
3/29/2014

Just another Spam, from...
www.ratgeberplatz.com:
"Your application. Your salary: up to 300 euros a day!
(I should have been a millionaire long ago with all these applications...)"
(„Your application for employment“)

from Australia & Germany (IP: 14.2.24.1)

English:


www.ratgeberplatz.com is a spam domain. Just delete those mails. Do not click "Unsubscribe Newsletter". If you do, they will only register that you have read the mail, and the spamming will get worse! See screenshot.


Just another SPAM-Screenshot from....ratgeberplatz.com

Hello,
You have been selected! We are now making exclusive knowledge available to you for your new side job. Your salary: up to 300 euros a day!

After your free registration you immediately receive free knowledge and can get started.

Click here:
http://mailings.ratgeberplatz.com/tracker.php

For German-speaking readers:


www.ratgeberplatz.com is clearly a spam domain. These mails can safely be deleted. Whatever you do, do not click "Unsubscribe Newsletter". The only thing that happens afterwards is that you get sent even more spam from this domain, because your click has given you away, and the domain ratgeberplatz.com now knows that you have read the e-mail! See screenshot.


IN THIS CASE THE ORIGINATING IP ADDRESS IS:
14.2.24.1   (Australia)
  • https://www.virustotal.com/de/url/6671096f3f434b58d889520e044498210faf3944dae80d8a5a084fd47ee0e3a6/analysis/1396003406/
  • http://www.senderbase.org/senderbase_queries/detailip?search_string=14.02.24.01
Second IP:
83.136.83.241   (Germany)
  • https://www.virustotal.com/de/url/248549c14fcab8bb31ebba0e20bc506f52d4070c0eb6fe42fbb7a48ab258dca9/analysis/1396118848/
THAT IS ALSO THE REASON WHY THIS POST (DOMAIN www.ereatvipgame.la) IS CONNECTED TO ratgeberplatz.com, as they use the same SPAM Server:

http://stayaway2.blogspot.com/2014/03/phishing-spam-from-wwwereatvipgamela-in.html

THIS IS THE REASON WHY ratgeberplatz.com IS INVOLVED IN THE FOLLOWING POST (casino phishing www.ereatvipgame.la): THEY BOTH USE THE SAME SPAM SERVER IP ADDRESS:

http://stayaway2.blogspot.com/2014/03/phishing-spam-from-wwwereatvipgamela-in.html

RECENTLY (RE-)DETECTED:
afristyle.com infected with HEUR:Trojan.Script.Iframer
IP: 160.124.112.100 - SOUTH AFRICA



MALWARE: HEUR:Trojan.Script.Iframer
DOMAIN:
http://afristyle.com/
  • https://www.virustotal.com/de/url/94e4f0d5dec56125cc4ac81ecd1aea5438e8ee9191f9a1ddee5729b370a5ee3f/analysis/1396113676/
HEUR:Trojan.Script.Iframer (PUA, document write)
  • https://www.virustotal.com/de/file/61b5f2266af649aeb40b3c12cb9b437da4c9b09492cff6aaf2fe4c33f46401e0/analysis/1396113489/
IP:
http://160.124.112.100/
  • https://www.virustotal.com/de/url/34dfd6f154e8f0f124b31235af491ff951386a432cf009980d5abed411171b24/analysis/1396114396/
  • https://www.virustotal.com/de/ip-address/160.124.112.100/information/
--->
http://find.uk.to/dns.htm
  • https://www.virustotal.com/de/url/9882d00fcdca159baba47dd3f0b38cb7277532978e54e483d51da98599153adf/analysis/1396114311/
  • https://urlquery.net/report.php?id=1396113767846

3/28/2014

Stop ! This Website Is Not Safe !
Psssst...I am OUTING myself....so, beware...
Not only since Yesterday (This Blog) is stamped as a PHISHING Site (by BD (BitDefender)....This POST (Threat)) will be kept updated.
Sooner or later. And Fortinet jumped into it (Today. The NET).
Riddle: Find out why...it started...! STAY TUNED !

STOP ! THIS WEBSITE is NOT Safe 
  • http://trafficlight.bitdefender.com/info?url=http://stayaway2.blogspot.com
THE BEGINNING: (AS I SAID, SOME (delicate) INFO WILL BE UPDATED). BitDefender is a GERMAN/ROMANIAn "Fusion?"itis.

The more Hacking, the more will publish. The Circle of Life makes not halt in Front of...BD...who is working EAST(Ward)s !!!


The end of defending Bits (or bytes)



Happy Eastern to ALL (and to myself, I almost forgot): But Never Forget: Kaspersky is the RULE !! Is someone heading EAST ? Or WEST ?? Hitchhike.....

And https://www.virustotal.com/de/user/BMonday/

:D

A Lesson in Heuristics about the word:
OBFUSCATED, OBFUSCATING, OBFUS.....& SO ON !
QUESTION BEFORE lesson (Let us stay POLI(C)T(i)e) (-ZEI):
How many Bad Beard Bandits are out there ?
Isn't it time to get a bit more creative ??
These days ???

There is the one of September last year, the Ohio one, Mister Kenneth J. Horsley from Columbus.

It looks like...Horsley first....


...stumbled over his own Beard or what....






....happened to be looking so bruised....? At least he got captured, some specific day.

Then there is Number 2, the Californian Bad Beard Bandit, Mister Gerardo Orozco Lopez (Oreo Cookie). Half Moon if you want, this year (2014):





Now the BAD BEARDS:

    Bad Horse Beard    


    Bad Cookie Beard    


So now there are a few questions that need to be answered (although I do not have the clue, Suggestions are welcomed): How would they have been named (so you can understand the difference), if BBBHorse (1) (Let's keep it short) would not have been captured, and both BBBs would still be(e) on the loose ? Would it be BBB1 & BBB2 ? Or BBBThe realBBB or BBBThe not so(real)BBB ? You see, being surrounded by Obfuscation, makes you think like that: Obfuscated ! Weird, but all so logical. And exactly that is what is happening in the world(s) thinking since 9/11. So, think about it. It's short and also (all so)....hmmmm....Simple ?


Have a nice day ;)

(By the way, that FlowerBucket just beside the Bad Beard Bandit....:D.....looks like....French Fries ? Bon Appétit. Folks !)

If you KNOW what I mean, or if you do not, check this following Video by VADER ABRAHAM. Maybe then (but only then may May be by May 1st), you understand the Word OBFUSCATED more Properly.

It's just all about...Surveillance (and Creativity) ;)


Packed.Win32.Black.d (+ Win32/Injector) @:
windowssoftwaire.eu5.org
(IP: 5.9.106.214)
GERMANY



MALWARE SITE:
1 - Packed.Win32.Black.d
2 - Win32/Injector
3 - HIDDEN IFRAME


DOMAIN:
http://windowssoftwaire.eu5.org/
  • https://www.virustotal.com/de/url/cf360dffa24a58212c44d2340e2aeacac62031d1b06ac3a968f2e13edb33d41e/analysis/1396014984/
---> HIDDEN IFRAME TO
http://ads.yahoo.com/st?ad_type=iframe&ad_size=300x250&site=1580851&section_code=ADO3b
  • https://www.virustotal.com/de/url/639f767bb6de5e8b70499590e7c3a38ca047d1eb77b39e53b94b4aed4333148a/analysis/1396015602/
http://windowssoftwaire.eu5.org/PBDownForce.rar
  • https://www.virustotal.com/de/url/5fdf9ca80cddf232ad2ff32fe776e75eaa91283e858546e6902de39318734e59/analysis/1396014869/
MALWARE:
Packed.Win32.Black.d
  • https://www.virustotal.com/de/file/8f937adfb1ba4f2dcb2554a4a78d579438eec4351301141424f529ff1a17c0c3/analysis/1396014875/
ALSO:
http://windowssoftwaire.eu5.org/KeyText.rar
  • https://www.virustotal.com/de/url/b8dff45c4625e721c13fe7972f0c45ad5eebd3b0e4b7f634c98e155b87346242/analysis/1396016110/
Win32/Injector
  • https://www.virustotal.com/de/file/c5eb9f43af160569196b28476a3b89fcfde89dee6399c06e71766ff39a5763fb/analysis/1396016120/
IP:
5.9.106.214
  • https://www.virustotal.com/de/url/c675d95e168a09cbf8361aef286347b2473c933d8082578acee280d0607dd564/analysis/1396020096/
  • https://www.virustotal.com/de/ip-address/5.9.106.214/information/
BHA: 2.949
  • https://www.projecthoneypot.org/ip_5.9.106.214
HTML CODE CAN BE FOUND HERE:

Document hosting: UploadEdit.com

PHISHING SPAM from:
www.ereatvipgame.la
In Connection with ratgeberplatz.com
AUSTRALIA: 14.2.24.1 IRAN: 217.219.253.210
"Best German casinos in 2014" (sercoinfo.com: FRANCE)

We have put together a list of the best online casinos for you and would like to give you the opportunity to take up an exclusive bonus offer when you register at one of these casinos.
Countless offers with free spins and deposit bonuses are available to choose from.

Register at a casino of your choice via one of the links on our web pages and secure yourself an exclusive bonus.

Visit our website here. http://www.ereatvipgame.la/

Kind regards

Carl Barmasser

*****************************************
Please click here if you no longer wish to receive e-mails from us:
http://unsubscribe.ereatvipgame.la/

PHISHING MAIL SCREENSHOT

DOMAIN:

http://www.ereatvipgame.la/
  • https://www.virustotal.com/de/url/7b3bf62ec24c544a9e4b7b53b67d056583bf372543626015ec36fcdcfc4c02ac/analysis/1396002960/

UNSUBSCRIBE LINK:

http://unsubscribe.ereatvipgame.la/
  • https://www.virustotal.com/de/url/bb6c5411fdff163d11176dde943c5d8ea743983fe2ffbab867e6ee046dc6a5a5/analysis/1396003189/

ORIGINATING IPs:
14.2.24.1
  • https://www.virustotal.com/de/url/6671096f3f434b58d889520e044498210faf3944dae80d8a5a084fd47ee0e3a6/analysis/1396003406/
  • http://www.senderbase.org/senderbase_queries/detailip?search_string=14.02.24.01
217.219.253.210
  • https://www.virustotal.com/de/url/af19ac8d166ab0e796dbcb19ce8e9aaded5ddbf78bca8ef42c42a19b0caff8cb/analysis/1396003561/

 SPAMHAUS PBL LISTED:
  • http://www.spamhaus.org/query/bl?ip=217.219.253.210
  • http://www.senderbase.org/lookup/?search_string=217.219.253.210



THROUGH MAILSERVER:

sercoinfo.com
  • https://www.virustotal.com/de/url/0e5a930aab7957867dc351f4678e6d0b854a0a9292d5fdbcb43c14eb0fe33e29/analysis/1396004036/
The reason why ratgeberplatz.com is involved in this one (PHISHING) can be found (seen) at the following Blogpost: They both use the same SPAMSERVER-IP:

http://stayaway2.blogspot.com/2014/03/just-another-spam-from_29.html 

Category MALICIOUS IP:
187.155.38.145 (Tizimín, MEXICO)
SPAMHAUS LISTED (PBL)

Tizimín, MEXICO
OS on IP:  Mac OS X 1083

IP:
187.155.38.145
  • https://www.virustotal.com/de/url/a54d751bc93b7e8e1aeb672da88b1b1deaaa81f44344d240b5c24ce6ec85fe12/analysis/1396001404/
SPAMHAUS LISTED (PBL):

  • http://www.spamhaus.org/query/bl?ip=187.155.38.145


 

3/23/2014

Category MALICIOUS IP:
88.204.199.94 Kokpekty - Kazakhstan
(BLACKLISTED SPAMHAUS PBL)
E-Mail SPAM Server
"Fuck like a world champion ?"

88.204.199.94
  • https://www.virustotal.com/de/url/1e2190627aa01f4ab7c3f35c58b11c11355b5aa4404dd381dba9ca0e2277d15a/analysis/1395570556/
E-MAIL SPAM: 69 MAILS SENT FROM THIS IP
  • https://www.projecthoneypot.org/ip_88.204.199.94

LISTED AT SPAMHAUS (PBL):
  • http://www.spamhaus.org/query/bl?ip=88.204.199.94

EMAIL REP.: POOR

http://www.senderbase.org/lookup/?search_string=88.204.199.94