FYI...Something evil on 188.8.131.52/28
3 Feb 2014 - "Another OVH Canada range hosting criminal activity, 184.108.40.206/28 is being used for several malicious .pw domains being used to distribute malware (as used in this attack*). The malware domains seem to rotate through subdomains very quickly, possibly in an attempt to block analysis of their payload. This block is carrying out the same malicious activity that I wrote about a few days ago**. OVH have suballocated this IP block to an entity that I believe is connected with black hat host r5x .org.
CustName: Private Customer
Address: Private Residence
City: Penziatki ...
RegDate: 2014-01-24 ...
These IPs are particularly active: 220.127.116.11
There is nothing of value in this /28 block and I recommend that you -block- the entire IP range plus the following domains (which are all already flagged as being malicious by Google)
.."(Long list of .pw domains at the dynamoo URL above.)
___Something evil on 18.104.22.168/27
3 Feb 2014 - "22.214.171.124/27 is a range of IP addresses belonging to Network Operations Center Inc in the US and suballocated to a customer which is currently being used in malware attacks as an intermediate step in sending victims to this malicious OVH range*. You can see an example of some of the badness in action here**. The range was formerly used by a company called TixDepot but may have been hijacked or reassigned. NOC report the following contact details for the block:
network:country: US ...
About -half- the domains in this /27 have been flagged as -malicious- by Google, concentrated on the three IP addresses: 126.96.36.199
I would recommend -blocking- the entire /27, but this is the breakdown by IP address with domains tagged by Google highlighted (there's a plain list here***)"
___Something evil on 188.8.131.52/28
3 Feb 2014 - "More badness hosted by OVH Canada, this time 184.108.40.206/28 which contains pretty much the same set of evil described here*. Here is a typical IP flagged by VirusTotal** and a failed resolution by URLquery*** which frankly gives enough information to make it suspicious. However, the key thing is the registrant details which have been used in -many- malware attacks before:
CustName: Private Customer
Address: Private Residence
I can see the following .pw domains active in this range: basecoach .pw
All those domains are flagged by Google as malicious and I recommend that you block them along with 220.127.116.11/28
___Fake Intuit/TurboTax/IRS Refund Notice
2/3/14 - "People are receiving -fake- emails with the title "IRS Refund Notice":
This is the end of the -fake- email.
Steps to Take Now: Do -not- open the attachment in the email. -Delete- the email..."
___German email accounts hacked - Scams circulate
Feb 3, 2014 - "Recently, the German Federal Office for Information Security disclosed that the email accounts of up to 16 million users had been compromised. The computers of these users were infected with information-stealing malware, which was used to steal these login credentials. The German government has set up a page where users can check if their email accounts have been compromised*. We recommend that users in Germany check their accounts, as we're seeing a re-occurrence of certain -scams- which rely on compromised email accounts...
Protecting email accounts should be a top priority, considering the amount of sensitive information stored in them and the other accounts that can be controlled via password resets. Users should remember a few key safety tips:
• Always use different complex passwords or passphrases for different accounts. Password managers can help create and manage multiple online accounts.
• Opt for two-factor authentication when possible.
• Only log in using secure and trusted devices. Think twice before logging in from public devices such as Internet cafes.
• Users can also opt for encryption services for added protection."
___ANZ 'Upgrade to New System' Phish
Feb 3, 2014 - "Email pretending to be from large Australian and New Zealand bank ANZ claims that customers must click a link to upgrade to a new system technology designed to give users maximum protection... The email is a phishing scam that tries to trick users into divulging their personal information to criminals. The "Log on" button opens a -bogus- website designed to steal the user's ANZ account login details...
According to this email, which purports to be from the ANZ bank, customers are required to upgrade to a new system by logging into their accounts. The message claims that the new system will offer maximum protection and invites users to click a "Log on" button. The email is formatted with ANZ's logo and colour scheme to make it appear more genuine... the message is -not- from ANZ and the claim that users must login due to a system upgrade is untrue. The email is a simple phishing scam designed to grab account login credentials from unsuspecting ANZ customers... If users enter their customer number and password on the fake page and click the "Log on" button, they will be automatically redirected to the genuine ANZ site. They may believe that they have successfully "upgraded" to the new system and may remain unaware that they have been scammed until the next time they try to log in... ANZ has published information about phishing scams on its website*..."
___Fake Evernote - Malware Email
Feb 2, 2014 - "Email purporting to be from note-taking application Evernote claims that an image has been sent and invites users to click a link to view the image... Evernote did not send the email and has no connection to it. The message is a criminal ruse designed to trick people into downloading and installing malware.
According to this email, which purports to be from popular note-taking application Evernote, an image addressed to the recipient has been sent. The message includes a clickable "Go to Evernote" button. The name of the supposed image is also clickable. However, Evernote did not send the email. Nor did it send an image as claimed. Clicking the links in the message will not open an image stored in Evernote as suggested in the message. Both links lead to a compromised website that harbours -malware-