Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday, 26 June 2012

Dear Bloxx (and InfoSec)

I've asked your company several times now, both via phone and via email, to STOP spamming and cold-calling me. The last cold-call was less than 20 mins ago, and I asked her to put in a report to the company CEO regarding it. As I suspect the report isn't going to get to the Bloxx CEO, let us see if this reaches you ....

STOP SPAMMING ME!

Oh and to the chaps responsible for InfoSec, perhaps next time, you can warn those attending, that the barcodes on their badges, are going to be used to allow companies to spam and cold-call us - as this was certainly not a warning I received prior to, or after, registering.

For those that would like to pre-emptively block Bloxx spam, simply block the following;

*@bloxx.com

The last number they called from was 01506 426 976

Monday, 11 June 2012

Blackhat SEO: edisonresearch.co.uk + domain-parking.net (aka freeparking.co.uk)

Many criminals attempt blackhat SEO, most in attempts to push up the value of their domains prior to selling them. Others, in an attempt to boost their value to prospective advertisers.

Unfortunately in this case, it appears the owner of edisonresearch.co.uk, has chosen to try and use the vURL server, to boost their domains value. They've done this by pointing the A record for the domain, to the vURL servers IP address;

82.165.40.133

Unfortunately for them, identifying and preventing such abuse, is very simple - simply require host headers for sites on your web servers (e.g. so your server can't be accessed via http://{IP}).

What is curious in this case, is their registrar, freeparking.co.uk. This particular site, which claims to be ICANN accredited (and if that's true, I'm disgusted). This particular registrar is owned by US based, domain-parking.net, which have seen fit not only to exclude phone numbers for their website, but to provide a completely invalid number in their WhoIs records - itself a violation of ICANN rules.

Domain Name.......... domain-parking.net
Creation Date........ 1999-05-27
Registration Date.... 2001-05-13
Expiry Date.......... 2013-05-27
Organisation Name.... ActiveBytes Software LLC
Organisation Address. 2530 Channin Drive
Organisation Address.
Organisation Address. Wilmington
Organisation Address. 19810
Organisation Address. DE
Organisation Address. UNITED STATES

Admin Name........... na Domain Admin
Admin Address........ 2530 Channin Drive
Admin Address........
Admin Address........ Wilmington
Admin Address........ 19810
Admin Address........ DE
Admin Address........ UNITED STATES
Admin Email.......... domadmin@domain-parking.net
Admin Phone.......... +44.18001231234
Admin Fax............ +44.18001231234

Tech Name............ Admin Domain
Tech Address......... ActiveBytes Software LLC
Tech Address......... UK Telephone Support Line
Tech Address......... 0905 2340911
Tech Address......... DE19810
Tech Address......... DE
Tech Address......... UNITED STATES
Tech Email........... domadmin@domain-parking.net
Tech Phone........... 44 905 2340911
Tech Fax............. 44 905 2340911
Name Server.......... ns3.ukdnsservers.co.uk
Name Server.......... ns4.ukdnsservers.co.uk


To make matters worse, these chaps have also seen fit to rip off those that do try calling the only VALID number in the WhoIs, by using the premium rate 0905 number (note the Tech Phone).

Domain name:
freeparking.co.uk

Registrant:
Fibranet Services Ltd

Registrant type:
Unknown

Registrant's address:
PO Box 95
2A Lord Street
Douglas
Isle of Man
IM99 1HP
Isle Of Man

Registrar:
Fibranet Services Ltd [Tag = FIBRANET]
URL: http://www.freeparking.co.uk

Relevant dates:
Registered on: 08-Jan-1999
Expiry date: 08-Jan-2013
Last updated: 11-Jan-2012

Registration status:
Registered until expiry date.

Name servers:
ns3.ukdnsservers.co.uk 72.1.201.151
ns4.ukdnsservers.co.uk 72.1.216.99

WHOIS lookup made at 02:21:24 12-Jun-2012


So to recap, it's a US company claiming to be a German company (ref the presence of "DE" in the address), claiming to be a UK company, using a fake US phone number (+44.1800), and trying to rip people off by using a premium rate number for the only valid number in the WhoIs records. And these guys are ICANN accredited???

The edisonresearch.co.uk WhoIs records isn't much help either.

Domain name:
edisonresearch.co.uk

Registrant:
Edison Investment Research

Registrant type:
Unknown

Registrant's address:
5 Newby Street
London
A1 1AA
United Kingdom

Registrar:
Fibranet Services Ltd [Tag = FIBRANET]
URL: http://www.freeparking.co.uk

Relevant dates:
Registered on: 20-Jun-2003
Expiry date: 20-Jun-2013
Last updated: 07-Jul-2011

Registration status:
Registered until expiry date.

Name servers:
ns3.ukdnsservers.co.uk 72.1.201.151
ns4.ukdnsservers.co.uk 72.1.216.99

WHOIS lookup made at 02:19:56 12-Jun-2012


Oh and no, the address in this one isn't valid either - A1 is a motorway, not a valid postcode in the UK. The correct postcode for 5 Newby Street, London, is SW8 3BQ.

/Edit

Keep forgetting Google have completely messed up the editor on Blogspot. I've now added the line breaks, sorry folks.

Fake meds spoofing IMDB

Looks like it's the turn of the IMDB to be spoofed. Same gang responsible, not surprisingly.



Return-Path: <ticket@dutchman.dk>
Delivered-To: [REMOVED]
X-Spam-Flag: YES
X-Spam-Score: 14.747
X-Spam-Level: **************
X-Spam-Status: Yes, score=14.747 tagged_above=-9999 required=1.3
tests=[BAYES_50=0.8, DATE_IN_FUTURE_12_24=3.199,
DKIM_ADSP_NXDOMAIN=0.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989,
MIME_HEADER_CTYPE_ONLY=0.717, MIME_HTML_ONLY=0.723,
RAZOR2_CHECK=0.922, RCVD_IN_BL_SPAMCOP_NET=1.347,
RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_PSBL=2.7] autolearn=spam
Received: from ns1-110.psychodev.net (ns1-110.psychodev.net [122.155.10.125])
by [REMOVED] (Postfix) with SMTP id D97EC39846D
for <[REMOVED]>; Mon, 11 Jun 2012 15:59:38 +0100 (BST)
Subject: [SPAM] Your password is too short
Content-Type: text/html; charset="utf-8"
To: [REMOVED]
From: IMDb User Protection <do-not-reply-here@change-imdb.com>
Message-Id: <20120611215942.C11DBDCEA0A@imdb-pro-online-0376.iad6.amazon.com>
Date: Mon, 11 Jun 2012 21:59:42 -0700 (PDT)


In this case, the link leads to;

loekieschroder.nl/up/load/

Which redirects to;

Host: herbalchemistsshop.com
IP: 91.238.180.92
IP PTR: Resolution failed
ASN: 197071 91.238.180.0/23 INTERWERK INTERWERK - Rotorfly Europa GmbH & Co. KG

Domain Name: HERBALCHEMISTSSHOP.COM

Registrant:
Ilmari Karlsson
Ilmari Karlsson (jovanovic@08mail.com)
Siikajoentie 85
Revonlahti
Revonlahti,92350
FI
Tel. +358.0408663029

Creation Date: 08-Jun-2012
Expiration Date: 08-Jun-2013

Domain servers in listed order:
ns1.herbalchemistsshop.com
ns2.herbalchemistsshop.com

Administrative Contact:
Ilmari Karlsson
Ilmari Karlsson (jovanovic@08mail.com)
Siikajoentie 85
Revonlahti
Revonlahti,92350
FI
Tel. +358.0408663029

Technical Contact:
Ilmari Karlsson
Ilmari Karlsson (jovanovic@08mail.com)
Siikajoentie 85
Revonlahti
Revonlahti,92350
FI
Tel. +358.0408663029

Billing Contact:
Ilmari Karlsson
Ilmari Karlsson (jovanovic@08mail.com)
Siikajoentie 85
Revonlahti
Revonlahti,92350
FI
Tel. +358.0408663029


Other domains seen on this IP (you can also keep up with them via the hpHosts website)

abacirnyo.net
acefsynqe.com
ailanthoidolherbal.com
ailanthoidolwelness.com
aircanadarx.com
ajohn.dietrxpills.ru
ajryfdewett.com
allcialisrx.com
allied.couponkidrugstore.com
amwafudicbia.com
amwafudicbia.net
androidcanadatablet.mobi
androidmedical.com
androidrugstoretablet.com
androidtratablet.com
anticaretab.com
appstabletsrx.com
aronpharmacylevitra.com
arontrapharmacy.com
arontrapill.mobi
arontraprescription.com
arontratablet.com
arontraviagra.com
assayslnesshealthcare.com
athaxpyqs.com
awakeninglevitra.com
awsanimmag.com
badgeshealthcare.com
badgestabmedicine.com
baetevzuo.com
bataviagracialis.com
bdauzzyus.com
bdelwiac.com
bdocleyle.com
beliciamelisande.com
bestmedicinepharma.ru
betterhealthpills.com
bildunterschriftpills.com
biologicalpill.mobi
biolpharm.com
biolpharmacy.com
blockbusterstore.net
blonfipa.com
boisviagra.com
boquihcu.net
bosnialispharm.eu
bplispill.com
bplispills.com
breiclorn.com
brokusvexva.com
brylzaox.com
buygenericsmeds.com
buygenericspills.com
buygenericswelness.com
buyviagracialis.com
bygjeqworw.com
bzawivuck.com
bziwsinowebr.com
cadnuzque.com
caifkytce.com
canadapillgroup.com
canadaprescriptiongroup.com
canadatabtablet.mobi
canadatrevali.com
canadianelnesscanada.com
canadiantabcanada.com
carehealthmeds.com
carehealthrxtablets.net
caremarkviagra.com
caremedicalpharmacy.com
carepharmedical.com
carepharmkildee.com
carepillsgroup.com
caretabgalaxy.com
careviagra.com
careviagrahealth.mobi
careviagras.com
carewelbizness.com
carewelloch.com
carmelitakelly.com
carotenoidsherbal.be
cecbitpa.com
celebrex200mg.org
cellwelness.mobi
cialispillerie.com
cialispillsbp.com
cialistabletgroup.com
cialistkvue.com
cialisttypeab.com
cialisviagracounterpunch.com
cialiswelbizness.com
cialiswelpakistan.com
cialiswichi.com
cnadkuxnif.com
cnajzepsok.com
cnajzepsok.net
comptablevitra.com
contabcialis.com
contabgenerics.com
contabmedicare.com
contabsale.com
counterpunchgenerics.com
counterpunchviagra.com
counterpunchviagramedicine.com
counterpunchwelness.com
couponkidrugstore.com
cvityasmiy.com
dakbenranul.com
daksuzwuw.com
debtpharm.com
dedwiccew.com
derunherta.com
dexfaifmev.com
dfdohf.ru
dfhjds.ru
dfjkd.ru
dfnsmf.ru
dfsmnf.ru
dhfjsf.ru
dietabletgroup.com
dietmedscalories.com
dietpharmacyeat.com
dietpharmacyweight.com
dietpharmgroup.com
dietpilldrugstore.com
dietpillgenerics.com
dietpillgroup.com
dietpillmed.com
dietpillmedicare.com
dietpillsdrugstore.com
dietpillsgenerics.com
dietpillsgroup.com
dietpillsherbal.com
dietprescriptionfat.com
dietprescriptiongroup.com
dietsperm.com
dietwelfat.com
dietwichi.com
dietwiski.com
digitalmediaset.com
djfhf.ru
doypdaficea.com
drugenericswiki.com
drughealthcareprescription.com
drugmedpill.com
drugpillcialis.com
drugpillsgenerics.com
drugpillsherbal.com
drugscvspharmacy.com
drugsmedsmedical.com
drugsprescriptionlevitra.com
drugstoreandroid.com
drugstorebirth.com
drugstoredoctor.com
drugstoredrugstorehealth.ru
drugstorehealthmedscare.net
drugstorehealthmedsinsurance.net
drugstorehomerxmeds.net
drugstorehospital.net
drugstorepause.com
drugstorepharmacydrug.com
drugstorepharmacyretailers.com
drugstorepharmacywalgreens.com
drugstorepilldrug.com
drugstorepillsandroid.net
drugstorerxbronzer.com
drugstorerxhealthinsurance.net
drugstorestrauss.com
drugstoretabinc.com
drugstoretabletgroup.com
drugstoretabletsmed.com
drugstoretabletsnook.net
drugstoreviagragroup.com
drugstorewelloch.com
drugstorewelness.com
drugstorewelnessgroup.com
drugstorewichi.com
drugtorehealthcare.com
drugtorehealthtabletsmedicare.net
drugtorepharmacytabletsomma.net
drugtoretabletshealth.net
drykveffum.com
dukyoxcymo.com
dunnvillepill.com
dvocmiojha.com
dymevaga.bestmedicinepharma.ru
dynuldauc.com
dzepojkarny.com
dzovhodryts.com
dzovhodryts.net
eaheuwdufpi.net
eatdietmeds.com
eatingmeds.com
eatpharmdiet.com
eatpill.mobi
ebjoknubih.com
eckingerrx.com
ecstasyherbal.com
ejcibweof.com
ejpythoufah.com
elsevkatja.com
eovurvainso.com
epanfaftue.com
epwyphafqe.com
esfixmovizqe.com
eskunpoa.com
ettoicbynn.net
evkasryb.com
fndmsf.ru
fnsmfs.ru
goscandata.com
gugyhpymka.com
hibaqyro.bestmedicinepharma.ru
igjfmd.ru
jatijogu.bestmedicinepharma.ru
jhfsfd.ru
jvhjaq.ru
kjckv.ru
kjvkxd.ru
mail.dfjkd.ru
mail.dietrxpills.ru
mail.fkvjgx.ru
miravalmed.eu
mypharmcialis.com
mywelnesslevitra.com
newcialispharmacy.com
newhealthmeds.com
newpillshealth.com
newrxmedical.com
nokitore.bestmedicinepharma.ru
ns1.baetevzuo.com
ns2.baetevzuo.com
pharmmednew.com
rubed.ru
tylubita.bestmedicinepharma.ru
xamonixe.bestmedicinepharma.ru
zeu.drugstorerxmedsfast.ru
zuxudasi.bestmedicinepharma.ru


And I've no doubt there's more I'm not yet aware of.

Email text;

This is an automatic message from the Internet Movie Database (IMDb) registration system.
Our system detected your password is too weak. Short passwords are easy to guess.

Please follow this link :

https://secure.imdb.com/password_detect/imdb/73922755903363027203

If you use this password at any other sites, you'll need to change those passwords as well.

Regards,
IMDb User Protection help
http://imdb.com/register/


The link of course, doesn't lead to secure.imdb.com, which if you're sensible and have HTML email turned off, will be immediately obvious to you. Instead, it leads to the loekieschroder.nl domain, and then to the fake meds domain.

Still trying to determine which botnet is responsible for these.

References

Fake meds spam spoofing Microsoft
http://hphosts.blogspot.co.uk/2012/06/fake-meds-spam-spoofing-microsoft.html

Alert: Fake meds spam impersonating Digg
http://hphosts.blogspot.co.uk/2012/06/alert-fake-meds-spam-impersonating-digg.html

Sunday, 10 June 2012

Fake meds spam spoofing Microsoft

Looks like the fake meds gang have started to spoofing Microsoft too. I've received 5 of these bad boys so far, nothing particularly special about them, and they're certainly nowhere near convincing, which in itself is unusual (those impersonating Microsoft previously, whether leading to fake meds or malware, have usually been a lot more convincing than this).

They've included individual URLs so far;

altab.cl/up/load/
rezb.com/up/load/
paprecision.com/up/load/
brafdesign.com/up/load/

But predictably, have only led to one of two domains;

medicinepillsgroup.com
wichimedical.com

Both domains belong to a couple of IPs that are well known for housing fake meds domains, so this is also no surprise. You'd have thought they'd have switched to something a little less predictable by now.

91.205.74.218
IP PTR: 91-205-74-218.arpa.teredo.pl
ASN: 41508 91.205.72.0/22 PL-IWACOM-AS IWACOM Sp. z o.o.

37.230.212.19
IP PTR: Resolution failed
ASN: 2819 37.230.212.0/24 GTSCZ GTS NOVERA (GTS CZ)

The headers for these;

Return-Path: <ticket@enright.ie>
Delivered-To: [REMOVED]
X-Spam-Flag: YES
X-Spam-Score: 11.439
X-Spam-Level: ***********
X-Spam-Status: Yes, score=11.439 tagged_above=-9999 required=1.3
tests=[BAYES_50=0.8, FH_FROMEML_NOTLD=1.082,
FSL_HELO_NON_FQDN_1=0.001, HELO_LOCALHOST=3.828, HTML_MESSAGE=0.001,
MIME_HTML_ONLY=0.723, RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_XBL=0.375,
RDNS_NONE=0.793, SPF_NEUTRAL=0.779, URIBL_WS_SURBL=1.608] autolearn=no
Subject: [SPAM]
Microsoft notification
From:
"Windows Live" <noreplay-live.com>
To: [REMOVED] <[REMOVED]>
List-Unsubscribe: <https://profile.live.com/options/notifications/>
X-HM-NotificationScenario: 33557
X-HM-SenderCID: -1953486829893903145
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8
Message-ID: <BAY0-OMC1-S52gfFwS5PzP9nC0E@bay0-omc1-s52.bay0.hotmail.com>
Date: Sun, 10 Jun 2012 18:13:52 -0700

*********************************************************************************************

Return-Path: <ticket@microj.com>
Delivered-To: [REMOVED]
X-Spam-Flag: YES
X-Spam-Score: 10.143
X-Spam-Level: **********
X-Spam-Status: Yes, score=10.143 tagged_above=-9999 required=1.3
tests=[BAYES_50=0.8, DATE_IN_FUTURE_06_12=1.947, HTML_MESSAGE=0.001,
MIME_HTML_ONLY=0.723, RAZOR2_CF_RANGE_51_100=0.5,
RAZOR2_CF_RANGE_E8_51_100=1.886, RAZOR2_CHECK=0.922, RCVD_IN_PSBL=2.7,
SPF_HELO_PASS=-0.001, SPF_SOFTFAIL=0.665] autolearn=no
Received: from server.elsistech.com (server.elsistech.com [89.107.224.242])
by [REMOVED] (Postfix) with SMTP id 3A1A1398434
for <[REMOVED]>; Sun, 10 Jun 2012 17:14:43 +0100 (BST)
Subject: [SPAM]
Microsoft notification
From:
"Windows Live" <notification@live-windows.com>
To: [REMOVED] <[REMOVED]>
List-Unsubscribe: <https://profile.live.com/options/notifications/>
X-HM-NotificationScenario: 73015
X-HM-SenderCID: -6264914321449266347
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8
Message-ID: <BAY0-OMC1-S213s5SdYLcgyKvuz@bay0-omc1-s21.bay0.hotmail.com>
Date: Sun, 10 Jun 2012 19:11:21 -0700

*********************************************************************************************

Return-Path: <ticket@prohosting.com>
Delivered-To: [REMOVED]
X-Spam-Flag: YES
X-Spam-Score: 10.714
X-Spam-Level: **********
X-Spam-Status: Yes, score=10.714 tagged_above=-9999 required=1.3
tests=[BAYES_50=0.8, DATE_IN_FUTURE_06_12=1.947,
FH_FROMEML_NOTLD=1.082, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723,
RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_BRBL_LASTEXT=1.449,
RCVD_IN_PSBL=2.7, SPF_SOFTFAIL=0.665] autolearn=no
Received: from marvin.uplink.cz (marvin.uplink.cz [93.170.18.39])
by [REMOVED] (Postfix) with SMTP id 1A639398447
for <[REMOVED]>; Sun, 10 Jun 2012 18:27:26 +0100 (BST)
Subject: [SPAM]
Microsoft notification
From:
"Windows Live" <microsoft-notification.com>
To: [REMOVED] <[REMOVED]>
List-Unsubscribe: <https://profile.live.com/options/notifications/>
X-HM-NotificationScenario: 60062
X-HM-SenderCID: -735258105463640151
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8
Message-ID: <BAY0-OMC1-S29r5lxjG2Q0FvEq8@bay0-omc1-s29.bay0.hotmail.com>
Date: Sun, 10 Jun 2012 19:27:29 -0700

*********************************************************************************************

Return-Path: <ticket@classicbasements.ca>
Delivered-To: [REMOVED]
X-Spam-Flag: YES
X-Spam-Score: 10.684
X-Spam-Level: **********
X-Spam-Status: Yes, score=10.684 tagged_above=-9999 required=1.3
tests=[BAYES_50=0.8, FH_FROMEML_NOTLD=1.082, HTML_MESSAGE=0.001,
MIME_HTML_ONLY=0.723, RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_PSBL=2.7,
RCVD_IN_SBL=0.141, TO_NO_BRKTS_HTML_ONLY=1.022, T_SURBL_MULTI1=0.01,
URIBL_JP_SURBL=1.25, URIBL_WS_SURBL=1.608] autolearn=spam
Received: from servicios.qnet.com.pe (servicios.qnet.com.pe [200.31.110.166])
by [REMOVED] (Postfix) with SMTP id CFEFC39843D
for <[REMOVED]>; Sun, 10 Jun 2012 20:45:33 +0100 (BST)
Subject: [SPAM]
Microsoft notification
From:
"Windows Live" <noreplay-microsoft.com>
To: [REMOVED]
List-Unsubscribe: <https://profile.live.com/options/notifications/>
X-HM-NotificationScenario: 06570
X-HM-SenderCID: -9672573908892897013
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8
Message-ID: <BAY0-OMC1-S03zYqSFk5TR8rP9x@bay0-omc1-s03.bay0.hotmail.com>
Date: Sun, 10 Jun 2012 14:52:03 -0700

*********************************************************************************************

Return-Path: <ticket@tatraklubbrno.cz>
Delivered-To: [REMOVED]
X-Spam-Flag: YES
X-Spam-Score: 12.71
X-Spam-Level: ************
X-Spam-Status: Yes, score=12.71 tagged_above=-9999 required=1.3
tests=[BAYES_50=0.8, DATE_IN_FUTURE_06_12=1.947,
FH_FROMEML_NOTLD=1.082, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723,
RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.886,
RAZOR2_CHECK=0.922, RCVD_IN_BRBL_LASTEXT=1.449,
RCVD_IN_SORBS_WEB=0.77, TO_NO_BRKTS_HTML_ONLY=1.022,
URIBL_WS_SURBL=1.608] autolearn=no
Received: from homenet.com.ua (homenet.com.ua [193.151.12.132])
by [REMOVED] (Postfix) with SMTP id B4A0A39843A
for <[REMOVED]>; Sun, 10 Jun 2012 21:55:35 +0100 (BST)
Subject: [SPAM]
Microsoft notification
From:
"Windows Live" <live-notification.com>
To: [REMOVED]
List-Unsubscribe: <https://profile.live.com/options/notifications/>
X-HM-NotificationScenario: 08952
X-HM-SenderCID: -679787259136459798
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8
Message-ID: <BAY0-OMC1-S36D1sIpIxGuwcn78@bay0-omc1-s36.bay0.hotmail.com>
Date: Sun, 10 Jun 2012 23:55:36 -0700

Wednesday, 6 June 2012

hpHosts: Updated 7th June 2012

This is an interim update due to reports indicating some have been having difficulty with the last full file update. The hpHOSTS Hosts file has been updated. There is now a total of 186,474 listed hostsnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Latest Updated: 07/06/2012 01:15
  2. Last Verified: 01/06/2012 02:00/li>
Download hpHosts now!
http://hosts-file.net/?s=Download

ALERT: Using LinkedIn? Change your password asap!

If you're using LinkedIn, you'll want to change your password asap folks. It would seem miscreants have compromised the LinkedIn databases; http://nakedsecurity.sophos.com/2012/06/06/millions-of-linkedin-passwords-reportedly-leaked-take-action-now/

Monday, 4 June 2012

Alert: Fake meds spam impersonating Digg

Not content with fake meds and exploit etc spam impersonating the likes of Facebook, Twitter, Google and countless others, it seems the fake meds gangs have decided to impersonate Digg now too. Quite why is a bit puzzling, but likely "just because they can". If like me, you have email only displayed in plain text, then you'll see what it is and where its taking you, straight away, else the original HTML version of the email is as per the screenshot on the left.

I've had 3 of these so far, all with different URLs in the emails;

hxxp://rodrigomarchena.com/up/load/
hxxp://nlpguides.com/up/load/
hxxp://elite.edu.pk/up/load/

All leading to the same domain, in this case;

dietpilldrugstore.com

Domain Name: DIETPILLDRUGSTORE.COM

Registrant:
    Nikolay Stolbikov
    Nikolay Stolbikov        (tudor@osmail.net)
    ulitsa Marshala Kazakova d.1 k.2 kv.360
    Sankt-Peterburg
    Sankt-Peterburg,198302
    RU
    Tel. +7.8123274547

Creation Date: 23-May-2012
Expiration Date: 23-May-2013

Domain servers in listed order:
    ns1.dietpilldrugstore.com
    ns2.dietpilldrugstore.com

Administrative Contact:
    Nikolay Stolbikov
    Nikolay Stolbikov        (tudor@osmail.net)
    ulitsa Marshala Kazakova d.1 k.2 kv.360
    Sankt-Peterburg
    Sankt-Peterburg,198302
    RU
    Tel. +7.8123274547

Technical Contact:
    Nikolay Stolbikov
    Nikolay Stolbikov        (tudor@osmail.net)
    ulitsa Marshala Kazakova d.1 k.2 kv.360
    Sankt-Peterburg
    Sankt-Peterburg,198302
    RU
    Tel. +7.8123274547

Billing Contact:
    Nikolay Stolbikov
    Nikolay Stolbikov        (tudor@osmail.net)
    ulitsa Marshala Kazakova d.1 k.2 kv.360
    Sankt-Peterburg
    Sankt-Peterburg,198302
    RU
    Tel. +7.8123274547

Status:LOCKED


Spam has only originated from 2 IPs so far (doubt that's all that is involved, more likely more origins will pop up once more of their spam comes in), as usual.

195.54.2.18 - deimos.surnet.ru - 3239 - 3239 195.54.0.0/20 RU-SURNET Uralsvyazinform, Chelyabinsk branch
213.229.102.22 - server.furnitureinfashion.net - 29550 - 29550 213.229.64.0/18 SIMPLYTRANSIT Simply Transit Ltd

Headers:

Return-Path: <confirm@dealerday.it>
Delivered-To: webhostingunleashed_com@it-mate.co.uk
X-Spam-Flag: YES
X-Spam-Score: 10.737
X-Spam-Level: **********
X-Spam-Status: Yes, score=10.737 tagged_above=-9999 required=1.3
    tests=[BAYES_50=0.8, HTML_IMAGE_ONLY_28=1.404, HTML_MESSAGE=0.001,
    MIME_HTML_ONLY=0.723, RCVD_IN_BL_SPAMCOP_NET=1.347,
    RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_SBL=0.141, RCVD_IN_SORBS_WEB=0.77,
    RDNS_NONE=0.793, TO_NO_BRKTS_NORDNS=0.001, URIBL_DBL_SPAM=1.7,
    URIBL_WS_SURBL=1.608] autolearn=spam
Received: from server.furnitureinfashion.net (unknown [213.229.102.22])
    by mail4.emailconfig.com (Postfix) with SMTP id DAE1D39819A
    for <webhostingunleashed_com@it-mate.co.uk>; Mon, 4 Jun 2012 07:57:56 +0100 (BST)
Date: Mon, 4 Jun 2012 07:57:56 -0000
From: "Digg Support" <noreply@e.digg.com>
Message-Id: <4amttet3vqn5sd40eepxtkxnyu0ccw@ebm2.cheetahmail.com>
Mime-Version: 1.0
Subject: [SPAM] Digg Verification
To: webhostingunleashed_com@it-mate.co.uk
Content-Transfer-Encoding: 7bit
Content-Type: text/html; charset=ISO-8859-1


Return-Path: <confirm@dealerday.it>
Delivered-To: webhostingunleashed_com@it-mate.co.uk
X-Spam-Flag: YES
X-Spam-Score: 10.737
X-Spam-Level: **********
X-Spam-Status: Yes, score=10.737 tagged_above=-9999 required=1.3
    tests=[BAYES_50=0.8, HTML_IMAGE_ONLY_28=1.404, HTML_MESSAGE=0.001,
    MIME_HTML_ONLY=0.723, RCVD_IN_BL_SPAMCOP_NET=1.347,
    RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_SBL=0.141, RCVD_IN_SORBS_WEB=0.77,
    RDNS_NONE=0.793, TO_NO_BRKTS_NORDNS=0.001, URIBL_DBL_SPAM=1.7,
    URIBL_WS_SURBL=1.608] autolearn=spam
Received: from server.furnitureinfashion.net (unknown [213.229.102.22])
    by mail4.emailconfig.com (Postfix) with SMTP id DAE1D39819A
    for <webhostingunleashed_com@it-mate.co.uk>; Mon, 4 Jun 2012 07:57:56 +0100 (BST)
Date: Mon, 4 Jun 2012 07:57:56 -0000
From: "Digg Support" <noreply@e.digg.com>
Message-Id: <4amttet3vqn5sd40eepxtkxnyu0ccw@ebm2.cheetahmail.com>
Mime-Version: 1.0
Subject: [SPAM] Digg Verification
To: webhostingunleashed_com@it-mate.co.uk
Content-Transfer-Encoding: 7bit
Content-Type: text/html; charset=ISO-8859-1


Return-Path: <confirm@levinpr.com>
Delivered-To: webhostingunleashed_com@it-mate.co.uk
X-Spam-Flag: YES
X-Spam-Score: 13.216
X-Spam-Level: *************
X-Spam-Status: Yes, score=13.216 tagged_above=-9999 required=1.3
    tests=[BAYES_50=0.8, DATE_IN_FUTURE_12_24=3.199,
    HTML_IMAGE_ONLY_28=1.404, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723,
    RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_PSBL=2.7, RCVD_IN_SBL=0.141,
    RCVD_IN_SORBS_WEB=0.77, SPF_NEUTRAL=0.779, URIBL_JP_SURBL=1.25]
    autolearn=spam
Received: from deimos.surnet.ru (deimos.surnet.ru [195.54.2.18])
    by mail4.emailconfig.com (Postfix) with SMTP id 407A4398199
    for <webhostingunleashed_com@it-mate.co.uk>; Sun, 3 Jun 2012 23:28:18 +0100 (BST)
Date: Mon, 4 Jun 2012 04:28:20 -0700
From: "Digg Support" <noreply@e.digg.com>
Message-Id: <3l2u8vcemcxv0ehidtcn90wj6h8gvt@ebm2.cheetahmail.com>
Mime-Version: 1.0
Subject: [SPAM] Digg Verification
To: webhostingunleashed_com@it-mate.co.uk
Content-Transfer-Encoding: 7bit
Content-Type: text/html; charset=us-ascii


A quick check on the IP the fake meds site resides at, shows around 395 domains that are known to have resided there recently (running a check as I write this, but likely some have already moved elsewhere, indeed a quick glance at the results so far, shows some have moved to 91.238.180.91 for example).

I'll pop a copy of the results on here once the validation has finished, but the list of domains in the meantime;

hospitaltab.be
mywelnessasale.be
myprescriptioncialis.be
viagradietfat.be
mastersdegreerx.be
familymedicineviagra.com
leibypharmacylevitra.com
vikingsnotdead.com
dietpillmed.com
contabhealthcare.com
newpillscare.com
afterword.couponkidrugstore.com
astarte.couponkidrugstore.com
dietpilldrugstore.com
hightramplate.com
cialisviagracounterpunch.com
mypillhealth.com
newpillshealth.com
drugstorewichi.com
healthwichi.com
ecstasyherbal.com
pillshealthmedical.com
prescriptionmental.com
herbalwiailanthoidol.com
medwibiol.com
altruism.familymedicinepharm.com
herbalwiendotoxin.com
herbalviagragroup.com
carepharmgroup.com
healthviagras.com
bataviagracialis.com
buygenericspills.com
arontratablet.com
newherbaltablet.com
digitalmediaset.com
medslevitraleiby.com
eaheuwdufpi.net
xchjha.ru
nokitore.bestmedicinepharma.ru
pesid.ru
bestpharmacyonline.ru
cjzkef.ru
sdhfg.ru
mail.sdhfg.ru
sdhfg.ru
sdfjgh.ru
df8vh.ru
lupp.ru
cvnmr.ru
mail.cvnmr.ru
cvnmr.ru
sdfhgs.ru
glfkgs.ru
medicinerxtablets.ru
ns1.medicinerxtablets.ru
ns2.medicinerxtablets.ru
blkfts.ru
mail.blkfts.ru
blkfts.ru
plew.ru
thow.ru
maimy.ru
mail.maimy.ru
maisqucqe.com
malariameds.com
marijuanaviagra.com
marijuanawelness.com
matiestoup.com
mechanisticmed.com
mechanisticmeds.com
medcockburn.mobi
medcontab.com
medcounterpunch.com
medicalhealthpills.com
medicalmedicinerx.com
medicalpharmhospital.com
medicalpharmpatients.com
medicalphurt.com
medicalpillgroup.com
medicalrxgroup.com
medicalspillshealth.com
medicalviagragroup.com
medicalwelloch.com
medicalwelnessmedicine.com
medicareherbalprescription.com
medicarelisprescription.com
medicaremedsgroup.com
medicarepanel.com
medicarepharmdebt.com
medicarepharmgroup.com
medicarepharmtax.com
medicarepillsdrugstorehealth.net
medicareprescriptiongroup.com
medicareprescriptionrepublican.com
medicarerdebt.com
medicarerxdebt.com
medicarerxtax.com
medicaresupplementtablet.com
medicareviagragroup.com
medicarewelbizness.com
medicarewelloch.com
medicarewelnessdebt.com
medicinecell.com
medicineclinical.com
medicinepatient.com
medicinepharmacygroup.com
medicineprescriptionbiological.mobi
medicinerxdoctor.com
medicinetablet.com
medicinetabpause.com
medicinewelmedical.com
medidajkat.com
mednewpharm.com
medpharmcounterpunch.com
medphurt.com
medpillawakening.com
medpillsbirth.com
medpillsgroup.com
medprescriptiondrugs.com
medprescriptiongroup.com
medscanadahalfmile.com
medsciali.com
medscialisgroup.com
medsdebt.com
medsdiabetes.com
medsdiet.com
medsdieteat.com
medsdietgroup.com
medsdose.com
medsdruggroup.com
medsdrugstoregroup.com
medsfat.com
medsfitness.com
medsgenericsbiol.com
medsgenericssexual.com
medshalfmile.com
medshealthpatients.com
medshealthplan.com
medsignaling.com
medslevitraleiby.com
medsmedicaid.com
medsmedicare.com
medsmedicaregroup.com
medsmedicinegroup.com
medsphysicians.com
medspillsdrugstorewalgreens.net
medsrxhealthcare.net
medtabpause.com
medtabsamsung.com
medwelawakening.com
medwelbizness.com
medwelcounterpunch.com
medwelpatients.com
medwibiol.com
medzimbra.com
megapixelmedicare.com
mejhiphy.com
mentalprescriptionhealth.com
mentalviagrahealth.com
mibojmuzz.com
mihdushy.com
milktrawelness.com
miqwajeaj.com
miscarriagepills.com
mlnpillssale.com
mlnsale.com
mnirecvyp.com
mnokzeiwma.com
mnyejwylas.com
mommeds.com
movietestworld.com
mretitmufu.com
mroirnafyaf.com
muhylrezzo.com
mulixuimo.com
multimediaaid.com
multimediafix.com
myargoivmyt.com
mycanadatablet.com
mycanadaviagra.com
mycarepill.com
mycaretab.com
mycialismeds.com
mydbyjniqn.com
mydietablet.com
myhealthcarerx.com
myhealthmeds.com
myherbaltab.com
myherbaltablet.com
mylevitrapills.com
mymedicalpharmacy.com
mymedicaltablet.com
mymedicaremeds.com
mymedicarepills.com
mymedicarepills.mobi
mymedicareprescription.com
mymedpharm.com
mymedsdrugstore.com
mymedshealth.com
mypharmacydrugstore.com
mypharmacyherbal.com
mypharmacylevitra.com
mypharmcanada.com
mypharmcialis.com
mypharmed.com
mypharmedical.com
mypharmedicare.com
mypharmedicine.com
mypharmhealthcare.com
mypilldrugstore.com
mypillhealthcare.com
mypillmed.com
mypillmedical.com
mypillmedicare.com
mypillsale.com
mypillsdiet.com
mypillsgenerics.com
mypillshealth.com
mypillsmedical.com
myprescriptiongenerics.com
myprescriptionmedicine.com
myrxhealthcare.com
myrxhealthcare.mobi
myrxmedical.com
myrxmedicare.com
mysalepharmacy.com
mysalerx.com
mysaletab.com
mysaletablet.com
mytabdiet.com
mytabdrugstore.com
mytabherbal.com
mytabletdiet.com
mytablethealth.com
mytabletherbal.com
mytabletlevitra.com
mytabletsale.com
mytabmed.com
mytabsale.com
myviagrahealthcare.com
myviagralevitra.com
myviagramedicine.com
myviagrasale.com
mywelnessasale.com
mywelnesscare.com
mywelnessgenerics.com
mywelnesshealthcare.com
mywelnessmed.com
mywelnessmedicare.com
nahrohtyup.com
nakcihrowys.com
nautolqunjo.com
negojanyf.com
neohdijbijl.com
newcanadarx.com
newcanadatablet.com
newcanadaviagra.com
newcialismeds.com
newcialispharmacy.com
newdietrx.com
newhealthprescription.com
newhealthtablet.com
newherbalpharmacy.com
newherbaltab.com
newherbaltablet.com
newlevitrapills.com
newmedicaltablet.com
newmedicarepills.com
newmedpharm.com
newmedpharmacy.com
newmedpills.com
newmedtab.com
newpharmacycare.mobi
newpharmacydrugstore.com
newpharmacymed.com
newpharmacymedicare.com
newpharmacymedicine.com
newpharmdiet.com
newpharmed.com
newpharmedicine.com
newpilldiet.com
newpillevitra.com
newpillherbal.com
newpillmedical.com
newpillmedicare.com
newpillscare.com
newpillscialis.com
newpillshealth.com
newprescriptioncare.com
newprescriptiondrugstore.com
newprescriptiongenerics.com
newprescriptionhealth.com
newprescriptionlevitra.com
newprescriptionmedicine.com
newrxgenerics.com
newrxhealth.com
newrxmedical.com
newrxmedicine.com
newsaletablet.com
newtabcare.com
newtabdiet.com
newtabletcare.com
newtabletdrugstore.com
newtablethealthcare.com
newtabmed.com
newviagracanada.com
newviagradrugstore.com
newviagraherbal.com
newviagramedicare.com
newviagramedicine.com
newviagrasale.com
newwelnessmedicine.com
newwikimed.com
nigliopl.com
nilonsauk.com
nookdrugstoretablets.net
nookdrugtorehealthtablets.com
nookhealthmedstablets.net
nookpillstablets.net
nooktabletsrx.com
nooktoremedstablets.net
nooktoretabletsrx.net
nrekzedja.net
nrydwetovu.com
nursingwikihealth.com
nutritionviagra.com
nyadpill.com
nyctyckap.com
octybtuph.net
odiojbuafa.com
ogsoslezyks.com
ogtaekluc.com
ohloustyd.com
ohmachoufa.com
oivisbilja.com
olwesfocka.com
ommadrugstorepharmacy.com
ommahealthtablets.net
ommapharmacyrx.net
onevoicevitrawelness.com
onkulbyns.com
onogpyddie.com
optimuspharmacy.com
opylpuzry.net
oqulhisfa.com
oqwyucsawhy.com
oraipnuac.com
ordykodad.com
otrowqusu.com
ottawacanadapharm.com
ovuljedumvi.com
oypoyvhesdau.com
ozfiokaxmy.com
painpillstablets.com
pakistancialis.com
pakistanicialis.com
pakistanlismeds.com
pakistanlispharmacy.com
pakistanlnesscialis.com
patientpillmedicine.com
patientrxmedical.com
patientsarmedicine.com
patientscarepharmacy.com
patientsdrugsmedicine.com
patientselnessmedical.com
patientshealthpill.com
patientshealthtablet.com
patientskimedicine.com
patientslnessmedical.com
patientslnessmedicine.com
patientsmedicinepharm.com
patientspharmacymedicine.com
patientspillcare.com
patientspillmedicare.mobi
patientspillmedicine.com
patientspillsmedicine.com
patientsprescriptionmedical.com
patientstabhealthcare.com
patientstablethealthcare.com
patientstabmedicine.com
patientsviagracare.com
patientswelnessmedicine.com
patientsxmedicine.com
pausecanada.com
pausehealthcaretab.com
pausetabgenerics.com
pausetabmed.com
pausetratab.com
pcipharm.com
pctpills.com
pcttab.com
pctviagrasale.mobi
petraeuselnesscialis.com
pharhospital.com
pharmacyawakening.com
pharmacycarepatients.com
pharmacycialisprescription.com
pharmacycifrazier.com
pharmacydebt.com
pharmacydrugstorefda.com
pharmacyfitnessrx.com
pharmacyfood.com
pharmacyhealthcarepatients.com