc5d0d95e2511f65734249eba9
MD5: 61bb88526ff6275f1c820aac4cd0dbe9
MD5: b360fec7652688dc9215fd366530d40c
MD5: f6ee1fcaf7b87d23f09748cbcf5b3af5
MD5: d7a950fefd60dbaa01df2d85fefb3862
MD5: ed662e73f697c92cd99b3431d5d72091
It then phones back to 209.51.221.247/AJtw/UCyqrDAA/Ud+asDAA. We’ve already seen the same command and control server used in the following previously profiled malicious campaigns..."
* https://www.virustotal.com/file/222...30eadb3da3771347228a9583d3313d1fc10/analysis/
File name: readme.exe
Detection ratio: 32/45
Analysis date: 2012-12-20
___

Sendspace "You have been sent a file" SPAM / apendiksator .ru
- http://blog.dynamoo.com/2012/12/sendspace-you-have-been-sent-file-spam.html
20 Dec 2012 - "This fake Sendspace spam leads to malware on apendiksator .ru:
Date: Thu, 20 Dec 2012 09:25:36 -0300
From: "SHIZUKO Ho"
Subject: You have been sent a file (Filename: [redacted]-28.pdf)
Sendspace File Delivery Notification:
You've got a file called [redacted]-6110219.pdf, (286.58 KB) waiting to be downloaded at sendspace.(It was sent by SHIZUKO Ho).
You can use the following link to retrieve your file:
Download Link
The file may be available for a limited time only.
Thank you,
sendspace - The best free file sharing service.
Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.
===
Date: Thu, 20 Dec 2012 05:05:02 +0100
From: "GENNIE Hensley"
Subject: You have been sent a file (Filename: [redacted]-7123391.pdf)
Sendspace File Delivery Notification:
You've got a file called [redacted]-38335.pdf, (282.44 KB) waiting to be downloaded at sendspace.(It was sent by GENNIE Hensley).
You can use the following link to retrieve your file:
Download Link
The file may be available for a limited time only.
Thank you,
sendspace - The best free file sharing service.
Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.


The malicious payload is at [donotclick]apendiksator .ru:8080/forum/links/column.php hosted on:
91.224.135.20 (Proservis UAB, Lithuania)
187.85.160.106 (Ksys Soluções Web, Brazil)
210.71.250.131 (Chunghwa Telecom, Taiwan)
These IPs and domains are all related and should be blocked:
91.224.135.20
187.85.160.106
210.71.250.131
afjdoospf .ru
angelaonfl .ru
akionokao .ru
apendiksator .ru
..."
___

"New message" SPAM, fake dating sites and libertymonings .info
- http://blog.dynamoo.com/2012/12/new-message-spam-fake-dating-sites-and.html
20 Dec 2012 - "This "New message" themed spam leads to both a fake anti-virus page and a Java exploit on the domains site-dating2012 .asia and libertymonings .info. There's some cunning trickery going on here too. First of all, let's start with some spam examples:
Date: Thu, 20 Dec 2012 20:50:17 -0200
From: "SecureMessage System" [2F5DEE622 @hungter .com]
Subject: New message
Click here to view the online version.
New private message from Terra Fisher received.
Total unread messages: 5
[ Read now ]
Copyright 2012 SecureMessage System. All rights reserved.
If you would like to update your profile or unsubscribe, please click here.
PLEASE DO NOT REPLY TO THIS MESSAGE.
If you require Technical Support, please check Support Center for information.
-------------------------
Date: Thu, 20 Dec 2012 20:36:14 -0200
From: "Secure Message" [82E8ACBD @lipidpanel .com]
Subject: New message
Click here to view the online version.
New private message from Josefina Albert received.
Total unread messages: 3
[ Read now ]
Copyright 2012 SecureMessage System. All rights reserved.
If you would like to update your profile or unsubscribe, please click here.
PLEASE DO NOT REPLY TO THIS MESSAGE.
If you require Technical Support, please check Support Center for information.


In these cases, the targets URLs are [donotclick]site-dating2012c .asia/link.php and [donotclick]site-dating2012 .asia/link.php both hosted on 46.249.42.161 (Serverius Holding, Netherlands) and pretty much the same as the ones found a couple of days ago hiding out on 46.249.58.211(also at Serverius Holding). These look like dating URLs, so you might assume that they are either a) a legitimate dating site or b) just some dating spam rather than malware. In any case, appearances are deceptive and it leads to fake AV site that seems to be very similar to this one. The deception goes a little deeper, because the link.php pages even forward through a fake affiliate-style link such as [donotclick]best-dating2010 .info/?affid=00110&promo_type=5&promo_opt=1 before they get to the fake anti-virus page. The site also contains an apparent Java exploit that loads in from libertymonings .info on 84.200.77.218 (Misterhost, Germany) which was also used in this attack. The malicious code is found at the page [donotclick]libertymonings .info/index/zzz/?a=YWZmaWQ9MDAxMTA= which attempts to download a Java exploit from [donotclick]libertymonings .info/analizator_data/ztsvgnvlmhe-a.qsypes.jar which is pretty thinly detected according to VirusTotal*.
The following IPs and domains are all related and should be blocked if you can:
46.249.42.161
46.249.58.211
84.200.77.218
..."
* https://www.virustotal.com/file/778...b9c42bc61d4361ddb41fb45a/analysis/1356045558/
File name: ztsvgnvlmhe-a.qsypes.jar
Detection ratio: 6/45
Analysis date: 2012-12-20

:mad::mad:
 
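The Cridex write-up quoted in this post lists host-side indicators: a Run-key value pointing at %AppData%\KB00121600.exe, two odd subkeys under HKCU\Software\Microsoft\Windows NT, and a set of Local\ mutexes. The example below is added here and is not Webroot's or the forum poster's code; it shows how those indicators turn into a simple host check run over a registry export and a mutex listing. The .reg text and mutex list are constructed for the demo, and the generalised patterns (the KB + eight digits name, the nine-character Windows NT subkey, the variable eight-hex-digit XMM/XMI suffix) are assumptions drawn from comparing the indicators quoted in this post with those quoted earlier in the thread.

```python
"""Match host artifacts against the Cridex indicators quoted in the post.
Added example; registry export and mutex list are constructed, patterns are
generalisations of the page's indicators and are labelled as assumptions."""
import re

# Constructed .reg-style export of a suspect HKCU hive (not from a real host).
REG_EXPORT = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Program Files\\OneDrive\\OneDrive.exe /background"
"KB00121600.exe"="\"%AppData%\\KB00121600.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4]

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B]
"""

# Constructed snapshot of Local\ mutexes, e.g. from a handle listing.
MUTEXES = [
    r"Local\XMRFB119394",
    r"Local\XMM000003F8",
    r"Local\XMI000003F8",
    r"Local\ZonesCounterMutex",   # benign entry, for contrast
]

# Assumed generalisations of the page's indicators:
# - the Run value name KB00121600.exe -> KB + 8 digits + .exe, living in %AppData%
# - the Windows NT subkeys CFBDC89D4 / S25BC2D7B -> 9 alphanumeric characters
# - XMM/XMI mutex suffixes differ between the two samples on the page
#   (00000418 vs 000003F8) so are treated as variable; XMRFB119394 is
#   identical in both and is matched literally.
RUN_VALUE_RE = re.compile(r"^KB\d{8}\.exe$", re.IGNORECASE)
APPDATA_RE = re.compile(r"%AppData%\\+KB\d{8}\.exe", re.IGNORECASE)
WINNT_KEY_RE = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\[0-9A-Z]{9}$", re.IGNORECASE)
MUTEX_RE = re.compile(r"^Local\\(XMRFB119394|XM[MI][0-9A-F]{8})$")


def parse_reg_export(text: str):
    """Yield (key, name, raw_value) from a minimal .reg-style export;
    key lines are yielded with name and value set to None."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
        elif key and line.startswith('"'):
            name, _, value = line.partition("=")
            yield key, name.strip('"'), value


def scan(reg_text: str, mutexes) -> list:
    """Return (category, detail) findings for every indicator match."""
    findings = []
    for key, name, value in parse_reg_export(reg_text):
        if name is None:
            if WINNT_KEY_RE.match(key):
                findings.append(("registry_key", key))
        elif key.endswith(r"\CurrentVersion\Run") and (
                RUN_VALUE_RE.match(name) or APPDATA_RE.search(value)):
            findings.append(("run_value", f"{name} -> {value}"))
    for mutex in mutexes:
        if MUTEX_RE.match(mutex):
            findings.append(("mutex", mutex))
    return findings


if __name__ == "__main__":
    for category, detail in scan(REG_EXPORT, MUTEXES):
        print(f"{category:13} {detail}")
```

Matching the Run value on both the name pattern and the %AppData% path keeps the check useful if only one of the two is reused, while the benign OneDrive entry shows that a generic "anything in Run" rule would be too noisy.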
ProfileSpy / Fake Citi emails...

FYI...

Malware sites to block 21/12/12
- http://blog.dynamoo.com/2012/12/malware-sites-to-block-211212.html
21 Dec 2012 - "There are a series of malware domains on 91.201.215.173 apparently using a Java and PDF exploit to infect visitors. The infection mechanism appears to be coming from an unidentified ad running on the centerblog .net blogging system (I think specifically [donotclick]zezete2.centerblog .net/i-247-136-1356095651.html).
The malware URLs are quite lengthy and appear to be resistant to analysis, in the attack I have seen the following URLs were in use (don't visit these sites, obviously)
[donotclick]svwlekwtaign.avigorstats .pro/nfzU990ANRE02JVS0Qk7s0jYN40nDNx0dbn217t
[break]Yy0jp8q0NKcl0kgxI0L8Gt15rue0vRer0M2Lr0fIED/
[donotclick]mcruxdufxwnp.avigorstats .pro/nfzU990ANRE02JVS0Qk7s0jYN40nDNx0dbn217t
[break]Yy0jp8q0NKcl0kgxI0L8Gt15rue0vRer0M2Lr0fIED/
[break] indicates where I've added a linebreak to get it to fit on the page; remove that and the linebreak for a valid URL.
avigorstats .pro and its subdomains are hosted on 91.201.215.173 (PS Internet Company Ltd, Kazakhstan), but this is just the tip of a -huge- iceberg of malicious IPs and domains that are all interconnected.
Let's start with my personal recommended blocklist. If you are in Russia or Ukraine then you might want to be a bit more conservative with the Russian netblocks and refer to the raw IP list below (there's one list with ISPs listed, one plain one for copying and pasting)..
Recommended blocklist (annotated)...
Recommended blocklist (Plain list)..."
(Too long to post here - see the dynamoo URL above - great list to use!)
___

Profile Spy...
- http://www.gfi.com/blog/profile-spy-resurrects-on-eve-of-mayan-apocalypse/
Dec 21, 2012 - "... Profile Spy, a once viral scam on Facebook and Twitter that entices users to check out who have been viewing their profiles. Today, on the eve of the rumored 'EoW', it has decided to rear its ugly head once more... the criminals behind it have used a number of tactics to make users hand over their credentials or give them money — like asking users to “Like” their page, answer surveys and copy and paste a code into the address bar. This time, the scammers have used a lot of elements in this effort. One is Facebook, the other two are Tumblr and the Google Chrome Web Store. This scam starts off as a Facebook event invitation spammed to random users who are part of the mark’s network, a social engineering tactic already done in the past. Since the “event” is public, anyone can visit the page if the URL is shared... Visiting any of the links on the comment posted on the page leads users to a Tumblr profile. Clicking “Get it here” then leads users to a similar looking page, which is using Amazon‘s web service, where they can download the Facebook Profile Spy v2.0 for the Google Chrome Internet browser... This rogue extension, once installed, is capable of doing three things: firstly, it updates the mark’s Facebook status by sharing an image and commenting on it — secondly, the extension displays a fake “security CAPTCHA check” pop-up window where the mark can fill in names of persons in his/her network. This then results in the creation of the Profile Spy “event” invitation... [UPDATE: Google has now taken down the Profile Spy page on the Chrome Web Store.] Watch that mouse pointer... careful where you direct and click it."
(Screenshots and more info available at the gfi URL above.)
___

Fake ‘Citi Account Alert’ emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2012/12/21/...themed-emails-lead-to-black-hole-exploit-kit/
Dec 21, 2012 - "Cybercriminals are currently mass mailing hundreds of thousands of emails impersonating Citi, using -two- different professionally looking email templates. Upon clicking on any of the links found in the malicious emails, users are exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit...
Sample screenshot of the first spamvertised template:
> https://webrootblog.files.wordpress...social_engineering_black_hole_exploit_kit.png
Sample screenshot of the second spamvertised template:
> https://webrootblog.files.wordpress...ial_engineering_black_hole_exploit_kit_01.png
... Sample client-side exploits serving URLs:
hxxp ://eaglepointecondo .biz/detects/operation_alert_login.php – 59.57.247.185
Name Server: NS1.AMISHSHOPPE .NET – 209.140.18.37 – Email: solaradvent @yahoo .com
Name Server: NS2.AMISHSHOPPE .NET – 211.27.42.138 – Email: solaradvent @yahoo .com
hxxp ://platinumbristol .net/detects/alert-service.php – 59.57.247.185
Name Server: NS1.AMISHSHOPPE .NET – 209.140.18.37 – Email: solaradvent @yahoo .com
Name Server: NS2.AMISHSHOPPE .NET – 211.27.42.138 – Email: solaradvent @yahoo .com
Upon successful client-side exploitation, the campaign drops MD5: b360fec7652688dc9215fd366530d40c * ... Worm:Win32/Cridex.E.
Once executed, the sample performs the following activities:
Accesses Firefox’s Password Manager local database
Creates a thread in a remote process
Installs a program to run automatically at logon ...
Responding to 59.57.247.185 are also the following malicious domains..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/file/222...30eadb3da3771347228a9583d3313d1fc10/analysis/
File name: readme.exe
Detection ratio: 32/45
Analysis date: 2012-12-20
___

‘Work at Home’ scams impersonating CNBC spotted in the wild
- http://blog.webroot.com/2012/12/21/...scams-impersonating-cnbc-spotted-in-the-wild/
Dec 21, 2012 - "... a currently circulating “Work At Home” scam that’s successfully and professionally impersonating CNBC in an attempt to add more legitimacy to its market proposition – the Home Business System...
Sample screenshot of the spamvertised email impersonating CNBC:
> https://webrootblog.files.wordpress.com/2012/12/fake_cnbc_work_at_home_scam_01.png
Sample screenshot of the fake CNBC news article detailing the success of the Home Business System:
> https://webrootblog.files.wordpress.com/2012/12/fake_cnbc_work_at_home_scam.png
No matter where you click, you’ll always be redirected to the Home Business System.
Sample bogus statistics sent by customers of the system:
> https://webrootblog.files.wordpress.com/2012/12/fake_cnbc_work_at_home_scam_02.png
What’s particularly interesting about this campaign is the way the scammers process credit card details. They do it internally, not through a payment processing intermediary, using basic SSL encryption, featuring fake “Site Secured” logos, including one that’s mimicking the “VeriSign Secured” service. Although the SSL certificate is valid, the fact that they even require your CVV/CVV2 code, without providing adequate information on how they store and actually process the credit card numbers in their possession, is enough to make you extremely suspicious.
Sample spamvertised URLs:
hxxp ://5186d4d1.livefreetimenews .com/
hxxp ://5f4a8abae0.get-more-news .com/
Domains participating in the campaign:
worldnewsyesterday .com – Email: johnjbrannigan @teleworm .us
worldnewsimportant .com – Email: johnjbrannigan @teleworm .us
hbs-system .com – Email: cinthiaheimbignerupbg @hotmail .com
Historically, the following domains were also used in a similar fashion:
homeworkhere .com – Email: zoilaprni4d @yahoo .com
lastnewsworld .com – Email: shirleysmith57 @yahoo .com
homecompanysystem .com – Email: deloristrevertonef53 @yahoo .com
> https://webrootblog.files.wordpress.com/2012/12/fake_cnbc_work_at_home_scam_04.png
Users are advised -not- to click on links found in spam emails, and to never entrust their credit card details to someone who’s spamvertising you using the services of some of the most prolific botnets currently online."

:mad: :mad:
 
"New msg rc'vd" SPAM - 22 Dec 2012

FYI...

"New message received" SPAM / siteswillsrockf .com and undering .asia
- http://blog.dynamoo.com/2012/12/new-message-received-spam.html
22 Dec 2012 - "This malicious spam run is part of this large cluster of malicious sites that I wrote about yesterday ( http://blog.dynamoo.com/2012/12/malware-sites-to-block-211212.html ).
Date: Sat, 22 Dec 2012 16:55:38 +0300
From: "Secure.Message" [FAA55EEEE @valencianadeparketts .es]
Subject: New message received
Click here to view the online version.
Hello [redacted],
You have 5 new messages.
Read now
Copyright 2012 SecurePrivateMessage. All rights reserved.
If you would like to update your profile or unsubscribe, please click here.
PLEASE DO NOT REPLY TO THIS MESSAGE.
If you require Technical Support, please check Support Center for information.


Unlike most recent campaigns where the first link in the email is a legitimate but hacked site, this one links directly to a malware server at [donotclick]undering .asia/link.php?login.aspx=[emailaddress]&id=[redacted] with a link that features the email address as part of the URL (presumably to confirm that the address is live). The next step is a redirector link at [donotclick]undering .asia/?affid=00110&promo_type=5&promo_opt=1 which loads a fake anti-virus page, and then it attempts to download a Java exploit from [donotclick]siteswillsrockf .com/?a=YWZmaWQ9MDAxMTA=
undering .asia is hosted on 46.249.42.161, and siteswillsrockf .com on 46.249.42.168. Seeing two malicious sites so closely together indicates that there is a problem with the netblock, so having a closer look at those IPs shows:
inetnum: 46.249.42.0 - 46.249.42.255 ...
The block 46.249.42.0/24 seems to have been suballocated to an unidentified customer of Serverius* who have a long history of badness in their IP ranges. Based on this, I would suggest that you add the 46.249.42.0/24 range to your blocklist to prevent other unidentified malicious servers in this block from being a problem.
There are lots of other suspect domains on these two IPs as well:
46.249.42.161 ...
46.249.42.168 ..."
(Too many to post here - see the dynamoo URL above for more detail.)
* https://www.google.com/safebrowsing/diagnostic?site=AS:50673

:mad: :fear:
 
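Both this "New message received" post and the 20 Dec "New message" post earlier in the thread describe the same three-hop chain: a link.php URL that carries the recipient's e-mail address, an ?affid=00110 redirector, and a final URL whose ?a= parameter is a base64 blob. What the posts do not spell out is that the blob decodes to the same affiliate id, which is the kind of pivot an analyst uses to tie campaigns together. The following is an added example, not dynamoo's or the forum poster's code; the URLs are the defanged ones quoted in the posts, the e-mail address and id value are constructed placeholders, and the refang rule assumes the posts' "[donotclick]" / " .asia" defanging style.

```python
"""Walk the redirector chain quoted in the posts and report what each hop
leaks.  Added example; URLs are from the posts, the address and id are
constructed placeholders."""
import base64
from urllib.parse import urlsplit, parse_qs

# Hops as quoted (defanged) in the 22 Dec post; e-mail and id constructed.
CHAIN = [
    "[donotclick]undering .asia/link.php?login.aspx=victim@example.invalid&id=REDACTED",
    "[donotclick]undering .asia/?affid=00110&promo_type=5&promo_opt=1",
    "[donotclick]siteswillsrockf .com/?a=YWZmaWQ9MDAxMTA=",
]


def refang(url: str) -> str:
    """Undo the posts' defanging and add a scheme so urlsplit sees a host."""
    url = url.replace("[donotclick]", "").replace(" .", ".")
    return url if "://" in url else "http://" + url


def query_params(url: str):
    """Return (hostname, {param: first value}) for a defanged URL."""
    parts = urlsplit(refang(url))
    return parts.hostname, {k: v[0] for k, v in parse_qs(parts.query).items()}


def decode_b64_param(value: str):
    """Decode a base64 parameter, tolerating stripped '=' padding.
    Returns None when the value is not valid base64 or not ASCII text."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_chain(urls) -> dict:
    """Collect the tracked address, the affiliate id and the decoded 'a'
    parameter across the hops, and check that the two affiliate ids agree."""
    report = {}
    for url in urls:
        host, params = query_params(url)
        if "login.aspx" in params:            # address echoed back, per the post
            report["tracked_email"] = params["login.aspx"]
        if "affid" in params:                 # affiliate-style redirector hop
            report["affid"] = params["affid"]
        if "a" in params:                     # base64 blob on the exploit host
            report["decoded_a"] = decode_b64_param(params["a"])
            report["exploit_host"] = host
    report["affid_consistent"] = (
        report.get("decoded_a") == f"affid={report.get('affid')}")
    return report


if __name__ == "__main__":
    for key, value in analyse_chain(CHAIN).items():
        print(f"{key:17} {value}")
```

The chain in the 20 Dec post (site-dating2012 .asia, best-dating2010 .info, libertymonings .info) has the same ?affid=00110 hop and the same YWZmaWQ9MDAxMTA= blob, so the same function reports the two campaigns as sharing an affiliate id.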
Fake "SecureMessage" SPAM ...

FYI...

Fake "SecureMessage" SPAM / infiesdirekt .asia, pacesetting .asia and siteswillsrockf .net
- http://blog.dynamoo.com/2012/12/securemessage-spam-infiesdirektasia.html
23 Dec 2012 - "Another fake "SecureMessage" spam leading to malware, the same in principle to this spam run* and again hosted on the same Serverius-owned** IPs of 46.249.42.161 and 46.249.42.168. There are several variants of the spam, but they are all very similar and look something like this:
Date: Sun, 23 Dec 2012 14:26:32 +0530
From: "Secure.Message"
Subject: Alert: New message
Click here to view the online version.
Hello [redacted],
You have 4 new messages.
Read now
Copyright 2012 SecureMessage. All rights reserved.
If you would like to update your profile or unsubscribe, please click here.
PLEASE DO NOT REPLY TO THIS MESSAGE.
If you require Technical Support, please check Support Center for information.


... suspect that there is more malicious activity in the 46.249.42.0/24 range and blocking access to it would be a very good thing to do. These are the malicious domains that I can currently identify on those IPs..."
(Long list at the dynamoo URL above.)
* http://blog.dynamoo.com/2012/12/new-message-received-spam.html

** https://www.google.com/safebrowsing/diagnostic?site=AS:50673

:mad:
 
Pharma/Eastern bloc SPAM...

FYI...

Eastern bloc SPAM...
- http://blog.dynamoo.com/2012/12/godless-eastern-bloc-commie-athiests.html
25 Dec 2012 - "... eastern bloc... spammers are sending out today.
Date: Tue, 25 Dec 2012 22:56:51 -0700
From: "Ticket Support"
Subject: Password Assistance
Thank you for your letter of Dec 25, your information arrived today.
Alright, here's the link to the site:
Proceed to Site
If we can help in any way, please do not hesitate to contact us.
Regards, Yuonne Ferro, Support Team manager.


Some variants of the body text:
- "Thank you for contacting us, your information arrived today."
- "Thank you for your letter regarding our products and services, your information arrived today."
- "Thank you for considering our products and services, your information arrived today."
Some alternative sender names: "Jonie Gunther", "Noreen Macklin", "Bonny Oconnell". The spamvertised site is hosted on 84.22.104.123, which is Cyberbunker*. Given their awful reputation, I am surprised that they haven't been de-peered. Yet. There's certainly nothing of value at all in the 84.22.96.0/19 range, blocking the whole lot will cause you no harm. These are the other spammy domains on the same IP..."
(More detail at the dynamoo URL above.)
* https://en.wikipedia.org/wiki/CyberBunker#Russian_Business_Network
"... a host of the infamous Russian Business Network cyber-crime gang..."

> https://www.google.com/safebrowsing/diagnostic?site=AS:34109
___

Pharmaceutical scammers spamvertise YouTube emails - counterfeit drugs...
- http://blog.webroot.com/2012/12/25/...tice-users-into-purchasing-counterfeit-drugs/
Dec 25, 2012 - "Pharmaceutical scammers are currently spamvertising a YouTube themed email campaign, attempting to socially engineer users into clicking on the links found in the legitimately looking emails. Upon clicking on the fake YouTube personal message notification, users are -redirected- to a website reselling popular counterfeit drugs. The cybercriminals behind the campaign then earn revenue through an affiliate network...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...tical_scam_email_spam_youtube.png?w=373&h=244
Once users click on the link found in the email, they’re redirected to the following holiday-themed pharmaceutical web site:
> https://webrootblog.files.wordpress.com/2012/12/pharmaceutical_scam_email_spam_youtube_01.png?w=1009
Spamvertised URL: hxxp ://roomwithaviewstudios .com/inherits.html
Landing URL: hxxp ://canadapharmcanadian .net – 109.120.138.155
... fraudulent pharmaceutical sites have also been known to respond to the same IP (109.120.138.155)...
(More detail at the webroot URL above.)...

This isn’t the first time that we’ve intercepted attempts by pharmaceutical scammers to socially engineer potential customers into clicking on the links found in legitimately looking emails. In the past, we’ve found fake Google Pharmacies and emails impersonating YouTube and Twitter, as well as Facebook Inc., in an attempt to add more authenticity and legitimacy to their campaigns. We expect to see -more- of these campaigns in 2013, with a logical peak over the next couple of days, so watch what you click on, don’t enter your credit card details on websites found in spam emails, and never bargain with your health."
___

Fake E-billing SPAM / proxfied .net
- http://blog.dynamoo.com/2012/12/e-billing-spam-proxfiednet.html
26 Dec 2012 - "There are various e-billing spam emails circulating today, pointing to malware on proxfied .net:
Date: Wed, 26 Dec 2012 18:49:37 +0300
From: alets-no-reply @customercenter .citibank .com
Subject: Your Further eBill from Citibank Credit Card
Member: [redacted]
Add alerts@ serviceemail2. citibank .com to your address book to ensure delivery.
Your Account: Important Warning
New eBill Available
Account Number: **************8
Due Date: 12/28/2012
Amount Due: 175.36
Minimum Amount Due: 175.36
How do I view this bill?
1. Sign on to Citibank Online using this link.
2. Use the Payments Menu to find the bill mentioned in this message.
3. Select View Bill to review your bill details. Select the icon to see your bill summary.
Please don't reply to this message.
If you have any questions about your bill, please contact Citibank Credit Card directly. For online payment questions, please choose Bill Payment from the menu.
E-mail Security Zone
At the top of this message, you'll see an E-mail Security Zone. Its purpose is to help you examine that the e-mail was actually sent by Citibank. If you have questions, please visit our help center. To learn more about fraud, click "Security" at the bottom of the screen.
To set up alerts sign on by clicking this link and go to Account Profile.
I prefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.
View Your Account Pay Your Bill Contact Us
Privacy | Security
Email Preferences
If you want to communicate with us in writing concerning this email, please direct your correspondence to:
Citibank Customer Care Service
P. O. Box 6200
Sioux Hills, SD 57870
Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at by clicking this link and clicking on "Contact Us" from the "Help / Contact Us" menu.
2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.
3843054050826645
1/LO/439463/221/1I/6H/EH/7126/SYSTEF1 /E5225514741628064/2187

====================
(More sample FAKE emails shown at the dynamoo URL above.)

The malicious payload is at [donotclick]proxfied.net/detects/inform_rates.php hosted on 59.57.247.185 in China (a well-known malware IP address) along with these following malicious domains:
sessionid0147239047829578349578239077 .pl
latticesoft .net
proxfied .net
..."
___

Fake NACHA SPAM / bunakaranka .ru:
- http://blog.dynamoo.com/2012/12/nacha-spam-bunakarankaru.html
26 Dec 2012 - "This fake ACH / NACHA spam leads to malware on bunakaranka .ru:
Date: Wed, 26 Dec 2012 06:48:11 +0100
From: Tagged [Tagged @taggedmail .com]
Subject: Re: Fwd: Banking security update.
Dear Online Account Operator,
Your ACH transactions have been
temporarily disabled.
View details
Best regards,
Security department


The malicious payload is on [donotclick]bunakaranka .ru:8080/forum/links/column.php hosted on the following well-known IPs:
91.224.135.20 (Proservis UAB, Lithuania)
187.85.160.106 (Ksys Soluções Web, Brazil)
210.71.250.131 (Chunghwa Telecom, Taiwan)

Associated domains..."

:mad: :mad:
 
Fake Twitter/UPS/E-ticket SPAM ...

FYI...

Fake Twitter DM emails leads to Canadian Pharma SPAM
- http://www.gfi.com/blog/fake-twitter-dm-emails-leads-to-canadian-pharma-spam/
Dec 27, 2012 - "We’re seeing quite a few of these “Can I use your…” style messages arriving in mailboxes, taking the form of fake Twitter DM notifications. The most common fakeouts seem to be asking about videos and photographs.
> http://www.gfi.com/blog/wp-content/uploads/2012/12/twitterpicpublish1.png
"Hello, Can i publish link to your photo on my web page?" Another one says:
"Hi. Can i publish link to your video on my home page?"
In both cases, the emails will lead end-users to sites that are most definitely not Twitter. Some of the URLs are offline, but here’s one that is still standing:
> http://www.gfi.com/blog/wp-content/uploads/2012/12/twitterpicpublish2.jpg
Festive Pharma spam – probably not what you need in your post-Xmas stocking. Do your best to steer clear of these."
___

Fake British Airways E-ticket receipts serve malware
- http://blog.webroot.com/2012/12/26/...rways-themed-e-ticket-receipts-serve-malware/
Dec 26, 2012 - "... Cybercriminals have resumed spamvertising fake British Airways themed E-receipts — we intercepted the same campaign back in October — in an attempt to trick its customers into executing the malicious attachment found in the emails...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2012/12/british_airways_email_spam_eticket_malware.png?w=553
Sample detection rate for the malicious attachment:
MD5: b46709cf7a6ff6071a6342eff3699bf0 * ... Worm:Win32/Gamarue.I
Upon execution, it creates the following mutex on infected hosts: SHIMLIB_LOG_MUTEX
It also initiates POST requests to the following IP: 87.255.51.229/ff/image.php
As well as DNS requests to the following hosts:
zzbb45nnagdpp43gn56 .com – 87.255.51.229
a9h23nuian3owj12 .com – 87.255.51.229
zzbg1zv329sbgn56 .com – 87.255.51.229
http ://www.update .microsoft .com – 65.55.185.26
ddbbzmjdkas .us
The IPs are currently sinkholed by Abuse.ch..."
* https://www.virustotal.com/file/fa3...762bf7699b984767c4ee91c9/analysis/1356554124/
File name: BritishAirways-eticket.exe
Detection ratio: 39/46
Analysis date: 2012-12-26
___

Fake ‘UPS Delivery Confirmation Failed’ emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2012/12/27/...themed-emails-lead-to-black-hole-exploit-kit/
Dec 27, 2012 - "... cybercriminals are currently mass mailing tens of thousands of emails impersonating UPS, in an attempt to trick users into clicking on the malicious links found in the legitimate-looking emails. Once they click on the links, they’re automatically exposed to the client-side exploits served by the BlackHole Exploit kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...pam_exploits_black_hole_exploit_kit.png?w=603
Sample spamvertised compromised URLs:
hxxp ://www.aberdyn .fr/letter.htm
hxxp ://www.aberdyn .fr/osc.htm
Sample client-side exploits serving URLs:
hxxp ://apendiksator .ru:8080/forum/links/column.php
hxxp ://sectantes-x .ru:8080/forum/links/column.php
Sample malicious payload dropping URL:
hxxp://sectantes-x .ru:8080/forum/links/column.php?uvt=0a04070634&wvqi=33&yrhsb=3307093738070736060b&vjppc=02000200020002
Client-side exploits served: CVE-2010-0188
Although we couldn’t reproduce the client-side exploitation taking place through these domains in the time of posting this analysis, we know that on 2012-09-27 one of the domains (sectantes-x .ru) also served client-side exploits, and dropped a particular piece of malware – MD5: 9f86a132c0a5f00705433632879a20b9 * ... Trojan-Ransom.Win32.PornoAsset.abup.
Upon execution, the sample phones back to the following command and control servers:
178.77.76.102 (AS20773)
91.121.144.158 (AS16276)
213.135.42.98 (AS15396)
207.182.144.115 (AS10297)
More MD5s are known to have phoned back to the same IPs..."
* https://www.virustotal.com/file/56e...a6c26602c98dd8496f4dd692d6434459be3/analysis/
File name: e284d8a62b6d75b6818ed1150dde2a8bcc3489ee
Detection ratio: 27/42
Analysis date: 2012-09-30

:mad: :mad: :mad:
 
Fake IRS SPAM ... 2012.12.28

FYI...

Fake IRS SPAM / tv-usib .com
- http://blog.dynamoo.com/2012/12/irs-spam-tv-usibcom.html
28 December 2012 - "This fake IRS spam leads to malware on tv-usib .com:
Date: Thu, 27 Dec 2012 22:14:44 +0400
From: Internal Revenue Service [information @irs .gov]
Subject: Your transaction is not approved
Your Income Tax outstanding transaction (ID: 3870703170305), recently ordered for processing from your checking account was rejected by Internal Revenue Service payment processing unit.
Canceled Tax transfer
Tax Transaction ID: 3870703170305
Rejection ID See details in the report below
Federal Tax Transaction Report tax_report_3870703170305.pdf (Adobe Acrobat Document)
Internal Revenue Service 3192 Aliquam Rd. Edmond 65332 Oregon


The malicious payload is at [donotclick]tv-usib .com/detects/property-mass-dollar_figure.php hosted on the well-known IP of 59.57.247.185 in China. The following malicious domains appear to be on that IP:
sessionid0147239047829578349578239077.pl
tv-usib .com
proxfied .net
timesofnorth .net
latticesoft .net ..."

:fear::mad:
 
Malware sites to block - 2 Jan 2013

FYI...

Malware sites to block - 2 Jan 2013
- http://blog.dynamoo.com/2013/01/malware-sites-to-block-2113.html
2 Jan 2013 - "The following sites and IPs seem to be active today, being pushed out by spam campaigns. I'll post email samples when I get them...
..."
___

Malware sites to block - 2 Jan 2013 part II
- http://blog.dynamoo.com/2013/01/malware-sites-to-block-2113-part-ii.html
2 Jan 2013 - "Here's a bunch of malicious IPs and domains to block, mostly based on this in-depth research* at the Malware Must Die! blog.
* http://malwaremustdie.blogspot.com/2012/12/what-happened-if-red-kit-team-up-with.html
As far as I can see, the domains in use are exclusively compromised consumer PCs dotted around the globe, rather than compromised or evil web servers.. so the ISPs are pretty irrelevant in this case. This type of infected host has a relatively short shelf-life, possibly just a few days, so you may or may not want to add them to your blocklist.
IPs... Domains ..."
(Long list at the dynamoo URL above.)

:mad:
 
Twitter Phish DMs 2013.01.04

FYI...

Twitter Phish DMs: “This profile on Twitter is spreading nasty blogs around about you”
- http://www.gfi.com/blog/twitter-phi...er-is-spreading-nasty-blogs-around-about-you/
Jan 4, 2013 - "... the following missive doing the rounds on Twitter via DMs on compromised accounts:
> http://www.gfi.com/blog/wp-content/uploads/2013/01/twitspam1.jpg
There’s a number of URLs and fake logins being posted right now to users in a wide range of geographical locations, and it all comes down to Twitter phishing with at least one of the phish URLs being registered to an individual claiming to be located in Shanghai, China. That particular site - ivtvtter(dot)com – is currently offline (and also listed in Phishtank*)... attempting to login would result in a 404 error then a redirect to the real Twitter site to make everything look nice and legitimate. These types of Twitter scam come around often, and end-users should always be wary of “Have you seen this” style messaging from contacts..."
* http://www.phishtank.com/phish_detail.php?phish_id=1643038
___

Fake Ebay/Paypal emails lead to client-side exploits and malware
- http://blog.webroot.com/2013/01/04/...ils-lead-to-client-side-exploits-and-malware/
Jan 4, 2013 - "Over the past 24 hours, cybercriminals have launched yet another massive spam campaign, this time impersonating both eBay and PayPal, in an attempt to trick their users into clicking on the client-side exploits and malware serving links found in the malicious emails...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...m_exploits_malware_black_hole_exploit_kit.png
... Malicious domain names reconnaissance:
litefragmented .pro – 59.64.144.239 – Email: kee_mckibben0869 @macfreak .com
Name Server: NS1.CHELSEAFUN .NET
Name Server: NS2.CHELSEAFUN .NET...
... ibertomoralles .com – 59.57.247.185 – Email: rick.baxter @costcontrolsoftware .com
Name Server: NS1.SOFTVIK .NET – 84.32.116.189 – Email: farbonite @hotmail .com
Name Server: NS2.SOFTVIK .NET – 15.209.33.133 – Email: farbonite @hotmail .com ..."
___

Fake 'bank reports' emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2013/01/03/...themed-emails-lead-to-black-hole-exploit-kit/
Jan 3, 2013 - "Cybercriminals are currently spamvertising tens of thousands of emails in an attempt to impersonate the recipients’ bank, tricking them into thinking that the Ministry of Finance in their country has introduced new rules for records keeping, and that they need to print and sign a non-existent document. Once users click on the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...s_exploits_malware_black_hole_exploit_kit.png
... Malicious domain name reconnaissance:
apendiksator .ru – 91.224.135.20; 210.71.250.131; 187.85.160.106
Name server: ns1.apendiksator .ru – 62.76.186.24
Name server: ns2.apendiksator .ru – 110.164.58.250
Name server: ns3.apendiksator .ru – 42.121.116.38
Name server: ns4.apendiksator .ru – 41.168.5.140
Responding to the same IPs are also the following malicious domains part of the campaign’s infrastructure:
afjdoospf .ru – 91.224.135.20
angelaonfl .ru – 91.224.135.20
akionokao .ru – 91.224.135.20 ...
Although we couldn’t reproduce the malicious payload at apendiksator .ru, we found that the malicious payload served by immerialtv .ru (known to have responded to the same IP) is identical to the MD5: 83db494b36bd38646e54210f6fdcbc0d * ... VirTool:Win32/CeeInject. This MD5 was dropped in a previously profiled campaign..."
* https://www.virustotal.com/file/626...e44f5f8ec479f264f2280d25bf9d56d73da/analysis/
File name: cs8v0k.exe
Detection ratio: 34/42
Analysis date: 2012-06-20
___

Fake BBB (Better Business Bureau) emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2013/01/02/...notifications-lead-to-black-hole-exploit-kit/
Jan 2, 2013 - "Cybercriminals have recently launched yet another massive spam campaign, impersonating a rather popular brand used in a decent percentage of social engineering driven email campaigns – the BBB (Better Business Bureau). Once users click on any of the links in the malicious emails, they’re automatically exposed to the client-side exploits served by the BlackHole Exploit kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...u_exploits_malware_black_hole_exploit_kit.png
... Malicious domain name reconnaissance:
tv-usib.com – 59.57.247.185 – Email: twine.tour1 @yahoo .com
Name Server: NS1.AMISHSHOPPE .NET - Email: solaradvent @yahoo .com
Name Server: NS2.AMISHSHOPPE .NET - Email: solaradvent @yahoo .com...
Upon successful client-side exploitation, the campaign drops MD5: 2646f13db754654aff315ff9da9fa911 * ... Worm:Win32/Cridex.E.
Upon execution, the sample phones back to: 94.73.129.120 :8080/rxrt0CA/hIvhA/K66fEB/ ..."
* https://www.virustotal.com/file/4de...a61f62c718c7039ad87925095e04e101bff/analysis/
File name: KB00182962.exe
Detection ratio: 30/45
Analysis date: 2013-01-04
___

Fake Verizon Wireless emails serve client-side exploits and malware
- http://blog.webroot.com/2013/01/02/...mails-serve-client-side-exploits-and-malware/
Jan 2, 2013 - "... yet another Verizon Wireless themed malicious campaign, enticing users to click on the malicious link found in the email. Once users click on the link, they’re automatically exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...l_exploits_malware_black_hole_exploit_kit.png
Sample email subjects: Fresh eBill is Should Be Complete. From: Verizon Wireless; Your Recent eBill from Verizon Wireless...
Malicious domain name reconnaissance:
proxfied .net – 59.57.247.185 – Email: colorsandforms @aol .com
Name Server: NS1.AMISHSHOPPE .NET – Email: solaradvent @yahoo .com
Name Server: NS2.AMISHSHOPPE .NET – Email: solaradvent @yahoo .com ..."

:mad:
 
Fake O2 Shop emails - Phish ...

FYI...

Fake O2 Shop emails - Phish ...
- http://www.gfi.com/blog/fake-o2-shop-mails-dangle-phishy-bait/
Jan 7, 2013 - "... fake O2 Shop emails are in circulation at the moment, in the form of a “security update” asking for login credentials on the back of an “O2 account update” the recipient is supposed to have made. They’re pretty bare bones in terms of how they look, and you’ll notice that in the below example GMail flags it as spam so hopefully lots of other mail service providers will be doing the same thing.
> http://www.gfi.com/blog/wp-content/uploads/2013/01/fakeo2.jpg
Dear User,
You can now check the progress of your account at My O2. Just go to [url removed] and enter your username and password. If you’ve forgotten these, we can send you a reminder here too. Once you’ve signed in, go to My account and follow the instructions.
Regards,
O2 Customer Service


As with so many of these fire and forget spam campaigns, the bulk of them seem to lead to currently AWOL phish pages so they’re likely being taken offline at a fair old pace... treat random mails asking for login credentials with large portions of suspicion, especially when – as above – they’re referencing changes made to your account that you haven’t actually made."

:mad: :fear:
 
Malware sites to block, Fake ACH and BBB SPAM - 8 Jan 2013

FYI...

Malware sites to block 8/1/13
- http://blog.dynamoo.com/2013/01/malware-sites-to-block-8113.html
8 Jan 2013 - "These IPs and domains appear to be active in malicious spam runs today:

Quite a few of these IPs have been used in multiple attacks, blocking them would be prudent.

Update: some sample emails pointing to a malicious landing page at [donotclick]belnialamsik .ru:8080/forum/links/column.php:
Date: Tue, 8 Jan 2013 10:05:55 +0100
From: Shavonda Duke via LinkedIn [member@linkedin.com]
Subject: Re: Fwd: Security update for banking accounts.
Dear Online Account Operator,
Your ACH transactions have been
temporarily disabled.
View details
Best regards,
Security department
===
Date: Tue, 8 Jan 2013 01:31:43 -0300 [01/07/13 23:31:43 EST]
From: FilesTube [filestube @filestubecom]
Subject: Fwd: Re: Banking security update.
Dear Online Account Operator,
Your ACH transactions have been
temporarily disabled.
View details
Best regards,
Security department

___

Fake "Federal ACH Announcement" SPAM / cookingcarlog .net
- http://blog.dynamoo.com/2013/01/federal-ach-announcement-spam.html
8 Jan 2013 - "This rather terse spam leads to malware on cookingcarlog .net:
From: Federal Reserve Services @ sys.frb .org [ACHR_59273219 @fedmail .frb .org]
Date: 8 January 2013 15:11
Subject: FedMail (R): Federal ACH Announcement - End of Day - 12/27/12
Please find the ACH Letter of Advice Reporting from the Federal Reserve System clicking here.


The link in the email goes to an exploit kit on [donotclick]cookingcarlog .net/detects/occasional-average-fairly.php (report here*) which is hosted on 89.207.132.144 (Snel Internet Services, Netherlands).
* http://wepawet.iseclab.org/view.php?hash=113ca923e70652baad7b97e758bde34b&t=1357658280&type=js

Added - a BBB spam is also doing the rounds with the same payload:
Better Business Bureau ©
Start With Trust ©
Mon, 7 Jan 2013
RE: Case N. 54809787
[redacted]
The Better Business Bureau has been recorded the above said claim from one of your customers in respect to their dealings with you. The detailed description of the consumer's worry are available for review at a link below. Please pay attention to this issue and communicate with us about your judgment as soon as possible.
We pleasantly ask you to click and review the CLAIM REPORT to meet on this claim letter.
We are looking forward to your prompt response.
WBR
Mason Turner
Dispute Consultant
Better Business Bureau
Better Business Bureau
3063 Wilson Blvd, Suite 600 Arlington, VA 22701
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277"

___

Fake BBB SPAM / royalwinnipegballet .net
- http://blog.dynamoo.com/2013/01/bbb-spam-royalwinnipegballetnet.html
8 Jan 2013 - "This fake BBB spam leads to malware on royalwinnipegballet .net:
Date: Tue, 8 Jan 2013 19:18:34 +0200 [12:18:34 EST]
From: Better Business Bureau <information @bbb .org>
To: [redacted]
Subject: BBB information regarding your customer's appeal № 96682901
Better Business Bureau ©
Start With Trust ©
Mon, 7 Jan 2013
RE: Complaint # 96682901
[redacted]
The Better Business Bureau has been registered the above mentioned appeal from one of your clients as regards their business contacts with you. The details of the consumer's worry are available for review at a link below. Please give attention to this matter and notify us about your sight as soon as possible.
We graciously ask you to open the CLAIM REPORT to answer on this reclamation.
We are looking forward to your prompt answer.
Faithfully yours
Alex Green
Dispute Counselor
Better Business Bureau
3063 Wilson Blvd, Suite 600 Arlington, VA 27201
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This note was delivered to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
===
Date: Tue, 8 Jan 2013 19:12:58 +0200 [12:12:58 EST]
From: Better Business Bureau <donotreply @bbb .org>
Subject: Better Business Beareau Pretense № C6273504
Priority: High Priority 1
Better Business Bureau ©
Start With Trust ©
Mon, 7 Jan 2013
RE: Issue No. C6273504
[redacted]
The Better Business Bureau has been registered the above said reclamation from one of your users in respect of their business contacts with you. The information about the consumer's anxiety are available visiting a link below. Please give attention to this problem and notify us about your mind as soon as possible.
We kindly ask you to overview the APPEAL REPORT to meet on this claim letter.
We are looking forward to your prompt rebound.
Yours respectfully
Julian Morales
Dispute Advisor
Better Business Bureau
3013 Wilson Blvd, Suite 600 Arlington, VA 20701
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This message was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe


The malicious payload is on [donotclick]royalwinnipegballet .net/detects/occasional-average-fairly.php hosted on 89.207.132.144 (Snel Internet, Netherlands) which was hosting another attack site this morning (so best blocked in my opinion)"

:mad::mad::mad:
 
Fake AICPA emails, Phishing attacks - 2013.01.09

FYI...

Fake AICPA emails serve client-side exploits and malware
- http://blog.webroot.com/2013/01/09/...mails-serve-client-side-exploits-and-malware/
Jan 9, 2013 - "... recently spamvertised campaigns impersonating the American Institute of Certified Public Accountants, also known as AICPA...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...m_exploits_malware_black_hole_exploit_kit.png
Second screenshot of the spamvertised email from the same campaign:
> https://webrootblog.files.wordpress...xploits_malware_black_hole_exploit_kit_01.png
Sample subjects: Tax return assistance contrivance; Suspension of your CPA license; Revocation of your CPA license; Your accountant license can be end off; Your accountant CPA License Expiration...
Upon successful client-side exploitation, the campaign drops MD5: 5b7aafd9ab99aa2ec0e879a24610844a * ... Worm:Win32/Cridex.E.
Once executed, the sample performs the following actions:
Creates a batch script
Accesses Firefox’s Password Manager local database
Creates a thread in a remote process
Installs a program to run automatically at logon
It also drops the following MD5 on the affected hosts: MD5: 3e2df81077283e5c9d457bf688779773 ** ... PWS:Win32/Fareit.
It also phones back to the following C&C servers:
hxxp:// 69.64.89.82 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/

We’ve also seen and profiled the same IP (132.248.49.112) in multiple previously analyzed malware campaigns..."
* https://www.virustotal.com/file/5f9...f12e7ae3c0b8974e88e4bc59800c68e2e12/analysis/
File name: contacts.exe
Detection ratio: 31/45
Analysis date: 2012-12-18
** https://www.virustotal.com/file/292...dc08022f7774537b7ef72e424541e09d67d/analysis/
File name: exp3C6.tmp.exe
Detection ratio: 27/45
Analysis date: 2013-01-04
___

New Year, New Old Threats
- http://www.gfi.com/blog/new-year-new-old-threats/
Jan 9, 2013 - "... we have found an old Facebook scam, which dates back from two years ago, making rounds again and a spam-phishing ploy that is so 2007...
(Screenshots available at the gfi URL above.)
Previous versions of this scam usually asks visitors to click “Like” buttons for pages, a method usually employed for the purpose of increasing the popularity of pages and their monetary value once sold. For the scam to proliferate within the network, users are also asked to update their Facebook profile with the above status message and link. Some versions present either a list of surveys to fill in or a form where users can enter their mobile numbers; only this latest scam offers both... Our researchers in the AV Labs found an in-the-wild email spam leading to a phishing attack. It targets users of the open-source webmail application, SquirrelMail... The email is exactly as it was back in 2007, so any user can take their cues from the outdated versions of the app mentioned and the supposed solution to the issue the email is attempting to address... advice? Delete the spam at once."
___

Something evil on 173.246.102.246
- http://blog.dynamoo.com/2013/01/something-evil-on-173246102246.html
9 Jan 2013 - "173.246.102.246 (Gandi, US) looks like it is being used for exploit kits being promoted either through malvertising or through exploited OpenX ad servers. In the example I have seen, the malicious payload is at [donotclick]11.lamarianella .info/read/defined_regulations-frequently.php (report here*). These other domains appear to be on the same server, all of which can be assumed to be malicious:

These all appear to be legitimate but hijacked domains, you may want to block the whole domain rather than just the 11. subdomain."
* http://wepawet.iseclab.org/view.php?hash=1e0711361dfe5801ffc4ce7b14e4a3f1&type=js

> https://www.google.com/safebrowsing/diagnostic?site=AS:29169
"... in the past 90 days. We found 67 site(s)... that infected 262 other site(s)..."
___

Fake ADP SPAM / demoralization .ru
- http://blog.dynamoo.com/2013/01/adp-spam-demoralizationru.html
9 Jan 2013 - "This fake ADP spam leads to malware on demoralization .ru:
Date: Wed, 9 Jan 2013 04:23:03 -0600
From: Habbo Hotel [auto-contact @habbo .com]
Subject: ADP Immediate Notification
ADP Immediate Notification
Reference #: 948284271
Wed, 9 Jan 2013 04:23:03 -0600
Dear ADP Client
Your Transfer Record(s) have been created at the web site:
https ://www .flexdirect .adp.com/client/login.aspx
Please see the following notes:
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
This note was sent to acting users in your system that approach ADP Netsecure.
As usual, thank you for choosing ADP as your business affiliate!
Ref: 703814359
HR. Payroll. Benefits.
The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.


The malicious payload is at [donotclick]demoralization .ru:8080/forum/links/column.php hosted on the following IPs:
82.165.193.26 (1&1, Germany)
91.224.135.20 (Proservis UAB, Lithuania)
187.85.160.106 (Ksys Soluções Web, Brazil)
The following IPs and domains are all related:
..."
___

Fake BBB SPAM / hotelrosaire .net
- http://blog.dynamoo.com/2013/01/bbb-spam-hotelrosairenet.html
9 Jan 2013 - "This fake BBB spam leads to malware on hotelrosaire .net:
Date: Wed, 9 Jan 2013 09:21:32 -0600 [10:21:32 EST]
From: Better Business Bureau <complaint @bbb .org>
Subject: BBB notification regarding your cliente's pretense No. 62850348
Better Business Bureau ©
Start With Trust ©
Tue, 8 Jan 2013
RE: Complaint N. 62850348
[redacted]
The Better Business Bureau has been booked the above said complaint from one of your users in regard to their business contacts with you. The detailed description of the consumer's anxiety are available for review at a link below. Please give attention to this problem and inform us about your sight as soon as possible.
We pleasantly ask you to click and review the APPEAL REPORT to respond on this claim letter.
We awaits to your prompt reaction.
Yours respectfully
Liam Barnes
Dispute Consultant
Better Business Bureau
3053 Wilson Blvd, Suite 600 Arlington, VA 25501
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This note was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
========
Date: Wed, 9 Jan 2013 23:21:42 +0800 [10:21:42 EST]
From: Better Business Bureau <donotreply @bbb .org>
Subject: BBB Complaint No. C1343110
Better Business Bureau ©
Start With Trust ©
Tue, 8 Jan 2013
RE: Case No. C1343110
[redacted]
The Better Business Bureau has been booked the above mentioned complaint from one of your clients as regards their business relations with you. The information about the consumer's anxiety are available for review at a link below. Please pay attention to this question and inform us about your glance as soon as possible.
We pleasantly ask you to overview the COMPLAINT REPORT to reply on this grievance.
We are looking forward to your prompt reaction.
Yours respectfully
Hunter Gomez
Dispute Counselor
Better Business Bureau
Better Business Bureau
3053 Wilson Blvd, Suite 600 Arlington, VA 22801
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This message was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe


The malicious payload is on [donotclick]hotelrosaire .net/detects/keyboard_ones-piece-ring.php hosted on 64.120.177.139 (HostNOC, US) which also hosts royalwinnipegballet .net which was seen in another BBB spam run yesterday."

>> https://www.google.com/safebrowsing/diagnostic?site=AS:21788
"... in the past 90 days. We found 543 site(s).. that infected 5049 other site(s)..."

:mad::mad:
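An added example, not code from any of the blogs quoted in this thread: a small Python helper that reverses the de-fanging conventions used in these posts ("[donotclick]", "hxxp ://", "bunakaranka .ru", "(dot)"), builds a block list from them, and checks proxy log URLs against it, treating a blocked domain as covering all of its subdomains (the "block the whole domain rather than just the 11. subdomain" advice). The log lines are constructed for the example; the indicators are taken from the posts above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the posts above, in the thread's own de-fanged notation.
# "lamarianella .info" is listed as the whole domain rather than only the "11."
# subdomain, following the advice to block the parent domain of hijacked sites.
PAGE_INDICATORS = [
    "[donotclick]bunakaranka .ru:8080/forum/links/column.php",
    "hxxp ://apendiksator .ru:8080/forum/links/column.php",
    "ivtvtter(dot)com",
    "94.73.129.120 :8080/rxrt0CA/hIvhA/K66fEB/",
    "lamarianella .info",
]

# Constructed proxy log lines (not real traffic): timestamp, client, method, URL, status.
SAMPLE_LOG = [
    "2013-01-09T10:21:32Z 10.0.0.5 GET http://11.lamarianella.info/read/defined_regulations-frequently.php 200",
    "2013-01-09T10:22:01Z 10.0.0.7 GET http://www.aberdyn.fr/letter.htm 200",
    "2013-01-09T10:22:05Z 10.0.0.7 GET http://apendiksator.ru:8080/forum/links/column.php 200",
    "2013-01-09T10:23:00Z 10.0.0.9 POST http://94.73.129.120:8080/rxrt0CA/hIvhA/K66fEB/ 200",
    "2013-01-09T10:24:00Z 10.0.0.9 GET http://www.example.com/ 200",
]


def refang(indicator: str) -> str:
    """Undo the de-fanging used in the thread: '[donotclick]', 'hxxp ://',
    a space before each dot ('bunakaranka .ru'), '(dot)', '[.]' and a space
    before the port ('94.73.129.120 :8080')."""
    s = indicator.strip().replace("[donotclick]", "")
    s = re.sub(r"\bh(?:xx|tt)p(s?)\s*:\s*//", r"http\1://", s, flags=re.I)
    s = re.sub(r"\s*(?:\(dot\)|\[\.\]|\.)\s*", ".", s, flags=re.I)
    s = re.sub(r"\s+:(\d+)", r":\1", s)
    return s


def host_of(indicator: str) -> str:
    """Hostname (lower-case, without port or path) of a de-fanged or clean indicator."""
    url = refang(indicator)
    if "://" not in url:
        url = "http://" + url  # bare "host/path" forms used in the posts
    return (urlsplit(url).hostname or "").lower()


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class BlockList:
    """Block list of hosts; a blocked domain also covers all of its subdomains."""

    def __init__(self, indicators):
        self.ips = set()
        self.domains = set()
        for ind in indicators:
            host = host_of(ind)
            if not host:
                continue
            (self.ips if is_ip(host) else self.domains).add(host)

    def match(self, url: str):
        """Return the block-list entry that covers the URL's host, or None."""
        host = host_of(url)
        if host in self.ips:
            return host
        labels = host.split(".")
        # Most specific name first: "11.lamarianella.info", then "lamarianella.info", ...
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None


URL_RE = re.compile(r"https?://\S+")


def scan(log_lines, blocklist: BlockList):
    """Return (line number, host, matched entry) for every log line whose URL is blocked."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = URL_RE.search(line)
        if m is None:
            continue
        matched = blocklist.match(m.group(0))
        if matched is not None:
            hits.append((n, host_of(m.group(0)), matched))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, BlockList(PAGE_INDICATORS)):
        print(hit)
```

A block list that only carries the "11." subdomain would miss traffic to any other subdomain of the same hijacked domain, which is the difference the dynamoo post points at.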
 
Fake U.S Air/ADP emails lead to malware...

FYI...

Fake U.S Airways emails lead to BlackHole Exploit Kit
- http://blog.webroot.com/2013/01/10/...themed-emails-lead-to-black-hole-exploit-kit/
Jan 10, 2013 - "... On numerous occasions, we intercepted related campaigns attempting to trick customers into clicking on malicious links, which ultimately exposed them to the client-side exploits served by the latest version of the BlackHole Exploit Kit. Apparently, the click-through rates for these campaigns were good enough for cybercriminals to resume spamvertising related campaigns. In this post, I’ll profile the most recently spamvertised campaign impersonating U.S Airways...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...am_exploits_malware_black_hole_expoit_kit.png
... Malicious domain name reconnaissance:
attachedsignup .pro – 41.215.225.202 – Email: kee_mckibben0869 @macfreak .com
... Upon successful client-side exploitation, the campaign drops MD5: 6f51e309530f8900be935716c3015f58 * ... Worm:Win32/Cridex.E
The executable creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B
As well as the following mutexes:
Once executed, the sample phones back to the following C&C servers:
180.235.150.72 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
174.143.174.136 :8080/AJtw/UCyqrDAA/Ud+asDAA/
We’ve already seen the same pseudo-random C&C phone back characters used... previously profiled malicious campaigns..."
* https://www.virustotal.com/file/d11...df807a76d0bcca1ec212faa802de2cbd1fe/analysis/
File name: 6f51e309530f8900be935716c3015f58
Detection ratio: 24/46
Analysis date: 2012-12-07
___

Fake ADP SPAM / tetraboro .net and advertizing* .com
- http://blog.dynamoo.com/2013/01/adp-spam-tetraboronet-and-advertizingcom.html
10 Jan 2013 - "This fake ADP spam leads to malware on tetraboro .net. It contains some errors, one of which is the subject line just says "adp_subj" rather than having been filled out properly...
Date: Thu, 10 Jan 2013 17:48:09 +0200 [10:48:09 EST]
From: "ADPClientServices @adp .com" [ADPClientServices @adp .com]
Subject: adp_subj
ADP Urgent Note
Note No.: 33469
Respected ADP Consumer January, 9 2013
Your Processed Payroll Record(s) have been uploaded to the web site:
Click here to Sign In
Please take a look at the following details:
• Please note that your bank account will be debited within one banking day for the amount(s) specified on the Protocol(s).
Please don't reply to this message. auomatic informational system not configured to accept incoming mail. Please Contact your ADP Benefits Specialist.
This notification was sent to current clients in your company that approach ADP Netsecure.
As general, thank you for choosing ADP as your business butty!
Ref: 33469


The malicious payload is on [donotclick]tetraboro .net/detects/coming_lost-source.php hosted on 222.238.109.66 (Hanaro Telecom, Korea). A quick look indicates a number of related malicious domains and IPs, including advertizing1 .com through to advertizing9 .com. All of these should be blocked.
5.135.90.19 (OVH, France - suballocated to premiervps.net, UK)
91.227.220.121 (VooServers, UK)
94.102.55.23 (Ecatel, Netherlands)
119.78.243.16 (China Science & Technology Network, China)
198.144.191.50 (New Wave Netconnect, US)
199.233.233.232 (Quickpacket, US)
203.1.6.211 (China Telecom, China)
222.238.109.66 (Hanaro Telecom, Korea)
Plain list:
advertizing1 .com
advertizing2 .com
advertizing3 .com
advertizing4 .com
advertizing5 .com
advertizing6 .com
advertizing7 .com
advertizing8 .com
advertizing9 .com
cookingcarlog .ne
hotelrosaire .net
richbergs .com
royalwinnipegballet .net
tetraboro .net
5.135.90.19
91.227.220.121
94.102.55.23
119.78.243.16
198.144.191.50
199.233.233.232
203.1.6.211
222.238.109.66
..."

:mad:
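The two posts above hand a defender a defanged indicator list (domains and IPs written as "tetraboro .net") and two C&amp;C phone-back endpoints. The script below is an added example, not code from either blog post or from this thread: it refangs a subset of those indicators, sorts them into domains and IPs, emits sinkhole-style hosts entries, and then checks some constructed proxy log lines (the log layout "timestamp client method url status" is an assumption) for requests to blocked hosts, treating subdomains of a listed domain as hits.

```python
"""Build a blocklist from the defanged indicators quoted above and check
proxy log lines against it. Added example, not code from the blog posts."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators as they appear in the quoted posts, still defanged with " ".
# Subset of the Dynamoo "Plain list" plus the two Webroot C&C hosts.
DEFANGED_INDICATORS = """
advertizing1 .com
advertizing9 .com
tetraboro .net
5.135.90.19
222.238.109.66
180.235.150.72
174.143.174.136
"""

# Constructed proxy log lines (not from the page) in an assumed
# "timestamp client method url status" layout.
SAMPLE_PROXY_LOG = [
    "2013-01-10T17:50:01Z 10.0.0.5 GET http://180.235.150.72:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/ 200",
    "2013-01-10T17:52:13Z 10.0.0.7 GET http://tetraboro.net/detects/coming_lost-source.php 200",
    "2013-01-10T17:52:40Z 10.0.0.7 GET http://cdn.advertizing9.com/x.js 200",
    "2013-01-10T17:53:40Z 10.0.0.9 GET http://example.com/index.html 200",
]

DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Undo common defanging: 'example .com', 'example[.]com', 'hxxp://'."""
    s = indicator.strip()
    s = re.sub(r"\s*\[\.\]\s*", ".", s)   # example[.]com
    s = re.sub(r"\s+\.", ".", s)          # example .com (the style used above)
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s


def parse_indicators(text: str):
    """Split a defanged indicator dump into a domain set and an IP set.
    Lines that are neither are returned separately so nothing is dropped silently."""
    domains, ips, unknown = set(), set(), []
    for line in text.splitlines():
        value = refang(line)
        if not value:
            continue
        try:
            ips.add(str(ipaddress.ip_address(value)))
            continue
        except ValueError:
            pass
        if DOMAIN_RE.match(value):
            domains.add(value.lower())
        else:
            unknown.append(value)
    return domains, ips, unknown


def hosts_entries(domains):
    """Sinkhole-style hosts file lines, sorted so repeated runs diff cleanly."""
    return [f"0.0.0.0 {d}" for d in sorted(domains)]


def host_is_blocked(host: str, domains, ips) -> bool:
    """Exact IP match, or domain match including any subdomain."""
    host = host.lower()
    if host in ips:
        return True
    return any(host == d or host.endswith("." + d) for d in domains)


def find_hits(log_lines, domains, ips):
    """Return the log lines whose request host is on the blocklist."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        host = urlsplit(fields[3]).hostname  # drops port (e.g. :8080) and path
        if host and host_is_blocked(host, domains, ips):
            hits.append(line)
    return hits


if __name__ == "__main__":
    domains, ips, unknown = parse_indicators(DEFANGED_INDICATORS)
    print("\n".join(hosts_entries(domains)))
    for hit in find_hits(SAMPLE_PROXY_LOG, domains, ips):
        print("HIT:", hit)
```

Matching on the host rather than the full URL is deliberate: the posts note that the C&amp;C path characters are pseudo-random, so a path-based rule would miss the next rotation while the IP:port endpoint stays the same. Lines that refang to neither a valid IP nor a plausible domain are kept in `unknown` for a human to look at rather than being discarded.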
 