
5/20/2014

SSH Rootkit Ebury
Category MALICIOUS IP: 203.153.108.227 (INDONESIA)
Listed at SPAMHAUS (CBL)
Linux, FreeBSD or some other form of UNIX

The IP Address 203.153.108.227 is listed in the CBL (Composite Blocking List). It appears to be infected with a spam sending trojan, proxy or some other form of botnet. It was last detected at 2014-05-20 07:00 GMT (+/- 30 minutes), approximately 10 hours ago.

Screenshot of 203.153.108.227


We have detected that this IP is NATting for, or is infected itself, with a Linux (or possibly some other Unix-like system such as FreeBSD) Trojan spam mailer script. This is no joke. This infection is extremely dangerous as it can download anything it wishes, and needs to be removed ASAP.

We do not know how the malware got installed onto the machine, but we know a lot of what it does. The main thing we've seen it doing is sending staggeringly large volumes of email spam. But it can do a lot more than that, and that is the real danger.

NEW

Of late some of these infections are facilitated by an SSH rootkit called "ebury". See this link for more detail.

In most cases, this IP address would be that of a shared hosting environment. If you are a customer of this environment, you will almost certainly not be able to do anything about it, only the administrators of the hosting environment itself can. Please contact your administrators, and refer them to this page. If the administrators are reluctant to do anything please try to convince them, because there is nothing you can do to fix this problem.

For further information, please see the screenshots taken earlier in the day (at the end of this post).

----------------------------------------------------------------------------------------------------------------------------------------------

Analysis:

MALICIOUS IP (PHISH RISK: RouterOS router configuration page):

Heuristic.LooksLike.HTML.Suspicious-URL.E
http://203.153.108.227/
  • https://www.virustotal.com/de/url/0a964415fc55b5cdc18c0d36636601c5510eb3646d5ecf9a7513698add2a9817/analysis/1400587343/
Heuristic.LooksLike.HTML.Suspicious-URL.E
  • https://www.virustotal.com/de/file/e23ec81b12a8af1412ab02d126086162b758908f1cf3e26a3f9797c3da242a74/analysis/1400587434/
  • http://quttera.com/detailed_report/203.153.108.227
  • http://zulu.zscaler.com/submission/show/4b322c1b6dd9f1d6b3f50243c20b5c37-1400587353
  • http://www.wpbl.info/cgi-bin/detail.cgi?ip=203.153.108.227

SPAMSERVER & DICTIONARY ATTACKER:
  • https://www.projecthoneypot.org/ip_203.153.108.227
  • http://www.senderbase.org/lookup/?search_string=203.153.108.227
LISTED AT SPAMHAUS (CBL):
  • http://www.spamhaus.org/query/bl?ip=203.153.108.227
CBL LISTED:
  • http://cbl.abuseat.org/lookup.cgi?ip=203.153.108.227
OTHER MALICIOUS FILE:
http://203.153.108.227/winbox/winbox.exe
  • https://www.virustotal.com/de/url/d2563f5885fbe8174154ed20d776233135b80220e97d21b3b42b231c38e69311/analysis/1400602467/
  • https://www.virustotal.com/de/file/dcc31d4643e17d31db636c8ccc7e34d004876f18b5d48828ea37e2e8e5e19bcf/analysis/1400068690/
----------------------------------------------------------------------------------------------------------------------------------------------


4/27/2014

SPAM - SCAM - PHISHING MAIL from:
www.redcappi.com & b-unitd.com
LANSING, MICHIGAN, United States

"Re: Ihre Bestellung" ("Re: Your order")
rechtsanwalt.maiers@gmail.com



First take a look at this post, also from redcappi.com

http://stayaway2.blogspot.com/2014/04/zdf-eiltachtungschockierende-meldung.html

Latest Redcappi Mail Screenshot

ATTENTION! Special newsletter!

You have not placed an order with us, but like 97.2% of our readers you will do so after this mail!

Touching story brings the presenter of "Raus aus den Schulden" to tears!

Unemployed and more than 130,000 euros in debt

This man changed his life and earns up to 263.69 euros a day with this system!

Soon from heavy debt to riches? RTL2 tested it live on TV

The presenters were stunned! You can do it too! And absolutely FREE OF CHARGE!

But there is a catch! Unfortunately this patent is strictly limited.

Because the patent holder has sold this system to a US bank!

Only those who register in time may use the system free of charge for life!

Quickly watch the video that will change your life!

CLICK HERE FOR THE VIDEO

If the link does not work, please copy the domain into your browser:
http://b-unitd.com/9uw
----------------------------------------------------------------------------------------------------------------------------------------------
http://www.redcappi.com/
  • https://www.virustotal.com/de/url/67dc853cd6c065dae93edf295021f261c0c3a2b181cdd28f6780119554a3cfca/analysis/1398617170/

http://b-unitd.com/9uw
  • https://www.virustotal.com/de/url/3ac985b1b94ecb91cfe388eea0255b6e5f053b72f4648f5f990c9806fbcd9fc2/analysis/

URL after redirects
http://www.projekt95pro.com/?campaign=6739&ft=1&p=jsbfaeyJhIjoiMTAwODg4IiwiYyI6IjEzOTg2MTczMjU0OTgzNzE1MzUiLCJ4IjoicmVkY2FwcGkzMS4wMy4xNC1BZHJlc3NidXRsZXIifQ==
  • https://www.virustotal.com/de/url/6982efa0dcb5cb5914627017685691708d026cca3f3f4430ddf00e8d8a38d5fc/analysis/


OTHER PARTICULAR LINKS in THE EMAIL HEADER:

  • http://www.redcappi.com/c/38111/MxgRyfrW5uDADAONCsv15qiM89vMbzudmiJWDSKFgW

  • http://www.redcappi.com/newsletter/unsubscribe_mail/unsubscribe/338111/MxgRyfrW5uDADAONCsv15qiM89vMbzudmiJWDSKFgW

  • http://www.redcappi.com/newsletter/clickrate/create/38111/MxgRyfrW5uDADAONCsv15qiM89vMbzudmiJWDSKFgW/1

  • http://www.redcappi.com/newsletter/clickrate/create/38111/MxgRyfrW5uDADAONCsv15qiM89vMbzudmiJWDSKFgW/2

  • http://www.redcappi.com/newsletter/clickrate/create/38111/MxgRyfrW5uDADAONCsv15qiM89vMbzudmiJWDSKFgW/3

  • http://www.redcappi.com/newsletter/powered_by_redcappi/index/38111/MxgRyfrW5uDADAONCsv15qiM89vMbzudmiJWDSKFgW

  • http://www.redcappi.com/webappassets/images-front/thanks-logo.png

  • http://www.redcappi.com/newsletter/unsubscribe_mail/unsubscribe/38111/MxgRyfrW5uDADAONCsv15qiM89vMbzudmiJWDSKFgW

  • http://www.redcappi.com/newsletter/forward_to_friend/index/38111/MxgRyfrW5uDADAONCsv15qiM89vMbzudmiJWDSKFgW

  • http://www.redcappi.com/newsletter/unsubscribe_mail/read/38111/MxgRyfrW5uDADAONCsv15qiM89vMbzudmiJWDSKFgW

ORIGINATING IP(s):
http://14.3.31.13/ (JAPAN)
  • https://www.virustotal.com/de/url/666d6c71daa4949cdf56903f33548099340d2ca4d3ba2cb056a4328820b498c4/analysis/1398618595/
http://50.28.15.48/ (Lansing, MICHIGAN)
  • https://www.virustotal.com/de/url/9608502cf9ac7e4340127003a8b89f7570d61229ce1b67f641f5ff893bba974b/analysis/1398618787/
SPAM MAILSERVER FROM MICHIGAN:

MAILS SENT FROM IP: 144
  • https://www.projecthoneypot.org/ip_50.28.15.48

4/26/2014

PHISHING: Re: Bestellbestätigung. ("Re: Order confirmation")
"ACHTUNG ! Sondernewsletter !" ("ATTENTION! Special newsletter!")
FROM:
Snowshoe Spammer mawamalai.com (IPs: 79.124.56.67 - 79.124.56.70)
PUA.JS.Xored

BULGARIA



ATTENTION! Special newsletter!

You have not placed an order with us. But like 97.2% of readers, you will do so once you have read this mail!
Touching story brings the presenter of "Raus aus den Schulden" to tears!

Unemployed and more than 130,000 euros in debt!
This man changed his life and earns up to 263.69 euros a day with this system!
Soon from heavy debt to riches? RTL2 tested it live on TV!

The presenters were stunned! You can do it too! And absolutely FREE OF CHARGE!
But there is a catch! Unfortunately this patent is strictly limited.
Because the patent holder has sold this system to a US bank!

Only those who register in time may use the system free of charge for life!

Quickly watch the video that will change your life!

CLICK HERE FOR THE VIDEO

If the link does not work, please copy the domain into your browser: http://b-unitd.com/9uy

Click here to unsubscribe


Mail Screenshot

PHISHING SPAM-DOMAIN: 
FROM BULGARIA
http://mawamalai.com/
  • https://www.virustotal.com/de/url/6896cabd8597b88bada31b7daa824a29a707f6ab3078291cc0fc256bdbdbdf12/analysis/1398514506/
HTML:
  • https://www.virustotal.com/de/file/dbb6e6caba47b4688bd5a128e57eb8d26620942b13d5b07a0fa51d75fde63d2a/analysis/1398514432/

*********************************************************************************************************************

ANALYSIS IP: 79.124.56.67
http://79.124.56.67/
  • https://www.virustotal.com/de/url/ef621203c8c566900d8a693072d085991dd8111f907a5a97aa828560f19ede02/analysis/1398517859/
Invalid HTML data
  • https://www.virustotal.com/de/file/b7bd64ddcc323a81ffc9806c613c863132802289e9bc57f62affcce235d996e9/analysis/1398517950/
  • https://www.virustotal.com/de/ip-address/79.124.56.67/information/
HOSTNAME:
http://news1.bowntymailer.com/
  • https://www.virustotal.com/de/url/73c6ee9f15bc9c283a3281fa27d6dc857f8a92ee572d3733bc96ebe6247f05d6/analysis/1398521012/
REDIRECTS TO:
http://79.124.56.67/cgi-sys/defaultwebpage.cgi
  • https://www.virustotal.com/de/url/aec08d798876325028714570d7ccaedfe9ac44e8c7001c4b7734aaa322657d64/analysis/1398519269/
IP 79.124.56.67 IS BLACKLISTED AT:

1)
SPAMHAUS (SBL): SNOWSHOE SPAMMER
  • http://www.spamhaus.org/query/bl?ip=79.124.56.67
  • http://www.spamhaus.org/sbl/query/SBL213606
  • http://www.spamhaus.org/sbl/listings/telehouse.bg
http://telehouse.bg/
  • https://www.virustotal.com/de/url/4a0a98bd45413718c532b3128cfc59a15f8b8ba7bc5195fab8c9042cab9d827b/analysis/
2)
WOT:
  • https://www.mywot.com/en/scorecard/79.124.56.67
3)
spam.abuse.ch:
  • http://dnsbl.abuse.ch/?ipaddress=79.124.56.67
4)
WEB-REP: POOR
EMAIL-REP: POOR
  • http://www.senderbase.org/lookup/?search_string=79.124.56.67

*********************************************************************************************************************

Originating PHISHING-MAIL-IP Address: 79.124.56.70
http://79.124.56.70/
  • https://www.virustotal.com/de/url/94a3d7b252550f754c522cbee1ab45246f8c8ec7d5f69be7165d0f2289ffe12a/analysis/1398519845/
  • https://www.virustotal.com/de/ip-address/79.124.56.70/information/
Invalid HTML data
  • https://www.virustotal.com/de/file/b7bd64ddcc323a81ffc9806c613c863132802289e9bc57f62affcce235d996e9/analysis/1398517950/
  • https://www.virustotal.com/de/ip-address/79.124.56.70/information/
HOSTNAME:
http://news4.bowntymailer.com/
  • https://www.virustotal.com/de/url/07f76972f4be2bd08f85c65791eb977f9ae1eb70c410ca5a74dabe047c66ea2c/analysis/1398520764/
REDIRECTS TO:
http://79.124.56.70/cgi-sys/defaultwebpage.cgi
  • https://www.virustotal.com/de/url/1dff6d9729554c1422fd204c39c3c16d202a9ec6ac2822f2eeabfc6e921a7983/analysis/1398520085/
IP 79.124.56.70 IS BLACKLISTED AT:

1)
SPAMHAUS (SBL): SNOWSHOE SPAMMER
  • http://www.spamhaus.org/query/bl?ip=79.124.56.70
  • http://www.spamhaus.org/sbl/query/SBL213606
  • http://www.spamhaus.org/sbl/listings/telehouse.bg
http://telehouse.bg/
  • https://www.virustotal.com/de/url/4a0a98bd45413718c532b3128cfc59a15f8b8ba7bc5195fab8c9042cab9d827b/analysis/
2)
WOT:
  • https://www.mywot.com/en/scorecard/79.124.56.70
3)
spam.abuse.ch:
  • http://dnsbl.abuse.ch/?ipaddress=79.124.56.70
4)
WEB-REP: POOR
EMAIL-REP: POOR
  • http://www.senderbase.org/lookup/?search_string=79.124.56.70

*********************************************************************************************************************

OTHER LINKS CONNECTED TO THE PHISHING MAIL:

1.0
http://mawamalai.com/link.php
  • https://www.virustotal.com/de/url/7db23e02d8d6153c472dc14a24fb6a995875b1bb2fb271bf57cd42f78a7196ba/analysis/1398514872/
  • https://www.virustotal.com/de/file/23d32b79f3e71e41c2eb3d8811f58f72a2b6b5eb04c0981f16f61ab009945054/analysis/1398434545/
1.1
http://mawamalai.com/open.php
  • https://www.virustotal.com/de/url/dab2df490d9409a591b7b634045eb4699e62a0e15409a21de06efc1b305d456d/analysis/1398514992/
  • https://www.virustotal.com/de/file/dd5bdccb831d1b19c505bd3e67553f6049cea2e20dba7eb231a02ed0103e521f/analysis/1398169420/
1.2
http://mawamalai.com/unsubscribe.php
  • https://www.virustotal.com/de/url/e46fa0421bfd53d4679c0d1fd2005a9b877cce218e9773c9302d4bacaa09cb1b/analysis/1398515065/
  • https://www.virustotal.com/de/file/baefeec3f91b70b39b03c556d29dd1ad4eff87fe7bb0ba91fc3b774e70089281/analysis/1397141557/
2.0 (AS YOU CAN SEE IN THE MAIL-SCREENSHOT)
http://b-unitd.com/9uy
  • https://www.virustotal.com/de/url/5509e6b6e3a8aea57a3d1f566f2823d2cfea8dc636069e390ac91a7de7985732/analysis/1398515235/
REDIRECTS TO:
http://tracker.regaloptions.com/9uy
  • https://www.virustotal.com/de/url/f264470eb6d29a18bd40c6451cf1a21ae7341a3db08bf4a34352c799c9cc7c95/analysis/1398515582/
REDIRECTS TO:
http://www.projekt95pro.com/?campaign=6739&ft=1&p=jsbfaeyJhIjoiMTAwODg4IiwiYyI6IjEzOTg1MTUyNjg2NzU0ODY5MDMifQ==
  • https://www.virustotal.com/de/url/9f7dbb1fb3caa99f8b80908ee4e17c5be0c176938a8953b5f58d66fbaf4c56a7/analysis/


HTML:
  • https://www.virustotal.com/de/file/876dfcc859ab841d81c38c7ae8195570475b176540797ace7223e0b2af998976/analysis/1398515488/

(FROM 2.0) OR TO:
http://tracker.cedarfinance.com/
  • https://www.virustotal.com/de/url/b74481dafb943ce7417addb8795ca57b616850f4cb3b93950c215203b14f95ca/analysis/1398515998/
REDIRECTS TO:
https://www.cedarfinance.com/?ft=1
  • https://www.virustotal.com/de/url/89eb4f88e14c1c1b12a1ecdba00c72c4b360d70235b10b0db0a18437b79766ad/analysis/1398517210/

OTHER SUSPICIOUS LINK FROM mawamalai:
http://mawamalai.com/admin/includes/js/javascript.js
  • https://www.virustotal.com/de/url/f1d7cbde38ced99e4fc12d0265eeca61a5bdba41fd3aa60a8f04c36dc57b5e6c/analysis/1398516567/
PUA.JS.Xored
  • https://www.virustotal.com/de/file/40ea889122eaed21758c286ac2eb832a1f7263abc47e60f538e8360511c009be/analysis/
  • http://virusscan.jotti.org/de/scanresult/b14d12cc39c2a0ee18b3df555067046fdaa75169

4/04/2014

MALICIOUS ADs:
www.xforex.com (IP: 23.8.245.172)
risking with
Bad Reputation
Scam, Spam, Poor customer experience,
Misleading claims or unethical & Phishing
Cambridge, Massachusetts, USA


FOR WEBMASTERS & BLOGGERS
If you own a website or a blog and are affiliated with Google AdSense, you should block the domain www.xforex.com in your AdSense dashboard to protect your own reputation. The site is potentially blacklisted. See the following report:

Screenshot of XForeX.com

MALICIOUS AD: LEADS TO BAD REPUTATION DOMAIN 
Domain/host was seen to host badware at some point in time


SEE AS WELL:
Scam
Spam
Poor customer experience
Misleading claims or unethical
Phishing
  • https://www.mywot.com/en/scorecard/xforex.com


LINK:
http://www.googleadservices.com/pagead/aclk?sa=L&ai=C7kIPTbA-U9r2MqLu7Qa34oGICKiNkI4FiOvztmOE05t5EAEgjsCUI1DHtrnlBmC7A6AB-rD19APIAQKoAwHIA8EEqgTAAU_Q1g4toONI8eh4XQEyxHCFFEpgkD3s3VJSDzQPbzQ47fu8UJOB4_RNiCTdxf4vK_LKSdNczlvgb_vd2pb_mxTanR-wYBEI9aQX6KoWcCLae1OAI277O6w9N3KSo20c9UZMuh_-gNPlGVV7Cd8UnTVHSdTzazgwo_zpaKyeOiXHAgE_vEjWqA83eftbjPMD4XZsdyuLms2tiV8UB_jLN2NEzZjGZpxAkY_b6sFs54LPl8Vc7X3gP2wNAWpUH5NUc4gGAaAGAoAH7s6KCw&num=1&cid=5Gjyw7ojawW0czFIzezfwp9h&sig=AOD64_3DIimc5hTEw20ICdz_UVXHn3iwIQ&client=ca-pub-5585202032329389&adurl=http://www.xforex.com/ForexTradingTL%3Ftlid%3D115069%26src%3DAdWords%26medium%3DPPC%26campaign%3DAdGroupName%26ad%3D26652225616%26SiteTarget%3Dstayaway2.blogspot.com&nm=3&mb=2&bg=!A0TOlq2_SVCfUQIAAAA6UgAAABEqAPHBcvoWfHjKrzYiCXP8K18SMcCKicgztc2N1qFlSFwV-JoauJojxqe0p7gbnlnhPr1_XrKGNVLJLetSDJNw8-oa0_5Atqssh7YnQ1iAdBlL_sYFFUUD661JesYOjpxKL2xo4eHYTOWo8Rrim73oi0rkDTdIRZGqChSPt3--pLJ7IBdbaA1A_zkNhCvgo3w5evKr3lGHbnUQx_2lr0G5SiJf0SH6miR9ZfMSWPvWE39JGjUiQZ4OP8BHNHCJG-LK8EdzB4Dbu2JQ-RgdA0zCRBcrIEHy5EXJQ4vFdMaulhVEaD_q7cAC5jDhxi5Vtn-lDj5O
  • https://www.virustotal.com/de/url/d2a5d5d9bf918228e5cb654ae3798e09b8256ed110d5f633f18d60da82c56ded/analysis/1396617728/
URL after REDIRECT:
http://www.xforex.com/cms/lp/GSplit_FR/?cid=45&tid=115069&lid=fr&pubid=-1&reqt=1396617729225
  • https://www.virustotal.com/de/url/29ee4b6d441d8430c95f6f01b58c0eabbd1b3677f00cef5b6fd4a2faeb8d8d79/analysis/
DOMAIN ITSELF:
http://www.xforex.com/
  • https://www.virustotal.com/de/url/da5478eab00be730cd930a7dce16ecc2666df8586a018d366c83e8856d6064b5/analysis/
IP:
http://23.8.245.172/  (Cambridge, Massachusetts)
  • https://www.virustotal.com/de/url/28c450178989e65f572bff524c8cd114bdaf81864c8a5e9de52c89950428fceb/analysis/1396618830/
  • https://www.virustotal.com/de/ip-address/23.8.245.172/information/

3/07/2014

MALICIOUS Visitor to THIS Blog:
www.helptool.co.uk (IP: 74.119.233.25)
SCAM/SPAM/PHISHING
Microsoft Internet Explorer remote code execution via option element
UNITED STATES


POTENTIALLY MALICIOUS 
(SPAM/SCAM/PHISH) DOMAIN:
Microsoft Internet Explorer remote code execution via option element


VISITING DOMAIN:
http://www.helptool.co.uk/
https://www.virustotal.com/de/url/ac74ead641b92d866114b1be1f06dd82013e72a80560ecd1f2357b65b2f072e3/analysis/1394194891/

Microsoft Internet Explorer remote code execution via option element
  • https://urlquery.net/report.php?id=9809294
  • https://urlquery.net/report.php?id=9809290
  • https://urlquery.net/report.php?id=9809296
  • https://urlquery.net/report.php?id=9809291

SPECIFIC VISITING LINK:
http://www.helptool.co.uk/monogram-empreinte-wallets.html
  • https://www.virustotal.com/de/url/e0b9d0118bf9302ea8cc2757944df40f923aa75700f0dd6ce12fdc36eece362b/analysis/1394194885/
Microsoft Internet Explorer remote code execution via option element
  • https://urlquery.net/report.php?id=9809297
  • https://urlquery.net/report.php?id=9809298
--->
http://www.realypay-checkout.com/risk/index.js
  • https://www.virustotal.com/de/url/918164e05db230153e1e0d41bbcf1a4d41a569ff91ca63883bb8e24fd7067484/analysis/
  • https://www.virustotal.com/de/file/dcd00dcc6e406be2b2b271abbbf16a59d7efb76a1942e74b2cad5d2e9f8f5938/analysis/1393880237/
  • http://threatlog.com/search/realypay-checkout.com/domain/
  • https://www.mywot.com/en/scorecard/realypay-checkout.com
--->
http://www.mallpayment.com/risk/index.js
  • https://www.virustotal.com/de/url/e1a3b4508777564232d8ef062eb682a3e236bc997af4338a20cd8d46f423e346/analysis/1394196268/
  • https://www.virustotal.com/de/file/91ef2b7aa8e485fe44e489e0ae574d00552af458200ec03e0373863f5f060a40/analysis/1394196273/
--->
http://pcookie.cnzz.com/app.gif?&cna=SqigC3Hpk2oCAYBvMAyTGMVT
  • https://www.virustotal.com/de/url/b56a92a571d24fb7480aed4f263678c886a3f3f6981a4f5809a0d2daedf7d7f3/analysis/1394196462/
  • https://www.virustotal.com/de/file/cf4724b2f736ed1a0ae6bc28f1ead963d9cd2c1fd87b6ef32e7799fc1c5c8bda/analysis/1393805553/

3/03/2014

POTENTIALLY MALICIOUS DOMAIN: danaearhartlitif.discovermangosteen.com & descubramangostan.com
Hex Obfuscation of document.write % Encoding

(UNITED STATES)


SUSPICIOUS/MALICIOUS DOMAIN: 
Obfuscation of document.write % Encoding

DOMAIN:
http://danaearhartlitif.discovermangosteen.com/
  • https://www.virustotal.com/de/url/8d60d054384c8961ee45cbb34bc5f3d41c16aaefec0af1223c9a3c7f1dc5b7ef/analysis/1393851554/
http://danaearhartlitif.discovermangosteen.com/goland3
  • https://www.virustotal.com/de/url/61d343cfbb29a32d27a54489b3d7f887164d7f2bda2d2c01bd0fc2c6ed80db07/analysis/1393844797/
  • https://urlquery.net/report.php?id=9750352
Obfuscation of document.write % Encoding 
(SEE: http://jsunpack.jeek.org/?report=655d39915efe7e0ad9d7598684efabb10ede91ff )
http://www.discovermangosteen.com/preenroll.php?uname=danaearhartlitif&nopop=&er=1&firstname=&lastname=&firstin=1&email=&phonenumber=&promocode=goland3
  • https://www.virustotal.com/de/url/2328a244e313f7d2586c5a74cabc5508ca1124ec5046917f8672e0665ef14ef0/analysis/1393846412/
  • https://urlquery.net/report.php?id=9750525
LISTED AT hpHosts:
  • http://hosts-file.net/?s=discovermangosteen.com
FULL REPORT:




3/01/2014

MALICIOUS BLOG VISITOR (to this Blog & other ones):
www.diecrema.de (IP: 83.169.18.105)
Germany PHISHING
Microsoft Internet Explorer remote code execution via option element CVE-2011-1996





MALICIOUS DOMAIN: Microsoft Internet Explorer remote code execution via option element 

http://www.diecrema.de/
  • https://www.virustotal.com/de/url/304393da60a41d90a1c1e81e097f7a65b930ef02d49131972a56c77153ef524e/analysis/1393697717/
HTML
  • https://www.virustotal.com/de/file/1129a906ac309bc8791ab0fc5554f0daa8ea5ad0cfeaa3d809e077de0d94c490/analysis/
Microsoft Internet Explorer remote code execution via option element
  • https://urlquery.net/report.php?id=9729333
  • https://urlquery.net/report.php?id=9729329
  • https://urlquery.net/report.php?id=9729331
INFORMATION ON THIS SECURITY THREAT:


2/27/2014

New Malware Code found on IRANIAN Blogsite (involved in Phishing):
model-irani.mihanblog.com infected with
Trojan.JS.StartPage.eg (Former HEUR:Trojan.Script.Generic)
(IP: 5.144.133.146)



FOLLOWUP:
New Malicious Code:
From: HEUR:Trojan.Script.Generic
To: Trojan.JS.StartPage.eg


MALWARE: HEUR:Trojan.Script.Generic (PHISHING ACTIVITIES) IRAN

DOMAIN:

http://model-irani.mihanblog.com/
  • https://www.virustotal.com/de/url/87e504b01108edfe5de0f78bee9f91b014661af9abf0bcbb8625b88ceeb18258/analysis/1393498401/

INFECTION:

HEUR:Trojan.Script.Generic
  • https://www.virustotal.com/de/file/9ad90edf6be055ce40cdc01608f58783e6aa45bed1453e760b1afbfbbcb025b0/analysis/1393498623/
--->
http://static.mihanblog.com//public/scripts/run/g.other.v3.js
  • https://www.virustotal.com/de/url/0bdd1749892dbca59d44f29f3d008f5639aeb8be37ec4deb6873ada600e84505/analysis/1393498967/
PUA.Script.Packed-2
  • https://www.virustotal.com/de/file/9c7e6c2ebd2ac2b10978a8627e31d1cd287aa43f19e5a8233b018103dad507d2/analysis/1393498970/
FOR THE FULL REPORT CLICK THE .txt ICON:



1/31/2014

adrfish.com
PHISHING, SCAM, SPAM SITE:
"Recevez de l'argent pour repondre a des email"
("Receive Money for answering E-Mails") (COSTA RICA)

I have discovered a concept so incredible that
you will not believe how simple it is to
make money from the comfort of your home.

Description of your working day:

-You check your mails from your computer.
-You automatically receive 49.90EUR per mail.
-You forward the information contained in the Pack

And that's all!

Go now to this page
http://adrfish.com/link.php

Big income possible if you are a hard worker.
Screenshot Phishing Mail


MALICIOUS PHISHING, SCAM, SPAM DOMAIN:
adrfish.com
  • https://www.virustotal.com/de/url/1ba30caae863c2e2161a960bc415e1e24f396d623337aa2e295a650ea604333f/analysis/1391182156/
LISTED AT SPAMHAUS:
  • http://www.spamhaus.org/query/domain/adrfish.com
LISTED AT SURBL:
  • http://www.surbl.org/surbl-analysis
SEE ALSO:
  • https://www.mywot.com/en/scorecard/adrfish.com
  • http://www.urlvoid.com/scan/adrfish.com/
IP:
181.174.168.10
  • https://www.virustotal.com/de/url/2040501af8a661b329843b3c3791d3a622243dc219a5a5a906b8de52d4539968/analysis/1391184275/
IP LISTED AT SPAMHAUS:
  • http://www.spamhaus.org/query/bl?ip=181.174.168.10





1/28/2014

SPAM:
www.globalcitybusiness.com (LISTED AT DBL SPAMHAUS) &
www.streamlife.de (GERMANY)

This newsletter is not SPAM. You are receiving it because you
agreed to receive the newsletter when you registered with us
or on our partner site.

The offers are advertisements of the respective advertisers, who are responsible for their content. If you have questions about the content, please contact the provider and not Adress Butler Ltd., as it is solely the technical sender of this message!
Please do not reply directly to this e-mail, as it cannot be delivered.

The technical sender of this e-mail is AdressButler Ltd,
Karl-Heinz-Beckurts-Str. 13, 52428 Jülich
Of course you may object to the use of your data at any time. If you do not wish to receive further information,
please click here to unsubscribe.
http://www.globalcitybusiness.com/unsubscribe.php

POTENTIALLY MALICIOUS SPAM DOMAIN(s): 
SCAM, PHISHING ETC. (LISTED AT SPAMHAUS)
www.globalcitybusiness.com
  • https://www.virustotal.com/de/url/111618ab5b6305880338fff2038a6dbdd5007efe2b7ae7886a91a25fb04cc1d9/analysis/1390927191/
www.globalcitybusiness.com/link.php
  • https://www.virustotal.com/de/url/352dbbd057b010a71041a76563b676358c7b98297fba1fda87b24f0386bb7b24/analysis/1390927504/
  • https://www.virustotal.com/de/file/23d32b79f3e71e41c2eb3d8811f58f72a2b6b5eb04c0981f16f61ab009945054/analysis/1386786113/
www.globalcitybusiness.com/open.php
  • https://www.virustotal.com/de/url/7a7a15b5d7f022340d21f099685c49ea8ff4f291b190d7ecb5cdd6417c8fa46d/analysis/1390927570/
  • https://www.virustotal.com/de/file/dd5bdccb831d1b19c505bd3e67553f6049cea2e20dba7eb231a02ed0103e521f/analysis/1390580473/
www.globalcitybusiness.com/unsubscribe.php
  • https://www.virustotal.com/de/url/a52381179dbe95f686a83ef039f938f62d3ddd1ac90c0898d1ed898f4cbf3745/analysis/1390927632/
  • https://www.virustotal.com/de/file/baefeec3f91b70b39b03c556d29dd1ad4eff87fe7bb0ba91fc3b774e70089281/analysis/1386768007/
  • http://www.urlvoid.com/scan/globalcitybusiness.com/
LISTED AT SPAMHAUS (DBL): 
(and not without reason, as they state in the e-mail: THIS IS NO SPAM)
  • http://www.spamhaus.org/query/domain/globalcitybusiness.com
 
E-Mail Screenshot

www.streamlife.de
  • https://www.virustotal.com/de/url/87771b9dd41a23e777709022835837a7f32da2b361c54e3f6805bc6a9c554312/analysis/1390934550/
  • https://www.mywot.com/en/scorecard/streamlife.de
  • http://www.urlvoid.com/scan/streamlife.de/

1/26/2014

MALICIOUS SITE: rukiyehayran.com
(PHISHING, MALWARE, SCAM, SEO SPAM)
TURKEY (Rogue Medications - Zymbiotix)


MALICIOUS SITE: PHISHING, MALWARE, SCAM, SEO SPAM (Zymbiotix Cleanse)

"Are you sure you don't want to take advantage of the Garcinia Cambogia offer?

Don't forget - it will only be available for a LIMITED TIME.

Since this offer is so cheap, there is no risk to you. You can also give them away if you'd like. Or give it a shot, and get Garcinia Cambogia.

If you are wondering why this offer is so cheap, the simple answer is because the manufacturer is confident that their products will help you, and that you will continue to use their products, and refer friends and family.

Celebrities like Kim Kardashian and Britney Spears have lost a significant amount of body fat with just these 2 diet cleanses. The duo cleanse is clinically proven to flush out all the junk in your body and melt away body fat without harming your immune system. Keep reading and you'll find out why we created this report."

DOMAIN:
rukiyehayran.com
  • https://www.virustotal.com/de/url/2f6ab6c39c5b436e410ec66f2f62be5d8f1156c38b48b63c8d5062128605e9f2/analysis/1390758337/

HTML
  • https://www.virustotal.com/de/file/1f1218e4661f525ee1fcd70a043b7c0a3709ab33b39af313ffec819f59e24ffa/analysis/1390751239/


LINK 2
rukiyehayran.com/likeit.php
  • https://www.virustotal.com/de/url/6ebf42c21c420e1b2d377bbd335ed3b3317373a895c8e29566deb40650e4bfe3/analysis/

HTML
  • https://www.virustotal.com/de/file/70c6546a370ccedbdbf101bfd0124adc537fc4cccb7c022a0300071c3f09afcd/analysis/
  • http://jsunpack.jeek.org/dec/getfile?hash=3585/7a7fe26eb28c4a47ccd31474b3944cefef41
  

LINK 3 (SPECIFIC)
rukiyehayran.com/likeit.php?nwqmqztem1151qapb
  • https://www.virustotal.com/de/url/9f589ceabb55b17f43769500f860b201ff60715e36bff0cc6422728b93b92232/analysis/1390758346/

HTML
  • https://www.virustotal.com/de/file/70c6546a370ccedbdbf101bfd0124adc537fc4cccb7c022a0300071c3f09afcd/analysis/

POSSIBLE ORIGINATING IP ADDRESS: 108.166.43.117

Screenshot of E-Mail Scam from rukiyehayran.com

 

1/23/2014

Beware of such FAKE FACEBOOK PROFILE(s):
www.facebook.com/Gertruda
(PHISHING & MALICIOUS ACTIVITIES (BLOGSPYING AND -PROVOKING))


SUSPICIOUS TO MALICIOUS - FAKE FACEBOOK PROFILE: (PHISHING & MALICIOUS ACTIVITIES (BLOGSPYING AND PROVOKING))





www.facebook.com/Gertruda

https://www.virustotal.com/de/url/a1a5dc8ee81ab63a5e78376d7649cfa38290e74649389b01d0c1bffb85457f4e/analysis/1390505891/
https://www.virustotal.com/de/file/63179ad2dff2e4a1745f05650007bb54630c83c49127101bd474fa054144a64c/analysis/1390509908/


Gert ? Gertruda ?





Is this Gert...






...or is HE GERTRUDA ???


MALICIOUS DOMAIN: top100blogs.4you.cloudns.us
(PHISHING & Paid Links - Netherlands)





POTENTIALLY MALICIOUS DOMAIN:

top100blogs.4you.cloudns.us
  • https://www.virustotal.com/de/url/113d96e224923eceebeb484e92aacd0f6d929d81b79f014503a3c8276fb852e8/analysis/
  • http://www.browserdefender.com/site/top100blogs.4you.cloudns.us/
  • http://quttera.com/detailed_report/top100blogs.4you.cloudns.us
  • http://sitecheck.sucuri.net/results/top100blogs.4you.cloudns.us
  • http://www.urlvoid.com/scan/top100blogs.4you.cloudns.us/

1/07/2014

Category MALICIOUS DOMAIN & IP: www.7secretsearch.com - Referrer-Bot - Spam-Bot - (IP: 192.157.253.9 - United States)

Potentially Malicious Spam (PHISHING, REFERRER) Domain:


 SECRET SPAM 

 

How To Control Visits From Referring Bots Such as Vampirestat, 7secretsearch and Adsensewatchdog?


Have you ever been annoyed by these sites that inflate the visit count of your blog while no visits appear in Google Analytics? Or by the infamous Whos.amung.us toolbar? Or by the anonymous robot visits from Vampirestat, Adsensewatchdog and www.7secretsearch.com? Neither Adsensewatchdog nor any other of these bots has anything whatsoever to do with Google or Google AdSense. They are simply spam sites that send automated traffic to blogs so that blog owners such as you, seeing the referrer in your statistics, click through to their sites.

Stay away. Traffic from these sites won't affect your standing with the real AdSense, so just ignore them.

Follow the next steps to get these bots under control and to reduce their traffic:
  • Never click on the referring domain links in your blog or webmaster statistics, and never visit their site.
  • Instead, make a post (like this one) on your blog with a negative review. In the long run their reputation will drop to negative. Reputation is the only thing they have to lose.
  • Go to VirusTotal (you can stay anonymous there), scan the URL of that malware domain, and give it a red flag. If you register, you can also post your opinion as a review. On my blog, if you look deeply enough, there are enough reputation-lookup domains for getting information (good or bad) about a suspicious link or domain.
  • Additionally, you can also submit a SPAM report to Google (Webmaster Tools) here.
Vampirestat whois info can be found here:


DOMAIN:
www.7secretsearch.com
  • https://www.virustotal.com/de/url/739a8261db4d68ae323ed83cfbc607b660a24b795f8303556f69a16ff8401d3d/analysis/1389109170/
  • https://www.mywot.com/en/scorecard/7secretsearch.com

www.7secretsearch.com also LINKS TO THESE MALICIOUS DOMAINS (either directly or indirectly):
widgets.amung.us
  • https://www.virustotal.com/de/url/7d7680eeb36197872a2ece324606e7743b74fd3a8e9630c6c368a3e1e21750b3/analysis/1389106363/
  • https://www.mywot.com/en/scorecard/widgets.amung.us
ad.yieldmanager.com
  • https://www.virustotal.com/de/url/e0a975001a88f4f74a9d2b665d51f2926c2419314d71064df9154651e39cf4a3/analysis/1389106564/
  • https://www.mywot.com/en/scorecard/ad.yieldmanager.com
content.yieldmanager.edgesuite.net
  • https://www.virustotal.com/de/url/e6800829b1dc059b832b190918b88a3bf2a9e3abec2ec851fd97f1ef0cae3d5f/analysis/1389106685/
  • https://www.mywot.com/en/scorecard/content.yieldmanager.edgesuite.net
i.imgur.com
  • https://www.virustotal.com/de/url/342cf1310c26da63f694aa634371ad46b4eca8e3a872cf6fa57580da670b3f18/analysis/1389110141/ 
  • http://www.urlvoid.com/scan/i.imgur.com/
  • https://www.mywot.com/en/scorecard/i.imgur.com
ads1.qadabra.com
  • https://www.virustotal.com/de/url/12a7166afab22285b29fbb66a049ff087a12cc15de8946c14c8f854a32753030/analysis/1389110286/
  • https://www.mywot.com/en/scorecard/ads1.qadabra.com
******************************************
IP:
www.7secretsearch.com = 192.157.253.9
  • https://www.virustotal.com/de/url/53855973d65537bd71949729a1f4d4d0e8cb9abb1a4cf483e3cbabaa00b3b0ed/analysis/1389106168/
  • https://www.virustotal.com/de/ip-address/192.157.253.9/information/
Fwd/Rev DNS Match: No
  • http://www.senderbase.org/lookup/?search_string=192.157.253.9
RELATED POSTS: 

Category MALICIOUS DOMAIN & IP: www.vampirestat.com - Referrer-Bot - Spam-Bot - (IP: 192.157.253.9 - United States)

Potentially Malicious Spam (PHISHING, REFERRER) Domain:


 

How To Control Visits From Referring Bots Such as Vampirestat and Adsensewatchdog ?


Have you ever been annoyed by these sites which increase the visits in your blog statistics while no visits appear in Google Analytics? Or the infamous Whos.amung.us toolbar? Or the anonymous robot visits from Vampirestat or Adsensewatchdog? Neither Adsensewatchdog nor any other of these bots has anything whatsoever to do with Google or Google AdSense; they are simply spam sites that use automated traffic to blogs to attract clicks to their own sites from blog owners such as you.

Stay away. Traffic from these sites won't affect your standing with the real Adsense, so just ignore them.

Follow the next steps to get these bots under control and to reduce their traffic:
  • Never click on the referred domain links in your blog or webmaster statistics, or visit their site.
  • Instead make a post (like this one) on your blog, with a negative review. In the long run their reputation will fall down to hell. Reputation is the only thing they can lose.
  • Go to Virus Total (you can stay anonymous there), scan the URL of that malware domain, and give it a red flag. If you register, you can also post your opinion as a review. On my blog, if you look deeply enough, there are enough referring lookup domains for getting information (good or bad) on a suspicious link or domain.
  • Additionally, you also can submit a SPAM report to Google (Webmastertools) here.
Vampirestat whois info can be found here:


DOMAIN:
www.vampirestat.com
  • https://www.virustotal.com/de/url/351a5e04578dbede25165617ca14aa393ee229efdc533bae6a1f0960af976edf/analysis/1389105156/
  • https://www.mywot.com/en/scorecard/vampirestat.com
  • http://www.urlvoid.com/scan/vampirestat.com/
www.vampirestat.com also LINKS TO THESE MALICIOUS DOMAINS (either directly or indirectly):
widgets.amung.us
  • https://www.virustotal.com/de/url/7d7680eeb36197872a2ece324606e7743b74fd3a8e9630c6c368a3e1e21750b3/analysis/1389106363/
  • https://www.mywot.com/en/scorecard/widgets.amung.us
ad.yieldmanager.com
  • https://www.virustotal.com/de/url/e0a975001a88f4f74a9d2b665d51f2926c2419314d71064df9154651e39cf4a3/analysis/1389106564/
  • https://www.mywot.com/en/scorecard/ad.yieldmanager.com
content.yieldmanager.edgesuite.net
  • https://www.virustotal.com/de/url/e6800829b1dc059b832b190918b88a3bf2a9e3abec2ec851fd97f1ef0cae3d5f/analysis/1389106685/
  • https://www.mywot.com/en/scorecard/content.yieldmanager.edgesuite.net
******************************************
IP:
www.vampirestat.com = 192.157.253.9
  • https://www.virustotal.com/de/url/53855973d65537bd71949729a1f4d4d0e8cb9abb1a4cf483e3cbabaa00b3b0ed/analysis/1389106168/
  • https://www.virustotal.com/de/ip-address/192.157.253.9/information/
Fwd/Rev DNS Match: No
  • http://www.senderbase.org/lookup/?search_string=192.157.253.9
RELATED POST: 

Category MALICIOUS DOMAIN & IP: www.adsensewatchdog.com - Referrer-Bot - Spam-Bot - (IP: 62.116.143.21 - GERMANY)

Potentially Malicious Spam (PHISHING, REFERRER) Domain:


 

How To Control Visits From Referring Bots Such as Vampirestat and Adsensewatchdog ?

Have you ever been annoyed by these sites which increase the visits in your blog statistics while no visits appear in Google Analytics? Or the infamous Whos.amung.us toolbar? Or the anonymous robot visits from Vampirestat or Adsensewatchdog? Neither Adsensewatchdog nor any other of these bots has anything whatsoever to do with Google or Google AdSense; they are simply spam sites that use automated traffic to blogs to attract clicks to their own sites from blog owners such as you.

Stay away. Traffic from these sites won't affect your standing with the real Adsense, so just ignore them.

Follow the next steps to get these bots under control and to reduce their traffic:
  • Never click on the referred domain links in your blog or webmaster statistics, or visit their site.
  • Instead make a post (like this one) on your blog, with a negative review. In the long run their reputation will fall down to negative. Reputation is the only thing they can lose.
  • Go to Virus Total (you can stay anonymous there), scan the URL of that malware domain, and give it a red flag. If you register, you can also post your opinion as a review. On my blog, if you look deeply enough, there are enough referring lookup domains for getting information (good or bad) on a suspicious link or domain.
  • Additionally, you also can submit a SPAM report to Google (Webmastertools) here.
Adsense Watchdog whois info can be found here:


DOMAIN:
www.adsensewatchdog.com
  • https://www.virustotal.com/de/url/921112e01ece904b7e24283c7ec7ef528e7a3dc1ac245b8f587e6433436ce107/analysis/1389090321/
  • http://zulu.zscaler.com/submission/show/fe117411f30d42cb7739f297064075f2-1389090365
  • https://www.mywot.com/en/scorecard/adsensewatchdog.com
  • http://www.urlvoid.com/scan/adsensewatchdog.com/
adsensewatchdog also LINKS TO MALICIOUS DOMAIN:
g.ateway.net/scripts/js3caf.js
  • https://www.virustotal.com/de/url/0b99952398ba93d977c9cc1e2643ceafe173bfabe3457b2ab3e625458dbc983e/analysis/1389090678/
*************************************
IP:
www.adsensewatchdog.com = 62.116.143.21
  • https://www.virustotal.com/de/url/39f28e85728fbfeaa15bee84c353657140821d8e8b77585f1e57bbd8628ebf60/analysis/1389091150/
  • http://www.urlvoid.com/ip/62.116.143.21
Web Reputation: Poor
  • http://www.senderbase.org/lookup/?search_string=62.116.143.21
  • https://www.virustotal.com/de/ip-address/62.116.143.21/information/
 
RELATED POST: