Tag Archives: spam

thelistdata.com and data-centers-online.com spam emails

A large number of Italian users have reported to us similar spam emails that come from two websites:

thelistdata.com

[Homepage screenshot]

data-centers-online.com

[Homepage screenshot]

From the homepage screenshots we can see that these websites do not have a real homepage, which alone makes us think they are scams. The emails contain various links, and one of them says that if we cannot see the message in HTML format we should click this specific link:

hxxp://data-centers-online.com/sending/stats.php?k=b50df751b5378c2a8da74fa9cdf9b5bb561df25238224dadb5d40f24b06147d8ceff829bcacbcf926988f3c733cae54edfda15ef8432a27d8a5eaa31efac020f

The above long URL points to another URL:

hxxp://62.75.223.200/html/wind-18-form/

With IPVoid we see the IP address is detected as suspicious:

Report 2011-04-14 18:21:37 (GMT 1)
IP Address 62.75.223.200
IP Hostname static-ip-62-75-223-200.inaddr.intergenia.de
IP Country DE
Detections 2 / 26 (8 %)
Status SUSPICIOUS

[Screenshot of the web page]

The form POSTs its data back to the same index.php page:

<form method="post" action="/html/wind-18-form/index.php">

Other things to note about the suspicious web page at

hxxp://62.75.223.200/html/wind-18-form/

are the following. There is no SSL connection: the page asks us to enter sensitive data, and a site collecting such data should have SSL (https://) enabled. The page sits at a suspicious URL, with a bare IP address as the host, which is itself a strong warning sign, and there is no footer or any reference to a company associated with the page. We recommend never clicking links that come from these two (scam?) websites.

The headers of a few of the emails are as follows:

Received: from data-centers-online.com (unknown [174.142.87.163])
Received: by data-centers-online.com (Postfix, from userid 502)
Subject: =?UTF-8?B?Vm9kYWZvbmU6IE1haSB1biBwcmV6em8gY29zaScgYmFzc28h?=
From: Vodafone Partner <vodafonepartner@thelistdata.com>
Reply-To: noreply@thelistdata.com

Received: from data-centers-online.com (unknown [174.142.87.163])
Received: by data-centers-online.com (Postfix, from userid 502)
Subject: =?UTF-8?B?U3VwZXIgUHJvbW96aW9uZSBCbGFja2JlcnJ5ISBQYXNzYSBhIFdpbmQh?=
From: WIND Partner <partnerofwind@thelistdata.com>
Reply-To: partnerofwind@thelistdata.com
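As an added example (not code from the original post), here is a small Python triage of headers like the ones above: it decodes the RFC 2047 encoded Subject lines, takes the sender domain from From:, and reads the relay IP and the Postfix "unknown" reverse-DNS marker from the earliest Received: line. The sample message is assembled from the header lines quoted above; the mismatch and reverse-DNS flags are generic triage heuristics, not something the post states.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed sample: the header lines quoted in the post, assembled into one
# minimal RFC 5322 message (body omitted). Not a captured raw email.
SAMPLE_HEADERS = """\
Received: from data-centers-online.com (unknown [174.142.87.163])
Received: by data-centers-online.com (Postfix, from userid 502)
Subject: =?UTF-8?B?Vm9kYWZvbmU6IE1haSB1biBwcmV6em8gY29zaScgYmFzc28h?=
From: Vodafone Partner <vodafonepartner@thelistdata.com>
Reply-To: noreply@thelistdata.com

"""

# "from <helo-name> (<reverse-dns or 'unknown'> [<ip>])" as Postfix writes it
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9.]+)\]\)")


def decode_subject(raw_subject):
    """Decode RFC 2047 encoded-words (=?charset?B?...?=) into a plain str."""
    return str(make_header(decode_header(raw_subject)))


def first_hop(msg):
    """(helo_name, reverse_dns, ip) from the Received line closest to the sender.

    Each relay prepends its own Received header, so the hop nearest the
    origin is the last one in the message: walk from the bottom up and take
    the first header that carries a bracketed client IP.
    """
    for hdr in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(hdr)
        if m:
            return m.group(1), m.group(2), m.group(3)
    return None


def triage(raw):
    """Summarise the header fields a spam filter would score on."""
    msg = message_from_string(raw)
    subject = decode_subject(msg.get("Subject", ""))
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    hop = first_hop(msg) or ("", "", "")
    helo_name, reverse_dns, relay_ip = hop
    return {
        "subject": subject,
        "from_domain": from_domain,
        "relay_host": helo_name.lower(),
        "reverse_dns": reverse_dns,
        "relay_ip": relay_ip,
        # From: domain differs from the host that handed the mail over
        "from_relay_mismatch": from_domain != helo_name.lower(),
        # Postfix writes "unknown" when the client IP has no reverse DNS
        "no_reverse_dns": reverse_dns == "unknown",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HEADERS).items():
        print(f"{key:20} {value}")
```

Both Subject lines decode to Italian Vodafone and Wind promotions, and the From: domain (thelistdata.com) differs from the relay that handed the mail over (data-centers-online.com); the URLVoid scans below show the two domains on different providers.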

A quick scan with URLVoid:

Report 2011-04-14 18:52:33 (GMT 1)
Website thelistdata.com
Domain Hash 7bdd635133ba0ada9cd2c3abb1913973
IP Address 212.95.58.66 [SCAN]
IP Hostname thelistdata.com
IP Country BY (Belarus)
AS Number 28753
AS Name LEASEWEB-DE Leaseweb Germany GmbH (previously…
Detections 2 / 22 (9 %)
Status SUSPICIOUS

Report 2011-04-14 18:57:15 (GMT 1)
Website data-centers-online.com
Domain Hash 7e1a88e9395413f7434fd38aad992eeb
IP Address 174.142.87.163 [SCAN]
IP Hostname cl-t217-290cl.privatedns.com
IP Country CA (Canada)
AS Number 32613
AS Name IWEB-AS – iWeb Technologies Inc.
Detections 2 / 22 (9 %)
Status SUSPICIOUS

Phishing: Urgent – Your bank card has been blocked

A user has reported a suspicious email to us:

[Screenshot of the email]

Headers:

Received: from sds-16.hosteur.com (sds-16.hosteur.com [217.16.9.166])
Received: from www-data by sds-16.hosteur.com with local (Exim 4.69)
Subject: URGENT - Your bank card has been blocked
From: Banking Service <bankservice@service.fr >
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Sender: www-data <www-data@hosteur.com>

The clickable link “Access to your form” redirects to a new (suspicious) URL:

hxxp://servicevbv.us. tf/

[Screenshot of the phishing page]

URLVoid report:
http://www.urlvoid.com/scan/servicevbv.us.tf

Report 2011-04-07 16:38:44 (GMT 1)
Website servicevbv.us.tf
Domain Hash 91fa19172a89f4c10b8dc0ca8b0460ec
IP Address 188.40.70.27
IP Hostname static.27.70.40.188.clients.your-server.de
IP Country DE (Germany)
AS Number 24940
AS Name HETZNER-AS Hetzner Online AG RZ
Detections 2 / 22 (9 %)
Status SUSPICIOUS

Analyzing the URL content, we can see suspicious code:

<title>service verified by visa</title>
<link href="/zzz/css.css" rel="stylesheet" type="text/css">
<script type="text/javascript" src="/zzz/gas.js"></script>
<script language="JavaScript" src="/zzz/init.php?D=c2VydmljZXZidi51cy50Zg%3D%3D&L=" type="text/javascript"></script>
<iframe src="hxxp://www.adboost.com/index6.php" frameborder="0" width="486px" height="60px" ></iframe>
<iframe src="hxxp://krystalweb.co.uk/suuport/5454SDF8541/5454SDF8541/5454SDF8541/5454SDF8541/5454SDF8541/5454SDF8541/update.php" name="fid1" id="fid1" width="100%" height="100%" marginwidth="0" marginheight="0" frameborder="0"></iframe>
<a href="servicevbv.us.tf">service verified by visa</a>

Why suspicious?

1) The page title looks like a scam
2) Why is the CSS stylesheet located at “/zzz/css.css”?
3) Why is the (supposed) Google Analytics code located at “/zzz/gas.js”?
4) Why is there an iframe pointing to adboost. com/index6.php?
5) Why is there another iframe pointing to the long URL at krystalweb. co. uk?
6) Where is SSL?

The long URL:

hxxp://krystalweb.co. uk/suuport/5454SDF8541/5454SDF8541/5454SDF8541/5454SDF8541/5454SDF8541/5454SDF8541/update.php

Loads the fake form where the user is asked to enter his details. The form then sends (POST) the details to another script located at another (suspicious) URL:

action="hxxp://shopkasa.com. br/cgi-bin/CobreBemECommerceDados/HiTman2.php" method=post>

URLVoid analysis:
http://www.urlvoid.com/scan/shopkasa.com.br
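To make the checks in the list above mechanical, here is an added Python example (not the post's code) that walks the page markup, lists every off-site frame, script and form target, flags form actions submitted over plain http, and decodes base64-looking query values such as the D= parameter of init.php. The sample is the post's own markup merged with the form tag from the krystalweb frame into one snippet; the hxxp defanging is kept as the post prints it and undone in code.

```python
import base64
import binascii
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the markup quoted in the post (servicevbv.us.tf page) plus
# the form tag from the krystalweb frame, merged for the demo. Not a live capture.
SAMPLE_HTML = """\
<title>service verified by visa</title>
<link href="/zzz/css.css" rel="stylesheet" type="text/css">
<script type="text/javascript" src="/zzz/gas.js"></script>
<script language="JavaScript" src="/zzz/init.php?D=c2VydmljZXZidi51cy50Zg%3D%3D&L=" type="text/javascript"></script>
<iframe src="hxxp://www.adboost.com/index6.php" frameborder="0" width="486px" height="60px"></iframe>
<iframe src="hxxp://krystalweb.co.uk/suuport/5454SDF8541/update.php" name="fid1" id="fid1" width="100%" height="100%"></iframe>
<form action="hxxp://shopkasa.com.br/cgi-bin/CobreBemECommerceDados/HiTman2.php" method=post>
"""

# tag -> attribute that names the remote resource
ATTR_OF_INTEREST = {"iframe": "src", "script": "src", "link": "href", "form": "action"}


def refang(url):
    """Turn the defanged hxxp/hxxps scheme back into something urlsplit parses."""
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://")


class RefCollector(HTMLParser):
    """Collect (tag, url) for every frame, script, stylesheet and form target."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = ATTR_OF_INTEREST.get(tag)
        if attr:
            value = dict(attrs).get(attr)
            if value:
                self.refs.append((tag, value))


def decode_b64_params(url):
    """Query parameters whose value decodes as base64 text (parse_qs already URL-unquotes)."""
    out = {}
    for key, values in parse_qs(urlsplit(url).query).items():
        for v in values:
            try:
                out[key] = base64.b64decode(v, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                pass  # not base64, or not text: ignore
    return out


def analyze(html, page_host):
    """Return off-site references, clear-text form targets and decoded parameters."""
    parser = RefCollector()
    parser.feed(html)
    findings = {"offsite": [], "insecure_form_targets": [], "decoded_params": {}}
    for tag, url in parser.refs:
        u = urlsplit(refang(url))
        if u.netloc and u.netloc.lower() != page_host.lower():
            findings["offsite"].append((tag, u.netloc.lower()))
        if tag == "form" and u.scheme == "http":  # card details would travel in clear text
            findings["insecure_form_targets"].append(u.netloc.lower())
        findings["decoded_params"].update(decode_b64_params(url))
    return findings


if __name__ == "__main__":
    print(analyze(SAMPLE_HTML, "servicevbv.us.tf"))
```

The D= value decodes to the page's own hostname, which is what a tracking or kit-licensing script would send home; the two iframes and the form action all point at hosts other than the one the victim is looking at, and the form target is plain http.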

Block spam comments in WordPress

Spam comments in WordPress can be very annoying; we use WP-reCAPTCHA to block spam, but it is not enough. So we have collected a list of words that are commonly used in spam comments and that, if blacklisted, can help block them. To add this list of blacklisted words in WordPress, open the admin panel, click “Settings” -> “Discussion” in the left panel and paste the list (one word per line) into the “Comment Blacklist” textarea.

Words to blacklist:

porn
sex videos
xxx
valium
viagra
cialis
pharma
xanax
narod.ru
naked
mitriptyline
dapoxetine
keyword service
medicine
box.net/shared/
insurance
make money
freepicbay
loan
medications
buying
purchase
bvlgari
bulgari
perfumes
best seo
alcoholic
escort
cheap
oem software
forex
xrumer
dating
weightloss
orgy
bdsm
bondage
cheap
jailbreak
movies
fetish
stocking
bodysuits
verizonunlock
ass
hotfile
blackjack
gambling
casino
poker
fat
enlargement
sesso
unlock
diet
divorce
videos
lawyer
prescription
buy
hypnosis
shipping
weightloss
loans
vaccination
toxoid
sexgreat
antidepressant
anabolics
jammer
durabolin
muscle
jamming
cigarette
hentai
skirt
dresses
healthcare

This should help you moderate comments by automatically moving every comment containing one of these words to the spam folder.
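One caveat worth knowing before pasting the list: the Comment Blacklist matches each entry case-insensitively anywhere in the comment's author, e-mail, URL and text, so an entry like "ass" also catches "class" and "password". The added Python example below (not WordPress code) reproduces that substring behaviour beside a whole-word variant, on a constructed subset of the list and a few constructed comments, so you can see which entries produce false positives.

```python
import re

# Constructed subset of the blacklist above, enough to show the behaviour
BLACKLIST = ["viagra", "cheap", "casino", "ass", "loan", "buy", "box.net/shared/"]

# Constructed sample comments; WordPress checks author, e-mail, URL and content
COMMENTS = [
    {"author": "promo", "email": "p@example.com", "url": "", "content": "Buy cheap viagra online"},
    {"author": "alice", "email": "a@example.com", "url": "", "content": "Nice post on the class hierarchy"},
    {"author": "ed", "email": "e@example.com", "url": "http://box.net/shared/abc", "content": "Link in my site"},
    {"author": "ted", "email": "t@example.com", "url": "", "content": "Thanks, very useful"},
]


def substring_hits(comment, blacklist):
    """WordPress-style check: case-insensitive substring match across every field."""
    hay = " ".join(comment.values()).lower()
    return [w for w in blacklist if w.lower() in hay]


def _wordbound_pattern(entry):
    """Require a non-alphanumeric neighbour only where the entry itself ends in
    a letter or digit, so 'ass' stops matching 'class' while a URL fragment such
    as 'box.net/shared/' still matches whatever follows the slash."""
    pat = re.escape(entry)
    if entry[0].isalnum():
        pat = r"(?<![A-Za-z0-9])" + pat
    if entry[-1].isalnum():
        pat = pat + r"(?![A-Za-z0-9])"
    return re.compile(pat, re.I)


def wordbound_hits(comment, blacklist):
    """Stricter variant of the same check: whole-word matches only."""
    hay = " ".join(comment.values())
    return [w for w in blacklist if _wordbound_pattern(w).search(hay)]


def moderate(comments, blacklist, matcher):
    """Route comments the way the Discussion setting does: (spam, approved) author lists."""
    spam, approved = [], []
    for c in comments:
        (spam if matcher(c, blacklist) else approved).append(c["author"])
    return spam, approved


if __name__ == "__main__":
    print("substring :", moderate(COMMENTS, BLACKLIST, substring_hits))
    print("whole-word:", moderate(COMMENTS, BLACKLIST, wordbound_hits))
```

With the substring rule alice's comment about a "class hierarchy" lands in spam because of the entry "ass"; the whole-word rule keeps it while still catching the pharmacy comment and the box.net link. Short entries in the list above ("ass", "fat", "buy", "diet") are the ones to watch for this effect.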

Recent Phishing Emails Against Banks and CartaSi

Here are a few recently reported malicious links hosting phishing pages:

Phishing Page

merklin-baiersbronn. de/components/com_mailto/Bankline.php
mooyekindmakelaars. nl/components/com_contact/Bankline.php
linebanks.dominiotemporario. com/inTerneT/nett/
mellylog.altervista. org/templates/beez/REAL.php
mellylog.altervista. org/templates/beez/Santander.php
163.30.82.2 /~user/www.cartasi.it/index.html
66.7.192.115 /~account/CaraSi.it/gtwpages/index.php?id=
organamattress.com /www/bancodesio/index.html

Malicious Redirect

URLVoid reports:

merklin-baiersbronn. de – 81.169.145.158
mooyekindmakelaars. nl – 77.94.248.181
linebanks.dominiotemporario. com – 187.17.98.37
mellylog.altervista. org – –
163.30.82.2
66.7.192.115 – bored1.reallybored.net
organamattress. com – 67.15.55.238

You have received a card from a family member

Users have reported to us some emails, themed around postcards and Hallmark, that contain HTTP links to download executable files with the .SCR (screen saver) extension. Below is an example of the email message we have received:

[Screenshot of the Hallmark email]

Extracted URLs:

hxxp://82.71.21.54 /postcard.scr
hxxp://212.43.82.11 /postcard.scr

File name: postcard-scr
File size: 1138594 bytes
MD5 hash: 83c4f02ee9cf83fcb6dfb1e4c4d94fca
SHA1 hash: be33a0e5f1008542b96e2342638bedd73b147ee7
Detection rate: 14 on 16 (88%)
Status: INFECTED

When executed, the malicious file postcard.scr installs a copy of the popular IRC chat client mIRC, with modified files, in a hidden directory under the TEMP directory of C:\WINDOWS. The mIRC executable has no icon and the other files have the hidden (+H) attribute set:

C:\WINDOWS\Temp\spoolsv\

[Screenshot: the hidden directory]

[Screenshot: dropped files]

[Screenshot: Windows Firewall alert]

[Screenshot: contents of Users.ini and remote.ini]

[Screenshot: contents of A.reg, used to write to the Windows Registry]

[Screenshot: contents of Run.bat]

Migre.me Widely Used in Recent Spam Campaigns

We have noticed that in recent spam campaigns spammers are using the URL shortening service Migre.me to spread pharmacy, casino and watch links and other scam links hidden behind the shortened URL, probably to bypass some anti-spam filters.

[Screenshot: spam message]

Note, at the bottom of the image above, the link to a shortened migre.me URL. Using our free tool Extract URL it is possible to find out where the shortened URL points, as shown in the image below:

[Screenshot: Migre.me URL extracted]

The extracted link points to a website that appears to be used to sell fake watches, fake Rolexes and other counterfeit or non-existent goods, definitely a scam site. We tried to visit the website and this is an image of its homepage:

[Screenshot: watches scam website]

Using our other free tool URL Dump we could easily confirm that it is a scam website used to sell fake Rolexes and fake watches, by searching for telling text in the dumped content, as seen in the image below:

[Screenshot: URL Dump in action]

Domain & IP Analysis

daychain .com – 121.127.133.14

Canadian pharmacy spam is back again

We logged a new massive spam campaign that uses Yahoo Groups user accounts to display clickable images of pharmaceutical products and redirect users to the fraudulent website. This technique is most probably used to bypass the security filters of anti-spam software.

A few of the extracted links:

hxxp://groups.yahoo .com/group/alandpenberthygy/message
hxxp://groups.yahoo .com/group/yehoshuacobazw/message
hxxp://groups.yahoo .com/group/mcculloughabeitao/message
hxxp://groups.yahoo .com/group/boddusteptoesm/message
hxxp://groups.yahoo .com/group/seennlovelykn/message
hxxp://groups.yahoo .com/group/zevmacconnelldl/message
hxxp://groups.yahoo .com/group/joulouncapperm/message
hxxp://groups.yahoo .com/group/rajeshrelphb/message
hxxp://groups.yahoo .com/group/ilantrevathanny/message
hxxp://groups.yahoo .com/group/dorrelltrinklea/message
hxxp://groups.yahoo .com/group/tebibmatopebj/message
hxxp://groups.yahoo .com/group/danlanaganu/message
hxxp://groups.yahoo .com/group/xenetotsimpkinsqe/message
hxxp://groups.yahoo .com/group/kerncogero/message
hxxp://groups.yahoo .com/group/exrsrlsr/message

All these links contain the same image:

[Image]

And the malicious pharmaceutical sites promoted are:

hxxp://medicaltopatom .com:8080/
hxxp://superdrugsudden .com:8080/
hxxp://perfectpillcool .com:8080/

[Screenshot: pharmaceutical website]

Medicaltopatom.com WHOIS:

Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Whois Server: whois.dns.com.cn
Referral URL: http://www.dns.com.cn
Status: clientTransferProhibited

Expiration Date: 2011-07-21
Creation Date: 2010-07-21
Last Update Date: 2010-08-05

Name Servers:
ns1.medicaltopatom.com
ns2.medicaltopatom.com
ns3.medicaltopatom.com
ns4.medicaltopatom.com

Organisation Name…. hong zhongzhen
Organisation Address. shichengdadao29
Organisation Address.
Organisation Address. hangzhou
Organisation Address. 315029
Organisation Address. ZJ
Organisation Address. CN

Admin Name……….. hongzhongzhen
Admin Address…….. shichengdadao29
Admin Address……..
Admin Address…….. hangzhou
Admin Address…….. 315029
Admin Address…….. ZJ
Admin Address…….. CN
Admin Email………. juiajl@yeah.net
Admin Phone………. +86.57158905471
Admin Fax………… +86.57158905471

Superdrugsudden.com WHOIS:

Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Whois Server: whois.dns.com.cn
Referral URL: http://www.dns.com.cn
Status: clientTransferProhibited

Expiration Date: 2011-07-21
Creation Date: 2010-07-21
Last Update Date: 2010-08-04

Name Servers:
ns1.superdrugsudden.com
ns2.superdrugsudden.com
ns3.superdrugsudden.com
ns4.superdrugsudden.com

Organisation Name…. lin xinhao
Organisation Address. xuchangshiliuyilu15hao
Organisation Address.
Organisation Address. xuchang
Organisation Address. 461691
Organisation Address. HA
Organisation Address. CN

Admin Name……….. linxinhao
Admin Address…….. xuchangshiliuyilu15hao
Admin Address……..
Admin Address…….. xuchang
Admin Address…….. 461691
Admin Address…….. HA
Admin Address…….. CN
Admin Email………. dvbdsbebvdb@126.com
Admin Phone………. +86.3742661510
Admin Fax………… +86.3742661510

Perfectpillcool.com WHOIS:

Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Whois Server: whois.dns.com.cn
Referral URL: http://www.dns.com.cn
Status: clientTransferProhibited

Expiration Date: 2011-07-21
Creation Date: 2010-07-21
Last Update Date: 2010-08-06

Name Servers:
ns1.perfectpillcool.com
ns2.perfectpillcool.com
ns3.perfectpillcool.com
ns4.perfectpillcool.com

Organisation Name…. wang jitai
Organisation Address. jiningshichangqinglu7hao
Organisation Address.
Organisation Address. jining
Organisation Address. 273500
Organisation Address. SD
Organisation Address. CN

Admin Name……….. wangjitai
Admin Address…….. jiningshichangqinglu7hao
Admin Address……..
Admin Address…….. jining
Admin Address…….. 273500
Admin Address…….. SD
Admin Address…….. CN
Admin Email………. betty999_cool@yeah.net
Admin Phone………. +86.5372226919
Admin Fax………… +86.5372226919
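The three WHOIS records share registrar, status and creation/expiry dates while the contact details differ, which is what a batch registration by one operator looks like. The added Python example below (not the post's code) parses the dotted-leader format printed by this registrar and pivots on the fields that coincide, clustering the three domains as one registration batch. The sample records are trimmed copies of the ones quoted above (name servers and address lines left out).

```python
import re
from collections import defaultdict

# Constructed sample: the salient lines of the three WHOIS records quoted in the post.
WHOIS_RECORDS = {
    "medicaltopatom.com": """\
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Whois Server: whois.dns.com.cn
Status: clientTransferProhibited
Expiration Date: 2011-07-21
Creation Date: 2010-07-21
Last Update Date: 2010-08-05
Admin Name........... hongzhongzhen
Admin Email.......... juiajl@yeah.net
Admin Phone.......... +86.57158905471
""",
    "superdrugsudden.com": """\
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Whois Server: whois.dns.com.cn
Status: clientTransferProhibited
Expiration Date: 2011-07-21
Creation Date: 2010-07-21
Last Update Date: 2010-08-04
Admin Name........... linxinhao
Admin Email.......... dvbdsbebvdb@126.com
Admin Phone.......... +86.3742661510
""",
    "perfectpillcool.com": """\
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Whois Server: whois.dns.com.cn
Status: clientTransferProhibited
Expiration Date: 2011-07-21
Creation Date: 2010-07-21
Last Update Date: 2010-08-06
Admin Name........... wangjitai
Admin Email.......... betty999_cool@yeah.net
Admin Phone.......... +86.5372226919
""",
}

# "Key: value" or "Key....... value"; the ellipsis char covers copy-pasted dotted leaders
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*[.:\u2026]+\s*(.*)$")


def parse_whois(text):
    """Key/value dict of one record; lines without a value (e.g. 'Name Servers:') are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m and m.group(2):
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def shared_fields(records):
    """Fields whose value is identical across every record: the pivot points."""
    parsed = [parse_whois(t) for t in records.values()]
    common = set.intersection(*(set(p) for p in parsed))
    return {k: parsed[0][k] for k in sorted(common)
            if all(p[k] == parsed[0][k] for p in parsed)}


def cluster(records, keys=("Registrar", "Creation Date")):
    """Group domains whose chosen registration attributes coincide."""
    groups = defaultdict(list)
    for domain, text in records.items():
        f = parse_whois(text)
        groups[tuple(f.get(k) for k in keys)].append(domain)
    return dict(groups)


if __name__ == "__main__":
    print(shared_fields(WHOIS_RECORDS))
    print(cluster(WHOIS_RECORDS))
```

Registrar plus creation date is a coarse key, so on real data add the name-server pattern or the hosting IP to the tuple before treating a cluster as one campaign.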

RubyRoyale Casino Spam

I recently noticed that a honeypot reported a very large increase in casino spam emails containing links to casino websites that all have .RU as their domain extension; in some cases the links are “obfuscated” with spaces (e.g. www . site . com) or other junk characters to evade anti-spam filters and to not appear as HTTP links.

I tried to visit one of the casino links found in the spam emails to analyze the website and see what is dangerous about these links. This is a screenshot of the homepage:

[Screenshot of the homepage]

It looks like the objective of the website is to make the user click the “Download” button and install an unknown casino application on the user’s computer; if we analyze the executable with multiple antivirus engines, this is the result:

Report date: 2010-07-08 18:25:31 (GMT 1)
File name: RubyRoyaleEN.exe
File size: 366648 bytes
MD5 hash: f413ef95815c3e25e9c256a5fd60a9e4
SHA1 hash: a1a0e5de487ae8b01871df3bda4efd5898500298

a-squared 08/07/2010 5.0.0.7 Riskware.OnlineCasino!IK
F-PROT6 20100707 4.5.1.85 W32/Casino.F.gen!Eldorado
Ikarus T3 08/07/2010 1.1.84.0 Riskware.OnlineCasino
NOD32 5262 4.0.474 Win32/PrimeCasino
TrendMicro 293 9.120-1004 ADW_CASINO

The executable is detected as Adware or PUP (Potentially Unwanted Application) by many antivirus engines, and it is advisable not to run this kind of application on a computer. Here is a list of recent casino websites the honeypot has reported as spam:

topbestcazinos.ru   (61.222.252.99)
bestcazinos-vip.ru   (61.222.252.99)
cazinosvipbest.ru   (61.222.252.99)
cazinosbesttop.ru   (61.222.252.99)
cazinosbestbonus.ru   (61.222.252.99)
bestid-casinos.ru   (61.222.252.99)
id-bestplay.ru   (61.222.252.99)
idbest-casinos.ru   (61.222.252.99)
playid-best.ru   (61.222.252.99)
casinosvipbest.ru   (61.222.252.99)
luxbest-casinos.ru   (61.222.252.99)
besttopcasinos.ru   (61.222.252.99)
vipcasinosbest.ru   (61.222.252.99)
casinoswebclub.ru   (61.222.252.99)
casinosmyweb.ru   (61.222.252.99)
webmycasinos.ru   (61.222.252.99)
casinosluxweb.ru   (61.222.252.99)
bestplay-lux.ru   (61.222.252.99)
casinosbestweb.ru   (61.222.252.99)
playidbest.ru   (61.222.252.99)
bestlux-casinos.ru   (61.222.252.99)
besttop-casinos.ru   (61.222.252.99)

As we can see, all the casino-related domains are hosted on the same IP address, located in TW with ASN 3462 (HINET Data Communication Business Group): 61.222.252.99 – 61-222-252-99.HINET-IP.hinet.net
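To act on both observations, the spaced-out "www . site . com" trick and the shared hosting IP, here is an added Python example (not the honeypot's code): it de-obfuscates spaced host names from spam text, resolves them through an injectable resolver, and groups hosts by IP so that one address fronting many throwaway domains stands out. The sample text and the fake DNS table are constructed; the .ru names and 61.222.252.99 are taken from the list above, 203.0.113.7 is a TEST-NET address.

```python
import re
import socket
from collections import defaultdict

# Constructed spam text using the spacing obfuscation described above
SAMPLE_SPAM = """Play now at www . topbestcazinos . ru and win!
Best bonus today: bestcazinos-vip . ru
visit www.casinosmyweb.ru for more
Unsubscribe: http://example.com/optout"""

# Labels may carry whitespace around each dot. The TLD is restricted to a small
# allow-list so that "end of sentence. Next" is not mistaken for a host name.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\s*\.\s*)+(?:ru|com|net|org))\b", re.I)


def extract_domains(text):
    """De-obfuscated, lower-cased host names in order of first appearance."""
    found = []
    for m in DOMAIN_RE.finditer(text):
        host = re.sub(r"\s+", "", m.group(1)).lower()
        if host not in found:
            found.append(host)
    return found


def group_by_ip(hosts, resolve=socket.gethostbyname):
    """Map each resolved IP to the hosts that share it; unresolvable hosts are kept apart."""
    groups = defaultdict(list)
    for h in hosts:
        try:
            groups[resolve(h)].append(h)
        except OSError:  # NXDOMAIN, timeout and friends
            groups["unresolved"].append(h)
    return dict(groups)


def shared_hosting(groups, min_hosts=2):
    """IPs fronting several of the extracted hosts: one operator, many disposable domains."""
    return sorted(ip for ip, hs in groups.items()
                  if ip != "unresolved" and len(hs) >= min_hosts)


# Constructed resolver stand-in so the demo runs offline
FAKE_DNS = {
    "www.topbestcazinos.ru": "61.222.252.99",
    "bestcazinos-vip.ru": "61.222.252.99",
    "www.casinosmyweb.ru": "61.222.252.99",
    "example.com": "203.0.113.7",
}


def fake_resolve(host):
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")


if __name__ == "__main__":
    hosts = extract_domains(SAMPLE_SPAM)
    groups = group_by_ip(hosts, resolve=fake_resolve)
    print(hosts)
    print(groups)
    print("shared hosting:", shared_hosting(groups))
```

Drop the resolve= argument to use real DNS. Grouping by IP is the cheap first pass; the post's ASN lookup (3462, HINET) is the natural next pivot when the operator spreads domains across a few addresses in the same network.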