hpHosts Blog

Formspring: 12,595 abusive pages later ....

2012-01-27T19:03:00.000-08:00

It's now been over a week since Formspring last replied (e-mails have been sent since, but no response).As such, I thought I'd list the current tally here again* - same criminals responsible as last time. You'd have thought that would make it easy to filter, especially given the keywords they're using are also exactly the same but alas - it seems they've resigned themselves to doing whatever it

securikai.com: In and out of common sense

2012-01-23T18:17:00.000-08:00

Oh dear, this isn't going to end well. To clarify folks - as securityerrata.org makes clear, there isn't a vulnerability here - it's a simple case of typo-squatting and attempted extortion.Introducing Arthur 'Wesley' Kenzie, aka SecurikaiLate in December of 2011, HD Moore received a curious email from "Arthur (Wesley) Kenzie" notifying him that Kenzie had "important information to discuss with

Formspring abuse: Oh dear ....

2012-01-22T18:23:00.000-08:00

Well, I was hopeful after their last response, that there was finally going to be a reduction, but sadly it appears this isn't the case.As of 2 seconds ago, the abuse is still prolific, and it's STILL the same parties responsible;1. download2d.com2. mSpyI've had no response from Formspring, to the e-mail I sent a few days ago, so god only knows what's going on over there, but until they get a

Formspring continued - this time it's download2d.com as the MITM

2012-01-20T05:55:00.000-08:00

Well, seems they're not keeping on top of it that well, still a few from this morning still active;http://www.formspring.me/kifihiclihttp://www.formspring.me/rytelnucomhttp://www.formspring.me/abarlaforhttp://www.formspring.me/engatreperhttp://www.formspring.me/erlasticenhttp://www.formspring.me/pharigeschlinghttp://www.formspring.me/unelsenlahttp://www.formspring.me/inphabalrahttp://

Formspring.me update

2012-01-19T20:35:00.001-08:00

I am pleased to report, I've been monitoring the Formspring.me abuse and they're now keeping on top of it, so all abusive pages created, are now being taken down relatively quickly.Still seems to be the same IP responsible for at least part of the abuse (188.143.232.113 - IP is well known for comment spam). Whether or not this is the same IP actually creating them in the first place, is something

fSpamlist.com down temporarily

2012-01-19T20:31:00.000-08:00

Due to a power failure yesterday, the fSpamlist.com server was down from approx 21:20 (GMT London) until I woke up (around 40 minutes later) and fixed the issue. Sadly it turned out the power failure had corrupted not only the file system, but the MFT and MBR. This was fixed and the server brought back online.However, further corruption has been found in the PHP installation, preventing the sites

Alert: Eventbee.com abuse

2012-01-18T21:01:00.000-08:00

The formspring.me abuse is continuing, but in the meantime, it looks like they're having a bash on eventbee.com too.http://www.eventbee.com/v/pharm/event?eid=839465373http://www.eventbee.com/v/pharm/event?eid=809069363http://www.eventbee.com/v/pharm/event?eid=830974301http://www.eventbee.com/v/pharm/event?eid=849867363http://www.eventbee.com/v/pharm/event?eid=879564391http://www.eventbee.com/v/

Formspring.me: Second verse, same as the first

2012-01-17T17:18:00.000-08:00

As of this morning, the current tally for 2012 (Formspring were dropped an e-mail yesterday, and will be dropped another one in a few minutes as whatever they're doing to prevent this, evidently isn't working);18/01/2012 01:15 http://www.formspring.me/warphororo18/01/2012 01:12 http://www.formspring.me/derslitemppe18/01/2012 01:08 http://www.formspring.me/heitaistorab18/01/2012 01:05

DomainMonster.com outage

2012-01-17T10:41:00.000-08:00

Looks like there's problems in the DomainMonster.com camp today. Their phones are coming back as temporarily unavailable, and whilst their website is working, mail servers seem to be down. The it-mate.co.uk incoming mail server is through DomainMonster, and sporadically failing, which sadly means I can send e-mails (different server), but can't receive them.I've tried both numbers available for

Formspring.me abuse continuing

2012-01-16T14:13:00.000-08:00

Looks like Formspring still haven't pulled their finger out as the abuse over there is still drastically on-going, with no signs of anything changing.The latest batch includes;http://www.formspring.me/goamithedehttp://www.formspring.me/abteaneebehttp://www.formspring.me/adcommingsyndhttp://www.formspring.me/afodgageshttp://www.formspring.me/aftethenlanghttp://www.formspring.me/agunprosorhttp://

iLivid: Still using highly misleading marketing

2012-01-02T12:03:00.001-08:00

Checking a newly registered site (videocelebritynews.com), I stumbled upon what I thought at first, was going to be the usual fake codec notice that tends to lead to a trojan. Hovering over the image however, immediately pointed to its being an advert, rather than the typical fake codec stuff we're used to seeing.Following the URL led straight to an iLivid executable;1. hxxp://

Happy New Year!

2011-12-31T17:12:00.000-08:00

I know it's not 2012 everywhere yet, but it is here, so happy new year everyone!.2011 has been an exceptionally strange, and sometimes downright frustrating year, and I doubt 2012 will be any different as I don't forsee some of the hosting companies/registrars attitudes changing, nor do I see ICANN or Ripe/Arin et al, getting off their backside and doing their damn job for a change.However, 2011

hpHOSTS - UPDATED 29th December 2011

2011-12-30T01:34:00.000-08:00

The hpHOSTS Hosts file has been updated. There is now a total of 230,392 listed hostsnames.If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)Latest Updated: 29/12/2011 00:15Last Verified: 28/12/2011 22:33Download hpHosts now!http://hosts-file.net/?s=Download

hpHosts server issues

2011-12-28T18:27:00.000-08:00

Due to technical problems, the hpHosts server including the site and forums, will be down for a few hours.My apologies for any inconvenience.

Ransomware impersonating law enforcement

2011-12-21T12:03:00.000-08:00

Ransomware, the practice of providing fake notifications that “you’re infected” and then selling a fake solution that removes the fake malware they just installed, has been a boon for scammers. Now, they’re taking it a step farther, and throwing in a law enforcement scare.This time, an official-looking banner pops up, purporting to be from various law enforcement agencies, localized by region,

Dear HostNOC - your servers are attacking a friend!

2011-12-09T21:40:00.000-08:00

I am assisting a friend at present, with an issue involving IPs constantly attacking his servers, and noted during one of his recent updates, that alot of them were HostNOC - turns out, there's quite the list of them (ignoring the others from known criminal networks). All are RFI etc, and all are already being blocked by ZBBlock (a script written by my friend Zaphod).The problem here, is HostNOCs

Blackhole exploit: For those wondering, Part 4 - Now its Amazons turn

2011-12-09T12:21:00.000-08:00

This one came in whilst I was asleep, no JS MITMs this time, just the link in the e-mail that uses a meta refresh to redirect you to the domain housing the Blackhole exploit itself;Hello,Shipping ConfirmationOrder # 651-5411744-0155168 Your estimated delivery date is:Tuesday, December 13, 2011Track your package

Blackhole exploit: For those wondering, Part 3 - Fake Facebook e-mail

2011-12-08T22:29:00.000-08:00

This one came in an e-mail claiming to be from Facebook, with the usual social engineering rubbish;facebook Hi,You haven't been back to Facebook recently.You have received notifications while you were gone. 1 message

Fake Firefox e-mail leading to SpyEye trojan

2011-12-08T11:55:00.000-08:00

This little chap arrived in my spam box today, and almost got over-looked (I was checking the newest e-mails leading to the Blackhole exploit (one of which, couldn't decide if it was from LinkedIn or the FDIC)), and not surprisingly, is fake.The Payload, all 593KB of it, infects the unwitting victim with the SpyEye trojan. VT detection is utterly rubbish of course - only 2 vendors detecting

Blackhole exploit: For those wondering, Part 2

2011-12-05T10:01:00.000-08:00

I received a comment to the 2009 blog. This one houses a variation of the MO used that I outlined in part 1 (was not going to be a part 2, but it's got a few changes that warranted it).The MO in this case, is;1. Site A2. ExploitThere's no MITMs this time. There's also a slight change in the code used on the exploit page itself, though curiously, it's even easier to decode than the last one (only

Blackhole exploit: For those wondering

2011-12-05T03:01:00.000-08:00

For those wondering and not yet aware. The latest incarnations coming via e-mail have changed MO - the link to the exploit itself, isn't directly in the e-mail anymore. Instead, it goes via;1. Site A2. 4 x MITMs5. Exploit siteIn this case;cadcamengineers.com/6ebc21/index.html-> napaul.com/statcounters.js-> proplastics.rs/statcounters.js-> rodns.eu/statcounters.js-> sashandbow.com.au/

Eset: Support-Scammer Tricks

2011-11-30T08:39:00.000-08:00

Having been blogging this topic for quite a while, I figure this might be a good time to highlight some of the snippets of information that people have posted on some of those blogs (anonymized, of course). You might also be interested in a resource page I've started here at AVIEN.One prospective victim instructed to connect via the Run window to www.support.me. This turns out to belong to

hpHOSTS - UPDATED November 21st, 2011

2011-11-21T12:12:00.000-08:00

The hpHOSTS Hosts file has been updated. There is now a total of 216,044 listed hostsnames.If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)Latest Updated: 21/11/2011 18:30Last Verified: 21/11/2011 19:00Download hpHosts now!http://hosts-file.net/?s=Download

up-yours.com - Here we go again

2011-11-15T23:17:00.001-08:00

I thought I'd made this clear, but apparently not. I got an e-mail earlier, from a RoadRunner IP (residential US ISP), using an @up-yours.com address.There's two problems here however;1. It's an invalid address, so can't reply2. The e-mail houses a childish threat, without actually telling me what I did to deserve it*********************************************************************General*****

Lavasoft gone dodgy?

2011-11-13T16:29:00.000-08:00

According to a post at my favorite news site, it looks like Lavasoft' new owners are the infamous chaps behind the well known "Interactive Brands". Should've seen this coming really, given they de-listed the well known malware player, WhenU, some time ago - I know that was 6 years ago, but it can't just be a coincidence, especially given who the new owners are.Anti-spyware company Lavasoft AB is

Internet.bs still not accepting abuse reports

2011-11-11T05:03:00.001-08:00

You may remember, in September I blogged about Internet.BS, well known as a bulletproof provider for domain registrations.Sadly, neither Verisign nor ICANN have done anything, and Internet.bs are still refusing reports (I say refusing because whilst the error is a 450, they were notified months ago and it's still producing the same error, preventing reports going through), courtesy of the Gmail

Facebook Likes and cold-call scams

2011-11-09T13:32:00.000-08:00

Following an article I wrote recently for SC Magazine, Martijn Grooten of Virus Bulletin, who shares my interest in and dislike of support desk scams, contacted me about the web site associated with eFIX, a company claiming to offer online technical support. He and I, along with Steven Burn, who has a great deal of experience of working in this area, have been able to dig out some interesting

webhosting.info compromised

2011-11-01T17:26:00.001-07:00

Look at the image on the left. See anything that shouldn't be there?I'll give you a hint - it's got a black background.I identified this whilst doing a routine enquiry on an IP housing a plethora of fake meds sites. I dropped a note to the sites owner and registrar, who informed me it most definitely should NOT be there.The content in question, is;