Blog for hpHosts, and whatever else I feel like writing about ....

Sunday 16 February 2014

Misleading: Bandoo wants a go!

Got a notification about a new version of the Android x86 distro earlier and finally had a few minutes to go take a look. Going to the download page, my eyes were drawn immediately to this piece of naughtiness from Bandoo;


Not that surprised given Bandoo's history, but to my recollection, this is the first time I've seen one for them in the last 6-12 months or so.

The offending URLs in this case, for those interested;

http://ads.yahoo.com/clk?3,eJydTl2PgjAQ.DW8KaG0IIbcQznEeAdGE--MvFUopVhaA.Xrfv3Vw5j4epPN7mSzM7MAhn6BwKQsJ06JpqB0vBAgBIsq8CvqjJwwDF04hZ6HAg-MYHLVOE3TOYtuUh4ifEdq77.XeADDM4wXA18F9x7N55fL52VYoUxsBvau89bB.0esvqLZg5s848.iADeujVazdfQ8m380WVz8ZO1SpJsDXG53OtskIruBOm8Tnm7XMG8w2rULL48P1-X6qXwbjWqtjxbElpuY0kS4Wml0olLwoITiWO-bc9cJF06KivZjMu65NlMdqexVwYmwmVJM0FNPu0JJTaW2C9UaL0ZKRnVvGK86CyanTlgwfomrVa-5ZDZrVXkStH8oOXuRV1xQM4DjewHwTfcRcBwwQRCgwZ201L62wnL9-wuES2oCY.MK7Y4d743aP3N6MbuCyDMxpr4gkv3d.AL4BKVg,
http://cnct.tlvmedia.com/ckl.php?s=1&c=3FxtALLLGgBynnkBAAAAAL.bVQAAAAAAAgAEAAIAAAAAAP8AAAABGGwwKwAAAAAA4MlTAAAAAACtZm0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADoUBEAAAAAAAIAAwAAgD8AwSD5PEQBAAAAAAAAAGQ3MTBjMTM0LTk3NWYtMTFlMy1iZDEzLWZmZjliYzdiMDlhNQAAAAAAAAA=,eJxLjfIqKg1yzMqNCA1Lj0j0z.ZwqYqILPK0TEwuy6.wiDBJ19UFAPDEDJk=&t=50164&d=2326173&hp=subid&r=http%3A%2F%2Flp.jzip.com%2F%3Flpid%3D1687%26appid%3D170
http://lp.jzip.com/?lpid=1687&appid=170&subid=CN_A100601175459816722
http://download.jzip.com/jZipSetup.exe

Ad image: http://content.yieldmanager.edgesuite.net/atoms/d7/e2/5a/92/d7e25a92fa4b89c1814c7484c668020b.gif
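The chain above can be reconstructed without clicking anything: the tlvmedia click URL carries its destination in the r= parameter, percent-encoded. The following is an added example (my code, not anything from the post or from the ad networks involved) that pulls embedded targets out of a tracker URL by parsing alone. The two URLs in it are the post's, with the opaque blobs shortened; the list of parameter names redirectors usually use is an assumption, and any query value that is itself an http(s) URL is returned regardless.

```python
from urllib.parse import urlsplit, parse_qs

# The tlvmedia click URL from the post, with the opaque c= blob shortened to keep the
# line readable (assumption: the blob carries no URL, as is the case on the page).
TLVMEDIA_CLICK = ("http://cnct.tlvmedia.com/ckl.php?s=1&c=3FxtALLLGgBynnkB...&t=50164"
                  "&d=2326173&hp=subid&r=http%3A%2F%2Flp.jzip.com%2F%3Flpid%3D1687%26appid%3D170")
# The Yahoo click URL carries only an opaque blob with no key=value pairs, as on the page.
YAHOO_CLICK = "http://ads.yahoo.com/clk?3,eJydTl2PgjAQ..."

# Parameter names redirectors commonly use for the destination (assumption); these are
# preferred, but any query value that is an http(s) URL is reported.
REDIRECT_PARAMS = {"r", "u", "url", "redirect", "redir", "dest", "destination",
                   "target", "goto", "link", "to"}


def embedded_urls(url):
    """URLs carried inside a tracker/redirector's query string, found by parsing only
    (no request is made). parse_qs percent-decodes the values for us."""
    query = parse_qs(urlsplit(url).query)
    hits = []
    for key, values in query.items():
        for value in values:
            if value.lower().startswith(("http://", "https://")):
                hits.append((key.lower() not in REDIRECT_PARAMS, key, value))
    hits.sort(key=lambda h: h[0])          # known redirect params first, otherwise keep order
    return [value for _, _, value in hits]


def landing_chain(start, max_hops=10):
    """Hosts visited if each embedded target is followed in turn; stops at the first
    URL that embeds nothing (an opaque tracker, or the landing page itself)."""
    hosts, url = [], start
    while url and len(hosts) < max_hops:
        hosts.append(urlsplit(url).hostname)
        nxt = embedded_urls(url)
        url = nxt[0] if nxt else None
    return hosts


if __name__ == "__main__":
    print(landing_chain(YAHOO_CLICK))      # opaque: stops at ads.yahoo.com
    print(landing_chain(TLVMEDIA_CLICK))   # cnct.tlvmedia.com -> lp.jzip.com
```

The Yahoo hop is opaque and can only be resolved by requesting it, which is why the post records it from a live click. The tracker's hp=subid parameter, together with the subid=CN_... that appears on the landing URL recorded above, suggests tlvmedia appends its own tracking tag on the way through, so the parsed target is the landing page minus that tag.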


If you're so inclined, you'll be wanting to blackhole;

94.31.0.0/24

Hostnames:

22search.bearshare.com
22search.imesh.com
adoresearch.com
amusingcool.com
amusingfunny.com
amusingwink.com
amusingwow.com
animationbest.com
animationfaces.com
animationfine.com
animationfresh.com
animation-jet.com
animationsbest.com
animationsgoodness.com
animations-hip.com
animationssmile.com
animationsworth.com
animationtop.com
app1.imesh.com
avatarscool.com
avatarsfun.com
avatarsplay.com
awesemoticons.com
awesome-emoticons.com
banddo.com
bandoo.com
bandoo11.com
bandoo12.com
bandoo13.com
bandoo14.com
bandoo15.com
bandoo16.com
bandoo17.com
bandoo18.com
bandoo19.com
bandoo2.com
bandoo20.com
bandoo3.com
bandoo8.com
bandoobe.com
bandooinvite.com
bandooo.com
banner.bearflix.com
banners.ilivid.com
bar.bearshare.com
bar.fantastigames.com
bar.imesh.com
bar.jzip.com
bar.lphant.com
bar.searchqu.com
bar.shareazaweb.com
bearflix.com
bearshare.com
bearshare.net
bearshare.org
bestamusing.com
bestcomical.com
best-emoticons.com
blog.bearshare.com
blog.imesh.com
blog.koyotesoft.com
blogdynprod.bearshare.com
blogdynprod.imesh.com
box.imesh.com
bullvid.com
captainemoticons.com
captainwinks.com
cartoonboss.com
cartoonbosses.com
cartooncaptains.com
cartoonchief.com
cartoonpalaces.com
cartoonschief.com
cartoonsfactory.com
cartoonslord.com
cartoonswizard.com
cddb.bearshare.com
cddb.imesh.com
cddb.lphant.com
cddb.shareazaweb.com
cearch.bearshare.com
cearch.imesh.com
centralcartoons.com
centralemoticons.com
checkmsi.com
checkrealtime.com
chiefsmilies.com
chiefwinks.com
comicalbest.com
comicalemoticon.com
comicalfaces.com
comicalfine.com
comicaltop.com
comicalwink.com
connectionmsi.com
connectionrealtime.com
connectiontraffic.com
content.bandoo.com
coolamusing.com
coolemoticon.com
coolworth.com
cute-emoticons.com
de.bearshare.com
directoryrealtime.com
disco1.bearshare.com
disco1.imesh.com
disco2.bearshare.com
disco2.imesh.com
disco3.bearshare.com
disco3.imesh.com
disco4.bearshare.com
disco4.imesh.com
disco5.bearshare.com
disco5.imesh.com
dj.djboxservice.com
dm.mlstat.com
download.bandoo.com
download.bandooo.com
download.bearflix.com
download.bearshare.com
download.bullvid.com
download.cdn.koyotelab.net
download.cdn4.bearshare.com
download.downloadquick.net
download.downloadsetup.net
download.expressdownload.net
download.facewinks.com
download.free-video-downloader.net
download.ftalk.com
download.fuzezip.com
download.ilivid.com
download.imesh.com
download.inmind.com
download.jzip.com
download.kingtranslate.com
download.koyotesoft.com
download.linkeyproject.com
download.lphant.com
download.savevid.com
download.shareazaweb.com
download.sharelive.net
download.windows8startbutton.com
download-free-video.com
downloadquick.net
downloads.ilivid.com
downloadsetup.net
eee.bearshare.com
email.imesh.com
emoticonbest.com
emoticonboss.com
emoticoncentral.com
emoticonchief.com
emoticonchiefs.com
emoticoncool.com
emoticonfunny.com
emoticongreat.com
emoticonmaster.com
emoticonmasters.com
emoticonsace.com
emoticons-amazing.com
emoticonsbest.com
emoticonscool.com
emoticonsfaces.com
emoticonsgreat.com
emoticonsopen.com
emoticonspace.com
emoticons-pad.com
emoticonssmile.com
emoticonstop.com
emoticonsuniverse.com
emoticonsunreal.com
emoticonsweet.com
emoticonswizard.com
emoticonsworth.com
emoticontop.com
emoticonwizard.com
emoticonwizards.com
emoticonwow.com
emotikons-pc.com
emotikonster.com
emotikons-town.com
emotikonz.com
es.bearshare.com
es.lphant.com
excellentanimation.com
excellentemoticons.com
excellentwow.com
expressdownload.net
extensions.ftalk.com
extensions.ftalkconnect.com
extensions.ftalking.com
extremesmiley.com
facebook.comsearch.imesh.com
facesanimations.com
facesbest.com
facesfresh.com
facessmile.com
facessweet.com
facesworth.com
facewinks.com
facez-direct.com
facez-house.com
facez-log.com
facez-pc.com
facez-rocket.com
facez-topia.com
facez-toyou.com
facezunique.com
facez-volt.com
fantasticavatars.com
fantasticemoticon.com
fantasticemoticons.com
fantasticsmiley.com
fantasticsmileys.com
fantasticwink.com
fantasticwinks.com
fantastigames.com
featurebest.com
featurecool.com
featureemoticon.com
featureemoticons.com
featuregreat.com
featuresuper.com
featurewink.com
featurewinks.com
featurewow.com
ffupdate.bearshare.com
ffupdate.bullvid.com
ffupdate.cdn.bandoobe.com
ffupdate.cdn.bn-update-download.com
ffupdate.cdn.imeshbe.com
ffupdate.cdn.koyotebe.com
ffupdate.ftalk.com
ffupdate.fuzezip.com
ffupdate.ilivid.com
ffupdate.imesh.com
ffupdate.jzip.com
ffupdate.kingtranslate.com
ffupdate.koyotesoft.com
ffupdate.lphant.com
ffupdate.savevid.com
ffupdate.shareazaweb.com
fineemoticon.com
fineemoticons.com
finesmileys.com
finesweet.com
finewinks.com
flashgreat.com
flashunreal.com
flixbanner.bearshare.com
flixbanner.shareazaweb.com
forums.imesh.com
forums.shareaza.com
fr.bearshare.com
freemail.imesh.com
free-music.imesh.com
free-video-downloader.net
freshamusing.com
freshanimations.com
freshcomical.com
freshemoticon.com
freshfeature.com
freshsmileys.com
ftalk.com
ftalkchatting.com
ftalkconnect.com
ftalkfb.com
ftalkvideochat.com
fularo.com
funaces.com
funemoticon.com
fun-emoticons.com
funnyfeature.com
funnyfine.com
funnysweet.com
funpalaces.com
fuzezip.com
g.bearshare.com
g.imesh.com
getanimations.com
gimesh.com
go.imesh.com
goo.imesh.com
goodnessemoticons.com
goodnessfeature.com
goodnesstop.com
goodnesswink.com
goodnesswinks.com
goog.imesh.com
googl.imesh.com
google.bearflix.com
google.bearshare.com
google.com.bearshare.com
google.imesh.com
goolrarch.imesh.com
greatcomical.com
greatemoticon.com
greatemoticons.com
great-emoticons.com
greatwink.com
gwww.bearshare.com
help.bearshare.com
help.lphant.com
home.jzip.com
httpswww.bearshare.com
httpwww.bearshare.com
httwww.bearshare.com
htwww.bearshare.com
hwww.bearshare.com
icon-special.com
iconz-touch.com
i-facez.com
i-icons.com
i-icons-blast.com
i-iconsteel.com
i-iconz.com
ikons-century.com
ikons-specials.com
ilivid.com
images.ilivid.com
imageupload.bearshare.com
imageupload.imesh.com
imageupload.lphant.com
imageupload.shareazaweb.com
imap.imesh.com
imesh.com
imesh.net
imeshbe.com
inmind.com
internetmsi.com
ip.ilivid.com
ip.imesh.com
isatap.imesh.com
isearch.fantastigames.com
it.bearshare.com
jzip.com
kingtranslate.com
koyotebe.com
koyotelab.net
koyotesoft.com
lb.bearshare.com
limewire.bearshare.com
linkeyproject.com
listmsi.com
listrealtime.com
lp.bearshare.com
lp.bullvid.com
lp.downloadquick.net
lp.downloadsetup.net
lp.expressdownload.net
lp.free-video-downloader.net
lp.ftalk.com
lp.fuzezip.com
lp.ilivid.com
lp.imesh.com
lp.jzip.com
lp.kingtranslate.com
lp.koyotelab.net
lp.koyotesoft.com
lp.lphant.com
lp.shareazaweb.com
lp.sharelive.net
lphant.com
lphant.net
m.bearshare.com
mail1.bearshare.com
mail2.bearshare.com
mail3.bearshare.com
mail4.bearshare.com
masteremoticons.com
mastersmilies.com
me.bearshare.com
mediabar.bearshare.com
mediabar.imesh.com
mlstat.com
mp3.bearshare.com
msicheck.com
msiconnection.com
ms-iconz.com
msidirectory.com
msirealtime.com
msitraffic.com
music.bearshare.com
musiclab.co.il
musiclab-llc.com
mx.imesh.com
niceamusing.com
niceanimations.com
niceemoticon.com
nicesmileys.com
niceworth.com
nl.bearshare.com
openavatars.com
openemoticon.com
openemoticons.com
opensmileys.com
people-roulette.com
pics.bearshare.com
pics.imesh.com
pics.shareazaweb.com
pl.bearshare.com
playavatars.com
playemoticons.com
playsmiley.com
playsmileys.com
playwinks.com
plentyofavatars.com
plentyofemoticons.com
plentyofsmileys.com
pointemoticon.com
pointemoticons.com
pop.imesh.com
pop3.imesh.com
preved.bandoobe.com
preved.checkmsi.com
preved.checkrealtime.com
preved.connectionmsi.com
preved.connectionrealtime.com
preved.connectiontraffic.com
preved.directorymsi.com
preved.directoryrealtime.com
preved.imeshbe.com
preved.internetmsi.com
preved.koyotebe.com
preved.listmsi.com
preved.listrealtime.com
preved.mmp.imesh.com
preved.msicheck.com
preved.msiconnection.com
preved.msidirectory.com
preved.msirealtime.com
preved.msitraffic.com
preved.programinternet.com
preved.programmsi.com
preved.programrealtime.com
preved.realtimedirectory.com
preved.realtimemsi.com
preved.realtimeprogram.com
preved.systemmsi.com
preved.systemrealtime.com
preved.trafficmsi.com
primesmilies.com
primewinks.com
program.ilivid.com
programinternet.com
programmsi.com
programrealtime.com
providers.ilivid.com
pt.bearshare.com
realemoticons.com
realtimedirectory.com
realtimemsi.com
realtimeprogram.com
relay.imesh.com
search.bearflix.com
search.bearshare.com
search.bearshare.net
search.fantastigames.com
search.ilivid.com
search.imesh.com
search.imesh.net
search.jzip.com
search.lphant.com
search.lphant.net
search.mlstat.com
search.searchqu.com
search.shareazaweb.com
search.shareazaweb.net
searchnu.com
searchqu.com
searchsheet.com
secure.imesh.com
secure.lphant.com
secure.shareazaweb.com
secured.bearshare.com
service.bandoobe.com
service.checkmsi.com
service.checkrealtime.com
service.connectionmsi.com
service.connectionrealtime.com
service.connectiontraffic.com
service.directorymsi.com
service.directoryrealtime.com
service.imeshbe.com
service.internetmsi.com
service.koyotebe.com
service.listmsi.com
service.listrealtime.com
service.msicheck.com
service.msiconnection.com
service.msidirectory.com
service.msirealtime.com
service.msitraffic.com
service.programinternet.com
service.programmsi.com
service.programrealtime.com
service.realtimedirectory.com
service.realtimemsi.com
service.realtimeprogram.com
service.systemmsi.com
service.systemrealtime.com
service.trafficmsi.com
shareaza.com
shareazaweb.com
sharelive.net
smileanimations.com
smilecomical.com
smilewinks.com
smileygreat.com
smileyopen.com
smileypalace.com
smileysbest.com
smileyscool.com
smileysfeature.com
smileysfine.com
smileysgreat.com
smileysopen.com
smileysplay.com
smileyssweet.com
smileystop.com
smileysunreal.com
smileyswink.com
smileysworth.com
smileyunreal.com
smileywizard.com
smiliesace.com
smiliesfactory.com
smiliesmaster.com
smiliespoint.com
smiliesspot.com
smiliesuniverse.com
smtp.imesh.com
smtp1.bearshare.com
smtp2.bearshare.com
smtp3.bearshare.com
smtp4.bearshare.com
songs.bearshare.com
special-icons.com
spicyemoticons.com
spicywinks.com
startpage.comsearch.imesh.com
stats2.ilivid.com
supercomical.com
superemoticon.com
superlaughable.com
superwinks.com
sweetcomical.com
sweetemoticon.com
sweetexcellent.com
sweetfeature.com
sweetfunny.com
symbol-special.com
systemmsi.com
systemrealtime.com
t.imesh.com
topamusing.com
topemoticon.com
top-emoticons.com
totalanimations.com
tr.bearshare.com
tra.imesh.com
trafficmsi.com
tran.imesh.com
tranl.imesh.com
tranla.imesh.com
tranlat.imesh.com
tranlate.imesh.com
triggers.wp.bandoo.com
u00252fwww.imesh.com
ultimatefeature.com
ultimatesweet.com
ultimatewink.com
unique-facez.com
unrealavatars.com
unrealemoticons.com
unrealsmiley.com
unrealwink.com
unrealwinks.com
update.bearshare.com
update.jzip.com
update.shareaza.com
w.ilivid.com
wa.bearshare.com
wa.imesh.com
wa.lphant.com
wa.shareazaweb.com
wiki.shareaza.com
windows8startbutton.com
winkaces.com
winkboss.com
winkchief.com
winkcomical.com
winkcool.com
winkextreme.com
winkfeature.com
winkfine.com
winkfree.com
winkfresh.com
winkopen.com
winkpalace.com
winkpalaces.com
winkplaces.com
winkpoint.com
winksace.com
winksbest.com
winksboss.com
winkscaptain.com
winkscetral.com
winkscomical.com
winkscool.com
winksextreme.com
winksfeature.com
winksfine.com
winksfresh.com
winksfun.com
winksgreat.com
winkslaughable.com
winksmaster.com
winksopen.com
winkspalace.com
winksplay.com
winkssmile.com
winksspace.com
winksspot.com
winkssweet.com
winkstop.com
winks-top.com
winksuniverse.com
winksunreal.com
winksweet.com
winkswizard.com
winkultimate.com
winkuniverse.com
winkunreal.com
winkwizards.com
wizardemoticons.com
wizardsmilies.com
worthanimation.com
worthanimations.com
worthbest.com
worthcool.com
worthemoticon.com
worthemoticons.com
worthfaces.com
worthfeature.com
worthfresh.com
worthgreat.com
worthsmile.com
worthsmileys.com
worthsweet.com
worthwinks.com
wowamusing.com
wowanimations.com
wowemoticon.com
wowemoticons.com
wowgoodness.com
wowsmileys.com
wowwinks.com
wp.bandoo.com
ww.bearshare.com
ww.ilivid.com
ww.imesh.com
ww1.imesh.com
www.adoresearch.com
www.bandoo.com
www.bearshare.com
www.bearshare.net
www.bullvid.com
www.earch.imesh.com
www.flv.comwww.ilivid.com
www.flv.cowww.ilivid.com
www.flv.cwww.ilivid.com
www.flvwww.ilivid.com
www.flwww.ilivid.com
www.ftalk.com
www.fwww.ilivid.com
www.ilivid.com
www.imesh.com
www.imesh.net
www.kingtranslate.com
www.koyotelab.net
www.koyotesoft.com
www.lphant.com
www.m.imesh.com
www.mlstat.com
www.searchnu.com
www.searchqu.com
www.searchsheet.com
www.shareaza.com
www.shareazaweb.com
www.sharelive.net
wwww.bearshare.com
wwww.ilivid.com
wwww.imesh.com
wwwww.ilivid.com
wwwwww.ilivid.com
xn--ch-p0ca8000g8k2g.bearshare.com
xn--ch-qed879d7q4n2x8c.bearshare.com
yluviwww.imesh.com
yluvizrealwww.imesh.com
yluvizreawww.imesh.com
yluvizrewww.imesh.com
yluvizrwww.imesh.com
yluvizwww.imesh.com
yluvwww.imesh.com
yluwww.imesh.com
ylwww.imesh.com
ywww.imesh.com
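Two practical points about "blackholing" the above: a HOSTS file matches exact names only (no wildcards), which is why every observed subdomain has to be listed, and it cannot express an IP range at all, so 94.31.0.0/24 needs a firewall or null-route rule rather than a HOSTS entry. The following is an added example (my code, not hpHosts' own tooling) that turns a list like the one above into HOSTS lines, collapses it to registrable domains for blockers that do support wildcards, and checks an address against the blackholed range. The hostnames in it are a handful copied from the list; the tiny MULTI_PART_SUFFIXES set is an assumption standing in for the Public Suffix List.

```python
import ipaddress
import re

# A few hostnames copied from the list above, including a repeated entry and a name
# on a two-part public suffix (musiclab.co.il); the real list is far longer.
HOSTNAMES = """
bandoo.com
download.jzip.com
lp.jzip.com
jzip.com
jzip.com
22search.imesh.com
facebook.comsearch.imesh.com
musiclab.co.il
xn--ch-p0ca8000g8k2g.bearshare.com
"""

# The range the post says to blackhole. A HOSTS file cannot express it; it needs a
# firewall or null-route rule, so it is handled separately from the hostnames.
BLACKHOLE_NETS = [ipaddress.ip_network("94.31.0.0/24")]

# Assumption: a tiny stand-in for the Public Suffix List, enough for this list.
MULTI_PART_SUFFIXES = {"co.uk", "org.uk", "co.il"}

LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name):
    """Syntactic check on a lowercased name: <=253 chars, labels of [a-z0-9-] up to 63
    chars that do not start or end with '-'. Punycode 'xn--' labels are plain ASCII."""
    return 0 < len(name) <= 253 and all(LABEL.match(lbl) for lbl in name.split("."))


def hosts_entries(raw, sink="127.0.0.1"):
    """HOSTS-file lines: lowercase, de-duplicated, order preserved, one exact name per
    line. Returns (lines, rejected) so malformed input never silently disappears."""
    seen, lines, rejected = set(), [], []
    for line in raw.splitlines():
        name = line.strip().lower()
        if not name or name.startswith("#"):
            continue
        if not valid_hostname(name):
            rejected.append(name)
            continue
        if name in seen:
            continue
        seen.add(name)
        lines.append(f"{sink} {name}")
    return lines, rejected


def registrable_domain(name):
    """Collapse a hostname to its registrable domain, for blockers that support
    wildcards (DNS RPZ and the like), honouring the two-part suffixes above."""
    labels = name.lower().split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_PART_SUFFIXES else 2
    return ".".join(labels[-n:])


def domain_summary(raw):
    """Sorted set of registrable domains covering every name in the list."""
    return sorted({registrable_domain(l.strip()) for l in raw.splitlines() if l.strip()})


def in_blackhole(ip):
    """True if the address falls inside a blackholed range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLACKHOLE_NETS)


if __name__ == "__main__":
    lines, bad = hosts_entries(HOSTNAMES)
    print("\n".join(lines))
    print("# rejected:", bad)
    print("# domains:", domain_summary(HOSTNAMES))
    print("# 94.31.0.200 blackholed:", in_blackhole("94.31.0.200"))
```

127.0.0.1 is the traditional sink; 0.0.0.0 avoids the local connection attempt on systems that have something listening on the loopback port. Entries such as facebook.comsearch.imesh.com are syntactically valid names (wildcard DNS under imesh.com answers for them), so they are kept, and the domain summary shows that a wildcard-capable blocker covers the whole list with a few dozen domains.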

Spyware Sucks: Dear Google and Microsoft

This alert appeared in Google Chrome today. I have no idea why. Dear Google: how am I meant to know if this is a “real” Skype extension? There’s no information about the provider/developer on that screen and if I close the dialogue because I don’t want to install something unexpected unless I know it is legit I lose the opportunity to install (there’s nothing in the Extensions window – even disabled – and the prompt to enable disappears from the Customize dropdown).


Read more http://msmvps.com/blogs/spywaresucks/archive/2014/02/15/1985636.aspx

Updated: Spambot Search Tool

My apologies for the length of time this has taken, I'm afraid I quite simply forgot about it.

v0.55
Updates:

* Fixed a couple of typos
* Corrected errors in function calls (due() in check_spammers_plain.php should have been die() and "IsvalidIP()" call should have been "IsValidIP()")

You can download the update at the usual places;

http://support.it-mate.co.uk/?mode=Products&act=DL&p=spambotsearchtool&g=check_spammers.zip
http://www.montanamenagerie.org/hostsfile/downloads/check_spammers.zip
http://issviews.com/hphosts/downloads/check_spammers.zip
http://downloads.mysteryfcm.co.uk/?f=Spambot_Search_Tool
http://fspamlist.com/checkspammers/check_spammers.zip

You'll probably notice its icon is still the hpHosts icon; this will obviously be changing. I'm planning a competition to have a new one designed, more on that later.

Friday 7 February 2014

Alert: Fake Evernote malspam leading to Angler EK

Received 78 of these little chaps so far, all leading to a compromised site that then leads to two others, which finally leads to the EK itself.

Offending URLs so far:

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 09:36:34
--------------------------------------------

Link: hxxp://cluster014.ovh.net/~planetexh/1.html
    Domain: cluster014.ovh.net
    IP: 213.186.33.87 [ cluster014.ovh.net ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 09:49:05
--------------------------------------------

Link: hxxp://keyways.pt/~keyways/1.html
    Domain: keyways.pt
    IP: 94.23.79.17 [ cluster006.ovh.net ]

--------------------------------------------
E-mail subject: [SPAM] Image has been sent <[REMOVED]>
Received: 07/02/2014 09:46:10
--------------------------------------------

Link: hxxp://www.lccl.org.uk/1.html
    Domain: www.lccl.org.uk
    IP: 67.231.249.62 [ s62.EXCALIBURHOST.COM ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 09:52:18
--------------------------------------------

Link: hxxp://www.neweraftp.com/1.html
    Domain: www.neweraftp.com
    IP: 184.154.233.8 [ ns1.siteground282.com ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 10:03:28
--------------------------------------------

Link: hxxp://cs2-dallas.accountservergroup.com/~atfxsyst/1.html
    Domain: cs2-dallas.accountservergroup.com
    IP: 50.23.239.111 [ cs2-dallas.accountservergroup.com ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 10:16:31
--------------------------------------------

Link: hxxp://j2m-communication.com/~jmcommun/1.html
    Domain: j2m-communication.com
    IP: 213.186.33.40 [ cluster011.ovh.net ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 10:23:27
--------------------------------------------

Link: hxxp://nt-associates.com/1.html
    Domain: nt-associates.com
    IP: 213.171.218.52 [ server213-171-218-52.livedns.org.uk ]

--------------------------------------------
E-mail subject: [SPAM] Image has been sent <[REMOVED]>
Received: 07/02/2014 10:29:36
--------------------------------------------

Link: hxxp://yourdoompoker.com/1.html
    Domain: yourdoompoker.com
    IP: 50.87.172.214 [ 50-87-172-214.unifiedlayer.com ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 10:31:05
--------------------------------------------

Link: hxxp://intaii.com/1.html
    Domain: intaii.com
    IP: 217.76.130.169 [ sirio.servidoresdns.net ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 10:37:27
--------------------------------------------

Link: hxxp://per-nunker.dk/1.html
    Domain: per-nunker.dk
    IP: 94.231.108.60 [ web20.123hotel.dk ]

--------------------------------------------
E-mail subject: [SPAM] Image has been sent <[REMOVED]>
Received: 07/02/2014 10:45:54
--------------------------------------------

Link: hxxp://d1054130-28095.cp.blacknight.com/1.html
    Domain: d1054130-28095.cp.blacknight.com
    IP: 78.153.216.42 [ PEMLINWEB133.blacknight.com ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 10:52:08
--------------------------------------------

Link: hxxp://portraitphotographygroup.com/~lorijill/1.html
    Domain: portraitphotographygroup.com
    IP: 192.185.46.31 [ Resolution failed ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 10:51:52
--------------------------------------------

Link: hxxp://nestorconsulting.net/1.html
    Domain: nestorconsulting.net
    IP: 74.50.25.155 [ chaos.lunarbreeze.com ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 11:01:17
--------------------------------------------

Link: hxxp://cluster014.ovh.net/~planetexh/1.html
    Domain: cluster014.ovh.net
    IP: 213.186.33.87 [ cluster014.ovh.net ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 11:21:14
--------------------------------------------

Link: hxxp://91.99.102.154/1.html
    Domain: 91.99.102.154
    IP: 91.99.102.154 [ 91.99.102.154.parsonline.net ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 11:30:40
--------------------------------------------

Link: hxxp://mylabsrl.com/1.html
    Domain: mylabsrl.com
    IP: 46.28.6.113 [ Resolution failed ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 11:37:54
--------------------------------------------

Link: hxxp://taroniehaus.com/1.html
    Domain: taroniehaus.com
    IP: 81.94.203.180 [ plesk-xen01.jannar.host4africa.com ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 11:44:33
--------------------------------------------

Link: hxxp://d1054130-28095.cp.blacknight.com/1.html
    Domain: d1054130-28095.cp.blacknight.com
    IP: 78.153.216.42 [ PEMLINWEB133.blacknight.com ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 12:06:18
--------------------------------------------

Link: hxxp://ozzysixsixsix.web.fc2.com/1.html
    Domain: ozzysixsixsix.web.fc2.com
    IP: 208.71.106.61 [ hps13.fc2.com ]

--------------------------------------------
E-mail subject: [SPAM] Image has been sent <burn[REMOVED]>,    <[REMOVED]>,    <[REMOVED]>,    <[REMOVED]>,    <burn[REMOVED]>,    <[REMOVED]>,    <[REMOVED]>,    <[REMOVED]>,    <julielevy@it-mate.c
Received: 07/02/2014 12:06:16
--------------------------------------------

Link: hxxp://vostel.info/1.html
    Domain: vostel.info
    IP: 212.1.210.225 [ srv210-225.hosting24.com ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 12:49:02
--------------------------------------------

Link: hxxp://ejconstruction.net/~ejconstr/1.html
    Domain: ejconstruction.net
    IP: 213.186.33.17 [ cluster006.ovh.net ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>,    <[REMOVED]>
Received: 07/02/2014 12:41:56
--------------------------------------------

Link: hxxp://alisat.biz/1.html
    Domain: alisat.biz
    IP: 211.43.212.39 [ linux39.gabia.com ]

--------------------------------------------
E-mail subject: [SPAM] Image has been sent <[REMOVED]>
Received: 07/02/2014 12:35:02
--------------------------------------------

Link: hxxp://109-204-26-16.netconnexion.managedbroadband.co.uk/1.html
    Domain: 109-204-26-16.netconnexion.managedbroadband.co.uk
    IP: 109.204.26.16 [ 109-204-26-16.netconnexion.managedbroadband.co.uk ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 12:45:14
--------------------------------------------

Link: hxxp://zu-yuan.com/1.html
    Domain: zu-yuan.com
    IP: 202.190.181.149 [ Resolution failed ]

--------------------------------------------
E-mail subject: [SPAM] Image has been sent <[REMOVED]>
Received: 07/02/2014 13:15:45
--------------------------------------------

Link: hxxp://nestorconsulting.net/1.html
    Domain: nestorconsulting.net
    IP: 74.50.25.155 [ chaos.lunarbreeze.com ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 13:06:31
--------------------------------------------

Link: hxxp://cs2-dallas.accountservergroup.com/~atfxsyst/1.html
    Domain: cs2-dallas.accountservergroup.com
    IP: 50.23.239.111 [ cs2-dallas.accountservergroup.com ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 13:14:23
--------------------------------------------

Link: hxxp://combers-uk.com/~schumug/1.html
    Domain: combers-uk.com
    IP: 217.168.145.10 [ mcl10.mclweb.co.uk ]

--------------------------------------------
E-mail subject: [SPAM] Image has been sent <[REMOVED]>
Received: 07/02/2014 13:13:09
--------------------------------------------

Link: hxxp://www.c9972855.myzen.co.uk/1.html
    Domain: www.c9972855.myzen.co.uk
    IP: 82.71.204.28 [ shcp04.hosting.zen.net.uk ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 13:09:31
--------------------------------------------

Link: hxxp://www.nothingcompares.co.uk/1.html
    Domain: www.nothingcompares.co.uk
    IP: 82.165.204.223 [ kundenserver.de ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 13:07:09
--------------------------------------------

Link: hxxp://ip-182-50-129-164.ip.secureserver.net/1.html
    Domain: ip-182-50-129-164.ip.secureserver.net
    IP: 182.50.129.164 [ ip-182-50-129-164.ip.secureserver.net ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 13:06:18
--------------------------------------------

Link: hxxp://cluster013.ovh.net/~bgfiban/1.html
    Domain: cluster013.ovh.net
    IP: 213.186.33.24 [ cluster013.ovh.net ]

--------------------------------------------
E-mail subject: [SPAM] Image has been sent <[REMOVED]>
Received: 07/02/2014 13:05:23
--------------------------------------------

Link: hxxp://d1054130-28095.cp.blacknight.com/1.html
    Domain: d1054130-28095.cp.blacknight.com
    IP: 78.153.216.42 [ PEMLINWEB133.blacknight.com ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 13:02:01
--------------------------------------------

Link: hxxp://ip-182-50-129-164.ip.secureserver.net/1.html
    Domain: ip-182-50-129-164.ip.secureserver.net
    IP: 182.50.129.164 [ ip-182-50-129-164.ip.secureserver.net ]

--------------------------------------------
E-mail subject: [SPAM] Image has been sent <[REMOVED]>
Received: 07/02/2014 13:00:27
--------------------------------------------

Link: hxxp://baskadesign.com/1.html
    Domain: baskadesign.com
    IP: 213.171.219.4 [ server213-171-219-4.livedns.org.uk ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 12:57:55
--------------------------------------------

Link: hxxp://arnoldlanecars.co.uk/~thedrake/1.html
    Domain: arnoldlanecars.co.uk
    IP: 64.37.48.20 [ era.superdomainzone.com ]

--------------------------------------------
E-mail subject: Image has been sent <burn[REMOVED]>
Received: 07/02/2014 12:55:35
--------------------------------------------

Link: hxxp://users173.lolipop.jp/~lolipop.jp-204f9d446b7f9eb/1.html
    Domain: users173.lolipop.jp
    IP: 210.157.22.62 [ users173.phy.lolipop.jp ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 12:53:38
--------------------------------------------

Link: hxxp://indepth-registration.net/~indept18032/1.html
    Domain: indepth-registration.net
    IP: 217.72.181.181 [ linux3.cloud.hotchilli.net ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 12:53:36
--------------------------------------------

Link: hxxp://littlepandaexpress888.com/1.html
    Domain: littlepandaexpress888.com
    IP: 192.185.171.172 [ ns965.websitewelcome.com ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 12:53:33
--------------------------------------------

Link: hxxp://cluster015.ovh.net/~orabenin/1.html
    Domain: cluster015.ovh.net
    IP: 213.186.33.3 [ cluster015.ovh.net ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>,    <[REMOVED]>,    <[REMOVED]>,    <[REMOVED]>,    <[REMOVED]>
Received: 07/02/2014 13:40:03
--------------------------------------------

Link: hxxp://91.99.102.154/1.html
    Domain: 91.99.102.154
    IP: 91.99.102.154 [ 91.99.102.154.parsonline.net ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>,    <[REMOVED]>,    <[REMOVED]>,    <[REMOVED]>,    <[REMOVED]>
Received: 07/02/2014 13:40:03
--------------------------------------------

Link: hxxp://91.99.102.154/1.html
    Domain: 91.99.102.154
    IP: 91.99.102.154 [ 91.99.102.154.parsonline.net ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>,    <[REMOVED]>,    <[REMOVED]>,    <[REMOVED]>,    <[REMOVED]>
Received: 07/02/2014 13:40:03
--------------------------------------------

Link: hxxp://91.99.102.154/1.html
    Domain: 91.99.102.154
    IP: 91.99.102.154 [ 91.99.102.154.parsonline.net ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>,    <[REMOVED]>,    <[REMOVED]>,    <[REMOVED]>,    <[REMOVED]>
Received: 07/02/2014 13:40:03
--------------------------------------------

Link: hxxp://91.99.102.154/1.html
    Domain: 91.99.102.154
    IP: 91.99.102.154 [ 91.99.102.154.parsonline.net ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 13:35:54
--------------------------------------------

Link: hxxp://42.96.151.54/1.html
    Domain: 42.96.151.54
    IP: 42.96.151.54 [ AY130729150259Z ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 13:28:59
--------------------------------------------

Link: hxxp://raysoftindia.com/1.html
    Domain: raysoftindia.com
    IP: 205.178.152.48 [ w2k3-web48.prod.netsolhost.com ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 13:26:18
--------------------------------------------

Link: hxxp://zu-yuan.com/1.html
    Domain: zu-yuan.com
    IP: 202.190.181.149 [ Resolution failed ]

--------------------------------------------
E-mail subject: [SPAM] Image has been sent <[REMOVED]>
Received: 07/02/2014 13:25:25
--------------------------------------------

Link: hxxp://cluster014.ovh.net/~planetexh/1.html
    Domain: cluster014.ovh.net
    IP: 213.186.33.87 [ cluster014.ovh.net ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 13:22:40
--------------------------------------------

Link: hxxp://alexandria90.etcserver.com/~psychica/1.html
    Domain: alexandria90.etcserver.com
    IP: 50.23.98.194 [ alexandria90.etcserver.com ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 14:03:30
--------------------------------------------

Link: hxxp://nortonfire.co.uk/1.html
    Domain: nortonfire.co.uk
    IP: 82.165.213.55 [ kundenserver.de ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 14:16:34
--------------------------------------------

Link: hxxp://hrdcvn.com.vn/1.html
    Domain: hrdcvn.com.vn
    IP: 123.30.184.132 [ vdc184-132.vmms.vn ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 14:15:40
--------------------------------------------

Link: hxxp://lespeulons-auxerre.com/~lespeulo/1.html
    Domain: lespeulons-auxerre.com
    IP: 213.186.33.87 [ cluster014.ovh.net ]

--------------------------------------------
E-mail subject: [SPAM] Image has been sent <[REMOVED]>
Received: 07/02/2014 14:23:10
--------------------------------------------

Link: hxxp://finnhair.co.uk/1.html
    Domain: finnhair.co.uk
    IP: 208.123.212.48 [ wp03.yeg.alentus.net ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 14:26:46
--------------------------------------------

Link: hxxp://littlepandaexpress888.com/1.html
    Domain: littlepandaexpress888.com
    IP: 192.185.171.172 [ ns965.websitewelcome.com ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 14:25:52
--------------------------------------------

Link: hxxp://finnhair.co.uk/1.html
    Domain: finnhair.co.uk
    IP: 208.123.212.48 [ wp03.yeg.alentus.net ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 14:32:42
--------------------------------------------

Link: hxxp://arnoldlanecars.co.uk/~thedrake/1.html
    Domain: arnoldlanecars.co.uk
    IP: 64.37.48.20 [ era.superdomainzone.com ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 14:28:16
--------------------------------------------

Link: hxxp://forjiran.co/1.html
    Domain: forjiran.co
    IP: 87.247.179.35 [ Resolution failed ]

--------------------------------------------
E-mail subject: [SPAM] Image has been sent <[REMOVED]>
Received: 07/02/2014 14:41:13
--------------------------------------------

Link: hxxp://advancetec.co.uk/1.html
    Domain: advancetec.co.uk
    IP: 212.48.68.157 [ atfx.atfx-systems.co.uk ]

--------------------------------------------
E-mail subject: [SPAM] Image has been sent <[REMOVED]>
Received: 07/02/2014 14:40:51
--------------------------------------------

Link: hxxp://www.wwwfel.org.ng/1.html
    Domain: www.wwwfel.org.ng
    IP: 173.230.248.116 [ 116.248.230.173.securenet-server.net ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 14:50:54
--------------------------------------------

Link: hxxp://www.neweraftp.com/1.html
    Domain: www.neweraftp.com
    IP: 184.154.233.8 [ ns1.siteground282.com ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 15:11:11
--------------------------------------------

Link: hxxp://s15411540.onlinehome-server.info/1.html
    Domain: s15411540.onlinehome-server.info
    IP: 82.165.141.157 [ s15411540.onlinehome-server.info ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 15:10:08
--------------------------------------------

Link: hxxp://tamilcm.com/1.html
    Domain: tamilcm.com
    IP: 67.227.152.196 [ windows2.india-to.net ]

--------------------------------------------


You'll find a copy of the emails here;

http://temp.it-mate.co.uk/Evernote_malspam-07022014.3.7z

The MITM URLs are;

hxxp://epsommalevoicechoir.org.uk/1.txt
hxxp://www.t-gas.co.uk/1.txt

Which lead, so far, to;

hxxp://jolygoestobeinvester.ru:8080/tqdeeuwf4n
IPs (columns: IP, reverse DNS, ASN, ASN, announced prefix, AS name):

54.254.203.163    ec2-54-254-203-163.ap-southeast-1.compute.amazonaws.com    38895    38895 54.254.128.0/17 AMAZON-AS-AP Amazon.com Tech Telecom
78.108.93.186    static.78.108.93.186.clients.majordomo.ru    29076    29076 78.108.92.0/23 CITYTELECOM-AS Filanco LTD
78.129.184.4    Failed resolution    20860    20860 78.129.128.0/17 IOMART-AS Iomart
140.112.31.129    ecns1.csie.ntu.edu.tw    17716    17716 140.112.0.0/17 NTU-TW National Taiwan University
202.22.156.178    compta.corail.nc    56089    56089 202.22.128.0/19 OFFRATEL-AS-AP OFFRATEL
31.222.178.84    31-222-178-84.static.cloud-ips.co.uk    15395    15395 31.222.128.0/18 Rackspace Ltd.
37.59.36.223    ks398186.kimsufi.com    16276    16276 37.59.0.0/16 OVH OVH Systems
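For anyone wanting to turn the report above into a hosts-file entry list without copy/pasting each line by hand, here's a small parser for the Link/Domain/IP record format. This is an added example, not part of the original post or the hpHosts tooling; the record text embedded in it is a constructed excerpt in the same format (a handful of entries from the list above), and the hosts-file format (127.0.0.1 followed by the hostname) is assumed. It also groups domains that share an IP, because several of the entries sit on shared hosting (the OVH clusters, for example) where blocking the IP would take out every other tenant too.

```python
"""Parse Link / Domain / IP records from the malspam report into a de-duplicated blocklist.
Added example; SAMPLE_REPORT is a constructed excerpt in the page's record format."""
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample: a few records copied from the list above, same layout as the report.
SAMPLE_REPORT = """\
--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 13:07:09
--------------------------------------------

Link: hxxp://ip-182-50-129-164.ip.secureserver.net/1.html
    Domain: ip-182-50-129-164.ip.secureserver.net
    IP: 182.50.129.164 [ ip-182-50-129-164.ip.secureserver.net ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 13:02:01
--------------------------------------------

Link: hxxp://ip-182-50-129-164.ip.secureserver.net/1.html
    Domain: ip-182-50-129-164.ip.secureserver.net
    IP: 182.50.129.164 [ ip-182-50-129-164.ip.secureserver.net ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 13:40:03
--------------------------------------------

Link: hxxp://91.99.102.154/1.html
    Domain: 91.99.102.154
    IP: 91.99.102.154 [ 91.99.102.154.parsonline.net ]

--------------------------------------------
E-mail subject: Image has been sent <[REMOVED]>
Received: 07/02/2014 14:15:40
--------------------------------------------

Link: hxxp://lespeulons-auxerre.com/~lespeulo/1.html
    Domain: lespeulons-auxerre.com
    IP: 213.186.33.87 [ cluster014.ovh.net ]

--------------------------------------------
E-mail subject: [SPAM] Image has been sent <[REMOVED]>
Received: 07/02/2014 13:25:25
--------------------------------------------

Link: hxxp://cluster014.ovh.net/~planetexh/1.html
    Domain: cluster014.ovh.net
    IP: 213.186.33.87 [ cluster014.ovh.net ]
"""

# One record = a Link line followed by an indented Domain line and an indented IP line.
RECORD_RE = re.compile(
    r"^Link:\s*(?P<link>\S+)\s*$\n"
    r"^\s*Domain:\s*(?P<domain>\S+)\s*$\n"
    r"^\s*IP:\s*(?P<ip>\S+)\s*\[\s*(?P<rdns>.*?)\s*\]\s*$",
    re.MULTILINE,
)


def parse_records(text):
    """Return one dict per Link/Domain/IP block; the hxxp:// defanging is undone on the link."""
    records = []
    for m in RECORD_RE.finditer(text):
        link = m.group("link").replace("hxxp://", "http://", 1)
        records.append({"link": link, "domain": m.group("domain"),
                        "ip": m.group("ip"), "rdns": m.group("rdns")})
    return records


def is_ip_literal(host):
    """True when the 'Domain' field is really a bare IP (a hosts file cannot block those)."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def build_blocklist(records):
    """Hosts-file lines for the distinct hostnames, plus the distinct IPs for firewall use."""
    hostnames = sorted({r["domain"] for r in records if not is_ip_literal(r["domain"])})
    ips = sorted({r["ip"] for r in records})
    hosts_lines = [f"127.0.0.1 {h}" for h in hostnames]
    return hosts_lines, ips


def shared_hosting(records):
    """IPs that carry more than one of the listed domains: blocking such an IP also hits
    the legitimate tenants of that shared host, so block by hostname there instead."""
    by_ip = defaultdict(set)
    for r in records:
        by_ip[r["ip"]].add(r["domain"])
    return {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) > 1}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    hosts, ips = build_blocklist(recs)
    print("\n".join(hosts))
    print("IPs:", ", ".join(ips))
    print("Shared hosts:", shared_hosting(recs))
```

Feed it the full report text instead of the sample and you get the whole run de-duplicated in one go; the repeated entries (the same link hitting several mailboxes) collapse to a single line.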

Alert: traffichold.com compromised (again)

traffichold.com appears to have been compromised again, and is leading to the Angler exploit kit.

Exactly the same as October 30 – traffichold.com hacked and leading to Angler EK

http://cs.traffichold .com/www/delivery/afr.php?zoneid=109&cb=INSERT_RANDOM_NUMBER_HERE&wm=16495&pr=4319255&prd=300×250&ts=failover&tsd=banner&prm=rev <== iframe to panafrika http://cs.traffichold .com/www/delivery/fl.js

rotator : http://offline.panafrika.net/pagead/show_ads.js


Read report:
http://www.malekal.com/2013/10/14/reveton-malvertising-campaign/2/#S526hRkXwikFyUuO.99

Alert: Large-scale DNS redirection on home routers for financial theft

In late 2013 CERT Polska received confirmed reports about modifications in e-banking websites observed on… iPhones. Users were presented with messages about alleged changes in account numbers that required confirmation with mTANs. This behavior would suggest that some Zeus-like trojan had been ported to iOS. As this would be the first confirmed case of such malware targeting the platform, and at the same time it targeted Polish e-banking users, it immediately attracted our attention. Internally we have come up with several scenarios of how it might have happened, but unfortunately were not able to gather enough first-hand data about the case to rule out any options.

The key to the riddle was in recent reports about vulnerabilities in home routers allowing attackers to remotely modify their configuration. After DNS server settings are changed on a router, all queries from inside the network are forwarded to rogue servers. Obviously the platform of a client device is not an issue, as there is no need for the attackers to install any malicious software at all. How was the webpage content altered, then?

First, let’s understand the implications of DNS hijacking. The most obvious consequence is invasion of privacy, as miscreants can profile users based on DNS queries they make. However, this is just where the problem begins. Being in control of DNS servers, criminals can send arbitrary IP addresses in response, effectively redirecting traffic to hosts under their control. This is called a man-in-the-middle attack.


Read report:
http://www.cert.pl/news/8019/langswitch_lang/en

Amazon spam, BuyURL Ltd.

It won't be long until we see Valentine's malspam (it happens every year), but in the meantime, some of those selling on Amazon seem to be resorting to spam to peddle their wares.

I received a couple on the 1st, and have another one this morning. In all 3 cases, the spam was sent via my site's contact form (and yes, I actually like receiving spam, before someone tells me I should be filtering it);

*********************************************************************
General
*********************************************************************
Ref: PI0021323817513
Reason for message: Feedback Notification
Sent from Server: mysteryfcm.co.uk
Date submitted: 07 February 2014
Time submitted: 08:14:50
Submitted by: 213.238.175.13
Referring page: hxxp://mysteryfcm.co.uk/?mode=Contact
*********************************************************************
Details
*********************************************************************
Name: harryanaaron
E-mail: accuratephysici6MQ85@outlook.com
How did you find us?: Not provided
... Other: Not provided
Site navigation: Not provided
Comments:

Let's just say it appeared he used cordless drill consumer reports for sale. Sometimes these problems can be quite as easy bit changes. Accidents due to quick control. [url=hxxp://powerpak445.livejournal.com/ ]power-pak 445 [/url] This particular gigantic internet retailers provides the following few maintenance practices, the scratches. Also, a rotisserie basket would make the tool and accessories, such as refrigerators will go down. By grilling from top and bottom of the drill and a heavier-duty performance for shareholders.

This manufacturer pioneered the technology does have to leave the oven below it. The lumen side of the main metros. While you use them. hxxp://www.cssforest.org/blog/index.php?id=164
hxxp://www.club-natation-romont.ch/index.php?option=com_jambook&Itemid=21&task=add
hxxp://www.lucyophoto.com/blog/happy-monday#comment-251047
hxxp://sangbleu.com/2014/01/31/pretty-vacant-the-graphic-language-of-punk/comment-page-1/#comment-1383991
hxxp://tmisource.com/2013/11/27/watch-actors-talk-unique-fighting-styles-in-the-mortal-instruments-city-of-bones/#comment-96045
If it comes to implementing our strategic growth plan. By using the drill, saw or a coal stoker. Twist right and perfect for all products. A 12v drill driver.


All 3 came from the same IP too, 213.238.175.13;

inetnum: 213.238.175.0 - 213.238.175.255
netname: BuyURL-NET
descr: BuyURL Ltd.
remarks: http://www.buyurl.net
country: EU
admin-c: IHAC2-RIPE
tech-c: IHAC2-RIPE
mnt-by: IDEALHOSTING-MNT
org: org-ihsi1-ripe
status: ASSIGNED PA
source: RIPE # Filtered
remarks: ###################################
remarks: Abuse & intrusion reports should
remarks: be sent to: abuse@buyurl.net
remarks: ###################################

organisation: ORG-IHSI1-RIPE
org-name: IDEAL HOSTING SUNUCU INTERNET HIZM. TIC. LTD. STI
descr: iDeal Hosting Network Coordination Center
address: Nish Istanbul D Blok No 84
address: 34196 Bahcelievler, Istanbul - TR
org-type: Other
phone: +90 (212) 706 0300
fax-no: +90 (212) 706 0301
abuse-mailbox: abuse@idealhosting.net.tr
admin-c: trl-ripe
admin-c: ihac2-ripe
abuse-c: ihac2-ripe
tech-c: fy203-ripe
mnt-ref: idealhosting-mnt
mnt-by: idealhosting-mnt
source: RIPE # Filtered

role: iDeal Hosting Administrative Contact Role
remarks: iDeal Hosting Sunucu Int. Hizm. Tic. Ltd. Sti.
address: Nish Istanbul D Blok No:84
address: 34196 Bahcelievler, Istanbul - TR
phone: +90 (212) 706 0300
fax-no: +90 (212) 706 0301
abuse-mailbox: abuse@idealhosting.net.tr
admin-c: to1680-ripe
tech-c: fy203-ripe
nic-hdl: IHAC2-RIPE
mnt-by: idealhosting-mnt
org: org-ihsi1-ripe
source: RIPE # Filtered

route: 213.238.168.0/21
descr: iDeal Hosting Tic. Ltd. Sti.
origin: AS60897
mnt-by: IHLASNET-MNTNER
mnt-routes: IHLASNET-MNTNER
source: RIPE # Filtered


AS was notified, but not surprisingly, there's been no response. In the case of the latest, the paths are;

hxxp://powerpak445.livejournal.com/
-> hxxp://productreviewsblog.org/blog/go/universal-power-pak-445/
--> hxxp://www.amazon.com/gp/product/B003UO1DLS?ie=UTF8&tag=begiyoga-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=B003UO1DLS

The previous 2;

hxxp://hitachic8fb2.page.tl
-> hxxp://productreviewsblog.org/blog/go/hitachi-c8fb2
--> hxxp://www.amazon.com/gp/product/B0000223L2?ie=UTF8&tag=begiyoga-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=B0000223L2

hxxp://husqvarna450.livejournal.com
-> hxxp://productreviewsblog.org/blog/go/husqvarna-450
--> hxxp://www.amazon.com/gp/product/B001DO1OMK?ie=UTF8&tag=begiyoga-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=B001DO1OMK

Monday 3 February 2014

hpHosts: Updated 03/02/2014

The hpHOSTS Hosts file has been updated. There is now a total of 358,269 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Latest Updated: 03/02/2014 23:07
  2. Last Verified: 02/02/2014 14:00
Download hpHosts now!
http://hosts-file.net/?s=Download

Saturday 1 February 2014

INFO: hpHosts update

Finally got back from Mexico (though looking forward to going back there later this year*), and amongst the things I missed, were my fibre lines (the others being my son, and driving (they drive like lunatics over there!)).

I'm planning on pushing a new hpHosts update (full files that is) tomorrow, for those wondering what happened (I've been in the US and Mexico almost the entire month).

As an aside, the hotel we stayed at was the Hotel Imperial, and whilst the staff were fantastic, the room/hotel could've been better (want internet - forget it! (they've got 60Mbps WiFi but you've got little chance of its actually staying connected more than 5 mins, and an even smaller chance of its reaching above 1Mbps)), and as for the room - at least 2 of the sockets were falling off the wall (phone line had screws - it just forgot there was a wall there, leaving the wires wondering what happened), and the shower had less power to it than I do when I'm going to the toilet!

Oh and if you're over there and like me, love steak - get yourself to the Lionessa (on Insurgentes, two streets behind the mall)! (has an opera singer there most nights, who learnt "Barcelona" (Freddie Mercury and Montserrat Caballe) for me, the night before I came back (needless to say, I was tipping anyway, but gave a huge tip for that alone!)).

But anyway, I digress .....

* For those in Mexico, please do let me know if there's an ISP you can suggest that does FTTP (don't mind paying for it to be installed!).