CyberCrime & Doing Time

ACH / WireTransfer Failed spam goes crazy!

2011-11-16T09:06:00.000-08:00

Yesterday we saw two HUGE spam campaigns that continue into this morning advertising various alternatives of "your wire transfer failed" as subject lines.

We saw at least 86,197 copies of this spam on November 15th, that I am mentally dividing into "Named Institution / zfin" spam and "random intermediary" spam.

The "zfin" spam was far more prevalent, with 62,331 copies of the 86,197 copies pointing to a URL that contained "zfin.php" in the path.

The "zfin" spam has a mail message that reads something like this:

Dear Account Holder,

Money Transfer sent by you or on your behalf was hold by our bank.

Transaction ID: 17019302204565051
Current status of transaction: on hold

Please review transaction details as soon as possible.

N. B. Abel
Treasury Management

The "non-zfin" email has a message that reads something like this:

Dear Bank Account Operator,
I regret to inform you that Wire transfer initiated by you or on your behalf was hold by us.

Transaction: 238006864683285
Current transaction status: Pending

Please review transaction details as soon as possible.

In both versions a very large number of "intermediary" spam domains are used. These are "page forwarders" that have been placed on compromised web servers. The hackers have gathered a very large list of website userids and passwords where they can place new content at will, without the knowledge of the webmaster. They log in as the webmaster, upload their "forwarder" page, and then use that newly created page as the destination in spam messages.

More than 15% of the spam that we saw at the UAB Spam Data Mine yesterday belonged to this pair of campaigns, and the volume is still extremely high this morning.

Many of the emails used the faked "from" domains:

uba.org 5785
lba.org 5762
aba.com 5724
bankersonline.com 5681
cbanet.org 5674
vabankers.org 5672
mbaa.org 5645
nationalbankers.org 5634
icba.org 5620
allbankers.org 5604
fiba.net 5532
direct.nacha.org 5024

Forty-seven destinations were listed by the "zfin" spam, where a Financial Institution was included in the subject line. These destinations heavily favored Argentinian domain names:

adsr.com.ar /zfin.php
alarpargentina.com.ar /zfin.php
amhbra.com.ar /zfin.php
berlinonbike.de /zfin.php
blbtranslations.com.ar /zfin.php
cargadedatos.com.ar /zfin.php
cienciarama.com /zfin.php
diagonalpro.com.ar /zfin.php
diloplas.com.ar /zfin.php
f-guazzaroni.com.ar /zfin.php
grupoaie.com /zfin.php
healthsolution.com.ar /zfin.php
hebamme-hindenberg.de /zfin.php
horsejack.com.ar /zfin.php
horuz.com.ar /zfin.php
iguazuwonderful.com /zfin.php
imevial.cl /zfin.php
juliancortary.com /zfin.php
mecanicamm.zzl.org /zfin.php
mikromesh.de /zfin.php
mileycyrusdaily.com /zfin.php
monialberti.com.ar /zfin.php
ohoven.de /zfin.php
onpacker.de /zfin.html
picturereport.net /zfin.php
playamarinaestates.com /zfin.php
regionalvanesaduran.com.ar /zfin.php
saboresdecordoba.com /zfin.php
safarisfotograficos.com.ar /zfin.php
schoss-objekt.de /zfin.php
sindy.com.ar /zfin.php
sindy-arg.com.ar /zfin.php
tamandua-transporte.com.ar /zfin.php
vanessahudgens.bz /zfin.php
video-professionell.de /zfin.php
visiondelnoroeste.com.ar /zfin.php
viveroelparaiso.com.ar /zfin.php
whitehorsemedia.de /zfin.php
www.ava-kunden.de /zfin.php
www.bx000471.ferozo.com /zfin.php
www.enpuntasdepie.com.ar /zfin.php
www.profileinformatica.com.ar /zfin.php
www.samavi.com.ar /zfin.php
www.seebek.com.ar /zfin.php
www.tecnosistemas.com.ar /zfin.php
www.tecnotrucos.com.ar /zfin.php
www.tetraisotopos.com /zfin.php

By mixing a "prefix" with an "institution name" more than 10,000 unique subject lines were created. 702 Financial Institutions have been named so far . . .

The prefix for the subject is selected from this list:

ACH debit transfer was hold by
ACH debit transfer was not accepted by
ACH payroll payment was hold by
ACH payroll payment was not accepted by
ACH Transfer was hold by
ACH Transfer was not accepted by
Bill Payment was hold by
Bill Payment was not accepted by
Domestic Wire Transfer was hold by
Domestic Wire Transfer was not accepted by
Funds transfer was hold by
Funds transfer was not accepted by
Money Transfer was hold by
Money Transfer was not accepted by
Payment was hold by
Payment was not accepted by
Wire Transfer was hold by
Wire Transfer was not accepted by

and then suffixed with a financial institution name from the list found at the end of this email. . . .

The "non-zfin" form of the list uses one of these subjects: (Random number use is notated by #RND#)

ACH payment canceled
ACH payment rejected
ACH transaction canceled
ACH Transfer canceled
ACH transfer rejected
ACH transfer was hold by our bank
Declined Direct Deposit payment
Direct Deposit payment ID #RND# rejected
Direct Deposit payment was cancelled
Direct Deposit payment was declined
Direct Deposit payment was rejected
Disallowed Direct Deposit payment
Fwd: Wire Transfer (#RND#)
Fwd: Wire Transfer Confirmation
Fwd: Wire Transfer Confirmation (FED #RND#)
Fwd: Your Wire Transfer
Notification about the rejected Direct Deposit payment
Payment ID #RND# rejected
Re: your Direct Deposit payment ID #RND#
Regarding your Direct Deposit via ACH
Rejected ACH payment
Rejected ACH transaction
Rejected ACH transfer
Urgent notice about your electronic payments
Your ACH transaction
Your ACH transfer
Your Direct Deposit payment ID #RND# was declined
Your Direct Deposit payment via ACH was declined
Your Direct Deposit payments were disallowed
Your Direct Deposit payments were rejected

These spam messages directed users to one of 1962 unique URLs that all SEEM to be compromised websites, with the exception of some "free hosting" sites, and a handful of URL shortening services. That list is presented below, with the list reduced to 671 instances by eliminating all but a single example URL per host computer:

015cc13.netsolhost.com /7o1otl/index.html
119.245.150.188 /
163.30.58.134 /
164.125.9.9 /~kimjw/gigl.php
173.193.15.56 /~assalamt/13xwph/index.html
193.59.73.242 /
194.51.85.73 /~tlariviere/zmtg.html
195.244.192.61 /
200.13.224.125 /
200.58.114.11 /
202.43.73.66 /
203.174.34.130 /
210.239.8.82 /~kenmin/akatx.php
212.110.96.163 /
213.191.128.17 /
216.172.186.5 /~peacock/9f46fnr/index.html
38.103.167.38 /
4a.4b.354a.static.theplanet.com /~playcas/5be1urt/index.html
60.251.4.82 /
62.193.216.26 /
62.233.121.21 /
62.233.121.25 /
66.133.129.5 /~nsmarc1166/gbsmofb.html
74.86.158.236 /
82.140.32.161 /
82.223.150.99 /
83.243.20.173 /
84.32.77.200 /
87.98.187.244 /
90plan.ovh.net /~aventureo/1k87cy0/index.html
a.md /9Q6
abandonedontario.ca /
abbastravel.com /
ad.f8.5546.static.theplanet.com /~outdoors/0nnpob/index.html
adagadoxig.freecities.com /acjxur.html
adamant.az /deuhgi.html
adanovan968.100megsfree5.com /oduarg705.html
adi-tobyfatud.fcpages.com /oprirtir.html
ady-ufodopyrub.envy.nu /bezuvee0.html
afucezox706.bigheadhosting.net /nofloudabuse.html
agrooyl.ro /inlcude.html
airteksystems.com /
airworkscompressors.com /
ajubecujal-tope.freewebsitehosting.com /lrosperousneslaa08.html
akapela.gr /7as4xe/index.html
akat-tech.com /
alahpe.notlong.com /
alasimipi-akad.maddsites.com /poadkh.html
ale-jygowesop.lookseekpages.com /leonijii785.html
aleksrdest.com /
alfra-tools.be /contents/index11.html
alfra-tools.nl /
alided-isig.freewebportal.com /noninfecluoufyy45.html
all-expo.eu /0uktna/index.html
alphametal.info /
alphashop.nl /
alugiceb34.lookseekpages.com /pptopwaner.html
alzmetall.be /shared_files/index11.html
alzmetall.nl /contents/index11.html
amanibap105.envy.nu /pdiasamd.html
amidopysud.greatnow.com /pytacinc.html
amolijuza795.freewaywebhost.com /novdurabbebii57.html
amylo.ca /
annelotte.com /
anu-efitodose.maddsites.com /pinuda.html
anwaltskanzlei-apw.de /dxocq8/index.html
apibopeco-isex.maddsites.com /pammtqqaw.html
apnea-creativa.net /
apollox.net /
aqas-rijaxatoc.virtue.nu /polivlex.html
aqo-awiwyzyhot.lookseekpages.com /phaxa12.html
aquastats.nl /
ariane-services.com /~ph_laura/1trr7oh/index.html
asewad722.freewebsitehosting.com /petrqeisec.html
askara.ca /
assilphone.com /46in4f/index.html
assistantarea.com /0dt038i/index.html
astola.com.au /03ajwnt/index.html
athmajothi.com /2kejqlu/index.html
atlas.nseasy.com /~athmajot/995rxv/index.html
atomicdigitalcapture.com /4srpft/index.html
atscaf.fr /0w019w/index.html
audier.nl /1vz1hs/index.html
aunesty.com /34n6z2t/index.html
aurorabraces.com /
autodc.fr /5s82w4/index.html
auvalon.sk /0wffuo/index.html
aviorr.com /0jlklp6/index.html
axux-oxylule.s-enterprize.com /nikeuu5.html
aze-seqyqan.dreamstation.com /rorihigotikano.html
aziatische-ingredienten.nl /52n8pw/index.html
azuma.co.th /
babytake.com /7r7hr4p/index.html
badcompanyeredar.ba.ohost.de /2m23xd6/index.html
balconesdelparque.com /3sdl39/index.html
baldimanuela.it /inlcude.html
bandzaagmachine.nl /
banyanchildrenlibrary.com /qbbxnth/index.html
barpetra.com /hsldl6/index.html
bb4f.net /0pwbvz/index.html
bedrijftekooptiel.nl /
bedrijftekoopzetten.nl /
benice.pytalhost.de /8ir8he9/index.html
berufskolleg-brilon.de /2jt3oy/index.html
beststockbook.com /21jrj7g/index.html
bidenurefu-upi.servetown.com /nixqczzn.html
bifapuniho-nyna.digitalzones.com /jypajpa.html
birchip.com /c2xollw/index.html
biru.web.id /nemi5k/index.html
bi-vent.de /51kk7o/index.html
bizalgerie.com /92usm9/index.html
bjay12.com /2pamuex/index.html
blog.forumfan.pl /
blog.tedinet.com /kissnza/index.html
boatbooks.ca /
boatlicences.com.au /msp9nc/index.html
boncukhaliyikama.com /echhgst/index.html
boroth.servers.rbl-mer.misp.co.uk /~attract/3vpite/index.html
bosokovemi1800.maddsites.com /wizim.html
bosugixe.sdhost.tk /ugisogu.html
brouze.fr /inlcude.html
brutalfun.net /0p4tl4/index.html
bumblebeeman.enixns.com /~bookmi/726d5mn/index.html
buwynobolo.freehostyou.com /wlrbo.html
buzeqok.222mb.tk /aruvivy.html
byqopoveni-apyl.fcpages.com /redberunnez290.html
c2.16.344a.static.theplanet.com /~peterfur/hqrgv4/index.html
caddcentre.org /1do876d/index.html
caddcentre.ws /4yeqtja/index.html
cadokeduzi207.100freemb.com /paxhokuh.html
cafeamerika.de /2n7a13/index.html
cahev.com /
caqiwy-mora.greatnow.com /pgonham.html
casinospoker-online.info /3z0ugvx/index.html
casu-urenywyje.lookseekpages.com /sasg0211.html
cazonof1845.greatnow.com /nisolicoo8933.html
celluloidtamil.com /inlcude.html
cgworkshops.net /inlcude.html
ChaitanyaHolidays.in /
champagne-ruelle-pertois.com /
chateau-haut-gachin.com /
chilp.it /496e27
ciata.be /
cihawuva.webclot.org /yruwevu.html
cim-byzowofy.freewaywebhost.com /polairs.html
citydibo1446.exactpages.com /protenluuu41.html
citynewsservice.de /g5nfpqn/index.html
cizomixo.freehosting.bg /uxicutov.html
classicknits.co.in /6j3o6e/index.html
click1.goshadowshopping.com /iyyvyncqkbpwvhkcwbmpkwtnthwhmyhthfmyfkmynymzmc_lkhdmzdwhjzw.html
clickandclaimcouk.site.securepod.com /5n4uxw/index.html
cm.digiportal.com /php/CR/cmregister.php%3Fdata=cR2NA4mi3ED%2B9KZ3KbHZoLUlSJRqo2hCZWTTw7FA86yfesTTa7T5mz8nIfQIsOEJqCYEjlrSL2Kb22pt1bCNT9YgXTqnV9Hq0szMhVjmIj7KYTbpAXf8d9rdvs9EUK7IwIuiNhR4mho%3D
cocynuvoxo.virtue.nu /pabter255.html
cojojibi.4sql.net /amematy.html
conred.com /65q7jj/index.html
contimac.eu /
copofude.freehost.artonat.com /ugisogux.html
cornwell.cz /f.html
cos-ovaxyrex.mindnmagick.com /pashtetdqivuz.html
cp05.digitalpacific.com.au /~austraqc/6g6dif/index.html
crm.ndr.it /
cukydyvu.exactpages.com /uu3920.html
cuzihyket1405.bigheadhosting.net /dosf882.html
cygnus.inc.cl /~planhost/jgf5m7/index.html
cyta-qorizatovy.greatnow.com /onarban303.html
czester.freehost.pl /
dab-gynyto.1accesshost.com /ofyt745.html
dachshund.ru /
dahlih.nl /
dashramspa.com /79q2h6/index.html
daxilymapo-ymeg.exactpages.com /atextn858.html
degogoyi.hosto2.info /ruvivyfu.html
deko-bett.de /04eozwl/index.html
dembs.com /
denohifi.builtfree.org /xqibitaa90.html
desmidspijk.nl /inlcude.html
dhseminars.com /5zn712w/index.html
dialog-translations.com /00kzr4/index.html
diamanza.50webs.com /
dirimukysu.1accesshost.com /polarbead7610.html
disasterrecovery.org /
djxcube.com /
dollysgroceries.com /
domuxurasu.envy.nu /pyia234.html
dos-ykyratih.fcpages.com /lromisemyngerii62.html
douglasgwynnsmith.com /
dubimajis1142.bigheadhosting.net /noncallapsabmeyy05.html
durl.me /mikas
dykutimopa.servetown.com /nanablelutionuu14.html
edenindustries.ca /
egifat-kysi.maddsites.com /wlsejenro.html
ehykigicos1194.freehostyou.com /plogmafter111.html
eishohwa.notlong.com /
eja-upigewary.fcpages.com /nokh529.html
ekuin.notlong.com /
ekuxylylak-zowo.100freemb.com /osazatu.html
em003.czechian.net /
enafej1554.digitalzones.com /jity890.html
enfantsdoprata.org /
enyqypuhys.lookseekpages.com /pvopyliticii404.html
eqywazogif-uno.lookseekpages.com /paniauu96.html
eterysam.1accesshost.com /deipmus.html
europa-haus-leipzig.de /7k75p9/index.html
evil-knievel.gmxhome.de /
evy-evaqahup.freewebsitehosting.com /odbug.html
ewamosy1959.freewaywebhost.com /mttygesyy87.html
ewivisabec-jig.envy.nu /opium206.html
ewoutjonker.nl /
exirevoka.builtfree.org /kfhyra.html
eyeicu.notlong.com /
ezexezeba703.100megsfree5.com /sawv636.html
ezomusic.ez.funpic.de /
ezuwaqi-zoqa.1accesshost.com /wereipacd.html
fej-anepyveruw.fcpages.com /paradyseii170.html
f-guazzaroni.com.ar /
finsko.hostuju.cz /
fiwawax.10gb.tk /uhezivog.html
france-azur.nl /
fullmex.iblogger.org /inlcude.html
fyparor1321.freecities.com /rushantassdanov.html
galaxy.host-care.com /~perthbe1/fmkvw3/index.html
gia-jp.net /
gibobe1829.freewebportal.com /mutmitchell.html
gihujakabu.greatnow.com /promutzeis.html
giloziz-ijub.envy.nu /rorf.html
gofipipy-syg.100freemb.com /olofjolindur.html
goksenmuhendislik.com /
gozaqoba.eg.vg /nezivogo.html
gtpikes.com /6cqmid/index.html
gud-exonad.lookseekpages.com /nizibc.html
gulohr.notlong.com /
guptaservices.com /
guwe-syginyn.100megsfree5.com /fapux250.html
gyk-yrubecata.digitalzones.com /gacezoo7.html
halliemgt.com /59ybsd/index.html
hamibukike-qan.builtfree.org /sonyxplosivoee56.html
hammerrassebande.de /8jz5glg/index.html
harmonie-travaux.com /1lvsq8k/index.html
hax1234.ha.funpic.de /
hepidyzozo.1accesshost.com /ppoisee90.html
hero.host-care.com /~pin/9es7srf/index.html
hetigy-kyju.builtfree.org /urangahoua.html
himalayanweavers.org /
hipuhaq.simik.net /nezivog.html
hiralix.mblogger.info /vozalah.html
hiranobag.co.jp /
hitcombo.com /inlcude.html
hitechcsi.com /
hiz-ysupyso.100megsfree5.com /pbiccehc.html
hockeydykeincanada.ca /images/main.html
hoepner-lacke.de /89fj0g/index.html
hoguzud.blogerpa.com /nezivog.html
hokifuxu.greatnow.com /outsmature.html
homesatthebeach.ca /
honestlawyer.ca /
honkafusion.ch /o55zj1/index.html
honkafusion.es /bpmxh6/index.html
honkafusion.fr /1h0wgog/index.html
honmononoyosa.sakura.ne.jp /
hotelkayisi.com /inlcude.html
hsh-sh.de /04y855/index.html
icppo.ic.funpic.de /
icyryxure.digitalzones.com /paracletasiz.html
iduposywa.freewebsitehosting.com /pumilaoo62.html
iheartmypet.ca /
ihoje.notlong.com /
ijicuzajy-esu.arcadepages.com /ppkboris.html
ijy-ymexegahix.freewebsitehosting.com /nintwove.html
ikiwulete.mindnmagick.com /jordert1711.html
ikylec1342.o-f.com /bobico.html
ilidavy-pow.mindnmagick.com /zilku.html
ilipinyqez1193.fcpages.com /rickaa3447.html
inkwellgraphics.ca /
inteligus.pl /0xp8fz/index.html
interasia.co.in /
iphoneipadexperts.com /
ipigipo-ese.lookseekpages.com /nocregs.html
iqiturixug1179.lookseekpages.com /baljk891.html
iqodew493.o-f.com /bonsaa93.html
iqopuc-himi.100freemb.com /nurlajidealmarky.html
iru-ynonywecid.mindnmagick.com /rutipog.html
is.gd /2vNBBj
i-sites.hu /inlcude.html
ivywej69.s-enterprize.com /purtygmress.html
iwefedoj.dreamstation.com /viomondas.html
iwynokybar-ovu.virtue.nu /phantomnrue.html
ixoboqyqe-eme.greatnow.com /pajvar.html
jabowabi.zbyte.org /edoruvyh.html
japodubyj254.envy.nu /alexee94.html
japuseny.fcpages.com /paasoz.html
jaylau.com /
jel-acofuhagi.envy.nu /gapereno7210.html
jemadab1072.exactpages.com /owylfrudu.html
jeqy-qogiqyw.100megsfree5.com /qeeml.html
jimpruden.com /html/main11.html
jixucewa.arcadepages.com /hrovidableoo414.html
joakimdo.com /main11.html
johannessendesign.com /
john-adams.ca /main11.html
johnspassmonsterkingfish.com /
jozacupub.mindnmagick.com /proliderousnyaa88.html
ju-kreis-olpe.de /13z229/index.html
jup-oqupiwyf.lookseekpages.com /rickeskenmop.html
jydinoxoto.dreamstation.com /phit47tiz37.html
kakexo-xyho.builtfree.org /packran866.html
kamiqudob.lookseekpages.com /memgaful8510.html
karlo-b.de /1wls5te/index.html
kierwinski.pl /
kinditech.org /
kisyholy971.arcadepages.com /vsynu.html
kizodyxy.1accesshost.com /pesrul7910.html
klu-inkleur.nl /
kociqaw.websitehostfree.com /nezivog.html
kon.wheel.sk /4ypcij5/index.html
kowalczyk.cz /
ks31295.kimsufi.com /~palmthre/3dg825m/index.html
ks355256.kimsufi.com /~pool/bdw27yh/index.html
kuczka.eu /j9xiw3/index.html
kukawow.heikalhost.tk /ugisogu.html
kumquatphoto.com /
kutrite.ca /
laboiteabonheur.fr /
langleykinsmen.ca /
latiwusa.freewebportal.com /mipailmironuxko.html
latunogu.blogstar.tk /ovyruwev.html
lavegliacarlone.it /inlcude.html
lexisutherland.com /4fbf35l/index.html
lezisah.notlong.com /
lieuwedevries.com /
lifeart-petra-eischeid.de /7pm4la2/index.html
liveinconcerto.nl /08e4wt2/index.html
LNK.by /ff843
locker-ba.com.br /site/inlcude.html
loru-lazetes.o-f.com /ovtorko.html
lozamita.freewebportal.com /pallelundttjoeg.html
lusepewe.sertdisk.net /ugisogu.html
lutesylo421.100megsfree5.com /mfyainyy7.html
luyized.metrohosting.info /erygegy.html
lywobaneb-omic.1accesshost.com /oo90rufat.html
lyxnia.gr /2khjpzg/index.html
macservice.vn /
maddogphotography.ca /images/main11.html
majs.ca /
mcars.pl /
mesinuangku.net /2krnil/index.html
migre.me /69SRA
miron.notlong.com /
mixland.ca /
mkmdevcenter.ca /
mohidumo.sooot.cn /ubijemat.html
molihove.goearni.info /gizazago.html
moq-ydygafyko.greatnow.com /povuuk.html
moruyime.pi6.info /nezivog.html
muguhesi.3host.tk /furuser.html
mysejofov1845.fcpages.com /selegaaa0808.html
myuu.de /
n2testing.co.uk /
naf-tufamur.dreamstation.com /vherzodjor8810.html
nailandhammer.net /
nakayimahotel.com /
nefelefi1879.fcpages.com /niskish.html
netdekorasyoninsaat.com /
ntlauf.nt.ohost.de /inlcude.html
nyjicited.freewebportal.com /nurdete.html
nylaneri-mac.servetown.com /ditonii1167.html
nytezuva-pyh.100megsfree5.com /eqq6911.html
nz-wolfenhausen.de /kpqnpk/index.html
obehumekid.lookseekpages.com /ovenhrehv.html
ochrona-almar.neostrada.pl /inlcude.html
ocig-ujaforisoc.exactpages.com /podvouskiialezj.html
oficinasvirtualesimc.cl /5j4k0ke/index.html
oguce.notlong.com /
ohquudi.notlong.com /
okeg-gyhydyq.dreamstation.com /oo67ao.html
okywijejaf.maddsites.com /ssorpuonu1.html
one-egizad.fcpages.com /vavilugxa.html
onipuwavy-oge.dreamstation.com /pwuptro.html
ontariobuildingtrades.com /5vfe149/index.html
ooblu.com /
ooquoobe.notlong.com /
opezopan.100freemb.com /pvodateconnection.html
opibak-baw.freewebportal.com /mobodultyy04.html
oqomijoh.virtue.nu /nyculmoaa0.html
oral-hekegudu.arcadepages.com /zrooo72000.html
ostwestfalen-lippe.de /8ffzcx1/index.html
otrasexshopmas.com /81p88fk/index.html
ourdogz.nl /04x6pt/index.html
oursdes4saisons.com /~oursdess/fjnopyy/index.html
outsourcemanpower.com /~outso4/4jz88e/index.html
outtheboxmusik.com /1vpj9l/index.html
ovarc.us /3df0ta/index.html
overnightclippingpath.com /a3g2pwc/index.html
ovijujase.exactpages.com /rmren.html
owehyrufiz.freewebportal.com /wubuyukiyndo.html
owips.square7.ch /pc6ypb1/index.html
oxodopi-cuce.maddsites.com /uurnorld15.html
oxu-yvurobuboh.freehostyou.com /topcaf881.html
oxymarketing.com.br /inlcude.html
oyuncumusun.com /2sfjyh2/index.html
ozcanymm.net /
ozinocug.o-f.com /njuf.html
p131879.webspaceconfig.de /d07a0hw/index.html
p7902.typo3server.info /9f9bp6n/index.html
paetzold-beratung.de /cvo8xq/index.html
PageDr.com /d1mqfg7/index.html
pagedrakemusic.com /1o1eis/index.html
paintball-bohinj.si /00vb7md/index.html
paiportacf.com /7t62aei/index.html
palathinkalktm.org /hogm7g/index.html
panmotorsports.com /53412dc/index.html
panteleon.de /6t73qt/index.html
panzercrom.com /1yd59f/index.html
paokvolos.gr /13abr4/index.html
paperequipment.com /1lt2bt/index.html
ParkGina.com /2xi5al/index.html
partnersarl.lu /a6c9j6d/index.html
pascal-bellefroid.be /627bqd6/index.html
paspartoy.gr /77j0m9/index.html
passgo.ca /
paszczak.pl /6vgjxor/index.html
paynterparmesan.com.au /0tnx3ta/index.html
pcapinvest.com /t373ygr/index.html
p-center.biz /169mdzp/index.html
pchelpch.pc.ohost.de /1fdlwp/index.html
pcmswitch.co.uk /1so14g/index.html
pc-tuning.be /5mgsw8z/index.html
pcwbc.ca /
pdc.bplaced.net /5c9tin/index.html
pdrg.zxq.net /5rte95/index.html
pdsignatures.com /o1l5a4/index.html
peachesandcreamspas.com /
peelcruise.com /3xw40nk/index.html
peluangusahaonlines.com /57tt9o/index.html
penisenlargementcourse.com /bb8yhu/index.html
perfilthermik.com /lkpeam/index.html
perso.ovh.net /~polyverr/74r128/index.html
personalinjuryaccidents.com /dogsyd/index.html
peruvision.de /95nivmn/index.html
PeshawarJin.com /13d4tx/index.html
peveduto.com.br /
pheebaha.notlong.com /
philipdc.ph.funpic.de /cx52om/index.html
philippe-decotte.fr /~philippezm/i7nsv9i/index.html
philippinetyphoons.com /25jy8gd/index.html
phobiaman.co.uk /9af3v8/index.html
ph-online.net /37tyaxa/index.html
photosdumonde.info /
phprecdb.bplaced.net /7s4y1p/index.html
pictureahealthierworld.org /4e7h78z/index.html
piefaez.notlong.com /
pies.edu.pk /~piesedup/f0grdvr/index.html
pifadew.bdlike.com /buluvivy.html
pinskylickstein.com /h3fywd/index.html
pioneerweb.in /a9zkq8i/index.html
pite-olacelyb.100freemb.com /gvizdikvk.html
pixa-design.de /4xmbbut/index.html
pixe.mx /
pixelyn.co.za /~pbxnet/0p9gu8/index.html
pkphotography.com /93b6jfu/index.html
plasticimages.com /504mcxt/index.html
playgroupstudio.com /4ycljge/index.html
playweb.6po.pl /
plexuscomms.com.au /chu594/index.html
plummessage.com /lt7joa/index.html
pmtm.com /78gr9so/index.html
poizonroze.com /1ujn1kg/index.html
Pokerworld.com.au /4mebwl2/index.html
polidor.eu /29e41h/index.html
polimitlc.altervista.org /119976/index.html
poliprodukt.pl /frjawen.html
popihug.indiv.in /ugisogu.html
poppenhouse.ru /2x1gsy/index.html
porezi.rs /
portonesautomaticos-ferrobone.cl /260je7o/index.html
portrait-skulpturen.de /6d138g6/index.html
prismproductions.net /0edicf/index.html
prodomoelec.com /
pronutrition.ca /
prosolv.se /
puqupity-sase.bigheadhosting.net /lapwevuu04.html
pushkardesigns.com /
putovuve.arcadepages.com /abee680.html
qarehuq.hosthost.info /ruvyhupa.html
qejazocuf-adus.dreamstation.com /nightshado257.html
qejuticu.pubwebhost.com /ygegysed.html
qezevosak.s-enterprize.com /dcbadur.html
qibuxumu-gen.freewebportal.com /ovehdiligenz.html
qim-tajomuhu.virtue.nu /xnryy596.html
qoge-wigiqiber.freewebportal.com /hhaj.html
qr.net /fqv2
queller-gemeinschaft.de /3rysoo/index.html
quze-fegabugage.freewebportal.com /qbohrint.html
qybo-hubybewu.freewebsitehosting.com /nonplatentiluu21.html
qyn-otomibezo.1accesshost.com /nobolybo13.html
qyxozoxija.dreamstation.com /ptym2111.html
racogad-upy.greatnow.com /plaloj.html
ramebeny1368.greatnow.com /prompncyyy42.html
rapidosports.com /
raum-wolfenhausen.de /39zvuv3/index.html
redir.ec /8aOr5
rekufel.3host4.info /wuvyhup.html
rerajo-qaz.digitalzones.com /onioo8.html
restaurantposthalterey.de /1gml2xu/index.html
rid-yzytawaj.1accesshost.com /bursopaff.html
riteyolu.0fees.net /lodugiz.html
safe.mn /3tJR
safer63and881.com /
saform.com.pl /
sahecafa.3net.tk /furuser.html
saracens-fhc.ca /
scrapbookersbliss.com /
seasonal56.ca /
semineedevis.ro /
sensalights.com /in11.html
senuyave.yk0.net /wuvyhupa.html
sezaylighting.com /
sezogoca-epy.mindnmagick.com /restole.html
shangpalace.com.vn /
shorl.com /difratresutyby
siamrestaurant.ca /
simurl.com /bepnac
siperbinvestments.com /
smx1.hostdime.com.mx /~periodic/0hfmuib/index.html
snipr.com /2oalgv
snipurl.com /2oalwc
sojesif.hostingforfree.org /gagicyb.html
sorupemu.4ever20bucks.info /kejaruv.html
sothbys.ho.ua /
srisaipearls.com /
stepnik.de /9u4ougo/index.html
stykky.pl /
succesvol.su.funpic.org /
sudarom-dyke.dreamstation.com /qfoiio6g.html
surarena.rs /inlcude.html
sweetroute.com /
sytixytex140.s-enterprize.com /nicolahg.html
taklitci.com /
tamilsudartv.com /fejkb8e/index.html
tasaqifa.hostingwithu.com /uhezivo.html
tassilomusic.com /
taximihywe-pyri.bigheadhosting.net /kipusyy00.html
tbspirit.com /
tcjc.ca /
tcproperties.co.za /
teamprimerib.com /12evdr/index.html
tegikobi.w9l.in /edoruvy.html
telusplanet.net /~polihale/40ht0fa/index.html
teqaqybu.freewebportal.com /nermox.html
ternama.com /
tesuzuma-tah.freehostyou.com /zhavneree1971.html
thaore.notlong.com /
thegrandehaven.com /
thesacredvoicegallery.com /
thesurl.com /11
ticoyez.297m.com /gudylog.html
tie.ly /_ggeqie
tisilume.qualityprohost.com /sedejodu.html
tllg.net /aUm4
tm-studio.com.pl /
tolenaars.nl /
topolema.koon.pl /ivyfurus.html
toronto-orienteering.com /pictures/main.html
totavalaw-zejy.freewebportal.com /nunes.html
toyamakitokito.web.fc2.com /
trmfiltration.com /
trucksidefunding.ca /
tujeqexo.000adz.com /nezivogo.html
tuvoca1466.freewebportal.com /rdobyllo.html
u-china-consulting.com /1qvkcx5/index.html
uci-nyhiguve.fcpages.com /trobexso.html
ucugywyl.fcpages.com /brntschrmnf.html
ugi-ypuwewipax.freewebportal.com /otakunojoworo.html
uhocekef.servetown.com /heaami.html
ujugob-ytoz.100megsfree5.com /ivadpomidorivf.html
ulmer-shop.de /2rsl1a/index.html
ultraline.it /
umy-qekuqi.dreamstation.com /irnuschel.html
unbrockandice.ca /images/in11.html
unitedbookgroup.com /
upihigajar.1accesshost.com /pipkertyn.html
upmarketing.mx /
url.ie /dia9
usifof-ufy.o-f.com /prosencaphalecii21.html
usyrepihon-elaz.1accesshost.com /pronessorsii62.html
vabefod-uron.greatnow.com /ldnrkaa5.html
vahaxisasu.mindnmagick.com /vokolak.html
valanali.cuccfree.com /icutovov.html
vaneenoo.eu /images/index11.html
vbvastgoed.nl /
velvetropemiami.com /jl3o9c/index.html
vesadofefy.freewaywebhost.com /nuhedreampirls.html
vetmobile.ca /
video.web2001.cz /
viphoco.notlong.com /
vlamos-homerealty.gr /
voyibopa.cuscovirtual.tk /ivefuquw.html
vugojape.mindnmagick.com /nonspors.html
vuhyzeto1234.exactpages.com /wroromunticii71.html
walther-reinhardt.de /bvbiohh/index.html
wanaqecu.onlin-e.net /lodugiz.html
wca8532g2.homepage.t-online.de /d2gcop/index.html
webresourcecentral.com /2858sa/index.html
webseosmoservices.com /
welfare114.net /
welfens.de /8tc00m/index.html
wetyqifu1471.1accesshost.com /sluvataxo.html
whistleradio.com /
wiyetipa.webhostingforfree.org /ymanibu.html
wohi-xygumu.1accesshost.com /dystemhakem.html
wp.tedinet.com /bx0koa/index.html
wsconsulting.ca /
wuda-lolexu.maddsites.com /murokchiok.html
www.africanelections.org /4qtmbt/index.html
www.athmainfosolutions.com /29ial3/index.html
www.avtkhyber.com /1tcnzx/index.html
www.bakou.gr /h1hmsp/index.html
www.casainlegnohonka.it /wmi34d/index.html
www.desmidspijk.nl /
www.dldsrl.it /
www.flooringin.ae /
www.garagevanstraelen.be /
www.hadi-art.com /
www.honkafusion.it /t8xfifq/index.html
www.jenabakery.com /
www.lumhongye.com /13f2em/index.html
www.mesinuangku.net /~peluang4/sa0hxip/index.html
www.parimpood.ee /16e6beb/index.html
www.pcrutchfield.com /1g9wxxn/index.html
www.peluangusahaonlines.com /28dvhds/index.html
www.pension-kleinekorte-guestrow.de /
www.phobiaman.co.uk /81ccngg/index.html
www.photoeditingservices.co.uk /3sr31z5/index.html
www.physicaltherapy.co.ke /9a54nqy/index.html
www.pies.edu.pk /2nktlke/index.html
www.plasticsurgeryinstituteofcalifornia.com /aojaas/index.html
www.poodlesislandwear.com /eoqf7q/index.html
www.postandparcel.net /52xxjn/index.html
www.proalkoholici.cz /atb.html
www.publishingoutsourcing.com /2e0dh9/index.html
www.seriilanlar-antalya.com /
www.stockkamp.com /
www.wouda-assu.nl /
xagemume.bdlike.com /iticuto.html
xechuyendung.net /
xikuga486.1accesshost.com /anrrey216vorkuta.html
xizakobiv1963.freewebsitehosting.com /avevbroaren.html
xoragam.hostingperron.com /cacejodu.html
xumubowo.johaneswisnu.info /ejodugiz.html
ycomefy1524.bigheadhosting.net /aanbelochik.html
yeasheve.notlong.com /
ygo-foxucobyzy.virtue.nu /mojoqens.html
yiprint.com.tw /
yjoliveba.freewebsitehosting.com /demonidi9.html
ymob-cezulu.freewaywebhost.com /quak0610.html
ymoz-afydybime.mindnmagick.com /pichugana627.html
yosulag.freehost.artonat.com /oruvyhup.html
yulasuhu.adsfree.ru /xubijema.html
yusaduy.123bemyhost.com /uhezivo.html
yxydyt-caxa.mindnmagick.com /oxueywro.html
yzic-kuligu.lookseekpages.com /oupslyng.html
yzid-ufehupuse.servetown.com /mlitvyaj.html
zawizifani366.freewaywebhost.com /qumusegu.html
zebuana.de /
zeh-patinuli.lookseekpages.com /nicsfev.html
zespol-millenium.home.pl /
zil-vakahidyti.lookseekpages.com /umnyk.html
zoom.nsjet.com /~pochince/28nz9l/index.html
zulu-ezaxodevic.freewebsitehosting.com /dimenhofigan.html
zymuzymugo271.s-enterprize.com /bcretkon.html
zyvu-umodecy.1accesshost.com /rvm.html
zyxukifuzo.1accesshost.com /dmimkac.html

====================
List of Financial Institutions used by the "zfin" spam . . .

1st Bank Yuma
1st Capital Bank
1st Centennial Bank
1st Enterprise Bank
1st National Bank of Scotia
1st Pacific Bank of California
1st Source Bank
Abacus Federal SAvings Bank
ABC International Bank
ABN AMRO Bank
Abrams Centre National Bank
Affinity Bank
Agriland FCS
AgTexas
Aig Federal SAvings Bank
Alamerica Bank
Aliant Bank
Allegiance Community Bank
Alliance Bank
Alliance Bank of Arizona
Allied Irish Bank
Alta Alliance Bank
Amalgamated Bank of Chicago
Amarillo National Bank
Amcore Bank
Amegy Bank of Texas
Ameriana Bank and Trust
America California Bank
American Bank
American Bank of Commerce
American Bank of Texas
American Business Bank
American Express Bank Limited
American National Bank
American National Bank of Texas
American River Bank
American Riviera Bank
American Savings Bank
American State ABnk
American State Bank
Americas United Bank
Amsouth Bank
Amsterdam Savings Bank
ANZ Bank
Applied Card Systems
Archer Bank
Artisans Bank
Atlantic Bank of New York
Atlantic Pacific Bank
Atlas Savings Bank
AuburnBank
Austin Bank
Austin County State Bank
Austin Telco Federal Creit Union
Balboa Thrift and Loan Association
Balcones Bank
Ballston Spa National Bank
Bank Atlantic
Bank Calumet
Bank Independent
Bank of Agriculture and Commerce
Bank of Akron
Bank of Amador
Bank of Baroda
Bank of Castile
Bank of Evergreen
Bank Of Illinois
Bank of India
Bank of Los Altos
Bank of Marin
Bank of Marion
Bank of New York
Bank of Orange County
Bank of Pensacola
Bank of Petaluma
Bank of Pine Hill
Bank of Prattville
Bank of Quincy
Bank of Rantoul
Bank of Rio Vista
Bank of Sacramento
Bank of Santa Barbara
Bank of Santa Clarita
Bank of Springfield
Bank of Stockton
Bank of Tampa
Bank of the Orient
Bank of the Sierra
Bank of the Southwest
Bank of the West
Bank of Tidewater
Bank of Tuscaloosa
Bank of Vernon
Bank of Walnut Creek
Bank of Waukegan
Bank One
Bank United
BankChampaign
Bankers Trust Company
BankFIRST
BankUnited Express
Barclays Bank
Barrington Bank and Trust
Bay Area Bank
Bay Cities National Bank
Bay Commercial Bank
Beal Bank
Belvidere Bank
Benchmark Bank
Beverly Bank
Bluestem National Bank
Borel Bank
Borrego Springs Bank
Brady National Bank
Brenham National Bank
Brickyard Bank
Bridgehampton National Bank
Broadway Bank
Broadway Federal Bank
Broadway Federal Bank FSB
Broadway National Bank
Brooklyn Federal Savings Bank
Brown Brothers Harriman
Busey Bank
Business Bank of California
Business First National Bank
Butte Community Bank
Caledonian Fund Services
California Bank and Trust
California Community Bank
California Federal Bank
California National Bank
California Oaks State Bank
California State Bank
Canadaigua National Bank and Trust Company
Canyon Community Bank
Canyon National Bank
Capital City Bank
Capital Farm Credit
Cardinal Services Corp
Carlinville National Bank
Carver Federal SAvings Bank
Cathay Bank
Cattaraugus County Bank
Centier Bank
Central California Bank
Central Illinois Bank
Central National Bank of Waco
Central Trust and Savings Bank
Central Valley Community Bank
Century Bank
CFS Bank
Champlain National Bank
Chang Hwa Commercial Bank Ltd
Charlotte State Bank
Charter National Bank
Charter Oak Bank
Chase Manhattan Bank
Chicago Community Bank
Chino Commercial Bank NA
Circle Bank
Citibank
Citizens Bank
Citizens Bank Baytown
Citizens Bank of Northern California
Citizens Business Bank
Citizens Community Bank
Citizen's Federal Savings Bank
Citizens First Bank
Citizens National Bank
Citizens National Bank of Macomb
Citizens State Bank
Citrus Bank NA
City Bank Lubbock
City National Bank
City National Bank of Florida
City State Bank of Palacios
CivicBank of Commerce
Clarendon Hills Bank
Claritybank
Clay County Bank
Clear Lake National Bank
Coast Commercial Bank
Coast National Bank
Cohen Financial
Cohoes SAvings Bank
Coldwell Banker Commercial PR
Columbia Bank
Comerica
Commerce Bank of Folsom
Commerce National Bank
Commercial Bank of California
Commercial National Bank
Commerzbank
Commonwealth Business Bank
Commonwealth Trust Company
Community 1st Bank
Community Bank
Community Bank and Trust
Community Bank of Elmhurst
Community Bank of Florida
Community Bank of Naples
Community Bank of San Joaquin
Community Bank of Santa Maria
Community Bank of the Bay
Community Bank Texas
Community Banks of Northern California
Community Business Bank
Community Commerce Bank
Community First Bank of Howard County
Community Savings
Community West Bank
Compass Bank
Coppermark Bank
Cornerstone Community Bank
Coronado First Bank
Corus Bank
County Bank
Credit Suisse First Boston
Cross County Federal Savings Bank
Crown Bank
Crystal Lake Bank
DeAnza National Bank
Delaware National Bank
Delta Bank
Delta National Bank
Delta National Bank And Trust Company
Demotte State Bank
DEPFA BANK
Desert Commercial Bank
Deutsche Asset Management
Deutsche Bank
Devon Bank Online
Downers Grove National Bank
Downey Savings
Eagle Bank
East West Bank
Edens Bank
Edgar County Bank and Trust
Effingham State Bank
EFG Capital International Corp
Eisenhower National Bank
El Dorado Savings Bank
El Paseo Bank
Eldorado Bank
Elgin Financial Savings Bank
Elmira Savings Bank FSB
Emerald Coast Bank
Englewood Bank
Esse Hypothekenbank
Eureka Bank
Eurohypo Aktiengesellschaft
European American Bank
Evans National Bank
Evertrust Bank
Excel National Bank
Exchange Bank
Fairport Saving Bank
Falcon International Bank
Far East National Bank
Farm Credit Bank of Texas
Farmers and Merchants Bank
Farmers National Bank
Farmers State Bank of Hoffman
Federal Home Loan Bank
Federal Home Loan Bank of Dallas
Federal Land Bank
Federal Reserve Bank of Chicago
Federal Reserve Bank of Dallas
Federal Reserve Bank of New York
Federal Reserve Bank of San Francisco
Federal Trust Bank
Fidelity Federal Bank
Fidelity Federal Savings Bank
Fifth Third Bank
Fireside Bank
First American Bank
First Bank
First Bank and Trust
First Bank and Trust Company
First Bank of Clewiston
First Bank of San Luis Obispo
First California Bank
First Chicago Capital
First Choice Bank
First Citrus Bank
First City Bank
First Commerce Bank
First Commercial Bank
First Commercial Bank of Florida
First Community Bank
First Convenience Bank
First Federal Bank
First Franklin Bank
First General Bank
First Gulf Bank
First Home Bank
First Indiana Bank
First Internet Bank of Indiana
First Mercantile Bank
First Metro Bank
First Mountain Bank
First National Bank
First National Bank and Trust
First National Bank of Abilene
First National Bank of Ashford
First National Bank of Bellville
First National Bank of Brookfield
First National Bank of Central California
First National Bank of Chillicothe
First National Bank of Danville
First National Bank of Dryden
First National Bank of Eagle Lake
First National Bank of Jasper
First National Bank of Marengo
First National Bank of Mineola Texas
First National Bank of North County
First National Bank of Northern California
First National Bank of Northern New York
First National Bank of Paris
First National Bank of San Benito
First National Bank of Scottsboro
First National Bank of Steeleville
First National Bank of Trenton
First National Bank of Valparaiso
First National Bank of Waterloo
First Navy Bank
First Niagara Bank
First Northern Bank
First of America
First Priority Bank
First Regional Bank
First Savings Bank FSB
First SAvings Bank of Hegewisch
First Southern National Bank
First Standard Bank
First State Bank
First State Bank Frankston
First State Bank of Eldorado
First State Bank of Shallowater
First State Bank of the Florida Keys
First State Bank of Western Illinois
First United Bank
First USA Bank
First Victoria National Bank
FirstBank of Palm Desert
Five Star Bank
Flatbush Federal Savings
FLBA of Texas
Florida Choice Bank
Florida First Bank
Folsom Lake Bank
Foothill Independent Bank
Fort Hood National Bank
Founders Bank
Founders Community Bank
Franklin Bank
Fremont Bank
Frontier Bank
Frost Bank
Frost National Bank
Fullerton Community Bank
Gateway National Bank
Geddes Federal Savings
General Bank
Genesee Regional Bank
Gerard Klauer Mattison
Gibraltar Bank
Global Resource Bank
Golden Security Bank
Goleta National Bank
Grabill Bank
Grand Bank of Florida
Grand National Bank
Grapeland State Bank
Guaranty Bank
Guaranty Bond Bank
Guaranty Federal Bank
Gulf State Community Bank
Habib American Bank
Hanmi Bank
Hardware State Bank
Harris Trust and savings Bank
Hendricks County Bank and Trust
Heritage Bank East Bay
Heritage Bank of Central Illinois
Heritage Bank of Commerce
Heritage Bank South Valley
Heritage Commerce Corp
Heritage Land Bank
Heritage National Bank
Hickory Point Bank and Trust
Highwood Bank
Hinsdale Bank and Trust
Hinsdale Bank Trust Co
Home National Bank
Honda Bank
Horizon Bank
HSBC Bank
Hudson Valley Bank
Humboldt Bank Merchant Services
Hypo Real Estate Bank International
Illini State Bank
Imperial Bank
Imperial Capital LLC
Independent National Bank
Independent Online
ING Capital LLC
Intercredit Bank
International Bancshares
Interstate Bank of Oak Forest
Invex Grupo Financiero
Irwin Financial Corporation
Israel Discount Bank of New York
Itasca Bank and Trust Co
Jackson County Bank
Jacksonville Savings Bank
Jefferson Heritage Bank
Jefferson State Bank
Jourdanton State Bank
JP Morgan Chase Bank
Key West Bank
Kookmin Bank
Lafayette Bank And Trust
Lafayette Savings Bank
Lake Forest Bank and Trust
Lake Shore SAvings And Loan
Lamar National Bank
Landmark Bank
LaSalle State Bank
Lavine Financial Capital
Legacy Bank of Texas
Lehman Brothers
Liberty Bank
Liberty Federal Bank
Liberty Federal Savings Bank
Libertyville Bank
LIFE Bank
Lone Star Federal Land Bank Association
Long Island Commercial Bank
Long Island Savings Bank
Los Angeles National Bank
Lubbock National Bank
Luther Burbank Savings
Madison Bank
Malaga Bank
Mansfield Bank
Manufacturers Bank
Marathon National Bank
Marina Bank
Marketplace Bank
Mazon State Bank
Mellon 1st Business Bank
Melon Bank by
Mercantile Bank
Mercantile Trust and Savings Bank
Merchants and Southern Bank
Merchants Bank of California
Merchants Bank of Jackson
Merchants National Bank of Aurora
Meridian Bank
Merrill Lynch
MetroBank
Metropolitan Bank
MFB Financial
Mission Community Bank
Mission Oaks National Bank
Modern Bank
Mohave Community
Mohave State Bank
Monroe County Bank
Montecito Bank and Trust
Moody National Bank
Morgan Stanley
Morton Community Bank
Murphy Wall State Bank
Mutual Federal Savings Bank
Mutual of Omaha Bank
Nara Bank National Association
NatBank
National Bank
National Bank of California
National City Bank
New Century Bank
New South Federal Savings Bank
Nexity Bank
North Coast Bank
North Community Bank
North County Bank
North County Savings Bank
North Houston Bank
North Valley Bank
Northern Trust Bank
Northern Trust Company
Northfield Savings Bank
NorthShore Trust Saving
NorthStar Bank
Oak Brook Bank
Oak Lawn Bank
Oak Valley Community Bank
Oceanic Bank
Oceanmark Bank
Oceanside Bank of Jacksonville
Old Florida Bank
Old National Bank
Old Second Bancorp
Old Second Bank of Aurora
OptimumBank
Ossian State Bank
Oswego Community Bank
our bank
Overton Bank and Trust
Owen County State Bank
Pacesetter Bank
Pacific Crest Bank
Pacific National Bank
Pacific Trust Bank
Palm Desert National Bank
Palmer Bank
Park Avenue Capital
Park National Bank
Partners Bank
PathFinder Bank
Peoples Bank of Graceville
Peoples Bank of Lubbock
Peoples Bank of North Alabama
Peoples National Bank
People's Trust Company
Permanent Federal Savings Bank
Perryton National Bank
Pff Bank Trust
Phillipine National Bank
Pilgrim Bank
Pinnacle Bank
Pioneer Savings Bank
Plains National Bank Financial
Plaza Bank
Plumas Bank
Pna Bank
Pointe Bank
Ponce de Leon Federal Savings Bank
Popular Bank of Florida
Power Project Financing
Premier Valley Bank
Prosperity Bank
Provident Bank
Queens County Savings Bank
Raiffeisen Zentralbank AG
Randolf County Bank
Redding Bank of Commerce
Regents Bank
Reliance Bank
Ridgewood Bank
Ripley County Bank
River City Bank
Riverside National Bank
Robertson Stephens
Rondout Savings Bank
Roseville Banking Center
Roslyn Savings Bank
Royal Oaks Bank
RZB Finance LLC
Salin Bank and Trust Company
San Diego National Bank
San Jose National Bank
Sand Ridge Bank
Santa Barbara Bank and Trust
Santa Monica Bank
Saratoga National Bank
Scott State Bank
Seacoast National Bank
Second Federal Savings
Security Federal Savings Bank
Seneca Federal Savings and Loan
Sierra Vista Bank
Silicon Valley Bank
Silverado Bank
Six Rivers National Bank
Sonoma Valley Bank
South Alabama Bank
South County Bank
South Pointe Bank
Southern California Funding
Southern Security Bank
Southwest Bank
Southwest Bank of Texas
Sovereign Bank
Spencer County Bank
Star Bank
Star Bank of Texas
Star Financial Bank
State Bank of Ashland
State Bank of Countryside
State Bank of India
State Bank of Lizton
State Bank of Long Island
State Bank of Texas
State Bank of The Lakes
State Bank of Waterloo
State Farm
State National Bank of West Texas
Staten Island Savings Bank
Sterling Bank
Sterling National Bank
Stone City Bank
Strategic Partners
Success National Bank
Suffolk County National Bank
Sumitomo Bank of California
Summit Bank
Surety Bank
Synergy Bank
Tallahassee State Bank
TCB Bank
TCF National Bank
Tempo Bank
Terre Haute Savings Bank
Texas Bank
Texas Capital Bank
Texas Champion Bank
Texas First Banks
Texas Independent Bank
Texas Land Bank
Texas State Bank
The Astoria Federal Savings Bank
The Bank
The Bank and Trust
The Carson Medlin Company
The Dime Savings Bank of New York
The First American Investment Banking Corporation
The First National Bank of Hico
The First National Bank of Long Island
The First State Bank of North Dakota
The Foothills Bank
The Gifford State Bank
The Independent Bankers Bank
The Laredo National Bank
The Mechanics Bank
The SAvings Bank of Utica
The South Holland Bank
The State National Bank
The Warwick Savings Bank
TIB Bank of the Keys
Tokai Bank of California
Tompkins County Trust Company
Town North Bank
Tremont SAvings Bank
Troy Bank and Trust
Troy Savings Bank
Trustbank
Ulster Savings Bank
Unicredito Italiano
Union Bank of Arizona
Union Bank of California
Union Federal
Union Federal Savings Bank
Union Planters Bank
Union State Bank
United Bank
United California Bank
United Commercial Bank
United Community Bank
United Fidelity Bank
United Security Bank
United Southern Bank
Universal Bank
Upstate Niagara Cooperative
us
Valley Business Bank
Valley Commerce Bank
Valley Independent Bank
Valrico State Bank
Vantage Bank of Alabama
Ventura County Business Bank
Viewpoint Bank
Village Banc of Naples
Vineyard Bank
Vintage Bank
VirtualBank
Visalia Community Bank
Vista Bank
Walden Savings Bank
Warrington Bank
Washington Federal Bank
Washington Savings and Loan
Wells Fargo Bank
West Coast Bank
West Suburban Bank
Western Financial Bank
Western Security Bank
Western Springs Bank
Western Springs National Bank
Whisperwood National Bank
Wilber National Bank
Wilmington Trust
Wilshire State Bank
Wintrust Financial Corporation
Woodforest National Bank
Worth National Bank
WSFS bank
Yolo Community Bank

==========================

Operation Ghost Click: DNSChanger Malware Ring Dismantled

2011-11-09T14:04:00.000-08:00

Since 2007 computers around the internet have been suffering from a secret ailment. Sometimes when their owners clicked on a link, they didn't go where they were supposed to go! The problem was caused by a fairly simple piece of malware called a DNSChanger. This family of malware only does one thing -- it changes the DNS settings on your computer from the one that you are supposed to use, to one that a cyber criminal has chosen for you to use.

Today the FBI and NASA's Office of the Inspector General (NASA-OIG) announced "Operation: Ghost Click" and the arrests of six Estonian criminals who have been involved in this scam since 2007.

Those arrested by the Estonian Police and Border Guard Board were:

Vladimir Tsastsin, age 31
Timur Gerassimenko
Dmitri Jegorov
Valeri Aleksejev
Konstantin Poltev
Anton Ivanov

Andrey Taame, age 31, Russian, is still at large

We were especially pleased by the sidebar entitled "Success Through Partnerships".

A complex international investigation such as Operation Ghost Click could only have been successful through the strong working relationships between law enforcement, private industry, and our international partners.

Announcing today’s arrests, Preet Bharara, (above left) U.S. Attorney for the Southern District of New York, praised the investigative work of the FBI, NASA’s Office of Inspector General (OIG), the Estonian Police and Border Guard Board, and he specially thanked the National High Tech Crime Unit of the Dutch National Police Agency. In addition, the FBI and NASA-OIG received assistance from multiple domestic and international private sector partners, including Georgia Tech University, Internet Systems Consortium, Mandiant, National Cyber-Forensics and Training Alliance, Neustar, Spamhaus, Team Cymru, Trend Micro, University of Alabama at Birmingham, and members of an ad hoc group of subject matter experts known as the DNS Changer Working Group (DCWG).

The Manhattan U.S. Attorney's office released a much more detailed announcement with the headline Manhattan U.S. Attorney Charges Seven Individuals for Engineering Sophisticated Internet Fraud Scheme That Infected Millions of Computers Worldwide and Manipulated Internet Advertising Business:
Malware Secretly Re-Routed More Than 4 Million Computers, Generating at Least $14 Million in Fraudulent Advertising Fees for the Defendants.

Congratulations to all who were involved! Especially to the FBI's Botnet Threat Focus Cell, NASA's incredible Office of the Inspector General, the FBI's Southern District of New York office, and those who attended Bar-Con in 2009.

What is DNS? DNS, or Domain Name Services, is what tells your computer how to find the website you are looking for by turning the name you type, such as www.fbi.gov, into an IP address, such as 205.128.73.105. For most users, this happens by asking the Name Server at your Internet Service Provider.

Pay Per Click Fraud

If you were infected by this DNSChanger malware, instead of asking your ISP for that information, you would be asking a criminal. MOST of the time the criminals would simply give you the same answer that your ISP would give you ... but whenever they wanted to make some extra money, they could tell your computer the wrong answer!

In an example taken from the indictment, an infected user goes to Google and types in "itunes". The first link that they are returned shows the destination "www.apple.com/itunes/" which the real Apple website where someone can download the iTunes software.

(source: Tsastsin Indictment)

When an infected computer clicks the link, the user's computer would go to the criminal's nameserver who would send them to the wrong computer. In this case, instead of going to "apple.com" the user is sent to "www.idownload-store-music.com" which looks just like the Apple store, but which charges your credit card to sell you iTunes! The criminals received a payment each time they sent someone to this fake websites.

In other examples, the company where the traffic is sent to is a legitimate company. For example, H&R Block, the Tax preparation people, have an affiliate program. If you have a website, you can put an ad on your website that advertises the H&R Block website. If people click on your ad, you might receive a tiny amount of money, and if they buy something at the H&R website, you might receive a larger amount of money. Instead of advertising, the criminals made a link that redirected you to the H&R Block website if you tried to visit www.irs.gov. So, because you were using the criminal's nameserver, if you typed or clicked on "irs.gov" you could be redirected to H&R Block, earning an "affiliate payment" for the criminals!

Ad Replacement

The other way the criminal earned money was to replace your ads with their ads. How does that earn money? The most common way is that when your computer is told to go get an advertisement from a certain website, such as Google or Bing or Yahoo, instead of showing you the advertisement from those organizations, it would show you an ad from an organization that was run by the criminal instead.

In an example for the court documents, a visitor to ESPN's webpage should have seen an advertisement for Dr. Pepper. But when the infected computer visited the webpage, the criminal's nameserver redirected the request to an advertisement for a timeshare instead!

More than 4 million computers in 100 countries, including 500,000 computers in the United States were infected with this malware. The earnings generated by these young men from the false advertisements exceeded $14 Million Dollars!

Blocking Antivirus

In addition to using the nameserver to send false advertisements, the criminals also used the nameserver to stop infected computers from being able to reach their anti-virus vendors. This prevented the user from being able to install new anti-virus products or to update the definitions on their existing anti-virus products. If the computer attempted to visit any major anti-virus, it would simply give an error saying the server was unavailable.

The Charges

All the criminals are charged with:
1. Wire fraud conspiracy
2. Computer intrusion conspiracy
3. Wire fraud
4. Computer intrusion (furthering fraud)
5. Computer intrusion

In addition, the ringleader, Vladimir Tsastsin was charged with:
6. Money laundering
7. Engaging in monetary transactions of value over $10,000 involving fraud proceeds.

So, Are you infected?

The Protective Order associated with this case lists the IP addresses involved in the fake nameserver business.

85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255

The FBI has provided a helpful document that explains how to check your DNS settings to see whether you are using one of these "Rogue DNS Servers". See DNSChanger Malware.

If your IP address is on the list, you are encouraged to fill out the form Register as a Victim of DNS Malware.

The criminals used many different data centers, some of which were featured more prominently in the case than others.

Pilosoft, in New York City known as "The Manhattan Data Center" in the court documents.

ColoSecure, in Chicago, Illinois

ThePlanet, in Houston, Texas

Multacom Corporation, in Canyon County, California

Layered Technologies, in Plano, Texas

Network Operation Center, in Scranton, Pennsylvania

Wholesale Internet, in Kansas City, Missouri

SingleHop, in Chicago, Illinois

PremiaNet, in Las Vegas, Nevada

Interserver, in Secaucus, New Jersey

ISPrime, in Weehawken, New Jersey

Global Net Access, in Atlanta, Georgia

The Challenge

The big challenge faced by this case was this -- if the FBI were to simply "turn off" all of these nameservers, four million computers would no longer be able to find anything on the Internet! If your computer has been programmed by the DNSChanger malware to look up names using the criminals' nameserver, and that nameserver goes away, there is no "fall back" to use some other nameserver, your computer just stops being able to look up names! If that had happened, when you typed in "www.facebook.com" your computer would say something like "No Such Server" or "Host Unknown". Then you couldn't play Farmville! How sad!

To address this challenge, the FBI filed a Protective Order that identified all of the Rogue DNS Servers, and assigned the IP addresses belonging to those servers to the Internet Systems Consortium, or ISC. ISC established "replacement DNS servers" that would behave properly, and replaced all of the "Rogue DNS servers" with properly configured DNS servers. After this was accomplished, none of the infected computers would be redirected to the wrong content anymore, and they would once again be able to update their anti-virus software.

The other benefit of this action is that ISC is now in a position to be able to compile a list of the computers that have been infected. Each time a computer uses one of the formerly Rogue DNS servers, ISC will log that action so that we can have accurate knowledge of how many computers have been infected, and this class of victims can be offered assistance.

The Protective Order was approved by the Honorable William H. Pauly III on November 3rd in the Southern District of New York.

The Criminal Companies

The Estonian criminals controlled a number of corporations to enable this activity.

Rove Digital, in Estonia, was a software development company that created and managed the malware.

Tamme Arendus, also in Estonia, was a real estate development business that acquired most of Rove's assets.

SPB Group was the name of the company that leased the Manhattan Data Center from Pilosoft.

Cernel Inc, in California, Internet Path Limited, in New York, Promnet Limited, in Ukraine, ProLite Limited, in Russia, Front Communications, in New York, and others were involved with registering thousands of IP addresses that were used by the criminals for various activities.

Furox Aps (Gathi.com), Onwa Limited (Uttersearch.com), Lintor Limited (Crossnets.com) and others were used to create and broker advertising deals which would be used in the Replacement Ad schemese.

Duqu: You're safe unless you use TrueType Fonts?

2011-11-04T05:14:00.000-07:00

Two of the malware analysts in my lab have been complaining to me that the malware they see everyday is getting boring - the primary attacks that we see in the largest volume are the same thing over and over and over again.

Let's be thankful for that! The big news in the malware world yesterday came when Microsoft announced a work around for Duqu, named by researchers in the CrySyS Lab (the Laboratory for Cryptography and System Security at Budapest University of Technology and Economics) because it prefixes some created filenames with the letters "~DQ".

On October 14, 2011, CrySyS contacted Symantec to get some help analyzing the malware, and Symantec released an extremely informative 67 page PDF report called W32.Duqu: The Precursor to the next Stuxnet. (The link is to version 1.3 of the report, updated on November 1, 2011).

There have been two IP addresses confirmed to be associated with Duqu and serving as Command & Control. The first IP was in India - 206.183.111.97. The second was in Hungary - 77.241.93.160. Traffic flow to either of these IP addresses would be a strong positive indicator of a Duqu infection! Both sites are down now.

The first server was announced to be down on October 31st in stories such as this one -- India Shuts Server Linked to Duqu Computer Virus that shares some details of a server located at 200 employee data center Web Werks.

The second server was at Combell in Belgium -- as described in stories such as this one -- Duqu Hackers Shift to Belgium After India Raid.

Duqu is a data stealing program that shares several blocks of code with Stuxnet. In fact, one of the two pieces of malware we've seen that is described as being Duqu is also detected as Stuxnet by some AV vendors.

Here's a VirusTotal report of the better detected of those pieces of code, which had the MD5 value e1e00c2d5815e4129d8ac503f6fac095. This file is not "Duqu" but is rather "an .exe file related to Duqu" which is a much larger program (this one is only 9k in size).

(Click for VirusTotal Report)

Non "generic" definitions for this malware included:

Avast: Win32:Duqu-F
Emsisoft: Trojan.Win32.Stuxnet!IK
Ikarus: Trojan.Win32.Stuxnet
Microsoft: Trojan:Win32/Duqu.E
NOD32: probably a variant of Win32/Duqu.A
TrendMicro: TROJ_DUQU.AJ

Symantec mentioned MD5s

9749d38ae9b9ddd81b50aad679ee87ec
Wed Jun 01, 03:25:18 2011
Stealing information

4c804ef67168e90da2c3da58b60c3d16
Mon Oct 17 17:07:47 2011
Reconnaissance module

856a13fcae0407d83499fc9c3dd791ba
Mon Oct 17 16:26:09 2011
Lifespan extender

92aa68425401ffedcfba4235584ad487
Tue Aug 09 21:37:39 2011
Stealing information

In each of those above, the link on the MD5 will show you the VirusTotal report. I find it interesting that TrendMicro consistently names these files "TROJ_SHADOW.AG" which makes me wonder if they had independently discovered this malware family prior to the naming as Duqu by the CrySyS team.

Symantec calls attention to the fact that several of these files show compile dates AFTER the public disclosure of the existence of Duqu.

Delivery Mechanism

Symantec disclosed in their report that one of the infections they were analyzing had been infected via a Word Document that exploited the system using a previously unknown 0-day attack.

We now know from Microsoft more about this exploit. On November 3, 2011, Microsoft released this Microsoft Security Advisory (2639658)
Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege. The advisory starts with an executive summary which says, in part:

Microsoft is investigating a vulnerability in a Microsoft Windows component, the Win32k TrueType font parsing engine. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We are aware of targeted attacks that try to use the reported vulnerability; overall, we see low customer impact at this time. This vulnerability is related to the Duqu malware.

Microsoft has released a work around. The exploit is taking advantage of the fact that there is a problem in one of the DLL's called by TrueType in certain circumstances. If a system denies access to that .DLL, T2EMBED.DLL, then the exploit would fail to work.

The workaround can be executed like this, but Microsoft cautions that applications that rely on EMBEDDED TrueType fonts could then fail to display properly:

(For older Windows versions)
Echo y| cacls "%windir%\system32\t2embed.dll" /E /P everyone:N

(For newer Windows versions)
Takeown.exe /f "%windir%\system32\t2embed.dll"

For more details on the workaround, please see Microsoft Security Advisory: Vulnerability in TrueType font parsing could allow elevation of privileges which offers a "Fix It For Me" button to apply the work around for you.

Duqu Compared to Stuxnet

The Symantec report has 22 or so pages of original Symantec content, and then has as the majority of it's body the report by the CrySyS Lab, which has a section that compares the Duqu and Stuxnet code. In particular, the Decryption function seems to be nearly identical.

ACH spam uses intermediary sites to deliver malware punch

2011-10-19T10:37:00.001-07:00

If you have an email address in the United States, either you or your spam filter is certainly familiar with this spam by now:

The spam with the subjects "ACH Payment (random numbers) Canceled" intends to imitate the National Automated Clearing House Association. NACHA is the organization that banks use to handle the electronic transfer of funds between domestic banks for things such as "Direct Deposit" or electronic bill paying.

The spam's message "The ACH transaction recently initiated from your checking acount was canceled by the other financial institution" is intended to elicit a panic response to get the recipient to click on the link in the email.

The problem has been getting worse because of two "upgrades" by the spammers.

First - they are using "drive-by" infectors, in the form of the BlackHole Exploit Kit. In the past a spam message such as this would have relied on trying to get you to download an '.exe' file and trick you into running it on your computer. Now, simply visiting the website will often be enough to infect your machine.

The second improvement, which comes and goes in waves, is that the criminals have compromised many "intermediary" web hosts to use in their spam. If the spammer were sending you to "mybadsite.com" your security software would quickly learn that "mybadsite.com" is a potentially harmful destination and block you from visiting.

To make sure their spam is delivered, the spammers have stolen the credentials from many website owners and have used these credentials to add one tiny file to their existing legitimate website. So, as a randomly chosen example, the spam link that claims to point to "nacha.org" may actually point to a page at "iscsconferencerecording.com". That page belongs to the International Society of Communication Specialists, so it probably has a "positive" reputation among security companies, who may be loathe to block the site.

What happens when we visit that page?

The only contents on the page "am2wdh.html" are calls to two Javascript files on other websites. In this case:

www.xmjhx.com /czc /js.js
and
vscreative.com /images /js.js

The first time I loaded this, it caused a document location to be set to "www.nachaemployee.com"

A rerun of the same site pointed me instead to a blackhole exploit kit page at:

milloworks.com /main.php? page=890639ab2b6c1ab8

Which caused me to fetch:

milloworks.com /w.php ?f=70&e=4

This caused me to download the file:

www.vncoach.com /editors /nachareport20111910.pdf.exe

Another attempt sent me to:

tgqswpqqh.org.in from which we attempt to load the Blackhole Exploit page from

This drops a number of files on our computer, including Flash exploits, PDF exploits, and an EXE called "FIX_KB112755.exe" which gets downloaded from the IP address 213.123.52.133. FIX_KB111088.exe and FIX_KB113547.exe were also downloaded from there.

After the malware drops on the computer, we are forwarded through "dating-portal.net" where the affiliate engine sends us to an "Adult Friend Finder" sign-up website.

The point of this story, however, is not really what malware gets dropped, but the use of so many hacked intermediary servers to do the dropping.

In the first twelve hours of October 19, 2011, we saw 184 different websites used in this type of attack with an ACH spam subject line. In order of occurrence, with the first observed URL each, here is what we've seen today:

HOSTNAME PATH
================================ ===================================
preseis.com /7x1tyg6.html
server.softhost.org /
silverfruit.com.ec /t2jr.html
newsletter.stable-jo.com /t43z.html
www.Shoubra-prep.com /4x8l.html
marcinjarzabek.cp5.win.pl /16ih2.html
professionalroofing.co.uk /ph4xn5.html
host272.hostmonster.com /~fdflockc/6xh9l1e.html
sethsauction.com /6gh1u7.html
www.corazondejesus.net /4cpjx.html
murciaopina.com /tq3e.html
www.digitalhomna.com /
latinholdings.com.mx /4ghy.html
108cms.com /3n7s.html
way2tutorial.com /g02lwbp.html
nimbuscertifications.com /4qt4.html
ultimateselena.org /0tpno.html
www.efficientorganizationnw.com /rk1pb.html
trinity-work-shop.test-rackspeed.de /
hosting31.serverhs.org /~ecommerc/zu9iah7.html
www.todotaringa.com /0pya.html
stremyfoot.com /q37hdi.html
www.ganarlaprimitiva.com /g5knqjr.html
manaiz.com /a2w7q.html
caspsurveys.org /zmu2.html
www.ironsidegroup.pk /kq6bz.html
temporary-toilets.com /mczkg.html
0342962.netsolhost.com /716txi.html
babilhotel.com /5bf0html
customcakesnw.com /not8.html
tomralph.net /vsz8c.html
www.panelpeople.com /1060.html
goldencrownhotel.com /zf9w3uh.html
www.launas.fr /jjssgx4.html
dev.crm-warehouse.be /uclt4.html
alassite.com /2hyl0.html
02be375.netsolhost.com /6mu1v.html
evo2inc.com /o3wyn.html
campossaab.net /g1hrhtml
inzanepix.com /19v4sx.html
specialrental.com /p5y6.html
iscsconferencerecording.com /am2wdh.html
www.murciaopina.com /rt5dmy.html
buynanoclean.com /3c6tp7.html
froda.com /5kbnak.html
globaliellc.com /1o36z.html
mslbx.com /~servatus/soexlyy.html
indexpoker.com /
diversco.com /6fxo.html
www.acclaimcabinetscom.au /7xoslgn.html
mvlmobile.in /d34c.html
weightlosspersonaltrainerconsulting.com /1decnf9.html
vandieautomatisering.nl /linhe.html
intestinoirritable.ws /e66uc.html
fmwwrestling.us /gsld0d.html
abeauty.com.au /
sokullupasahotel.com /fvn4upi.html
ants.net.au /yxe4ma.html
lkco.in /a8l876j.html
static-64-184-73-69nocdirect.com /~afroland/eh8jvre.html
damarchesi.it /6m2rdlx.html
trinity-work-shop.de /5t5ub.html
mycountylink.com /f6atze.html
artigianatopasella.com /9ghy.html
ohtobeyoungagain.com /t4cj.html
syedaliahmad.com /3mlnfh.html
www.geelongeisteddfod.com.au /13pspj.html
www.tommysparger.com /ci87qyp.html
nt-ves.ac.th /
diipbmis.nl /l374dcthtml
bakulpharma.com /
etno-plants.ro /
professionalroofingco.uk /vmba.html
altiaproducts.com /29f4.html
dezoetezaak.nl /anxl5.html
ozurfa.com.tr /ras5.html
lexxstore.de /7nsenqhtml
meirmodiin.org /~meirm/kk22.html
siflindia.com /27swn2.html
grapediscounts.com /fjlj9k.html
fastincomebiz.com /hsd6g7b.html
thebeadrotisserie.com /vel42.html
46.23.64.241 /~jamias/lc50sf.html
fastincomesystem.biz /u8g4tn.html
surebg.co.za /xltlgs.html
110.4.42.93 /bx94l.html
www.resourceelementlimited.com /
graph2profit.com /utxfc.html
shriganpatiproduction.net /r05qv4h.html
micrene.com /ivowl1rhtml
pdscientific.com /tl1s.html
www.wanithai.com /u7pv30b.html
ads-protection.com /fs3lax.html
sl3-vgt.vgthosting.com /~worknetw/fj2bvn.html
fb.servatusdev.com /~servdev/56iy2.html
hedy-lamarr.org /n2tgsb.html
niritech.com /pxkf.html
212.68.54.148 /~radyoruz/qsdsw9m.html
www.pushtiieshakti.com /783i.html
empiresallies-secrets.com /k0bayr.html
tarjetaspilos.com /9tvd.html
voongo.com /asfti1/index.html
searchtroop.net /04sh.html
altagallura.it /bd5jhtml
gran-mar.com.ar /4p6sbu7.html
fullart.com.pe /3c55egr.html
sanianishtar.info /7o2dd.html
umtelecom.com /h10krhtml
reformasyreparaciones.com /76kdp.html
206.217.196.47 /~dumpsche/kes773.html
acumenauditors.com.au /vfa9.html
www.rippt.com /t8859u.html
trunghieu.com /hsx1n3r.html
delallosa.com /mtgy99y.html
lainformacion.us /snkk1.html
refritermo.com /j9ps4y.html
www.grahajodoh.com /bqe6zk.html
etakip.com /yg4jl9.html
carifind.com /t718xhhtml
jpvarleyllc.com /kna4wx.html
www.shatteredhope.gr /lnsp.html
autoblog.fastincomesystem.biz /~cheers/gyjde.html
reformhaus-mehnert.de /2vn9yr5.html
indianbookshop.co.in /5b9fgs.html
host272.hostmonstercom /~fdflockc/6xh9l1e.html
enbramex.com /mpvsgi2.html
onlinesurat.com /mb2d.html
surrealtopia.com /hmsuu.html
el-salto-fishing.com /agg0noo.html
simplefact.mx /xln290.html
bofco.in /htrc.html
iznillahcng.com /y5le.html
static-64-184-73-69.nocdirect.com /~afroland/eh8jvre.html
vizonix.com /c1ptwqs/index.html
visionciudadconsultores.com /dwqopc/index.html
winsbyinc.com /0sm9j5/index.html
www.tradehalls.com /8eeh2.html
4income-solutions.com /93e3x.html
locanda-stazzo-bona.com /
jade.nseasy.com /~manishar/7xl9bd.html
GUHDNS.COM /md8g.html
livedata.it /ssao.html
www.manojengg.com /scv2.html
sexshop.com.tr /3igtv8.html
perfumeylenceria.com /joiwku.html
server10.namecheaphosting.com /
freunde-klinik-ottobeuren.de /oryh1.html
floristeriasdecoaromascostarica.com /kh31.html
portalinternational.us /5ecf2z.html
molinas.eu /nz4ot.html
clubfirst.org /2ba0jra.html
thepentad.com /eg3eje/index.html
www.dsmodular.com /qt21ta.html
hotelmarinepalace.com /0493.html
teresita.com.mx /hcrji4t.html
198.63.48.81 /z116c.html
punjnud.com /3sllgkihtml
inkostudio.com /y0ao0c.html
tuncakyavas.com /jfifrpb.html
hkf.huber-babenhausen.de /xyy4dg3.html
watson.timeweb.ru /~kostos/7euyd25.html
vscreative.com /x882.html
lemilano.fr /
labeltula.it /e51rsq.html
www.acclaimcabinets.com.au /
shelterpropertydealers.com /97qf.html
dotmile.com /cvpa4jj.html
www.clubbayard.com /w6kzi.html
myauto.co.nz /odmz0chtml
whydodogs.org /jdab40.html
bigrace2012.com /3ri1vt.html
www.launas-hebergement.com /fj9p1.html
www.neoplastic.gr /0qedzw.html
ittefaqpipe.com /2inp.html
efficientorganizationnw.com /ix84c.html
indosyslife.com /cdwwto.html
newmonicaarts.org /
avicarusa.com /uyxasjr.html
atlantidesardegna.it /61fyvx.html
baratrucks.com /n6j5m.html
heromw.com /602ka.html
web3.biz /4jdsydk.html
eqsync.com /bx5wfm.html
weblinksubmissions.com /1bgypq/index.html

New York City "Uniform Traffic Ticket" tops spammed malware

2011-08-17T03:37:00.000-07:00

Email attachments that contain malicious code are still being used to infect computers and steal the data found on those computers. While it is easy to find people who discount this threat, believing no one would be foolish enough to open one of these email attachments, the criminals are working hard to make their approaches more convincing.

Today we've seen more than 11,000 copies of their newest attempt come in to the UAB Spam Data Mine. The email received looks like this:

The email contains several falsified header indicators, including at the most basic level that it claims to come from "@nyc.gov". In addition to this, however, there has been a "Received:" tag added to make it appear to have originated from a legitimate New York City IP address:

Received: from nyc.gov ([167.153.240.51]) by xx.xx.xx.xx; Wed, 03 Aug 2011 12:20:46 +0530

The City of New York is the registrant for every IP address beginning with "167.153.*.*" - in fact 167.153.240.51 is the IP address of the website "nyc.gov" where Mayor Bloomberg's homepage can be found.

The other false information is the date. Both the date in the Received: tag and the date in the "Date:" tag have been falsified to make it seem this email has been in your in box for several days by the time you see it.

Just from the falsified header, we would predict that this email is going to be in the same family of malware as the "IRS Notification" and "UPS Notification" emails seen earlier this week, which also contained falsified Received: tags.

The zip file contains an executable file disguised as a PDF file:

When the malware is launched, it connects to "sfkdhjnsfjg.ru" on 195.189.226.117.

from there it fetches "/ftp/g.php" and "pusk3.exe" -- exactly the same as the IRS Notification spam and the UPS Notification spam.

VirusTotal Report

Another group of spam messages this morning pretends to be a notice that you have received money via Western Union.

The attachment is of course a virus:

VirusTotal Report.

Money Transfer Information
MONEY TRANSFER INFORMATION
Money Transfer Information 00375
Money Transfer Notice
MONEY TRANSFER NOTICE
MONEY TRANSFER NOTICE 06457
Western Union: Money Transfer For You
WESTERN UNION: MONEY TRANSFER FOR YOU
Western Union: Remittance Advice
WESTERN UNION: REMITTANCE ADVICE
Western Union: Transfer Of Money
WESTERN UNION: TRANSFER OF MONEY
Western Union: You Have Money Transfer
WESTERN UNION: YOU HAVE MONEY TRANSFER
Western Union: You have received a money transfer
WESTERN UNION: YOU HAVE RECEIVED A MONEY TRANSFER

Another top spammed malware attachment today delivers emails with these subjects:

Re: End of July Statement Required
Re: FW: End of July Stat.
Re: FW: End of July Statement
Re: FW: End of July Statement required
Re: FW: End of July Statement Required
Re: FW: End of July Statement REquired
Re: FW: End of July Statement REquired!
Re: FW: End of July Stat. required
Re: FW: End of July Stat. Required

The email body says simply:

Hallo,
As requested i give you open Invoices issued to you as per 5th Aug. 2011
Regards
DEENA BUCKLEY

Here's the VirusTotal report for this one.

Inter-company Invoice spam leads to Malware

2011-08-10T05:57:00.001-07:00

This morning we are seeing a new spam campaign in the UAB Spam Data Mine. Volumes are still low, but the count is rising steadily, and the detection so far is horrible. When I started writing this post we had seen 710 copies. It's now up to 1389 copies and counting!

count | mbox
-------+---------------------
1 | 2011-08-10 05:45:00
6 | 2011-08-10 06:00:00
3 | 2011-08-10 06:15:00
85 | 2011-08-10 06:30:00
1 | 2011-08-10 06:45:00
3 | 2011-08-10 07:00:00
1 | 2011-08-10 07:15:00
301 | 2011-08-10 07:30:00
252 | 2011-08-10 07:45:00
260 | 2011-08-10 08:00:00
247 | 2011-08-10 08:15:00
229 | 2011-08-10 08:30:00
(12 rows)

The spam pretends to be an invoice from a random company. So far this morning we've seen spam claiming to be an invoice from:

Aleris International Corp.
AMR Corporation Corp.
Anic Corp.
Arch Coal Corp.
ATFT Corp
Beazer Homes USA Corp.
Boyd Gaming Corp.
Brookdale Senior Living Corp.
Hyland Software Corp.
KPMG Corp.
Kraft Foods Corp.
Miltek Corp.
Novellus Systems Corp.
OSN Corp.
PDC Corp.
Safeco Corporation Corp.
WLC Corp.

Subject can be:

Re: Fw: Inter-company inv. from (company)
Re: Fw: Inter-company inv. from (company)
Re: Fw: Inter-company invoice from (company)
Re: Fw: Intercompany invoice from (company)
Re: Fw: Corp. invoice from (company)

A couple example emails follow:

Hi
Attached the inter-company inv. for the period January 2010 til December 2010.

Thanks a lot for support setting up this process.

CHERYL Flowers
Kraft Foods Corp.

Hi

Attached the inter-company inv. for the period January 2010 til December 2010.
Thanks a lot

Asher GIFFORD
Anic Corp.

Good day

Attached the intercompany invoice for the period January 2010 til December 2010.

Thanks a lot for supporting this process
MAYOLA LEARY
Aleris International Corp.

The attachment may be named "Intinvoice" or "Invoice" followed by an underscore, a date, and an "invoice number" ".zip" such as:

Intinvoice_08.6.2011_2222341965.zip
or
Intinvoice_08.4.2011_Q167829.zip
or
Invoice_08.6.2011_T40099.zip

We've seen 1300+ copies so far in the UAB Spam Data Mine, and I have 15 in my personal email.

So far, all have had the same attachment MD5, which yields a 6 of 43 detection rate on this VirusTotal Report.

So far everyone is just saying it is "Suspicious" or "Generic" ... which is our invitation to infect ourselves and figure out what it does!

When we launched the malware, we made a connection to "armaturan.ru" on 94.199.48.152.

We also talked to "ss-partners.ru" on 77.120.114.100
and to "ledinit.ru" on 78.111.51.121

The connection to armaturan.ru did:

GET /forum/dl/ots.php?seller=4&hash={8FA33B0C-3F04-405B-83BD-1CD82D298FF2}

which seems to be uniquely registering our machine, and giving seller #4 credit for my infection?

From ss-partners.ru we fetched a file:

GET /dump/light.exe

which dropped an approximately 70k file onto our local machine.

Then we went back to armaturan.ru and sent another get:

GET /forum/dl/getruns.php?seller=4&hash={8FA33B0C-3F04-405B-83BD-1CD82D298FF2}&ahash=5895b2509324d6a17b2b6ea09859a485

Any bets on whether that ahash is the MD5 of the file I just downloaded?

Looks like I just reported back to the C&C that I successfully downloaded and installed malware with that MD5.

At this point I checked my registry and found that I had a new Run command for next time I restart. I'm supposed to run:

C:\Documents and Settings\Administrator\Application Data\3B1F8DC4\3B1F8DC4.EXE

Odd, I don't recall having a file named that?

Actually, we confirmed that this is the file that was downloaded as "light.exe" above. The VirusTotal report shows only 4 of 43 infection reports for this file as well. See VirusTotal Report.

Unfortunately, it disproves my MD5 theory. This is NOT the "ahash" value. This file's MD5 is f58d5cbb564069eca8806d4e48d7a714.

Launching the second file caused the machine to open an SSL tunnel to 78.111.51.121 and then sit idle.

You may recognize that as the IP address for "ledinit.ru" earlier, but it didn't make a connection by name. It went straight for the IP address. If that IP sounds familiar, it's probably because there have been many other malware campaigns tied to the network "Azerbaijan Baku Sol Ltd", but I'm sure that's just because it's a very large network.

78.111.51.100 is currently hosting three live Zeus C&C servers. Surely a coincidence.

fileuplarc.com
hunterdriveez.com
asdfasdgqghgsw.cx.cc

I'll email the owner and get those taken down right away! (smirk)

-----------

person: Vugar Kouliyev
address: 44, J.Jabbarli str., Baku, Azerbaijan
mnt-by: MNT-SOL
e-mail: vugar@kouliyev.com
phone: +994124971234
nic-hdl: VK1161-RIPE
source: RIPE # Filtered

route: 78.111.48.0/20
descr: SOL ISP
origin: AS43637
mnt-by: MNT-SOL
source: RIPE # Filtered

route: 78.111.51.0/24
descr: SOL ISP
origin: AS43637
mnt-by: MNT-SOL
source: RIPE # Filtered

----------------

Armaturan.ru on 94.199.48.152 also has a sordid history.

That IP address, in Hungary, has been associated with at least two active SpyEye domains: hdkajhslalskjd.ru and hhasdalkjjfasd.ru

I suppose we'll have to ask Mr. Zsolt nicely if he would remove those domains.

person: Zemancsik Zsolt
address: Victor Hugo u. 18-22.
address: 1132 Budapest
address: Hungary
phone: +36 203609059
e-mail: darwick@cyberground.hu
nic-hdl: DARW-RIPE
mnt-by: DARW-MNT
source: RIPE # Filtered

route: 94.199.48.0/21
descr: Originated from 23VNet Network
origin: AS30836
mnt-by: NET23-MNT
source: RIPE # Filtered

========
ss-partners.ru is on servers from Bellhost.ru, a customer of Volia DC

person: Volia DC Admin contact
address: Ukraine, Kiev, Kikvidze st. 1/2
phone: +38 044 2852716
abuse-mailbox: abuse@dc.volia.com
nic-hdl: VDCA-RIPE
mnt-by: VOLIA-DC-MNT
source: RIPE # Filtered

route: 77.120.96.0/19
descr: Volia more specific route
origin: AS25229
mnt-by: VOLIA-MNT
mnt-lower: VOLIA-MNT
source: RIPE # Filtered

Fake IRS emails continue to spread Gov-related Zeus

2011-08-05T03:40:00.000-07:00

We've already seen nearly 500 copies of the new Government-related Zeus spam campaign so far this morning in the UAB Spam Data Mine. As has been typical in this campaign that we first started tracking on July 13th, the detection has been fairly horrible each morning for the new malware version. We lasted updated on this malware on July 29th in our story Government-related Zeus Spam Continues.

Today's version advertises the domain "tax-irs-report.com" and asks users to download the file 0000770950077US.pdf.exe from that site.

190 different computers have sent us the spam for this campaign so far today. 118 of them from the USA, 40 from India.

When we asked the UAB Spam Data Mine what other virus links we had been sent by this same group of 190 computers on other days, we got this list:

receiving_date | machine | path
----------------+------------------------------+-------------------------------
2011-07-13 | usbanking-security.com | /tax_report.pdf.exe
2011-07-15 | federalsecusrity.com | /pending-taxes.pdf.exe
2011-07-19 | irs-report-link.com | /tax-report.pdf.exe
2011-07-19 | irs-taxes-report.com | /tax-report.pdf.exe
2011-07-19 | taxreport-irs.com | /tax-report.pdf.exe
2011-07-20 | alerts-federalresrve.com | /rejected_wire.pdf.exe
2011-07-20 | nacha-alert.com | /rejected_transaction.pdf.exe
2011-07-20 | nacha-alert.org | /rejected_transfer.pdf.exe
2011-07-20 | reports-federalreserve.com | /rejected_wire.pdf.exe
2011-07-21 | national-security-agency.com | /blocked_list.exe
2011-07-21 | national-security-agency.com | /token_security_update.exe
2011-07-21 | nsa-security.net | /blocked-list.exe
2011-07-21 | nsa-security.net | /token_security_update.exe
2011-07-22 | irs-downloads.com | /00000700955160US.exe
2011-07-22 | irs-files.com | /00000700955170US.exe
2011-07-26 | irs-alert.com | /00000700955770US.exe
2011-07-27 | nacha-transactions.org | /304694305894903.pdf.exe
2011-07-27 | taxes-refund.com | /00000700975770US.exe
2011-07-27 | www.nacha-rejected.com | /304694305894903.pdf.exe
2011-07-28 | fdic-updates.com | /system_update_07_28.exe
2011-07-29 | federalreserve-alert.com | /transaction_report.pdf.exe
2011-07-29 | taxes-security.com | /00000700955060US.pdf.exe
2011-08-03 | irs-report.com | /00000770950077US.exe
2011-08-05 | tax-irs-report.com | /0000770950077US.pdf.exe
(24 rows)

So, at least some of today's spamming computers have been with this campaign since the beginning (July 13th).

When today's malware is executed it sets a registry key in "HKEY_USERS\S-1-5(my user)-500\Software\Microsoft\Windows\CurrentVersion\Run" to relaunch itself from my current user account where it had copied itself as "C:\Documents and Settings\Administrator\Application Data\Afena\iror.exe"

It makes connection to domains generated with a DGA (Domain Generation Algorithm). Today's live domain was:

olojkpcltulirqr.info on 50.57.71.39

from there it did a GET for /news/?s=158404

It tried many other domains, but none of the others were live. Some of them include:

jruioljslsitjpfv.biz
wlnzkqmohuhzqyra.info
tjjhmtjlziebo.net
jpkpbxkoxwijzijr.info

As we have seen before, the malware ALSO fetches a copy of "heap_v206_mails.exe" after it successfully installs itself.

The spam started at 4:45 AM (Central time), peaked at 5:15, and then began to trickle off. (We group in 15 minute windows.)

count | 15 minute spam block
-------+---------------------
3 | 2011-08-05 04:45:00
3 | 2011-08-05 05:00:00
406 | 2011-08-05 05:15:00
86 | 2011-08-05 05:30:00
(4 rows)

This morning's malware is largely undetected:

A VirusTotal Report shows 6 of 43 AV products know that this is a virus.

I have to praise Microsoft for being the only one of the six to correctly call this Zeus (Zbot).

Email subjects we've seen on this morning's campaign:

count | subject
-------+-------------------------------------------------------------------
38 | Change Confirmation
4 | Does your company is registered outstanding tax debt
5 | Does your company is registered tax debt
1 | Does your enterprise including unpaid tax debts
1 | Does your enterprise listed outstanding tax debts
1 | Does your enterprise listed unpaid tax debts
30 | Federal Tax payment rejected
1 | For your company including unpaid tax debts
1 | For your company is registered outstanding tax debts
1 | For your company is registered tax debts
1 | For your company is registered unpaid tax debt
1 | For your company listed tax debts
2 | For your enterprise listed tax debt
70 | Internal Revenue Service
24 | Internal Revenue Service (IRS)
19 | Internal Revenue Service United States Department of the Treasury
32 | IRS.gov
31 | IRS.gov US
19 | Notice of Underreported Income
35 | Payment IRS.gov
50 | Support IRS.gov
40 | Treasury Inspector General for Tax Administration
42 | U.S. Department of the Treasury
1 | Your company including outstanding tax debts
1 | Your company including tax debts
1 | Your company listed outstanding tax debt
2 | Your company listed tax debts
1 | Your enterprise including outstanding tax debts
2 | Your enterprise is registered unpaid tax debts
1 | Your enterprise listed outstanding tax debt
1 | Your enterprise listed unpaid tax debt
39 | Your IRS payment rejected
(32 rows)

A mix and match of sender name, sender-username, and sender-domain creates the from addresses:

count | sender_name
-------+---------------------------------------------------------------------
19 | "Internal Revenue Service"
18 | "Internal Revenue Service (IRS)"
27 | "Internal Revenue Service (IRS.gov)"
29 | "Internal Revenue Service United States Department of the Treasury"
23 | "Internal Revenue Service US Department of the Treasury"
29 | "IRS.gov"
18 | "IRS.gov United States Department of the Treasury"
30 | "IRS.gov US"
22 | "IRS.gov US Department of the Treasury"
21 | "IRS United States Department of the Treasury"
41 | "Payment IRS.gov"
37 | "Support IRS.gov"
23 | "The Consumer Financial Protection"
37 | "Treasury Inspector General for Tax Administration"
30 | "United States Department of the Treasury"
19 | "U.S. Department of the Treasury"
23 | "US_IRS"
17 | "USIRS"
35 | "US IRS.gov"

count | sender_username
-------+--------------------------
12 | admin
8 | adminnistration
9 | alerts
16 | cunsumer
29 | delivery
15 | e-file
10 | finance
33 | frboard-webannouncements
36 | govdelivery
26 | info
17 | information
14 | inspector
8 | internal_revenue_service
30 | Internal_Revenue_Service
18 | irs
6 | news
14 | news-alerts
8 | no-reply
28 | privacy_policy
22 | protection
5 | public
5 | report
9 | service
17 | stats
22 | subscriber
12 | subscriptions
13 | support
13 | usirc
14 | USIRS
13 | usttb
16 | webannouncements
(31 rows)

count | sender_domain
-------+-------------------
93 | antifraud.irs.gov
73 | info.irs.gov
78 | irs.gov
91 | irs.security.gov
73 | irs.taxes.gov
90 | service.irs.gov
(6 rows)

Love Map Spam spreads Fake AV

2011-08-03T07:19:00.000-07:00

The top malware spam of the morning is another Fake Antivirus product, but as you'll see in today's story, its a very familiar Fake AV product.

About 1/2 of 1% of the spam we've seen this morning is a new campaign spreading a fake antivirus dropper. The malware has a fair detection rating, with 17 of 43 AV products detecting the malware according to VirusTotal in their report for MD5 = 635aceafb9ee4236e50e7d0f6c7a7895.

The email bodies use some random misspellings, but look something like this:

WELCOME S'EXOHOLIC!
Are YOU real Se'X-tourist?
Check ->>NEW PROJECT: WORLD MAP OF PUSSY
With Best Wishes ...
www. love-map .com

and then have an attachment, which is the malware.

(the website, love-map.com, doesn't actually exist...)

The attachment filename is "map_of_love###.zip" where ### is a random number of length between 4 and 8 characters.

Thanks to the UAB Spam Data Mine, it's fairly easy for us to link this new Fake AV spam campaign to previous ones. For example -- we've seen 520 distinct sending IP addresses so far this morning, so let's ask "What was the most common email subject that those same sending IP addresses sent us yesterday?"

43 of the IP addresses sent us an email yesterday with the subject "Your credit card is blocked"

33 sent us "Your credit card has been blocked"

That's the same campaign we've been seeing since we wrote about it on July 23rd (See: MasterCard Spam Leads to Fake AV.

The other big fake AV campaign from yesterday was one pretending to be the US Postal Service. We saw 814 copies of that spam yesterday, and 154 of them came from computers that also sent us today's "Love Map" malware.

The USPS subjects were like:

DELIVERY CONFIRMATION FROM USPS 0785164
From USPS 0735590
USPS Attention 03867076
USPS: DELIVER CONFIRMATION - FAILED 1399475
USPS Delivery Confirmation 1784864
USPS id. 167163
Your USPS id. 12286791

With random upper and lowercasing, and random numbers in each subject.

Here's a VirusTotal report on yesterday's USPS Fake AV, which had MD5 = a9a01f061d336774276fabb1827b91cc

How closely related are the "MasterCard" fake AV and the USPS fake AV? Well, they are actually IDENTICAL. Its the same Malware. Here's a report extract from yesterday showing the email subject and the MD5 of the attached malware:

Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card has been blocked | a9a01f061d336774276fabb1827b91cc
Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card has been blocked | a9a01f061d336774276fabb1827b91cc
Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card has been blocked | a9a01f061d336774276fabb1827b91cc
Your credit card has been blocked | a9a01f061d336774276fabb1827b91cc
Your credit card has been blocked | a9a01f061d336774276fabb1827b91cc
Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card has been blocked | a9a01f061d336774276fabb1827b91cc
From USPS 38864359 | a9a01f061d336774276fabb1827b91cc
USPS DELIVERY CONFIRMATION 954859 | a9a01f061d336774276fabb1827b91cc
From USPS 8815572 | a9a01f061d336774276fabb1827b91cc
DELIVERY CONFIRMATION FROM USPS 6498394 | a9a01f061d336774276fabb1827b91cc
DELIVERY CONFIRMATION FROM USPS 73687208 | a9a01f061d336774276fabb1827b91cc
USPS DELIVERY CONFIRMATION 56547166 | a9a01f061d336774276fabb1827b91cc
USPS ATTENTION 578975 | a9a01f061d336774276fabb1827b91cc
USPS: DELIVER CONFIRMATION - FAILED 9211453 | a9a01f061d336774276fabb1827b91cc
From USPS 5174072 | a9a01f061d336774276fabb1827b91cc
USPS Attention 1201554 | a9a01f061d336774276fabb1827b91cc
Your USPS id. 92444941 | a9a01f061d336774276fabb1827b91cc
DELIVERY CONFIRMATION FROM USPS 575555 | a9a01f061d336774276fabb1827b91cc
Your USPS id. 82259351 | a9a01f061d336774276fabb1827b91cc
Your USPS id. 139017 | a9a01f061d336774276fabb1827b91cc
Your USPS id. 381458 | a9a01f061d336774276fabb1827b91cc
From USPS 3877947 | a9a01f061d336774276fabb1827b91cc
USPS id. 45254864 | a9a01f061d336774276fabb1827b91cc

OK, back to today . . .

Here are the "Love Map" spam subject lines we've seen it use so far:

BABECITIES IN WORLD 2011
BABEPLACES IN WORLD 2011
BABIESPLACES IN WORLD 2011
BABIESSPOTS IN WORLD 2011
BABYCITIES IN WORLD 2011
BABYSPOTS IN WORLD 2011
GIRLSCITIES IN WORLD 2011
GIRLSPLACES IN WORLD 2011
GIRLSSPOTS IN WORLD 2011
HOT BABE CITIES 2011
HOT BABE PLACES 2011
HOT BABE SPOTS 2011
HOT BABIES CITIES 2011
HOT BABIES SPOTS 2011
HOT BABY CITIES 2011
HOT BABY PLACES 2011
HOT BABY SPOTS 2011
HOT CITIES OF BABE 2011
HOTCITIES OF BABIES 2011
HOT CITIES OF BABY 2011
HOTCITIES OF BABY 2011
HOT CITIES OF GIRLS 2011
HOTCITIES OF GIRLS 2011
HOTCITIES OF PUSSY 2011
HOT GIRLS PLACES 2011
HOT GIRLS SPOTS 2011
HOT PLACES OF BABE 2011
HOT PLACES OF BABIES 2011
HOTPLACES OF BABIES 2011
HOT PLACES OF BABY 2011
HOTPLACES OF BABY 2011
HOT PLACES OF GIRLS 2011
HOTPLACES OF GIRLS 2011
HOT PLACES OF GIRLS IN WORLD
HOTPLACES OF GIRLS IN WORLD
HOT PLACES OF PUSSIES 2011
HOTPLACES OF PUSSIES 2011
HOT PLACES OF PUSSY 2011
HOTPLACES OF PUSSY 2011
HOT PUSSIES CITIES 2011
HOT PUSSIES SPOTS 2011
HOT PUSSY CITIES 2011
HOT PUSSY PLACES 2011
HOT PUSSY SPOTS 2011
HOT SPOTS OF BABE 2011
HOT SPOTS OF BABIES 2011
HOTSPOTS OF BABIES 2011
HOT SPOTS OF GIRLS 2011
HOTSPOTS OF GIRLS 2011
HOT SPOTS OF GIRLS IN WORLD
HOT SPOTS OF PUSSIES 2011
HOTSPOTS OF PUSSIES 2011
HOT SPOTS OF PUSSY 2011
HOTSPOTS OF PUSSY 2011
JULY-2011: BABECITIES IN WORLD
JULY-2011: BABEPLACES IN WORLD
JULY-2011: BABIESCITIES IN WORLD
JULY-2011: BABIESPLACES IN WORLD
JULY-2011: BABYCITIES IN WORLD
JULY-2011: BABYPLACES IN WORLD
JULY-2011: GIRLSPLACES IN WORLD
JULY-2011: GIRLSSPOTS IN WORLD
JULY-2011: HOT BABE CITIES
JULY-2011: HOT BABE PLACES
JULY-2011: HOT BABE SPOTS
JULY-2011: HOT BABIES CITIES
JULY-2011: HOT BABY CITIES
JULY-2011: HOT BABY PLACES
JULY-2011: HOT BABY SPOTS
JULY-2011: HOT CITIES OF BABE
JULY-2011: HOTCITIES OF BABE
JULY-2011: HOTCITIES OF BABIES
JULY-2011: HOT CITIES OF BABY
JULY-2011: HOTCITIES OF BABY
JULY-2011: HOT CITIES OF GIRLS
JULY-2011: HOTCITIES OF GIRLS
JULY-2011: HOT CITIES OF PUSSIES
JULY-2011: HOTCITIES OF PUSSIES
JULY-2011: HOT CITIES OF PUSSY
JULY-2011: HOTCITIES OF PUSSY
JULY-2011: HOT GIRLS PLACES
JULY-2011: HOT GIRLS SPOTS
JULY-2011: HOT PLACES OF BABE
JULY-2011: HOTPLACES OF BABE
JULY-2011: HOT PLACES OF BABIES
JULY-2011: HOTPLACES OF BABIES
JULY-2011: HOT PLACES OF BABY
JULY-2011: HOTPLACES OF BABY
JULY-2011: HOT PLACES OF GIRLS
JULY-2011: HOTPLACES OF GIRLS
JULY-2011: HOTPLACES OF PUSSIES
JULY-2011: HOT PLACES OF PUSSY
JULY-2011: HOTPLACES OF PUSSY
JULY-2011: HOT PUSSIES CITIES
JULY-2011: HOT PUSSIES PLACES
JULY-2011: HOT PUSSIES SPOTS
JULY-2011: HOT PUSSY CITIES
JULY-2011: HOT PUSSY PLACES
JULY-2011: HOT PUSSY SPOTS
JULY-2011: HOTSPOTS OF BABE
JULY-2011: HOT SPOTS OF BABIES
JULY-2011: HOTSPOTS OF BABIES
JULY-2011: HOT SPOTS OF BABY
JULY-2011: HOTSPOTS OF BABY
JULY-2011: HOT SPOTS OF GIRLS
JULY-2011: HOTSPOTS OF GIRLS
JULY-2011: HOT SPOTS OF PUSSIES
JULY-2011: HOTSPOTS OF PUSSIES
JULY-2011: HOT SPOTS OF PUSSY
JULY-2011: LOVE BABE CITIES
JULY-2011: LOVE BABE PLACES
JULY-2011: LOVE BABIES SPOTS
JULY-2011: LOVE BABY CITIES
JULY-2011: LOVE BABY PLACES
JULY-2011: LOVE BABY SPOTS
JULY-2011: LOVE CITIES IN WORLD
JULY-2011: LOVE CITIES OF BABE
JULY-2011: LOVECITIES OF BABE
JULY-2011: LOVECITIES OF BABIES
JULY-2011: LOVE CITIES OF BABY
JULY-2011: LOVECITIES OF BABY
JULY-2011: LOVECITIES OF GIRLS
JULY-2011: LOVE CITIES OF PUSSIES
JULY-2011: LOVECITIES OF PUSSIES
JULY-2011: LOVE CITIES OF PUSSY
JULY-2011: LOVECITIES OF PUSSY
JULY-2011: LOVE GIRLS CITIES
JULY-2011: LOVE GIRLS PLACES
JULY-2011: LOVE GIRLS SPOTS
JULY-2011: LOVE MAP OF BABE
JULY-2011: LOVE MAP OF BABIES
JULY-2011: LOVE-MAP OF BABIES
JULY-2011: LOVE-MAP OF BABY
JULY-2011: LOVE MAP OF GIRLS
JULY-2011: LOVE-MAP OF GIRLS
JULY-2011: LOVE MAP OF PUSSIES
JULY-2011: LOVE-MAP OF PUSSIES
JULY-2011: LOVE MAP OF PUSSY
JULY-2011: LOVE-MAP OF PUSSY
JULY-2011: LOVEPLACES IN WORLD
JULY-2011: LOVE PLACES OF BABE
JULY-2011: LOVEPLACES OF BABE
JULY-2011: LOVE PLACES OF BABIES
JULY-2011: LOVEPLACES OF BABIES
JULY-2011: LOVE PLACES OF BABY
JULY-2011: LOVEPLACES OF BABY
JULY-2011: LOVE PLACES OF GIRLS
JULY-2011: LOVEPLACES OF GIRLS
JULY-2011: LOVE PLACES OF PUSSIES
JULY-2011: LOVEPLACES OF PUSSIES
JULY-2011: LOVE PLACES OF PUSSY
JULY-2011: LOVE PUSSIES PLACES
JULY-2011: LOVE PUSSIES SPOTS
JULY-2011: LOVE PUSSY CITIES
JULY-2011: LOVE PUSSY PLACES
JULY-2011: LOVE SPOTS IN WORLD
JULY-2011: LOVESPOTS IN WORLD
JULY-2011: LOVE SPOTS OF BABE
JULY-2011: LOVESPOTS OF BABE
JULY-2011: LOVE SPOTS OF BABIES
JULY-2011: LOVE SPOTS OF BABY
JULY-2011: LOVE SPOTS OF GIRLS
JULY-2011: LOVESPOTS OF GIRLS
JULY-2011: LOVE SPOTS OF PUSSIES
JULY-2011: LOVESPOTS OF PUSSIES
JULY-2011: LOVE SPOTS OF PUSSY
JULY-2011: LOVESPOTS OF PUSSY
JULY-2011: PUSSYCITIES IN WORLD
JULY-2011: PUSSYPLACES IN WORLD
JULY-2011: SEXYCITIES IN WORLD
JULY-2011: SEXY LOVE MAP
JULY-2011: SEXY LOVE-MAP
JULY-2011: SEXY PLACES IN WORLD
JULY-2011: SEXYPLACES IN WORLD
JULY-2011: SEXYSPOTS IN WORLD
JULY-2011: SEXY WORLD MAP
JULY-2011: WORLD MAP OF BABE
JULY-2011: WORLD-MAP OF BABE
JULY-2011: WORLD MAP OF BABIES
JULY-2011: WORLD-MAP OF BABIES
JULY-2011: WORLD MAP OF BABY
JULY-2011: WORLD-MAP OF BABY
JULY-2011: WORLD MAP OF GIRLS
JULY-2011: WORLD-MAP OF GIRLS
JULY-2011: WORLD-MAP OF PUSSIES
JULY-2011: WORLD MAP OF PUSSY
JULY-2011: WORLD-MAP OF PUSSY
KNOW-HOW: BABECITIES IN WORLD
KNOW-HOW: BABEPLACES IN WORLD
KNOW-HOW: BABESPOTS IN WORLD
KNOW-HOW: BABIESCITIES IN WORLD
KNOW-HOW: BABIESSPOTS IN WORLD
KNOW-HOW: BABYCITIES IN WORLD
KNOW-HOW: BABYPLACES IN WORLD
KNOW-HOW: BABYSPOTS IN WORLD
KNOW-HOW: GIRLSPLACES IN WORLD
KNOW-HOW: HOT BABE PLACES
KNOW-HOW: HOT BABE SPOTS
KNOW-HOW: HOT BABIES CITIES
KNOW-HOW: HOT BABIES PLACES
KNOW-HOW: HOT BABIES SPOTS
KNOW-HOW: HOT BABY CITIES
KNOW-HOW: HOT BABY PLACES
KNOW-HOW: HOT BABY SPOTS
KNOW-HOW: HOT CITIES OF BABE
KNOW-HOW: HOTCITIES OF BABE
KNOW-HOW: HOT CITIES OF BABIES
KNOW-HOW: HOTCITIES OF BABIES
KNOW-HOW: HOT CITIES OF BABY
KNOW-HOW: HOTCITIES OF BABY
KNOW-HOW: HOT CITIES OF PUSSIES
KNOW-HOW: HOTCITIES OF PUSSY
KNOW-HOW: HOT GIRLS CITIES
KNOW-HOW: HOT GIRLS SPOTS
KNOW-HOW: HOT PLACES OF BABE
KNOW-HOW: HOTPLACES OF BABE
KNOW-HOW: HOT PLACES OF BABIES
KNOW-HOW: HOTPLACES OF BABIES
KNOW-HOW: HOTPLACES OF BABY
KNOW-HOW: HOT PLACES OF GIRLS
KNOW-HOW: HOTPLACES OF GIRLS
KNOW-HOW: HOT PLACES OF PUSSIES
KNOW-HOW: HOT PLACES OF PUSSY
KNOW-HOW: HOTPLACES OF PUSSY
KNOW-HOW: HOT PUSSIES CITIES
KNOW-HOW: HOT PUSSIES PLACES
KNOW-HOW: HOT PUSSY PLACES
KNOW-HOW: HOT SPOTS OF BABE
KNOW-HOW: HOTSPOTS OF BABE
KNOW-HOW: HOT SPOTS OF BABY
KNOW-HOW: HOTSPOTS OF BABY
KNOW-HOW: HOTSPOTS OF GIRLS
KNOW-HOW: HOTSPOTS OF PUSSY
KNOW-HOW: LOVE BABE CITIES
KNOW-HOW: LOVE BABE SPOTS
KNOW-HOW: LOVE BABIES CITIES
KNOW-HOW: LOVE BABIES PLACES
KNOW-HOW: LOVE BABY CITIES
KNOW-HOW: LOVE CITIES IN WORLD
KNOW-HOW: LOVECITIES IN WORLD
KNOW-HOW: LOVECITIES OF BABE
KNOW-HOW: LOVECITIES OF BABIES
KNOW-HOW: LOVE CITIES OF BABY
KNOW-HOW: LOVECITIES OF BABY
KNOW-HOW: LOVE CITIES OF GIRLS
KNOW-HOW: LOVECITIES OF PUSSIES
KNOW-HOW: LOVE CITIES OF PUSSY
KNOW-HOW: LOVECITIES OF PUSSY
KNOW-HOW: LOVE GIRLS CITIES
KNOW-HOW: LOVE GIRLS SPOTS
KNOW-HOW: LOVE MAP OF BABE
KNOW-HOW: LOVE MAP OF BABIES
KNOW-HOW: LOVE MAP OF BABY
KNOW-HOW: LOVE-MAP OF BABY
KNOW-HOW: LOVE MAP OF GIRLS
KNOW-HOW: LOVE-MAP OF GIRLS
KNOW-HOW: LOVE MAP OF PUSSIES
KNOW-HOW: LOVE-MAP OF PUSSIES
KNOW-HOW: LOVE MAP OF PUSSY
KNOW-HOW: LOVE-MAP OF PUSSY
KNOW-HOW: LOVE PLACES IN WORLD
KNOW-HOW: LOVEPLACES IN WORLD
KNOW-HOW: LOVE PLACES OF BABE
KNOW-HOW: LOVEPLACES OF BABE
KNOW-HOW: LOVEPLACES OF BABIES
KNOW-HOW: LOVE PLACES OF BABY
KNOW-HOW: LOVEPLACES OF BABY
KNOW-HOW: LOVE PLACES OF GIRLS
KNOW-HOW: LOVEPLACES OF GIRLS
KNOW-HOW: LOVE PLACES OF PUSSIES
KNOW-HOW: LOVEPLACES OF PUSSIES
KNOW-HOW: LOVE PLACES OF PUSSY
KNOW-HOW: LOVEPLACES OF PUSSY
KNOW-HOW: LOVE PUSSIES CITIES
KNOW-HOW: LOVE PUSSIES PLACES
KNOW-HOW: LOVE PUSSIES SPOTS
KNOW-HOW: LOVE PUSSY CITIES
KNOW-HOW: LOVE PUSSY PLACES
KNOW-HOW: LOVE PUSSY SPOTS
KNOW-HOW: LOVE SPOTS IN WORLD
KNOW-HOW: LOVE SPOTS OF BABE
KNOW-HOW: LOVESPOTS OF BABE
KNOW-HOW: LOVESPOTS OF BABIES
KNOW-HOW: LOVESPOTS OF BABY
KNOW-HOW: LOVE SPOTS OF GIRLS
KNOW-HOW: LOVESPOTS OF GIRLS
KNOW-HOW: LOVE SPOTS OF PUSSIES
KNOW-HOW: LOVESPOTS OF PUSSIES
KNOW-HOW: LOVESPOTS OF PUSSY
KNOW-HOW: PUSSYPLACES IN WORLD
KNOW-HOW: PUSSYSPOTS IN WORLD
KNOW-HOW: SEXY CITIES IN WORLD
KNOW-HOW: SEXYCITIES IN WORLD
KNOW-HOW: SEXY LOVE MAP
KNOW-HOW: SEXY LOVE-MAP
KNOW-HOW: SEXY PLACES IN WORLD
KNOW-HOW: SEXYPLACES IN WORLD
KNOW-HOW: SEXY SPOTS IN WORLD
KNOW-HOW: SEXYSPOTS IN WORLD
KNOW-HOW: SEXY WORLD MAP
KNOW-HOW: SEXY WORLD-MAP
KNOW-HOW: WORLD MAP OF BABE
KNOW-HOW: WORLD-MAP OF BABE
KNOW-HOW: WORLD MAP OF BABIES
KNOW-HOW: WORLD-MAP OF BABIES
KNOW-HOW: WORLD MAP OF BABY
KNOW-HOW: WORLD-MAP OF BABY
KNOW-HOW: WORLD MAP OF GIRLS
KNOW-HOW: WORLD-MAP OF GIRLS
KNOW-HOW: WORLD-MAP OF PUSSIES
KNOW-HOW: WORLD MAP OF PUSSY
LOVE BABE CITIES 2011
LOVE BABE PLACES 2011
LOVE BABE SPOTS 2011
LOVE BABIES CITIES 2011
LOVE BABIES PLACES 2011
LOVE BABIES SPOTS 2011
LOVE BABY CITIES 2011
LOVE BABY PLACES 2011
LOVE BABY SPOTS 2011
LOVE CITIES IN WORLD 2011
LOVE CITIES OF BABE 2011
LOVECITIES OF BABE 2011
LOVE CITIES OF BABIES 2011
LOVECITIES OF BABIES 2011
LOVE CITIES OF BABY 2011
LOVECITIES OF BABY 2011
LOVE CITIES OF GIRLS 2011
LOVECITIES OF GIRLS 2011
LOVE CITIES OF PUSSIES 2011
LOVECITIES OF PUSSIES 2011
LOVE CITIES OF PUSSY 2011
LOVECITIES OF PUSSY 2011
LOVE GIRLS CITIES 2011
LOVE GIRLS PLACES 2011
LOVE GIRLS SPOTS 2011
LOVE MAP OF BABE 2011
LOVE-MAP OF BABE 2011
LOVE MAP OF BABIES 2011
LOVE-MAP OF BABIES 2011
LOVE MAP OF BABY 2011
LOVE-MAP OF BABY 2011
LOVE-MAP OF GIRLS 2011
LOVE MAP OF PUSSIES 2011
LOVE-MAP OF PUSSY 2011
LOVE PLACES IN WORLD 2011
LOVEPLACES IN WORLD 2011
LOVE PLACES OF BABE 2011
LOVEPLACES OF BABE 2011
LOVE PLACES OF BABIES 2011
LOVEPLACES OF BABIES 2011
LOVEPLACES OF BABY 2011
LOVE PLACES OF GIRLS 2011
LOVEPLACES OF GIRLS 2011
LOVE PLACES OF GIRLS IN WORLD
LOVEPLACES OF GIRLS IN WORLD
LOVE PLACES OF PUSSIES 2011
LOVEPLACES OF PUSSIES 2011
LOVE PLACES OF PUSSY 2011
LOVEPLACES OF PUSSY 2011
LOVE PUSSIES PLACES 2011
LOVE PUSSIES SPOTS 2011
LOVE PUSSY CITIES 2011
LOVE PUSSY PLACES 2011
LOVE PUSSY SPOTS 2011
LOVE SPOTS IN WORLD 2011
LOVESPOTS IN WORLD 2011
LOVESPOTS OF BABE 2011
LOVE SPOTS OF BABIES 2011
LOVESPOTS OF BABIES 2011
LOVE SPOTS OF BABY 2011
LOVESPOTS OF BABY 2011
LOVE SPOTS OF GIRLS 2011
LOVESPOTS OF GIRLS 2011
LOVE SPOTS OF GIRLS IN WORLD
LOVE SPOTS OF PUSSIES 2011
LOVESPOTS OF PUSSIES 2011
LOVE SPOTS OF PUSSY 2011
LOVESPOTS OF PUSSY 2011
PUSSIESCITIES IN WORLD 2011
PUSSIESPLACES IN WORLD
PUSSIESSPOTS IN WORLD 2011
PUSSYCITIES IN WORLD 2011
PUSSYPLACES IN WORLD 2011
PUSSYSPOTS IN WORLD 2011
SEXY CITIES IN WORLD 2011
SEXY LOVE MAP 2011
SEXY LOVE-MAP 2011
SEXY PLACES IN WORLD 2011
SEXYPLACES IN WORLD 2011
SEXY SPOTS IN WORLD
SEXYSPOTS IN WORLD
SEXY WORLD MAP 2011
SUMMER-2011: BABECITIES IN WORLD
SUMMER-2011: BABEPLACES IN WORLD
SUMMER-2011: BABIESCITIES IN WORLD
SUMMER-2011: BABIESPLACES IN WORLD
SUMMER-2011: BABYCITIES IN WORLD
SUMMER-2011: BABYPLACES IN WORLD
SUMMER-2011: GIRLSCITIES IN WORLD
SUMMER-2011: GIRLSPLACES IN WORLD
SUMMER-2011: GIRLSSPOTS IN WORLD
SUMMER-2011: HOT BABE SPOTS
SUMMER-2011: HOT BABIES CITIES
SUMMER-2011: HOT BABIES PLACES
SUMMER-2011: HOT BABY PLACES
SUMMER-2011: HOT CITIES OF BABE
SUMMER-2011: HOTCITIES OF BABE
SUMMER-2011: HOT CITIES OF BABIES
SUMMER-2011: HOT CITIES OF BABY
SUMMER-2011: HOTCITIES OF BABY
SUMMER-2011: HOT CITIES OF GIRLS
SUMMER-2011: HOT CITIES OF PUSSIES
SUMMER-2011: HOT CITIES OF PUSSY
SUMMER-2011: HOTCITIES OF PUSSY
SUMMER-2011: HOT GIRLS CITIES
SUMMER-2011: HOTPLACES OF BABE
SUMMER-2011: HOT PLACES OF BABIES
SUMMER-2011: HOTPLACES OF BABIES
SUMMER-2011: HOT PLACES OF BABY
SUMMER-2011: HOTPLACES OF BABY
SUMMER-2011: HOT PLACES OF GIRLS
SUMMER-2011: HOTPLACES OF GIRLS
SUMMER-2011: HOT PLACES OF PUSSIES
SUMMER-2011: HOTPLACES OF PUSSIES
SUMMER-2011: HOT PLACES OF PUSSY
SUMMER-2011: HOTPLACES OF PUSSY
SUMMER-2011: HOT PUSSIES CITIES
SUMMER-2011: HOT PUSSIES PLACES
SUMMER-2011: HOT PUSSY CITIES
SUMMER-2011: HOT PUSSY SPOTS
SUMMER-2011: HOT SPOTS OF BABE
SUMMER-2011: HOTSPOTS OF BABE
SUMMER-2011: HOT SPOTS OF BABIES
SUMMER-2011: HOTSPOTS OF BABIES
SUMMER-2011: HOT SPOTS OF BABY
SUMMER-2011: HOTSPOTS OF BABY
SUMMER-2011: HOT SPOTS OF GIRLS
SUMMER-2011: HOTSPOTS OF GIRLS
SUMMER-2011: HOT SPOTS OF PUSSIES
SUMMER-2011: HOTSPOTS OF PUSSIES
SUMMER-2011: HOT SPOTS OF PUSSY
SUMMER-2011: HOTSPOTS OF PUSSY
SUMMER-2011: LOVE BABE CITIES
SUMMER-2011: LOVE BABE PLACES
SUMMER-2011: LOVE BABE SPOTS
SUMMER-2011: LOVE BABIES CITIES
SUMMER-2011: LOVE BABIES SPOTS
SUMMER-2011: LOVE BABY CITIES
SUMMER-2011: LOVE BABY PLACES
SUMMER-2011: LOVE CITIES IN WORLD
SUMMER-2011: LOVE CITIES OF BABE
SUMMER-2011: LOVECITIES OF BABE
SUMMER-2011: LOVECITIES OF BABIES
SUMMER-2011: LOVE CITIES OF BABY
SUMMER-2011: LOVECITIES OF BABY
SUMMER-2011: LOVE CITIES OF PUSSIES
SUMMER-2011: LOVECITIES OF PUSSIES
SUMMER-2011: LOVE CITIES OF PUSSY
SUMMER-2011: LOVECITIES OF PUSSY
SUMMER-2011: LOVE GIRLS CITIES
SUMMER-2011: LOVE GIRLS PLACES
SUMMER-2011: LOVE GIRLS SPOTS
SUMMER-2011: LOVE MAP OF BABE
SUMMER-2011: LOVE-MAP OF BABE
SUMMER-2011: LOVE MAP OF BABIES
SUMMER-2011: LOVE-MAP OF BABIES
SUMMER-2011: LOVE MAP OF BABY
SUMMER-2011: LOVE-MAP OF BABY
SUMMER-2011: LOVE-MAP OF GIRLS
SUMMER-2011: LOVE MAP OF PUSSIES
SUMMER-2011: LOVE-MAP OF PUSSIES
SUMMER-2011: LOVE MAP OF PUSSY
SUMMER-2011: LOVE-MAP OF PUSSY
SUMMER-2011: LOVE PLACES OF BABE
SUMMER-2011: LOVEPLACES OF BABE
SUMMER-2011: LOVE PLACES OF BABIES
SUMMER-2011: LOVEPLACES OF BABIES
SUMMER-2011: LOVE PLACES OF BABY
SUMMER-2011: LOVEPLACES OF BABY
SUMMER-2011: LOVE PLACES OF GIRLS
SUMMER-2011: LOVEPLACES OF GIRLS
SUMMER-2011: LOVE PLACES OF PUSSIES
SUMMER-2011: LOVEPLACES OF PUSSIES
SUMMER-2011: LOVEPLACES OF PUSSY
SUMMER-2011: LOVE PUSSIES CITIES
SUMMER-2011: LOVE PUSSIES PLACES
SUMMER-2011: LOVE PUSSIES SPOTS
SUMMER-2011: LOVE PUSSY CITIES
SUMMER-2011: LOVE PUSSY SPOTS
SUMMER-2011: LOVE SPOTS IN WORLD
SUMMER-2011: LOVESPOTS IN WORLD
SUMMER-2011: LOVE SPOTS OF BABE
SUMMER-2011: LOVESPOTS OF BABE
SUMMER-2011: LOVE SPOTS OF BABIES
SUMMER-2011: LOVESPOTS OF BABIES
SUMMER-2011: LOVE SPOTS OF BABY
SUMMER-2011: LOVESPOTS OF BABY
SUMMER-2011: LOVE SPOTS OF GIRLS
SUMMER-2011: LOVE SPOTS OF PUSSIES
SUMMER-2011: LOVESPOTS OF PUSSIES
SUMMER-2011: LOVE SPOTS OF PUSSY
SUMMER-2011: LOVESPOTS OF PUSSY
SUMMER-2011: PUSSYCITIES IN WORLD
SUMMER-2011: PUSSYPLACES IN WORLD
SUMMER-2011: SEXYCITIES IN WORLD
SUMMER-2011: SEXY LOVE MAP
SUMMER-2011: SEXY LOVE-MAP
SUMMER-2011: SEXY PLACES IN WORLD
SUMMER-2011: SEXYPLACES IN WORLD
SUMMER-2011: SEXY SPOTS IN WORLD
SUMMER-2011: SEXYSPOTS IN WORLD
SUMMER-2011: SEXY WORLD MAP
SUMMER-2011: SEXY WORLD-MAP
SUMMER-2011: WORLD MAP OF BABE
SUMMER-2011: WORLD-MAP OF BABE
SUMMER-2011: WORLD MAP OF BABIES
SUMMER-2011: WORLD MAP OF BABY
SUMMER-2011: WORLD-MAP OF BABY
SUMMER-2011: WORLD MAP OF GIRLS
SUMMER-2011: WORLD-MAP OF GIRLS
SUMMER-2011: WORLD MAP OF PUSSIES
SUMMER-2011: WORLD-MAP OF PUSSIES
SUMMER-2011: WORLD-MAP OF PUSSY
WORLD MAP OF BABE 2011
WORLD MAP OF BABIES 2011
WORLD-MAP OF BABIES 2011
WORLD-MAP OF BABY 2011
WORLD MAP OF GIRLS 2011
WORLD-MAP OF GIRLS 2011
WORLD MAP OF PUSSY 2011
WORLD-MAP OF PUSSY 2011
(532 rows)

"Wrong Transaction" Hotel spam malware continues to evolve

2011-07-31T18:31:00.001-07:00

One of the distinct advantages of having the UAB Spam Data Mine is that we are able to provide near-real-time intelligence about the evolution of malware campaigns being delivered by spam. On July 27, 2011 we provided a warning about Wrong Transaction Hotel Spam that was covered by Robert McMillan in PC World and ComputerWorld, and was also mentioned by Matt Liebowitz for MSNBC.

Unfortunately, from an anti-virus perspective, consumers are no safer than they were when we first put out the warning four days ago.

We're still seeing more than 1,000 copies per day of this malware (with the exception of the 29th) each day:

 count | receiving_date
-------+----------------
  1516 | 2011-07-27
  1828 | 2011-07-28
   813 | 2011-07-29
  1470 | 2011-07-30
  1258 | 2011-07-31
(5 rows)

but the malware is constantly evolving.

Count	Malware MD5	TimeRange
593	c15eb3c47800fec025b6a86a6409f144	2011-07-27 03:00 AM to 2011-07-27 08:30 AM
1001	01e3bbd4b6f8c22a3516771f9b6792bc	2011-07-27 12:45 PM to 2011-07-28 04:45 AM
318	57d931256fd6d7184528ae983e34677b	2011-07-27 08:00 AM to 2011-07-27 13:30 PM
865	6e2eae488317280dd813e3e2fc9e0275	2011-07-28 04:15 AM to 2011-07-28 13:00 PM
554	ad760ac5806a84a272e1eb76b315ac31	2011-07-28 12:30 PM to 2011-07-28 20:15 PM
1116	4140ee10115174fe36a738d4d943f2af	2011-07-29 13:45 PM to 2011-07-30 04:00 AM
614	e2d3d4ccf02ea924e6d11cb452235f4c	2011-07-30 03:30 AM to 2011-07-30 16:15 PM
931	5bbe80ad216c89bcbb6891178dc4b5fa	2011-07-30 14:45 PM to 2011-07-31 07:30 AM
409	ca84d1a0c49eff5ca829b5fa531800e8	2011-07-31 07:30 AM to 2011-07-31 13:15 PM
484	aa412182a164321a159f9b2e95be53bc	2011-07-31 13:15 PM to 2011-07-31 CURRENT TIME

Each of the links in the table above will take you to the VirusTotal report showing how many of 43 different anti-virus products detected this particular malware at the time it was submitted to VirusTotal.

I'll let you explore the links for yourself, but may I call attention to the fact the last one is detected by FOUR of forty-three AV products, and the one immediately prior to that by ONE of forty-three.

Just to make sure there was not a problem, I decided to look at those last two and confirm that they actually were malware.

We started with the sample starting with "aa412". It unpacks successfully as an .exe named "Refund_Form" that uses an icon from Microsoft Office Excel to try to trick people into thinking it's a Spreadsheet.

When we launched it, it made connections to:

runescapegpge2011.ru - 84.247.61.25
www.radio-80.com - 210.172.192.38
heftyhips.com - 66.197.251.53

That last would be exactly the same domain that the first sample we looked at on the 27th connected to. It fetched "soft.exe" from www.radio-80.com.

I'm going to go out on a limb and say this is malware. "soft.exe" got renamed "defender.exe" and placed in our "C:\Documents and Settings\All Users\Application Data\" directory, which was scheduled to launch when the machine reboots.

Defender.exe was declared to be malware by 6 of 43 anti-virus packages at VirusTotal. Here's the report. It's Fake anti-virus.

Next, just to be thorough, we also checked out the version that started with "ca84d1". Just like the first, it unpacked to a "Refund_Form.exe" file, although this one had a different MD5. When we launched Refund_Form it made network connections to:

runescapegpge2011.ru - 84.247.61.25
ewingparkbmx2011.ru - failed to resolve

It looks like this version is not functioning due to a dead domain, which may be the reason the "aa412" version was released.

That "84.247.61.25" box is in Romania, currently using a domain name with "RuneScape" in the domain name. The same IP has recently been called bedownloader2011.ru, diamondexchange2011.ru, watchfamilyguynow2011.ru and is also currently resolving as yomwarayom2001.ru.

Update 01AUG2011

At 3:15 this morning, the malware being distributed swapped to:

2e749d608d29aef739f5b08e7f63225a (click for VirusTotal Report)

The MD5 for the exe inside of the zip file with MD5 2e749d608d29aef739f5b08e7f63225a is:

a446ced5db1de877cf78f77741e2a804 Filename: Refund-Form (dot) exe (1 of 43 detects at VirusTotal).

At 4:30 this morning, and continuing to the present moment (07:45 AM Central Time), the malware being distributed swapped to:

4b126c49c261ca0f65fce9e5d08811d6 (click for VirusTotal Report)

The MD5 for the exe inside of the zip file with MD5 4b126c49c261ca0f65fce9e5d08811d6 is:

2f0155c39ddcf490f3a310ba0546c627 Filename: Refund_Form (dot) exe (5 of 43 detects at VirusTotal).

"Government-related" Zeus spam continues

2011-07-28T04:12:00.000-07:00

As we discussed in yesterday's article, "Wrong transaction" hotel spam, the UAB Spam Data Mine now has an ability to provide early alerting when a new spam campaign is directly linking to executable files.

Update: New Zeus distribution site, July 29th AM:

We are receiving spam emails this morning from "nacha.org" From: addresses that direct us to this Zeus distribution site.

hxxp://federalreserve-alert.com/transaction_report.pdf.exe

Here's the VirusTotal report: As of this timestamp (5:30 AM Central time) we see (5 of 43) detections. Only 2 of those are calling this Zeus.

This morning we have a new example of this capability in the form of the two most recent installments of a long-running "government-related" Zeus campaign.

One of the two spammed destinations is:

alert-irs.com /00000700973770US.exe MD5 = 0691a4856713edc97664e60db735747c

This malware is currently showing a (12 of 43) detection rate at VirusTotal, as seen in this VirusTotal Report.

The other spammed destination is:

fdic-updates.com /system_update_07_28.exe MD5 = 7a0303fdb809ac0c1a84123b106992c2

This malware is currently showing a (8 of 43) detection rate at VirusTotal, as seen in this VirusTotal Report.

Both files are 172,032 bytes in size, but currently the FDIC one is showing a dramatically wider distribution via email than the IRS one, which may be an indication of "targeting" by the latter.

The FDIC version has been seen almost 500 times, despite the fact that the campaign is less than 45 minutes old as of this writing. Here is the count per 15 minute block seen in the UAB Spam Data Mine:

     5 | ACH and Wire transfers disabled.      | 2011-07-28 06:00:00
     3 | Banking security update.              | 2011-07-28 06:00:00
     1 | Update for your banking account.      | 2011-07-28 06:00:00
   107 | ACH and Wire transfers disabled.      | 2011-07-28 05:45:00
   138 | Banking security update.              | 2011-07-28 05:45:00
   108 | Security update for banking accounts. | 2011-07-28 05:45:00
   122 | Update for your banking account.      | 2011-07-28 05:45:00
     1 | Banking security update.              | 2011-07-28 05:30:00
     1 | Security update for banking accounts. | 2011-07-28 05:30:00
     1 | ACH and Wire transfers disabled.      | 2011-07-28 05:15:00
     1 | Banking security update.              | 2011-07-28 05:15:00
     1 | Security update for banking accounts. | 2011-07-28 05:15:00

(Timestamps are US-Central Time, GMT -6)

The FDIC spam comes from email addresses that randomly associate these "usernames" with these "hostnames". Everything in the first column was seen combined with everything in the second column.

admin            @   admin.fdic.gov
adminnistration  @   administration.fdic.gov
cunsumer         @   fdic.gov
FDIC             @   security.fdic.gov
finance          @
govdelivery      @
information      @
inspector        @
news             @
no-reply         @
privacy_policy   @
protection       @
public           @
report           @
service          @
stats            @
support          @
webannouncements @

Here's what the email actually says:

Dear clients,
Your account ACH and Wire transactions have been
temporarily suspended for your settings, due to the
expiration of your security version. To download and install the
newest Updates, click here.

As soon as it is Applied, your transaction abilities will be fully restored.

Best regards,
Online security department
Federal Deposit Insurance Corporation

The IRS related spam came first:

     2 | Internal Revenue Service     | 2011-07-28 04:15:00
     2 | Federal Tax payment rejected | 2011-07-28 04:00:00
     2 | Your IRS payment rejected    | 2011-07-28 04:00:00
     2 | Internal Revenue Service     | 2011-07-28 03:45:00

This is fairly typical spamming for this group. They like to make a new Zeus variant, populate it on a website, and then spam it very hard at the beginning of the East Coast business day. For example, here is the spam for:

"nacha-rejected.com"

     2 | Rejected transaction | 2011-07-27 05:30:00
     1 | Canceled  payment    | 2011-07-27 05:15:00
     2 | Canceled transaction | 2011-07-27 05:15:00
     3 | Payment rejected     | 2011-07-27 05:15:00
     5 | Rejected transaction | 2011-07-27 05:15:00
     2 | Canceled transaction | 2011-07-27 05:00:00
     8 | Canceled transfer    | 2011-07-27 05:00:00
     5 | Payment canceled     | 2011-07-27 05:00:00
     3 | Payment rejected     | 2011-07-27 05:00:00
     4 | Rejected transaction | 2011-07-27 05:00:00
    92 | Canceled  payment    | 2011-07-27 04:45:00
    74 | Canceled transaction | 2011-07-27 04:45:00
    84 | Canceled transfer    | 2011-07-27 04:45:00
    60 | Payment canceled     | 2011-07-27 04:45:00
    75 | Payment rejected     | 2011-07-27 04:45:00
    57 | Rejected transaction | 2011-07-27 04:45:00
     2 | Payment canceled     | 2011-07-27 04:30:00
     1 | Payment rejected     | 2011-07-27 04:30:00
     1 | Canceled transaction | 2011-07-27 04:15:00
     2 | Payment canceled     | 2011-07-27 04:15:00

nacha-transactions.com

     1 | Payment rejected     | 2011-07-27 07:00:00
     1 | Rejected transaction | 2011-07-27 06:45:00
     4 | Canceled  payment    | 2011-07-27 06:30:00
     2 | Canceled transfer    | 2011-07-27 06:30:00
     1 | Payment canceled     | 2011-07-27 06:30:00
     1 | Payment rejected     | 2011-07-27 06:30:00
     1 | Canceled transaction | 2011-07-27 06:15:00
     1 | Canceled transfer    | 2011-07-27 06:15:00
     1 | Payment canceled     | 2011-07-27 06:15:00
     1 | Payment rejected     | 2011-07-27 06:15:00

taxes-refund.com

     1 | Internal Revenue Service        | 2011-07-27 08:00:00
     1 | U.S. Department of the Treasury | 2011-07-27 08:00:00
     1 | Internal Revenue Service        | 2011-07-27 07:45:00
     2 | Internal Revenue Service (IRS)  | 2011-07-27 07:45:00
     2 | Payment IRS.gov                 | 2011-07-27 07:45:00
     1 | Internal Revenue Service        | 2011-07-27 07:30:00
     1 | IRS.gov                         | 2011-07-27 07:30:00
     1 | U.S. Department of the Treasury | 2011-07-27 07:30:00

Three consecutive campaigns, one following the other, with the whole thing wrapping up before 8 AM Central time. (which would be 9 AM Eastern time).

The NACHA spam leading to Zeus has been an issue for a very long time. We've seen spam like this since all the way back to November 2009, but it's been fairly constant since February of this year when we shared the article ACH Transaction Rejected Payment Spam.

Following the Botnet Back in Time

Because of the way we archive our email, it's possible for us to ask the UAB Spam Data Mine to reveal a deeper history for this particular spamming botnet by asking a question like:

"Show me all the spam subjects that have been sent by IP addresses that sent me this morning's fdic-updates.com spam message"

     5 | 2011-07-28 06:00:00 | ACH and Wire transfers disabled.
     3 | 2011-07-28 06:00:00 | Banking security update.
     1 | 2011-07-28 06:00:00 | Update for your banking account.
   107 | 2011-07-28 05:45:00 | ACH and Wire transfers disabled.
   138 | 2011-07-28 05:45:00 | Banking security update.
   108 | 2011-07-28 05:45:00 | Security update for banking accounts.
   122 | 2011-07-28 05:45:00 | Update for your banking account.
     1 | 2011-07-28 05:30:00 | Banking security update.
     1 | 2011-07-28 05:30:00 | Security update for banking accounts.
     1 | 2011-07-28 05:15:00 | ACH and Wire transfers disabled.
     1 | 2011-07-28 05:15:00 | Banking security update.
     1 | 2011-07-28 05:15:00 | Security update for banking accounts.
     1 | 2011-07-27 23:30:00 | ho
     1 | 2011-07-27 21:15:00 | RE:.. How do you do,
     4 | 2011-07-27 20:00:00 | ho
     1 | 2011-07-27 14:45:00 | VIDEO: Lockerbie bomber at pro-Gaddafi rally
     1 | 2011-07-27 12:00:00 | Yo
     1 | 2011-07-27 08:00:00 | Internal Revenue Service
     1 | 2011-07-27 06:45:00 | Rejected transaction
     2 | 2011-07-27 05:15:00 | Rejected transaction
     2 | 2011-07-27 05:00:00 | Canceled transaction
     2 | 2011-07-27 05:00:00 | Canceled transfer
     3 | 2011-07-27 05:00:00 | Payment rejected
    33 | 2011-07-27 04:45:00 | Canceled  payment
    22 | 2011-07-27 04:45:00 | Canceled transaction
    26 | 2011-07-27 04:45:00 | Canceled transfer
    24 | 2011-07-27 04:45:00 | Payment canceled
    30 | 2011-07-27 04:45:00 | Payment rejected
    17 | 2011-07-27 04:45:00 | Rejected transaction
     1 | 2011-07-27 04:30:00 | Payment canceled
     1 | 2011-07-27 04:15:00 | Canceled transaction
     1 | 2011-07-27 04:15:00 | Payment canceled
     1 | 2011-07-26 17:15:00 | Attack on Guinea leader repelled
     1 | 2011-07-26 06:00:00 | IRC.gov
     1 | 2011-07-26 05:45:00 | VIDEO: Phoenix hit by second dust storm
     1 | 2011-07-25 14:00:00 | Hi!
     1 | 2011-07-23 19:45:00 | Giant space telescope reaches orbit
     1 | 2011-07-23 19:45:00 | High Court challenge on care cuts
     1 | 2011-07-23 19:45:00 | HMRC in cost-cutting 'challenge'
     1 | 2011-07-23 19:45:00 | Mortgage lending remains subdued
     1 | 2011-07-23 19:45:00 | Mum's stress reaches baby in womb
     1 | 2011-07-23 19:45:00 | Nato hands over key Afghan city
     1 | 2011-07-23 19:45:00 | Personal pension advice still bad
     1 | 2011-07-23 19:45:00 | Scots economy escapes recession
     1 | 2011-07-23 19:45:00 | Serbia arrests last war crimes fugitive
     1 | 2011-07-23 19:45:00 | Strauss-Kahn daughter questioned
     1 | 2011-07-23 19:45:00 | VIDEO: Key moments as MPs grill Murdochs
     1 | 2011-07-23 18:30:00 | Heya
     2 | 2011-07-22 19:45:00 | Hi
     1 | 2011-07-22 19:00:00 | Hey
     1 | 2011-07-22 19:00:00 | Hi
     1 | 2011-07-22 13:45:00 | Heya
     1 | 2011-07-22 07:15:00 | Read: A Must for High-Rise Emergencies
     1 | 2011-07-22 05:00:00 | IRC.gov
     1 | 2011-07-22 04:45:00 | Support IRS.gov
     2 | 2011-07-22 03:45:00 | Change Confirmation
     1 | 2011-07-22 03:45:00 | Does your enterprise including outstanding tax debts
     1 | 2011-07-22 03:45:00 | Internal Revenue Service
     1 | 2011-07-22 03:45:00 | Internal Revenue Service United States Department of the Treasury
     1 | 2011-07-22 03:45:00 | IRC.gov
     1 | 2011-07-22 03:45:00 | IRS.gov US
     1 | 2011-07-22 03:45:00 | Notice of Underreported Income
     3 | 2011-07-22 03:45:00 | Support IRS.gov
     2 | 2011-07-22 03:45:00 | Treasury Inspector General for Tax Administration
     2 | 2011-07-22 03:45:00 | U.S. Department of the Treasury
     2 | 2011-07-22 03:45:00 | Your company including unpaid tax debts
     1 | 2011-07-21 13:00:00 | Manhood raisers with price-offs!
     1 | 2011-07-21 13:00:00 | Super lasting and good stiff!
     1 | 2011-07-21 05:45:00 | New security update
     2 | 2011-07-21 04:45:00 | Go id token update
     6 | 2011-07-21 04:45:00 | Security token update
     1 | 2011-07-21 04:45:00 | Token code update
     2 | 2011-07-21 04:45:00 | Token software update
     1 | 2011-07-20 07:30:00 | Canceled  payment
     1 | 2011-07-20 07:30:00 | Rejected transaction
     1 | 2011-07-20 07:00:00 | Payment rejected
     1 | 2011-07-20 06:45:00 | Canceled  payment
     1 | 2011-07-20 06:45:00 | Payment canceled
    16 | 2011-07-20 06:30:00 | Canceled  payment
     8 | 2011-07-20 06:30:00 | Canceled transaction
    10 | 2011-07-20 06:30:00 | Canceled transfer
     7 | 2011-07-20 06:30:00 | Payment canceled
     8 | 2011-07-20 06:30:00 | Payment rejected
     6 | 2011-07-20 06:30:00 | Rejected transaction
    19 | 2011-07-20 06:15:00 | Canceled  payment
    13 | 2011-07-20 06:15:00 | Canceled transaction
    15 | 2011-07-20 06:15:00 | Canceled transfer
    16 | 2011-07-20 06:15:00 | Payment canceled
    17 | 2011-07-20 06:15:00 | Payment rejected
    24 | 2011-07-20 06:15:00 | Rejected transaction
     2 | 2011-07-20 05:00:00 | Wire transfer # 3240569823405844930
     4 | 2011-07-20 05:00:00 | Wire transfer # 3463453123432454667
     1 | 2011-07-20 05:00:00 | Wire transfer # 3858994783568734677
     1 | 2011-07-20 05:00:00 | Wire transfer # 4577867895676542367
     2 | 2011-07-20 05:00:00 | Wire transfer # 5645746324515345353
     2 | 2011-07-20 05:00:00 | Wire transfer # 6754846773457536756
     2 | 2011-07-20 05:00:00 | Wire transfer # 6785675623451222333
     1 | 2011-07-20 05:00:00 | Wire transfer # 8565696735865742365
     2 | 2011-07-20 05:00:00 | Wire transfer ID 2345578568567567544
     1 | 2011-07-20 05:00:00 | Wire transfer ID 3265474356547356756
     1 | 2011-07-20 05:00:00 | Wire transfer ID 3425215345565475468
     1 | 2011-07-20 05:00:00 | Wire transfer id 3425233214234534634
     5 | 2011-07-20 05:00:00 | Wire transfer ID 3425233214234534634
     1 | 2011-07-20 05:00:00 | Wire transfer id 3452364365475463425
     1 | 2011-07-20 05:00:00 | Wire transfer ID 4135146854351231151
     1 | 2011-07-20 05:00:00 | Wire transfer ID 4353267658545629087
     3 | 2011-07-20 05:00:00 | Wire transfer ID 5468513264769656536
     1 | 2011-07-20 05:00:00 | Wire transfer id 5473785489567245623
     1 | 2011-07-20 05:00:00 | Wire transfer ID 5687895416264572398
     1 | 2011-07-20 05:00:00 | Wire transfer ID 5876978567345176586
     1 | 2011-07-20 05:00:00 | Wire transfer ID 6768576565423453415
     1 | 2011-07-20 05:00:00 | Wire transfer id 6857234568657433677
     3 | 2011-07-20 05:00:00 | Wire transfer id 8479764976835672345
     1 | 2011-07-20 05:00:00 | Wire transfer id 8658375686537546544
    41 | 2011-07-20 05:00:00 | Your Wire fund transfer
     1 | 2011-07-20 04:30:00 | Wire transfer ID 6431531354846843122
     1 | 2011-07-19 04:45:00 | Change Confirmation
     1 | 2011-07-19 04:45:00 | Does your company is registered outstanding tax debts
     2 | 2011-07-19 04:45:00 | U.S. Department of the Treasury
     1 | 2011-07-19 04:45:00 | Your IRS payment rejected
     1 | 2011-07-19 04:30:00 | Change Confirmation
     1 | 2011-07-19 04:30:00 | Does your company including  tax debts
     1 | 2011-07-19 04:30:00 | Does your enterprise listed unpaid tax debts
     2 | 2011-07-19 04:30:00 | Federal Tax payment rejected
     1 | 2011-07-19 04:30:00 | For your company including unpaid tax debt
     1 | 2011-07-19 04:30:00 | For your enterprise including  tax debt
    13 | 2011-07-19 04:30:00 | Internal Revenue Service
     4 | 2011-07-19 04:30:00 | Internal Revenue Service (IRS)
     2 | 2011-07-19 04:30:00 | Internal Revenue Service United States Department of the Treasury
     4 | 2011-07-19 04:30:00 | IRC.gov
     5 | 2011-07-19 04:30:00 | IRS.gov US
     8 | 2011-07-19 04:30:00 | Notice of Underreported Income
     6 | 2011-07-19 04:30:00 | Payment IRS.gov
     4 | 2011-07-19 04:30:00 | Support IRS.gov
     5 | 2011-07-19 04:30:00 | Treasury Inspector General for Tax Administration
     1 | 2011-07-19 04:30:00 | U.S. Department of the Treasury
     2 | 2011-07-19 04:30:00 | Your enterprise has remained outstanding tax debts
     3 | 2011-07-19 04:30:00 | Your IRS payment rejected
     1 | 2011-07-19 04:15:00 | Internal Revenue Service
     1 | 2011-07-18 10:30:00 | Love BlackJack? Check out the games at Winner Palace
     1 | 2011-07-16 02:00:00 | Out of Office AutoReply: Please Review
     1 | 2011-07-15 09:00:00 | For your company is registered unpaid tax debt
     1 | 2011-07-15 09:00:00 | Internal Revenue Service
     2 | 2011-07-15 08:45:00 | Change Confirmation
     2 | 2011-07-15 08:45:00 | Federal Tax payment rejected
     2 | 2011-07-15 08:45:00 | Internal Revenue Service
     2 | 2011-07-15 08:45:00 | Internal Revenue Service (IRS)
     4 | 2011-07-15 08:45:00 | Internal Revenue Service United States Department of the Treasury
     3 | 2011-07-15 08:45:00 | IRC.gov
     1 | 2011-07-15 08:45:00 | IRS.gov US
     3 | 2011-07-15 08:45:00 | Payment IRS.gov
     2 | 2011-07-15 08:45:00 | Support IRS.gov
     1 | 2011-07-15 08:45:00 | Treasury Inspector General for Tax Administration
     1 | 2011-07-15 08:45:00 | U.S. Department of the Treasury
     2 | 2011-07-15 08:45:00 | Your IRS payment rejected
     1 | 2011-07-15 07:30:00 | TV murder appeal prompts 40 calls
     1 | 2011-07-14 21:30:00 | US senator requests hacking probe
     1 | 2011-07-14 20:15:00 | Parties unite over BSkyB bid call
     1 | 2011-07-14 19:45:00 | PM Kan urges 'nuclear-free Japan'
     1 | 2011-07-14 18:00:00 | Man tells jury 'I killed Lynette'
     1 | 2011-07-14 15:15:00 | VIDEO: Live: Debate on youth unemployment
     1 | 2011-07-14 07:15:00 | Security update for banking accounts.
    10 | 2011-07-14 07:00:00 | ACH and Wire transfers disabled.
     5 | 2011-07-14 07:00:00 | Banking security update.
     7 | 2011-07-14 07:00:00 | Security update for banking accounts.
     5 | 2011-07-14 07:00:00 | Update for your banking account.
     1 | 2011-07-13 11:30:00 | Hospitals warned over clot deaths
     1 | 2011-07-13 07:45:00 | Does your enterprise listed unpaid tax debt
     3 | 2011-07-13 07:45:00 | Federal Tax payment rejected
     5 | 2011-07-13 07:45:00 | Internal Revenue Service United States Department of the Treasury
     2 | 2011-07-13 07:45:00 | IRC.gov
     7 | 2011-07-13 07:45:00 | Notice of Underreported Income
     1 | 2011-07-13 07:45:00 | Treasury Inspector General for Tax Administration
     2 | 2011-07-13 07:45:00 | U.S. Department of the Treasury
     1 | 2011-07-13 07:45:00 | Your company listed outstanding tax debt
     1 | 2011-07-13 07:45:00 | Your enterprise listed unpaid tax debt
     1 | 2011-07-13 07:30:00 | Internal Revenue Service
     2 | 2011-07-13 07:30:00 | Internal Revenue Service (IRS)
     2 | 2011-07-13 07:30:00 | Internal Revenue Service United States Department of the Treasury
     1 | 2011-07-13 07:30:00 | Notice of Underreported Income
     3 | 2011-07-13 07:30:00 | Payment IRS.gov
     1 | 2011-07-13 07:30:00 | Support IRS.gov
     2 | 2011-07-13 07:30:00 | U.S. Department of the Treasury
     2 | 2011-07-13 07:30:00 | Your IRS payment rejected
     3 | 2011-07-13 05:45:00 | Business accounts updates
     1 | 2011-07-13 05:45:00 | Dear corporate clients
     1 | 2011-07-13 05:45:00 | New settings for wire transfers
     1 | 2011-07-13 05:30:00 | Business accounts updates
     5 | 2011-07-13 05:30:00 | Corporate banking security
     3 | 2011-07-13 05:30:00 | Dear corporate clients
    10 | 2011-07-13 05:30:00 | Federalreserve security update
     4 | 2011-07-13 05:30:00 | New security settings
     4 | 2011-07-13 05:30:00 | New security update
     5 | 2011-07-13 05:30:00 | New settings for wire transfers
     2 | 2011-07-13 05:30:00 | Wire transfers update

We can also ask it to tell us what spammed destinations were being described by those messages and learn that what we see is:

July 13th = usbanking-security.com
July 15th = federalsecusrity.com
July 19th = taxreport-irs.com
July 19th = irs-taxes-report.com
July 19th = irs-report-link.com
July 20th = www.federalreserve.gov
July 20th = reports-federalreserve.com
July 20th = nacha-alert.org
July 20th = nacha-alert.com
July 20th = alerts-federalresrve.com
July 21st = national-security-agency.com
July 21st = federal-secueity-government.com
July 22nd = irs-downloads.com
July 22nd = irs-files.com
July 26th = taxes-irs.net
July 27th = www.nacha-rejected.com
July 27th = taxes-refund.com
July 28th = fdic-updates.com

Again, the query run says "look at my spam history FOR THE IP ADDRESSES USED BY THE GOV-RELATED ZEUS DOMAIN THIS MORNING and see what else they've sent me previously."

I've temporarily included only those links that were DIRECTLY linking to an executable, but we also have all of the "domain-shortener" spam that was sent on July 13th pretending to be a LinkedIn message. In that case, the spam used 25 different shortener services, most of which seem to have been created specifically for that purpose:

1tja.com
4h.biz
4nu.net
coge.la
d3c.co
flyfrm.com
gli.im
gsfn.info
hi2.com
ion.so
ks.gs
lawurl.com
lllll.im
niy.me
nznet.info
sendtourl.com
shoor.tk
smlurl.info
sra.li
tiny.tw
vs0.net
widg.me
wurl.ca
yi.pe
zolp.net

And yes, we can also tie today's spamming botnet to all of those fake LinkedIn spam messages that distributed Zeus on July 13th.

"Wrong Transaction" Hotel Spam

2011-07-27T09:01:00.000-07:00

(Updated information available here: Wrong Transaction Hotel Spam Continues to Evolve.)

One of the features in the new version of the UAB Spam Data Mine is the ability to quickly run "malware links" and "malware attachments" reports for the current day, the previous day, or a date range.

The objective of this functionality is to provide as close to "real time" intelligence on potential new email-based threats as possible. You'll see what I mean below.

I've been playing with it for the past several days, but just so you can join in the fun, let me show you the top results that come back when I do:

\i malware.attachments.sql

Spam Count	Attached MD5	Extension	Subject
6	c15eb3c47800fec025b6a86a6409f144	zip	Hotel Renaissance Chicago made wrong transaction
5	c15eb3c47800fec025b6a86a6409f144	zip	Hotel Hyatt Regency Houston made wrong transaction
5	c15eb3c47800fec025b6a86a6409f144	zip	Hotel Jefferson made wrong transaction
5	c15eb3c47800fec025b6a86a6409f144	zip	Hotel Renaissance Washington made wrong transaction
5	c15eb3c47800fec025b6a86a6409f144	zip	Hotel Sheraton Suites San Diego at Symphony Hall made wrong transaction
5	c15eb3c47800fec025b6a86a6409f144	zip	Hotel The Westin Oaks made wrong transaction
5	c15eb3c47800fec025b6a86a6409f144	zip	Hotel Westin Diplomat Resort & Spa made wrong transaction
5	c15eb3c47800fec025b6a86a6409f144	zip	Hotel Westin St. Francis made wrong transaction
4	c15eb3c47800fec025b6a86a6409f144	zip	Hotel Hilton Las Vegas made wrong transaction
4	c15eb3c47800fec025b6a86a6409f144	zip	Hotel Intercontinental Buckhead Atlanta made wrong transaction
4	c15eb3c47800fec025b6a86a6409f144	zip	Hotel Rancho Bernardo Inn made wrong transaction
4	c15eb3c47800fec025b6a86a6409f144	zip	Hotel Ritz Carlton Kapalua made wrong transaction
4	c15eb3c47800fec025b6a86a6409f144	zip	Hotel Ritz-Carlton Marina Del Rey made wrong transaction
4	c15eb3c47800fec025b6a86a6409f144	zip	Hotel The Latham made wrong transaction
4	c15eb3c47800fec025b6a86a6409f144	zip	Hotel The Westin New York at Times Square made wrong transaction
4	c15eb3c47800fec025b6a86a6409f144	zip	Wrong transaction from your credit card in Ritz Carlton Naples Beach Resort
3	c15eb3c47800fec025b6a86a6409f144	zip	Hotel Four Seasons Resort Maui at Wailea made wrong transaction
3	c15eb3c47800fec025b6a86a6409f144	zip	Hotel The Whitehall made wrong transaction
3	c15eb3c47800fec025b6a86a6409f144	zip	Wrong transaction from your credit card in Loews Miami Beach
3	c15eb3c47800fec025b6a86a6409f144	zip	Wrong transaction from your credit card in Woodrun V Townhomes

Since we've never seen spam like this before, it's "new" and potentially interesting!

One quick check of whether this is "interesting" is what happens when we ask forty-three different Anti-virus vendors whether the attached file is a virus or not.

We do this by using the services of VirusTotal.com who gave us back this report: VirusTotal Report for c15eb3c47800fec025b6a86a6409f144. At the time of this writing, having already received more than 800 copies of the spam, Sophos and Trend Micro call it "BredoLab", Rising AV of China calls it "suspicious", and NOD32 says it's a "Kryptik" variant. The other thirty-nine AV companies currently don't have published definitions for this malware.

UPDATE: As of 12:36 PM Central Time on July 27th, we are now up to 12 of 43 detects. See the Update VirusTotal Report Here. Curiously, just yesterday someone asked me, do you ever see AV vendors change their mind on what something should be called? You'll note that on the first report, Sophos called this Bredolab, but now they are calling it Zbot. It will be curious to see how that rolls out, since no one else among the 12 detectors believes this to be Zeus (aka Zbot).

The spam messages look like this:

We've already seen more than 400 different subjects that are part of this group!

7 | Hotel Courtyard by Marriott Houston Downtown made wrong transaction
6 | Hotel Ritz-Carlton Marina Del Rey made wrong transaction
6 | Hotel Hilton Las Vegas made wrong transaction
6 | Hotel Renaissance Chicago made wrong transaction
6 | Hotel Westin Diplomat Resort & Spa made wrong transaction
5 | Wrong transaction from your credit card in Icon
5 | Wrong transaction from your credit card in Ritz Carlton Naples Beach Resort
5 | Hotel The Westin Oaks made wrong transaction
5 | Hotel Sheraton Suites San Diego at Symphony Hall made wrong transaction
5 | Hotel Renaissance Washington made wrong transaction
5 | Hotel Jefferson made wrong transaction
5 | Hotel Westin St. Francis made wrong transaction
5 | Hotel Rancho Bernardo Inn made wrong transaction
5 | Hotel Intercontinental Buckhead Atlanta made wrong transaction
5 | Hotel Hyatt Regency Houston made wrong transaction

(The complete list concludes at the bottom of this post . . . )

One of the other great things we can do with the UAB Spam Data Mine though, is to ask "what other things are being sent by the computers that sent us this spam?"

Look what happens when I ask "show me the top subjects from YESTERDAY that were spammed by IP addresses that spammed the hotel spam TODAY?"

62 | 2011-07-26 | Credit Card is one week overdue
51 | 2011-07-26 | Credit Card overdue
43 | 2011-07-26 | Your Credit Card is one week overdue
39 | 2011-07-26 | Payment by credit card overdue
39 | 2011-07-26 | Credit card payment of overstayed
25 | 2011-07-26 | Your financial debt overdue
6 | 2011-07-26 | Re: Re: hi bud
5 | 2011-07-26 | Get your first bonus just for registering.
4 | 2011-07-26 | We offer only top grade Replica watches at only a fraction of the original price,
4 | 2011-07-26 | Chase bonuses no more; register at Winner Palacce.
4 | 2011-07-26 | Seeking gaming glory? Sign up and get free bonus.
3 | 2011-07-26 | A dream come true sign up bonus at Winner Palacce.
3 | 2011-07-26 | Gaming glory beckons, register and get free bonus.

The top group - the most prominent in response to this query - was the "MasterCard" version of the Fake AV malware that we blogged about previously on July 23rd -- MasterCard Spam Leads to Fake AV. SC Magazine's Angelina Moscaritolo wrote that up under the headline "Rogue AV Masquerading as SC Awards 2011 Finalist. The same spamming botnet has been sending out Casino spam and Rolex watch spam for more than a month.

We had 120 different subjects from this small IP sample group yesterday -- many of the subjects are "customized" such as "gar@place.com Rolex.com For You - 77%" or "gar@otherplace.com Rolex.com For You - 55%"

So, what do we predict the Hotel Spam will turn out to be? There is a good chance it will be related to the MasterCard Fake AV Spam. Well . . . one way to find out, right?

The .zip file contained this file:

When we launched the malware, it made connection to the webserver at "yomwarayom2001.ru" on IP address 84.247.61.25.

The first link we hit there was an exploit server -- probably the "BlackHole Exploit Kit" that has been very popular recently on similarly structured web pages. We almost immediately ALSO fetched a file called "forum3/load.php?module=grabbers".

This caused us to download a file "soft.exe" from yomwarayom2001.ru.

In a couple minutes, a pop-up announced "Software Installed" and had an "OK" button. Clicking OK caused a connection to "heftyhips.com" on IP 66.197.251.53.

where the file "images/img.php?id=106" was fetched.

Shortly thereafter we had a "Defender" icon on the desktop, which was this file:

Note that "Defender" claims to be written by AVG Software Development, a real antivirus company!

That was enough to convince me we were still in "Fake AV" territory.

The rest of the hotel spam subject list

Hotel Acqualina Resort & Spa made wrong transaction
Hotel Ahwahnee made wrong transaction
Hotel Amsterdam Hospitality made wrong transaction
Hotel Anglers made wrong transaction
Hotel Argonaut made wrong transaction
Hotel Aria made wrong transaction
Hotel Arizona Biltmore made wrong transaction
Hotel Arrabelle at Vail Square made wrong transaction
Hotel Avalon made wrong transaction
Hotel Bellagio and Casino made wrong transaction
Hotel Beverly Hills & Bungalows made wrong transaction
Hotel Beverly Wilshire, A Four Seasons made wrong transaction
Hotel Biltmore made wrong transaction
Hotel Boston Harbor made wrong transaction
Hotel Boston Marriott Copley Place made wrong transaction
Hotel Breakers Palm Beach made wrong transaction
Hotel Breakwater made wrong transaction
Hotel Camelback Inn, A JW Marriott Resort & Spa made wrong transaction
Hotel Campton Place made wrong transaction
Hotel Carlton on Madison Avenue made wrong transaction
Hotel Casa Del Mar made wrong transaction
Hotel Chamonix made wrong transaction
Hotel Charleston Marriott made wrong transaction
Hotel Charleston Place made wrong transaction
Hotel Conrad Chicago made wrong transaction
Hotel Conrad Miami made wrong transaction
Hotel Courtyard by Marriott Capitol Hill/Navy Yard made wrong transaction
Hotel Courtyard by Marriott Houston Downtown made wrong transaction
Hotel Courtyard Washington Convention Center made wrong transaction
Hotel Crowne Plaza The Hamilton made wrong transaction
Hotel Delano made wrong transaction
Hotel Del Coronado made wrong transaction
Hotel Disney's Grand Californian made wrong transaction
Hotel Disney's Grand Floridian made wrong transaction
Hotel Disney's Polynesian Resort made wrong transaction
Hotel Doubletree by Hilton Orlando at SeaWorld made wrong transaction
Hotel Dunton Hot Springs made wrong transaction
Hotel Embassy Suites Chevy Chase Pavilion made wrong transaction
Hotel Embassy Suites - Convention Center made wrong transaction
Hotel Embassy Suites made wrong transaction
Hotel Embassy Suites North Charleston made wrong transaction
Hotel Embassy Suites Washington made wrong transaction
Hotel Enchantment Resort made wrong transaction
Hotel Encore at Wynn made wrong transaction
Hotel Fairmont Chicago made wrong transaction
Hotel Fairmont Heritage Place Ghiradelli Square made wrong transaction
Hotel Fairmont Kea Lani made wrong transaction
Hotel Fairmont Miramar made wrong transaction
Hotel Fairmont Scottsdale made wrong transaction
Hotel Fairmont & Towers made wrong transaction
Hotel Florida Choice Executive Pool Homes made wrong transaction
Hotel Four Seasons Los Angeles at Beverly Hills made wrong transaction
Hotel Four Seasons made wrong transaction
Hotel Four Seasons Resort Lanai at Manele Bay made wrong transaction
Hotel Four Seasons Resort Maui at Wailea made wrong transaction
Hotel Four Seasons Resort Palm Beach made wrong transaction
Hotel Four Seasons Resort Scottsdale made wrong transaction
Hotel Four Seasons San Francisco made wrong transaction
Hotel Gansevoort South made wrong transaction
Hotel George made wrong transaction
Hotel Gramercy Park made wrong transaction
Hotel Grand Bohemian made wrong transaction
Hotel Grand Hyatt Atlanta in Buckhead made wrong transaction
Hotel Grand Hyatt Kauai Resort & Spa made wrong transaction
Hotel Grand Hyatt New York made wrong transaction
Hotel Grand Hyatt San Francisco made wrong transaction
Hotel Grand Hyatt Seattle made wrong transaction
Hotel Grand Hyatt Washington made wrong transaction
Hotel Granduca made wrong transaction
Hotel Grand Wailea Resort made wrong transaction
Hotel Halekulani made wrong transaction
Hotel Hampton Inn Washington - Convention Center made wrong transaction
Hotel Helix Boutique made wrong transaction
Hotel Hilton Americas Houston made wrong transaction
Hotel Hilton Atlanta Airport made wrong transaction
Hotel Hilton Atlanta made wrong transaction
Hotel Hilton Boston Logan Airport made wrong transaction
Hotel Hilton Chicago made wrong transaction
Hotel Hilton Garden Inn Washington DC Franklin Square made wrong transaction
Hotel Hilton Grand Vacations Club made wrong transaction
Hotel Hilton Hawaiian Village made wrong transaction
Hotel Hilton Houston Plaza made wrong transaction
Hotel Hilton Houston Westchase made wrong transaction
Hotel Hilton Las Vegas made wrong transaction
Hotel Hilton Orlando Bonnet Creek made wrong transaction
Hotel Hilton Washington Embassy Row made wrong transaction
Hotel Hilton Washington made wrong transaction
Hotel Holiday Inn Port of Miami Downtown made wrong transaction
Hotel Homewood Suites made wrong transaction
Hotel Hyatt Grand Aspen made wrong transaction
Hotel Hyatt Regency Atlanta made wrong transaction
Hotel Hyatt Regency Grand Cypress made wrong transaction
Hotel Hyatt Regency Houston made wrong transaction
Hotel Hyatt Regency Huntington Beach made wrong transaction
Hotel Hyatt Regency Maui Resort and Spa made wrong transaction
Hotel Hyatt Regency San Francisco made wrong transaction
Hotel Hyatt Regency Scottsdale Resort made wrong transaction
Hotel Hyatt Regency Waikiki made wrong transaction
Hotel Hyatt Regency Washington made wrong transaction
Hotel Icon made wrong transaction
Hotel Indian Creek made wrong transaction
Hotel Inn at Perry Cabin made wrong transaction
Hotel Inn at the Ballpark made wrong transaction
Hotel Intercontinental Buckhead Atlanta made wrong transaction
Hotel InterContinental Chicago made wrong transaction
Hotel InterContinental made wrong transaction
Hotel Intercontinental San Francisco made wrong transaction
Hotel InterContinental The Barclay New York made wrong transaction
Hotel Jefferson made wrong transaction
Hotel Jerome made wrong transaction
Hotel Jumeirah Essex House made wrong transaction
Hotel JW Marriott Buckhead Atlanta made wrong transaction
Hotel JW Marriott Desert Ridge Resort & Spa made wrong transaction
Hotel JW Marriott Las Vegas Resort, Spa & Golf made wrong transaction
Hotel JW Marriott Miami made wrong transaction
Hotel JW Marriott Orlando Grande Lakes made wrong transaction
Hotel JW Marriott Pennsylvania Avenue made wrong transaction
Hotel JW Marriott San Francisco made wrong transaction
Hotel Kahala Resort made wrong transaction
Hotel Keswick Hall made wrong transaction
Hotel La Costa Resort & Spa made wrong transaction
Hotel Lauberge Del Mar made wrong transaction
Hotel La Valencia made wrong transaction
Hotel Le Meridien San Francisco made wrong transaction
Hotel Le Parker Meridien made wrong transaction
Hotel Lodge At Koele made wrong transaction
Hotel Lodge At Torrey Pines made wrong transaction
Hotel Loews Coronado Bay Resort made wrong transaction
Hotel Loews Miami Beach made wrong transaction
Hotel Loews Regency made wrong transaction
Hotel Loews Santa Monica Beach made wrong transaction
Hotel London West Hollywood made wrong transaction
Hotel Lowell made wrong transaction
Hotel Madera made wrong transaction
Hotel Madison made wrong transaction
Hotel Main Street Station & Casino made wrong transaction
Hotel Mandalay Bay made wrong transaction
Hotel Mandarin Oriental made wrong transaction
Hotel Mandarin Oriental Miami made wrong transaction
Hotel Marriott at Metro Center made wrong transaction
Hotel Marriott Chicago Downtown Magnificent Mile made wrong transaction
Hotel Marriott Houston Airport at George Bush Intercontinental made wrong transaction
Hotel Marriott Marquis San Francisco made wrong transaction
Hotel Marriott Resort made wrong transaction
Hotel Marriott San Francisco Fisherman's Wharf made wrong transaction
Hotel Mauna Kea Beach made wrong transaction
Hotel Mauna Lani Bay & Bungalows made wrong transaction
Hotel McCoy Peak Lodge made wrong transaction
Hotel Melrose made wrong transaction
Hotel Meridian Luxury Suites made wrong transaction
Hotel Michelangelo made wrong transaction
Hotel Millennium UN Plaza made wrong transaction
Hotel Monaco Boutique made wrong transaction
Hotel Monaco Washington DC made wrong transaction
Hotel Mona Lisa Suite made wrong transaction
Hotel Mondrian made wrong transaction
Hotel Mondrian Scottsdale made wrong transaction
Hotel Mondrian South Beach made wrong transaction
Hotel Morenas Resort Morrison-Clark Historic Inn made wrong transaction
Hotel M Resort Spa & Casino made wrong transaction
Hotel New York Marriott Marquis made wrong transaction
Hotel Nolitan made wrong transaction
Hotel Oak Plantation Resort made wrong transaction
Hotel Ocean Key Resort & Spa made wrong transaction
Hotel Ocean Point Resort & Club made wrong transaction
Hotel Omni Berkshire Place made wrong transaction
Hotel Omni Chicago made wrong transaction
Hotel Omni Houston made wrong transaction
Hotel Omni made wrong transaction
Hotel One Bal Harbour Resort & Spa made wrong transaction
Hotel Owl Creek Homes made wrong transaction
Hotel Palms Place & Spa made wrong transaction
Hotel Palomar Boutique made wrong transaction
Hotel Palomar made wrong transaction
Hotel Park Hyatt Chicago made wrong transaction
Hotel Park Hyatt made wrong transaction
Hotel Park Hyatt Resort & Spa made wrong transaction
Hotel Peabody Orlando made wrong transaction
Hotel Peninsula New York made wrong transaction
Hotel Phoenician made wrong transaction
Hotel Pierre A Taj made wrong transaction
Hotel Plaza Athenee made wrong transaction
Hotel Pocono Palace made wrong transaction
Hotel Prescott made wrong transaction
Hotel Raffles L'Ermitage Beverly Hills made wrong transaction
Hotel Rancho Bernardo Inn made wrong transaction
Hotel Rancho Las Palmas Resort & Spa made wrong transaction
Hotel Red Rock Casino Resort & Spa made wrong transaction
Hotel Renaissance Charleston Historic District made wrong transaction
Hotel Renaissance Chicago made wrong transaction
Hotel Renaissance Houston Greenway Plaza made wrong transaction
Hotel Renaissance New York Times Square made wrong transaction
Hotel Renaissance Washington made wrong transaction
Hotel Renaissance Waverly made wrong transaction
Hotel Residence Inn by Marriott Capitol made wrong transaction
Hotel Rio Suite and Casino made wrong transaction
Hotel Ritz-Carlton Battery Park made wrong transaction
Hotel Ritz-Carlton Boston Common made wrong transaction
Hotel Ritz-Carlton Central Park made wrong transaction
Hotel Ritz-Carlton Golf Resort made wrong transaction
Hotel Ritz Carlton Kapalua made wrong transaction
Hotel Ritz Carlton Key Biscayne made wrong transaction
Hotel Ritz-Carlton Laguna Niguel made wrong transaction
Hotel Ritz-Carlton made wrong transaction
Hotel Ritz-Carlton Marina Del Rey made wrong transaction
Hotel Ritz Carlton Naples Beach Resort made wrong transaction
Hotel Ritz Carlton Naples Golf Resort made wrong transaction
Hotel Ritz-Carlton Orlando, Grande Lakes Resort made wrong transaction
Hotel Ritz-Carlton Palm Beach made wrong transaction
Hotel Ritz-Carlton San Francisco made wrong transaction
Hotel Ritz Carlton South Beach made wrong transaction
Hotel Rouge made wrong transaction
Hotel Royal Hawaiian made wrong transaction
Hotel Royal Pacific Resort made wrong transaction
Hotel Royal Palms Resort & Spa made wrong transaction
Hotel Sanctuary on Camelback Mountain made wrong transaction
Hotel Seattle Marriott Waterfront made wrong transaction
Hotel Se San Diego made wrong transaction
Hotel Shangri-La made wrong transaction
Hotel Sheraton Bal Harbour Beach Resort made wrong transaction
Hotel Sheraton Chicago and Towers made wrong transaction
Hotel Sheraton Keauhou Bay Resort & Spa made wrong transaction
Hotel Sheraton Maui Resort made wrong transaction
Hotel Sheraton Moana Surfrider made wrong transaction
Hotel Sheraton Suites Houston Near The Galleria made wrong transaction
Hotel Sheraton Suites San Diego at Symphony Hall made wrong transaction
Hotel Sheraton Waikiki made wrong transaction
Hotel Shore Club made wrong transaction
Hotel Shutters Beach made wrong transaction
Hotel Signature at MGM Grand made wrong transaction
Hotel Skylofts at MGM Grand made wrong transaction
Hotel SLS at Beverly Hills made wrong transaction
Hotel Sofitel Lafayette Square made wrong transaction
Hotel Sonesta Orlando Downtown made wrong transaction
Hotel Sorrento made wrong transaction
Hotel South Beach Marriott made wrong transaction
Hotel Star The Michelangelo made wrong transaction
Hotel St. Gregory Luxury & Suites made wrong transaction
Hotel St. Regis made wrong transaction
Hotel St. Regis Princeville Resort made wrong transaction
Hotel St. Regis Washington made wrong transaction
Hotel Sun Harbour Boutique made wrong transaction
Hotel Sutton Place made wrong transaction
Hotel Swissotel Chicago made wrong transaction
Hotel Taj Boston made wrong transaction
Hotel Taj Campton Place made wrong transaction
Hotel Tamarack by Destination Resorts Snowmass made wrong transaction
Hotel The Alexander made wrong transaction
Hotel The Alex made wrong transaction
Hotel The Carlyle, A Rosewood made wrong transaction
Hotel The Carlyle Suites made wrong transaction
Hotel The Chatwal made wrong transaction
Hotel The Cosmopolitan Las Vegas made wrong transaction
Hotel The Drake made wrong transaction
Hotel The Enclave made wrong transaction
Hotel The Equinox Resort & Spa made wrong transaction
Hotel The Fairmont Copley Plaza made wrong transaction
Hotel The Fairmont made wrong transaction
Hotel The Fairmont Olympic made wrong transaction
Hotel The Fairmont Orchid made wrong transaction
Hotel The Fairmont Washington made wrong transaction
Hotel The Hay-Adams made wrong transaction
Hotel The Helmsley Carlton House made wrong transaction
Hotel The Henley Park made wrong transaction
Hotel The Houstonian Club & Spa made wrong transaction
Hotel The Huntington and Nob Hill Spa made wrong transaction
Hotel The Iroquois made wrong transaction
Hotel The Langham Huntington & SPA made wrong transaction
Hotel The Latham made wrong transaction
Hotel The Lenox made wrong transaction
Hotel The Little Nell made wrong transaction
Hotel The Lucerne made wrong transaction
Hotel The New York Helmsley made wrong transaction
Hotel The Orchard made wrong transaction
Hotel The Palmer House Hilton made wrong transaction
Hotel The Peninsula Beverly Hills made wrong transaction
Hotel The Peninsula made wrong transaction
Hotel The Phoenician made wrong transaction
Hotel The Pierre made wrong transaction
Hotel The Plaza made wrong transaction
Hotel The Quincy made wrong transaction
Hotel The Ritz-Carlton Bachelor Gulch made wrong transaction
Hotel The Ritz-Carlton Buckhead made wrong transaction
Hotel The Ritz-Carlton Fort Lauderdale made wrong transaction
Hotel The Ritz-Carlton Georgetown made wrong transaction
Hotel The Ritz-Carlton Laguna Niguel made wrong transaction
Hotel The Ritz Carlton made wrong transaction
Hotel The Ritz-Carlton Orlando, Grande Lakes made wrong transaction
Hotel The Setai Fifth Avenue made wrong transaction
Hotel The Setai made wrong transaction
Hotel The St. Regis Aspen made wrong transaction
Hotel The St. Regis Monarch Beach made wrong transaction
Hotel The Venetian Resort and Casino made wrong transaction
Hotel The Villa By Barton G made wrong transaction
Hotel The Washington Court On Capital Hil made wrong transaction
Hotel The Westin Atlanta Airport made wrong transaction
Hotel The Westin Chicago River North made wrong transaction
Hotel The Westin Embassy Row made wrong transaction
Hotel The Westin Grand made wrong transaction
Hotel The Westin Michigan Avenue made wrong transaction
Hotel The Westin Mission Hills Resort & Spa made wrong transaction
Hotel The Westin New York at Times Square made wrong transaction
Hotel The Westin Oaks made wrong transaction
Hotel The Westin Peachtree Plaza made wrong transaction
Hotel The Westin Seattle made wrong transaction
Hotel The Whitehall made wrong transaction
Hotel The Wit-A Doubletree made wrong transaction
Hotel Tides South Beach made wrong transaction
Hotel Topaz made wrong transaction
Hotel Trump International Sonesta Beach resort made wrong transaction
Hotel Trump International & Tower made wrong transaction
Hotel Trump International Waikiki Beach Walk made wrong transaction
Hotel Trump Las Vegas made wrong transaction
Hotel Trump Soho made wrong transaction
Hotel Universal Portofino Bay a Loews made wrong transaction
Hotel Universal Royal Pacific Resort a Loews made wrong transaction
Hotel Vdara & Spa made wrong transaction
Hotel Viceroy Palm Springs made wrong transaction
Hotel Villas Of Grand Cypress made wrong transaction
Hotel Wailea Marriott an Outrigger Resort made wrong transaction
Hotel Waldorf Astoria Orlando made wrong transaction
Hotel Waldorf Astoria & Towers made wrong transaction
Hotel Waldorf Towers made wrong transaction
Hotel Walt Disney World Swan and Dolphin made wrong transaction
Hotel Wardman Park Marriott made wrong transaction
Hotel Washington Court on Capitol Hill made wrong transaction
Hotel Washington Suites Georgetown made wrong transaction
Hotel W Atlanta Midtown made wrong transaction
Hotel W Boston made wrong transaction
Hotel Westin Diplomat Resort & Spa made wrong transaction
Hotel Westin Maui Resort & Spa made wrong transaction
Hotel Westin Princeville Ocean Resort Villas made wrong transaction
Hotel Westin St. Francis made wrong transaction
Hotel W Hollywood made wrong transaction
Hotel Willard InterContinental made wrong transaction
Hotel Windsor Court made wrong transaction
Hotel W Los Angeles Westwood made wrong transaction
Hotel Woodrun Place Condo made wrong transaction
Hotel Woodrun V Townhomes made wrong transaction
Hotel W Seattle made wrong transaction
Hotel Wyndham Grand Desert made wrong transaction
Hotel Wynn Las Vegas made wrong transaction
Hotel XV Beacon made wrong transaction
Hotel ZaZa Houston made wrong transaction
Hotel Z Ocean made wrong transaction
Wrong transaction from your credit card in Acqualina Resort & Spa
Wrong transaction from your credit card in Ahwahnee
Wrong transaction from your credit card in Amsterdam Hospitality
Wrong transaction from your credit card in Anglers
Wrong transaction from your credit card in Argonaut
Wrong transaction from your credit card in Aria
Wrong transaction from your credit card in Arizona Biltmore
Wrong transaction from your credit card in Arrabelle at Vail Square
Wrong transaction from your credit card in Avalon
Wrong transaction from your credit card in Bellagio and Casino
Wrong transaction from your credit card in Beverly Hills & Bungalows
Wrong transaction from your credit card in Beverly Wilshire, A Four Seasons
Wrong transaction from your credit card in Biltmore
Wrong transaction from your credit card in Boston Harbor
Wrong transaction from your credit card in Boston Marriott Copley Place
Wrong transaction from your credit card in Breakers Palm Beach
Wrong transaction from your credit card in Breakwater
Wrong transaction from your credit card in Camelback Inn, A JW Marriott Resort & Spa
Wrong transaction from your credit card in Campton Place
Wrong transaction from your credit card in Carlton on Madison Avenue
Wrong transaction from your credit card in Casa Del Mar
Wrong transaction from your credit card in Chamonix
Wrong transaction from your credit card in Charleston Marriott
Wrong transaction from your credit card in Charleston Place
Wrong transaction from your credit card in Conrad Chicago
Wrong transaction from your credit card in Conrad Miami
Wrong transaction from your credit card in Courtyard by Marriott Capitol Hill/Navy Yard
Wrong transaction from your credit card in Courtyard by Marriott Houston Downtown
Wrong transaction from your credit card in Courtyard Washington Convention Center
Wrong transaction from your credit card in Crowne Plaza The Hamilton
Wrong transaction from your credit card in Delano
Wrong transaction from your credit card in Del Coronado
Wrong transaction from your credit card in Disney's Grand Californian
Wrong transaction from your credit card in Disney's Grand Floridian
Wrong transaction from your credit card in Disney's Polynesian Resort
Wrong transaction from your credit card in Doubletree by Hilton Orlando at SeaWorld
Wrong transaction from your credit card in Dunton Hot Springs
Wrong transaction from your credit card in Embassy Suites
Wrong transaction from your credit card in Embassy Suites Chevy Chase Pavilion
Wrong transaction from your credit card in Embassy Suites - Convention Center
Wrong transaction from your credit card in Embassy Suites North Charleston
Wrong transaction from your credit card in Embassy Suites Washington
Wrong transaction from your credit card in Enchantment Resort
Wrong transaction from your credit card in Encore at Wynn
Wrong transaction from your credit card in Fairmont Chicago
Wrong transaction from your credit card in Fairmont Heritage Place Ghiradelli Square
Wrong transaction from your credit card in Fairmont Kea Lani
Wrong transaction from your credit card in Fairmont Miramar
Wrong transaction from your credit card in Fairmont Scottsdale
Wrong transaction from your credit card in Fairmont & Towers
Wrong transaction from your credit card in Florida Choice Executive Pool Homes
Wrong transaction from your credit card in Four Seasons
Wrong transaction from your credit card in Four Seasons Los Angeles at Beverly Hills
Wrong transaction from your credit card in Four Seasons Resort Lanai at Manele Bay
Wrong transaction from your credit card in Four Seasons Resort Maui at Wailea
Wrong transaction from your credit card in Four Seasons Resort Palm Beach
Wrong transaction from your credit card in Four Seasons Resort Scottsdale
Wrong transaction from your credit card in Four Seasons San Francisco
Wrong transaction from your credit card in Gansevoort South
Wrong transaction from your credit card in George
Wrong transaction from your credit card in Gramercy Park
Wrong transaction from your credit card in Grand Bohemian
Wrong transaction from your credit card in Grand Hyatt Atlanta in Buckhead
Wrong transaction from your credit card in Grand Hyatt Kauai Resort & Spa
Wrong transaction from your credit card in Grand Hyatt New York
Wrong transaction from your credit card in Grand Hyatt San Francisco
Wrong transaction from your credit card in Grand Hyatt Seattle
Wrong transaction from your credit card in Grand Hyatt Washington
Wrong transaction from your credit card in Granduca
Wrong transaction from your credit card in Grand Wailea Resort
Wrong transaction from your credit card in Halekulani
Wrong transaction from your credit card in Hampton Inn Washington - Convention Center
Wrong transaction from your credit card in Helix Boutique
Wrong transaction from your credit card in Hilton Americas Houston
Wrong transaction from your credit card in Hilton Atlanta
Wrong transaction from your credit card in Hilton Atlanta Airport
Wrong transaction from your credit card in Hilton Boston Logan Airport
Wrong transaction from your credit card in Hilton Chicago
Wrong transaction from your credit card in Hilton Garden Inn Washington DC Franklin Square
Wrong transaction from your credit card in Hilton Grand Vacations Club
Wrong transaction from your credit card in Hilton Hawaiian Village
Wrong transaction from your credit card in Hilton Houston Plaza
Wrong transaction from your credit card in Hilton Houston Westchase
Wrong transaction from your credit card in Hilton Las Vegas
Wrong transaction from your credit card in Hilton Orlando Bonnet Creek
Wrong transaction from your credit card in Hilton Washington
Wrong transaction from your credit card in Hilton Washington Embassy Row
Wrong transaction from your credit card in Holiday Inn Port of Miami Downtown
Wrong transaction from your credit card in Homewood Suites
Wrong transaction from your credit card in Hyatt Grand Aspen
Wrong transaction from your credit card in Hyatt Regency Atlanta
Wrong transaction from your credit card in Hyatt Regency Grand Cypress
Wrong transaction from your credit card in Hyatt Regency Houston
Wrong transaction from your credit card in Hyatt Regency Huntington Beach
Wrong transaction from your credit card in Hyatt Regency Maui Resort and Spa
Wrong transaction from your credit card in Hyatt Regency San Francisco
Wrong transaction from your credit card in Hyatt Regency Scottsdale Resort
Wrong transaction from your credit card in Hyatt Regency Waikiki
Wrong transaction from your credit card in Hyatt Regency Washington
Wrong transaction from your credit card in Icon
Wrong transaction from your credit card in Indian Creek
Wrong transaction from your credit card in Inn at Perry Cabin
Wrong transaction from your credit card in Inn at the Ballpark
Wrong transaction from your credit card in InterContinental
Wrong transaction from your credit card in Intercontinental Buckhead Atlanta
Wrong transaction from your credit card in InterContinental Chicago
Wrong transaction from your credit card in Intercontinental San Francisco
Wrong transaction from your credit card in InterContinental The Barclay New York
Wrong transaction from your credit card in Jefferson
Wrong transaction from your credit card in Jerome
Wrong transaction from your credit card in Jumeirah Essex House
Wrong transaction from your credit card in JW Marriott Buckhead Atlanta
Wrong transaction from your credit card in JW Marriott Desert Ridge Resort & Spa
Wrong transaction from your credit card in JW Marriott Las Vegas Resort, Spa & Golf
Wrong transaction from your credit card in JW Marriott Miami
Wrong transaction from your credit card in JW Marriott Orlando Grande Lakes
Wrong transaction from your credit card in JW Marriott Pennsylvania Avenue
Wrong transaction from your credit card in JW Marriott San Francisco
Wrong transaction from your credit card in Kahala Resort
Wrong transaction from your credit card in Keswick Hall
Wrong transaction from your credit card in La Costa Resort & Spa
Wrong transaction from your credit card in Lauberge Del Mar
Wrong transaction from your credit card in La Valencia
Wrong transaction from your credit card in Le Meridien San Francisco
Wrong transaction from your credit card in Le Parker Meridien
Wrong transaction from your credit card in Lodge At Koele
Wrong transaction from your credit card in Lodge At Torrey Pines
Wrong transaction from your credit card in Loews Coronado Bay Resort
Wrong transaction from your credit card in Loews Miami Beach
Wrong transaction from your credit card in Loews Regency
Wrong transaction from your credit card in Loews Santa Monica Beach
Wrong transaction from your credit card in London West Hollywood
Wrong transaction from your credit card in Lowell
Wrong transaction from your credit card in Madera
Wrong transaction from your credit card in Madison
Wrong transaction from your credit card in Main Street Station & Casino
Wrong transaction from your credit card in Mandalay Bay
Wrong transaction from your credit card in Mandarin Oriental
Wrong transaction from your credit card in Mandarin Oriental Miami
Wrong transaction from your credit card in Marriott at Metro Center
Wrong transaction from your credit card in Marriott Chicago Downtown Magnificent Mile
Wrong transaction from your credit card in Marriott Houston Airport at George Bush Intercontinental
Wrong transaction from your credit card in Marriott Marquis San Francisco
Wrong transaction from your credit card in Marriott Resort
Wrong transaction from your credit card in Marriott San Francisco Fisherman's Wharf
Wrong transaction from your credit card in Mauna Kea Beach
Wrong transaction from your credit card in Mauna Lani Bay & Bungalows
Wrong transaction from your credit card in McCoy Peak Lodge
Wrong transaction from your credit card in Melrose
Wrong transaction from your credit card in Meridian Luxury Suites
Wrong transaction from your credit card in Michelangelo
Wrong transaction from your credit card in Millennium UN Plaza
Wrong transaction from your credit card in Monaco Boutique
Wrong transaction from your credit card in Monaco Washington DC
Wrong transaction from your credit card in Mona Lisa Suite
Wrong transaction from your credit card in Mondrian
Wrong transaction from your credit card in Mondrian Scottsdale
Wrong transaction from your credit card in Mondrian South Beach
Wrong transaction from your credit card in Morenas Resort Morrison-Clark Historic Inn
Wrong transaction from your credit card in M Resort Spa & Casino
Wrong transaction from your credit card in New York Marriott Marquis
Wrong transaction from your credit card in Nolitan
Wrong transaction from your credit card in Oak Plantation Resort
Wrong transaction from your credit card in Ocean Key Resort & Spa
Wrong transaction from your credit card in Ocean Point Resort & Club
Wrong transaction from your credit card in Omni
Wrong transaction from your credit card in Omni Berkshire Place
Wrong transaction from your credit card in Omni Chicago
Wrong transaction from your credit card in Omni Houston
Wrong transaction from your credit card in One Bal Harbour Resort & Spa
Wrong transaction from your credit card in Owl Creek Homes
Wrong transaction from your credit card in Palms Place & Spa
Wrong transaction from your credit card in Palomar
Wrong transaction from your credit card in Palomar Boutique
Wrong transaction from your credit card in Park Hyatt
Wrong transaction from your credit card in Park Hyatt Chicago
Wrong transaction from your credit card in Park Hyatt Resort & Spa
Wrong transaction from your credit card in Peabody Orlando
Wrong transaction from your credit card in Peninsula New York
Wrong transaction from your credit card in Phoenician
Wrong transaction from your credit card in Pierre A Taj
Wrong transaction from your credit card in Plaza Athenee
Wrong transaction from your credit card in Pocono Palace
Wrong transaction from your credit card in Prescott
Wrong transaction from your credit card in Raffles L'Ermitage Beverly Hills
Wrong transaction from your credit card in Rancho Bernardo Inn
Wrong transaction from your credit card in Rancho Las Palmas Resort & Spa
Wrong transaction from your credit card in Red Rock Casino Resort & Spa
Wrong transaction from your credit card in Renaissance Charleston Historic District
Wrong transaction from your credit card in Renaissance Chicago
Wrong transaction from your credit card in Renaissance Houston Greenway Plaza
Wrong transaction from your credit card in Renaissance New York Times Square
Wrong transaction from your credit card in Renaissance Washington
Wrong transaction from your credit card in Renaissance Waverly
Wrong transaction from your credit card in Residence Inn by Marriott Capitol
Wrong transaction from your credit card in Rio Suite and Casino
Wrong transaction from your credit card in Ritz-Carlton
Wrong transaction from your credit card in Ritz-Carlton Battery Park
Wrong transaction from your credit card in Ritz-Carlton Boston Common
Wrong transaction from your credit card in Ritz-Carlton Central Park
Wrong transaction from your credit card in Ritz-Carlton Golf Resort
Wrong transaction from your credit card in Ritz Carlton Kapalua
Wrong transaction from your credit card in Ritz Carlton Key Biscayne
Wrong transaction from your credit card in Ritz-Carlton Laguna Niguel
Wrong transaction from your credit card in Ritz-Carlton Marina Del Rey
Wrong transaction from your credit card in Ritz Carlton Naples Beach Resort
Wrong transaction from your credit card in Ritz Carlton Naples Golf Resort
Wrong transaction from your credit card in Ritz-Carlton Orlando, Grande Lakes Resort
Wrong transaction from your credit card in Ritz-Carlton Palm Beach
Wrong transaction from your credit card in Ritz-Carlton San Francisco
Wrong transaction from your credit card in Ritz Carlton South Beach
Wrong transaction from your credit card in Rouge
Wrong transaction from your credit card in Royal Hawaiian
Wrong transaction from your credit card in Royal Pacific Resort
Wrong transaction from your credit card in Royal Palms Resort & Spa
Wrong transaction from your credit card in Sanctuary on Camelback Mountain
Wrong transaction from your credit card in Seattle Marriott Waterfront
Wrong transaction from your credit card in Se San Diego
Wrong transaction from your credit card in Shangri-La
Wrong transaction from your credit card in Sheraton Chicago and Towers
Wrong transaction from your credit card in Sheraton Keauhou Bay Resort & Spa
Wrong transaction from your credit card in Sheraton Maui Resort
Wrong transaction from your credit card in Sheraton Moana Surfrider
Wrong transaction from your credit card in Sheraton Suites Houston Near The Galleria
Wrong transaction from your credit card in Sheraton Suites San Diego at Symphony Hall
Wrong transaction from your credit card in Sheraton Waikiki
Wrong transaction from your credit card in Shore Club
Wrong transaction from your credit card in Shutters Beach
Wrong transaction from your credit card in Signature at MGM Grand
Wrong transaction from your credit card in Skylofts at MGM Grand
Wrong transaction from your credit card in SLS at Beverly Hills
Wrong transaction from your credit card in Sofitel Lafayette Square
Wrong transaction from your credit card in Sonesta Orlando Downtown
Wrong transaction from your credit card in Sorrento
Wrong transaction from your credit card in South Beach Marriott
Wrong transaction from your credit card in Star The Michelangelo
Wrong transaction from your credit card in St. Gregory Luxury & Suites
Wrong transaction from your credit card in St. Regis
Wrong transaction from your credit card in St. Regis Princeville Resort
Wrong transaction from your credit card in St. Regis Washington
Wrong transaction from your credit card in Sun Harbour Boutique
Wrong transaction from your credit card in Sutton Place
Wrong transaction from your credit card in Swissotel Chicago
Wrong transaction from your credit card in Taj Boston
Wrong transaction from your credit card in Taj Campton Place
Wrong transaction from your credit card in Tamarack by Destination Resorts Snowmass
Wrong transaction from your credit card in The Alex
Wrong transaction from your credit card in The Alexander
Wrong transaction from your credit card in The Carlyle, A Rosewood
Wrong transaction from your credit card in The Carlyle Suites
Wrong transaction from your credit card in The Chatwal
Wrong transaction from your credit card in The Cosmopolitan Las Vegas
Wrong transaction from your credit card in The Drake
Wrong transaction from your credit card in The Enclave
Wrong transaction from your credit card in The Equinox Resort & Spa
Wrong transaction from your credit card in The Fairmont
Wrong transaction from your credit card in The Fairmont Copley Plaza
Wrong transaction from your credit card in The Fairmont Olympic
Wrong transaction from your credit card in The Fairmont Orchid
Wrong transaction from your credit card in The Fairmont Washington
Wrong transaction from your credit card in The Hay-Adams
Wrong transaction from your credit card in The Helmsley Carlton House
Wrong transaction from your credit card in The Henley Park
Wrong transaction from your credit card in The Houstonian Club & Spa
Wrong transaction from your credit card in The Huntington and Nob Hill Spa
Wrong transaction from your credit card in The Iroquois
Wrong transaction from your credit card in The Langham Huntington & SPA
Wrong transaction from your credit card in The Latham
Wrong transaction from your credit card in The Lenox
Wrong transaction from your credit card in The Little Nell
Wrong transaction from your credit card in The Lucerne
Wrong transaction from your credit card in The New York Helmsley
Wrong transaction from your credit card in The Orchard
Wrong transaction from your credit card in The Palmer House Hilton
Wrong transaction from your credit card in The Peninsula
Wrong transaction from your credit card in The Peninsula Beverly Hills
Wrong transaction from your credit card in The Phoenician
Wrong transaction from your credit card in The Pierre
Wrong transaction from your credit card in The Plaza
Wrong transaction from your credit card in The Quincy
Wrong transaction from your credit card in The Ritz Carlton
Wrong transaction from your credit card in The Ritz-Carlton Bachelor Gulch
Wrong transaction from your credit card in The Ritz-Carlton Buckhead
Wrong transaction from your credit card in The Ritz-Carlton Fort Lauderdale
Wrong transaction from your credit card in The Ritz-Carlton Georgetown
Wrong transaction from your credit card in The Ritz-Carlton Laguna Niguel
Wrong transaction from your credit card in The Ritz-Carlton Orlando, Grande Lakes
Wrong transaction from your credit card in The Setai
Wrong transaction from your credit card in The Setai Fifth Avenue
Wrong transaction from your credit card in The St. Regis Aspen
Wrong transaction from your credit card in The St. Regis Monarch Beach
Wrong transaction from your credit card in The Venetian Resort and Casino
Wrong transaction from your credit card in The Villa By Barton G
Wrong transaction from your credit card in The Washington Court On Capital Hil
Wrong transaction from your credit card in The Westin Atlanta Airport
Wrong transaction from your credit card in The Westin Chicago River North
Wrong transaction from your credit card in The Westin Embassy Row
Wrong transaction from your credit card in The Westin Grand
Wrong transaction from your credit card in The Westin Michigan Avenue
Wrong transaction from your credit card in The Westin Mission Hills Resort & Spa
Wrong transaction from your credit card in The Westin New York at Times Square
Wrong transaction from your credit card in The Westin Oaks
Wrong transaction from your credit card in The Westin Peachtree Plaza
Wrong transaction from your credit card in The Westin Seattle
Wrong transaction from your credit card in The Whitehall
Wrong transaction from your credit card in The Wit-A Doubletree
Wrong transaction from your credit card in Tides South Beach
Wrong transaction from your credit card in Topaz
Wrong transaction from your credit card in Trump International Sonesta Beach resort
Wrong transaction from your credit card in Trump International & Tower
Wrong transaction from your credit card in Trump International Waikiki Beach Walk
Wrong transaction from your credit card in Trump Las Vegas
Wrong transaction from your credit card in Trump Soho
Wrong transaction from your credit card in Universal Portofino Bay a Loews
Wrong transaction from your credit card in Universal Royal Pacific Resort a Loews
Wrong transaction from your credit card in Vdara & Spa
Wrong transaction from your credit card in Viceroy Palm Springs
Wrong transaction from your credit card in Villas Of Grand Cypress
Wrong transaction from your credit card in Wailea Marriott an Outrigger Resort
Wrong transaction from your credit card in Waldorf Astoria Orlando
Wrong transaction from your credit card in Waldorf Astoria & Towers
Wrong transaction from your credit card in Waldorf Towers
Wrong transaction from your credit card in Walt Disney World Swan and Dolphin
Wrong transaction from your credit card in Wardman Park Marriott
Wrong transaction from your credit card in Washington Court on Capitol Hill
Wrong transaction from your credit card in Washington Suites Georgetown
Wrong transaction from your credit card in W Atlanta Midtown
Wrong transaction from your credit card in W Boston
Wrong transaction from your credit card in Westin Diplomat Resort & Spa
Wrong transaction from your credit card in Westin Maui Resort & Spa
Wrong transaction from your credit card in Westin Princeville Ocean Resort Villas
Wrong transaction from your credit card in Westin St. Francis
Wrong transaction from your credit card in W Hollywood
Wrong transaction from your credit card in Willard InterContinental
Wrong transaction from your credit card in Windsor Court
Wrong transaction from your credit card in W Los Angeles Westwood
Wrong transaction from your credit card in Woodrun Place Condo
Wrong transaction from your credit card in Woodrun V Townhomes
Wrong transaction from your credit card in W Seattle
Wrong transaction from your credit card in Wyndham Grand Desert
Wrong transaction from your credit card in Wynn Las Vegas
Wrong transaction from your credit card in XV Beacon
Wrong transaction from your credit card in ZaZa Houston
Wrong transaction from your credit card in Z Ocean
(689 rows)

MasterCard spam leads to Fake AV

2011-07-23T07:28:00.000-07:00

The FBI is doing a great job gaining international cooperation in going after cyber criminals. Just last month yet another malware group was arrested, as the public learned about in the June 22, 2011 FBI press release, Department of Justice disrupts international cybercrime rings distributing scareware. In that case, criminals were arrested as part of a scareware ring that had infected more than 1 million computers and caused more than $72 million in losses!

Unfortunately, the end of fake Anti-virus scareware has not yet arrived. Here's an example from today's spam from the UAB Spam Data Mine.

Please see end for an update

We're seeing a significant "spam attached malware" campaign in the past 24 hours with six different attachment MD5s.

uab_spam=> select count(*), sender_domain, md5_hex, size from spam natural join spam_attach where sender_domain = 'mastercard.com' and receiving_date >= '2011-07-22' group by sender_domain, md5_hex, size;

count | received | md5_hex | size
-------+-------------------------+---------------------------------+-------
318 | 7/22 03:15 - 7/22 10:15 | 241cc18918540d6c49dd8b45df31985d | 67584
20 | 7/22 10:45 - 7/22 11:00 | 5f8a95d194f7dcadabf442ed5705c4e0 | 79872
565 | 7/22 11:30 - 7/22 17:30 | 0256a71baefd0f625910bbc44147e432 | 68096
1133 | 7/22 17:45 - 7/23 04:00 | f4aea68ea94d7780a5b1abd709f7730f | 69632
67 | 7/22 12:00 - 7/23 08:15 | 277eb4dacd401a3c520dc5bb9ede70f0 | 77237
439 | 7/23 04:00 - 7/23 08:15 | fe88c3a276d11aa208dac7ae68f55cd3 | 67584
(6 rows)

Most popular email subjects:

count | subject
-------+-----------------------------------------------
24 | WARNING: Your credit card is locked!
26 | WARNING: Your credit card is blocked!
26 | ATTENTION: Your credit card has been blocked!
1116 | Your credit card is blocked
29 | ATTENTION: Your credit card is blocked!
1184 | Your credit card has been blocked
24 | CAUTION: Your credit card is locked!
29 | ATTENTION: Your credit card is locked!
31 | WARNING: Your credit card has been blocked!
19 | CAUTION: Your credit card has been blocked!
34 | CAUTION: Your credit card is blocked!
(11 rows)

The body of the email looks like the attached file:

------------------
Dear User,
Your credit card is locked!
From your credit card has been removed $ 3951,74
Possibly illegal operation!
More details in the attached file.
Instantly contact your bank .
Best regards, MASTERCARD Services.
-------------------

The username portion of the email sender is random, using a classic mis-spelling that has been consistent for this sender (which is the same guy who has been doing the "government imitating" zeus). "cunsumer"

Usernames are a single word, followed by a ".", "_", or "-", followed by a two or three digit number.

The most popular words (by far) are "manager" (770 time), and "support" (757 times), but we've also seen admin, adminnistration, alerts, cunsumer, delivery, e-file, finance, frboard-webannouncements, govdelivery, information, inspector, news, news-alerts, no-reply, protection, public, report, service, stats, subscriber, subscriptions, usttb, and webannouncements.

The attached file is actually named as a ".com" file, using a random-seeming filename in the format "id" followed by a 5-7 digit number (such as id918538.com).

Of the 2,649 IP addresses that have sent us the spam so far, they have come from 1,443 distinct sending IP addresses. Some of our most popular senders have been:

count | sender_ip
-------+--------------------
10 | 113.172.171.155/32
10 | 190.99.213.191/32
9 | 75.145.37.117/32
9 | 187.126.15.108/32
9 | 110.164.112.159/32
8 | 188.81.213.237/32
8 | 201.240.80.96/32
8 | 79.82.153.66/32
8 | 110.138.30.34/32
7 | 180.253.110.135/32
7 | 151.64.138.215/32
7 | 79.178.152.194/32
6 | 95.37.41.218/32
6 | 201.240.215.105/32
6 | 94.20.98.220/32
6 | 122.167.44.208/32
6 | 71.197.255.106/32
6 | 113.190.138.153/32
6 | 90.177.147.202/32
6 | 178.150.237.124/32
6 | 65.10.178.64/32
6 | 178.204.204.172/32
6 | 24.90.102.247/32
6 | 93.75.103.25/32
6 | 190.235.93.183/32
6 | 82.51.62.237/32
6 | 77.236.26.169/32
6 | 110.164.106.145/32
6 | 178.222.27.142/32
6 | 113.53.181.86/32
6 | 123.17.157.159/32
6 | 151.25.53.47/32
5 | 201.68.209.20/32
5 | 180.180.150.248/32
5 | 120.62.24.122/32
5 | 59.182.51.42/32
5 | 182.53.176.152/32
5 | 194.28.88.58/32
5 | 85.186.178.173/32
5 | 41.140.170.143/32
5 | 71.200.55.41/32
5 | 200.91.255.142/32
5 | 190.43.147.223/32
5 | 125.24.202.30/32
5 | 41.140.43.44/32
5 | 59.184.128.238/32
5 | 95.58.34.230/32
5 | 117.201.20.59/32
5 | 186.6.177.39/32

I chose the most recent MD5 and did a scan at VirusTotal, finding that only 3 of 43 Antivirus products were able to detect this as a virus, according to this VirusTotal report.

Since this was an email attachment, web reputation didn't really help here. This would be a case where your spam blocking would be your best defense!

When the file is launched, it attempts to make connections to a long list of domains that are probably made by a "DGA" or "Domain Generation Algorithm". It's likely that at different times or days this list would be different. My domains included:

syqivolurypugi.com
qotasifelaw.com
tibumuqel.com
suzehebaq.com
sivycaqilugoq.com
levulehup.com
ledimajezociw.com
rabuqibareme.com
fopuvuwupode.com
cinuherijugeg.com

and more.

bakagunaxepo.com responded as 193.164.132.20 <= Gigahosting, Germany
bipuwyqojivu.com responded as 85.17.239.165 <= Leaseweb, Netherlands
civivicuqekexo.com responded as 93.104.208.84 <= Gigahosting
levulehup.com responded as 204.45.120.27 <= FDC Servers, Chicago
levysavasezo.com responded as 85.17.239.215 <= Leaseweb, Netherlands
pafozykavygaj.com responded as 85.17.239.216 <= Leaseweb, Netherlands
pejozehywe.com responded as 50.2.7.242 <= Eonix/GotHost
suzehebaq.com responded as 206.217.134.44 <= Colocrossing
syqivolurypugi.com responded as 206.217.134.43 <= Colocrossing
waciroqohuli.com responded as 64.56.65.213 <= VRTServers.net
zarapetahuryp.com responded as 50.2.7.241 <= Eonix/GotHost

as a few examples . . .

The purpose of the malware? Seems to be just another Fake Anti-virus product. Here's the scan that kicked off:

After the scan, I was of course constantly reminded of the grave danger I was in:

First it did a get for "1038000112" from "bogekizase.com" on 66.197.213.6.

All it got back from there was "OK."

Most of the interaction was from tibumuqel.com on 79.143.178.101.

tibumuqel.com was registered on July 15, 2011 using the contact info:

Ana Ivancic freon@cutemail.org
+385.20324535
Od Domina 5
Dubrovnik,Southern Dalmatia,HR 20000

Searching on her details will show that "Ana" has registered plenty of other malware domains as well, usually with different email addresses.

From the tibumuqel.com domain, we did a get for "10380001124255461742" which was redirected to "buy.html"

That's also the box that my payment information was posted back to, although unfortunately, my credit card was declined. 8-(

That was my "purchase the fake AV product" screen, giving me my pricing options, and letting me know that this fake AV product was an SC Magazine 2011 award finalist!

What are our lessons learned?

Anti-virus can't protect you by itself, as evidenced by the 3 of 43 AV products that new about this malware this morning. You need a robust security strategy that includes:

a. Being Smart about what you click on. (Start with CLICK ON NOTHING)
b. a web-reputation component (stopping traffic to bad websites)
c. a strong spam filter

Update

Love Card Version

The "Love card" version of the spam reads like this:

-------

GOOD AFTERNOON! Do you like games ?

Service www. lovecard. ge Present New Game For Amateurs Strawberries
This game is still freeware. You can find it in Attached. Please test it and send us Your comments and suggestions !
With Best Wishes !.. www. love-card. org

-------

or

-------

Attention! Do you like games ?

Service www. mylovecards. com Present New Game For Amateurs Strawberries
This game is still freeware. You can find it in Attached. Please test it and send us Your comments and suggestions !
With Best Wishes !.. www. love-card. org

-----

The "love card" version ends with "white on white" text in tiny letters that reads:

Are you tired of routine romance and love making? Are you looking for a little more fun and excitement? Games are light-hearted and lots of fun. They take the pressure off and allow you and your partner to really let loose. Whether you're trying to get to know each other better, spark the romance, or improve your sex life, a game is a fun way to do it! www. love-card. org is the recognised industry leader in adult games for lovers who want to explore a deeper level of intimacy, sexuality and romance. We have been offering couples in loving relationships pleasurable and educational entertainment to enhance their relationship since 1987. Developed with the assistance of professionals, our games and products are tasteful, sensitive and respectful.

FedEx Version

The "FedEx" version looks like this:

GOOD DAY!
DEAR CONSUMER , Delivery Confirmation: FAILED
PLEASE PRINT OUT THE INVOICE COPY ATTACHED AND COLLECT THE PACKAGE AT OUR DEPARTMENT
Pack it. Ship ip. No calculating , Your FedEx TEAM

or

Hello!
DEAR USER , DELIVERY CONFIRMATION: FAILED
PLEASE PRINT OUT THE INVOICE COPY ATTACHED AND COLLECT THE PACKAGE AT OUR DEPARTMENT
With respect , FedEx .com Customer Services

or

Good day!
DEAR USER , We were not able to delivery the post package
Please print out the invoice copy attached and collect the package at our department
Best Regards , Fedex Customer Services

My Friend's Been Hacked!

2011-07-17T04:42:00.000-07:00

Have you ever received an email like this?

Subject: RE: URGENT RESPOND NEEDED‏

Hello,
I am sorry I didn't inform you about my traveling to Europe for a program called Empowering Youth to Fight Racism,HIV/AIDS,and Lack of Education,the program is taking place in three major countries in Europe which are Dublin,Scotland and England,I am persently in England,London.

I misplaced my wallet on my way to the hotel where my money,and other valuable things were kept.I will like you to assist me with a soft loan urgently with the sum of $2,800 US Dollars to sort-out my hotel bills and get myself back home.

I will appreciate whatever you can afford to send the money today.i'll pay you back as soon as i return,Let me know if you can assist. please use this information to send the money to me.I wait your quickly respond

I posted a copy of that email on my blog in February of 2009 (See: Traveler Scams: Email Phishers Newest Scam). Since that time ALMOST EVERY DAY I receive an email from someone thanking me for my post and telling me that one of their friends seems to have fallen victim. Then they say "What do I do next?"

Normally I tell them they need to contact their friend and have their friend report to their email provider that they have had their password stolen.

Please note that this is DIFFERENT than just getting a weird email that says it came from a friend. In this traveler scam, if you reply to the email, the bad guy will often reply with personal information about you "that only your friend could know." That's because they are actually in your friend's email account reading emails from you to try to find a way to convince you to wire them money.

Another indicator that someone may have had their email hacked is when there are several people on the "To:" or "CC:" line that you know your friend knows. When spammers randomly forge a "from" address, it doesn't necessarily mean they have stolen your friend's password, but when SEVERAL of your friend's acquaintances are in the "To:" line, it means the criminal has access to your friend's address book or email messages.

Hotmail: My Friend's Been Hacked!

Microsoft has just announced this week a new way that you can help your friend (if both of you use hotmail.) Dick Craddock writes in the "Inside Windows Live" blog on July 14th, Hey! My Friend's Account Was Hacked! about a new feature that is being offered to hotmail and live.com customers.

With the new feature, when you are reading the offending email, you can pull down the "Mark As" menu and choose "My Friend's Been Hacked!:

When you take the time to mark the message like that, it sends a high priority request to Microsoft to put this account "on hold." Now, there has to be some OTHER circumstances true as well, you can't use this to just cause trouble for people who annoy you, but when your report is combined with other factors about your friend's email usage -- such as sending an unusually high number of messages, or logging in from an IP in another country -- the account will be placed on hold.

That immediately stops the criminal from being able to use the account to send spam, AND let's your friend begin an Account Recovery Process the next time they try to log in.

Yahoo! and Gmail?

What if your friend doesn't use Hotmail?

Microsoft has now begun pushing the "My Friend's Been Hacked!" reports to Yahoo! and Gmail as well. So if YOU are a hotmail user, and your hacked friend is using Yahoo! or Gmail using the reporting mechanism on hotmail will still send an alert to Yahoo! or Google and let them know of the suspicious email you've received.

Hopefully this will become a new industry standard practice and we'll be able to send reports from any of our mail clients!

Here's some advice from other providers on what to do if a Friend seems to be compromised:

- Gmail: Report A Security Problem

- Google: How to Recover Your Email Account

- Facebook Security

- Yahoo! Account Helper

(If you have a suggestion of a better link, please let me know . . .)

FBI + Romanian DIICOT = 117 Search warrants and 100+ arrests

2011-07-15T09:26:00.000-07:00

In one of the largest international cybercrime enforcement actions in history, the FBI and the Romanian DIICOT (Directorate for Investigating Infractions of Organized Crime and Terrorism) have performed at least 117 searches and arrested 21 in America and more than 90 in Romania.

All across Romania, scenes such as this were being conducted:

The Romanian news source that provided the photos above shared this quote with Adrian Hood, Chief Prosecutor of DIICOT, Craiova Territorial Service:

"Specifically, defendants are charged for activities from 2009 to 2011 involving posting notices of sale of fictitious, non-existent goods such as cars, motorcycles, boats, and electronics on e-commerce platforms such as www.eBay.com and www.craigslist.org through advertisements made with false information."

(See the Original story for the Romanian original of that quote...

The FBI has issued a press release on the matter today, Organized Romanian Criminal Groups Targeted by DOJ and Romanian Law Enforcement.

The case centers on criminals in Romania who would post luxury items and vehicles for sale on Internet auction websites, such as eBay. They would then instruct the potential buyer that for safety of the transaction they would be using an escrow service and provide them instructions to wire the funds to the escrow service, rather than making their payment through the auction company. US-based co-conspirators would then go pick up the money from American bank accounts. These intermediaries are called "money mules" in the US, but in Romanian cybercrime parlance they are referred to as "arrows."

According to the FBI Press Release . . . "Since May 2010, the FBI and the U.S. Attorney’s Office for the Southern District of Florida have arrested and prosecuted numerous individuals from Romania, Moldova and the United States allegedly involved in this fraud scheme. Vadim Gherghelejiu, 29, of Moldova; Anatolie Bisericanu, 25, of Moldova; Jairo Osorno, 22, of Surfside, Fla.; Jason Eibinder, 22, of Sunny Isles Beach, Fla.; and Ciprian Jdera, 25, of Romania, have been convicted in the Southern District of Florida of conspiracy to commit wire fraud."

On February 22, 2010, a Miami court returned an indictment against "Pedro Pulido, 41, of Pembroke Pines, Fla.; Ivan Boris Barkovic, 19, of Sunny Isles Beach; Beand Dorsainville, 20, of North Miami Beach, Fla.; Sergiu Petrov, aka “Serogia,” 27, of Moldova; Oleg Virlan, 32, of Moldova; Marian Cristea, 22, of Romania; and Andrian Olarita, 26, of Moldova, with conspiracy to commit wire fraud and substantive counts of wire fraud. Pulido, Barkovic, Dorsainville and Olarita have pleaded guilty to conspiracy to commit wire fraud. Petrov, Virlan and Cristea remain at large and are considered fugitives."

Romanian news is buzzing today with news of many search warrants being issued all over Romania.

FBI Searches Romania - 20 million dollars stolen by hackers in eight countries

Photographers were present at many of today's Romanian arrests . . .

Here a dentist, Horace Balanescu, and his wife are being arrested in Bumbesti-Jiu Romania:

(photos from "adevarul.ro")

Romanian news says that there were more than 1,000 victims who collectively lost more than $20 million USD.

We'll have more details here in the near future . . .

Congratulations to all of the fine agents in Romania and the FBI who took part in this historical arrest, and to those at eBay and Craigslist and other companies who assisted with information.

A New Car! (or Zeus spam Campaign)

2011-06-25T06:11:00.000-07:00

If you believe my email today, everyone is getting a new car but me.

There are actually many different spam message subjects that make up this campaign. Those like the one above use a random person name in the subject line, like these:

Remember [name]?
It's [name]'s new car!
Saw new [name]'s car?
Do you remember [name]?

There were also quite a few "non-random" ones. Here's a sampling from yesterday's spam, when we received a total of more than 60,000 emails that are part of this malware distribution campaign:

count | subject
-------+------------------------------------
1398 | info
1389 | Hello
1357 | look
1344 | Hello!
1343 | Hi!
1341 | hello!
1333 | Look!
1328 | hello
1320 | hello.
1314 | Hello.
1305 | hey buddy!
1286 | hi buddy!
1282 | Hey!
590 | Is this your boyfriend?
580 | Do you remember me?
577 | Remember me?
549 | Is This Your Boyfriend?
539 | Is this your girlfriend bro?
538 | Is This Your Girl Bro?
533 | Is This Your Boy?
529 | Is this your boy?
507 | Is this your girl bro?
487 | Is This Your Girlfriend Bro?
482 | Is this your girlfriend buddy?
480 | Is This your Girlfriend?

Those numbers are the count of the email messages we received from that portion of the campaign that pretended to be related to LinkedIn. In the graphic above, you can see that the "From" address is on "live.com" and the "Reply-To" is on "linkedin.com". Actually neither one of those things were true.

Here are the actual mail headers (although I've redacted a couple things from this one):

In this image, the "fake" values are highlighted in green while the "real" values are highlighted in yellow. This email did NOT come from LinkedIn's IP 63.211.90.176. It really came from 173.200.78.57. (Many hundreds of IPs were used.)

We actually saw this same style of mail-header faking beginning last November, especially during a rampant USAA Phishing campaign where the destination websites were all on '.tk' domains. Although I didn't focus on that aspect in the story (instead we found the REAL sender IP addresses and wrote about those) it was partly because at the time I didn't understand how it was possible!

All of the spam messages listed above, whether they are the "New Car" version or the "Is that Your Boyfriend?" or even the "Hello!" versions have a common website location being advertised. They use random numbers in the hostname portion of the website address, but the all point to:

arcid_[RND#].oposumcruiser.com/arc/file/

That website looks like this:

UPDATE!!

I've received an update from my friend Steven Burn who runs the websites of Ur I.T. Mate Group. He pointed out to me that even if you don't download the .exe file from this page, you are still at risk just by visiting the site. There is an IFRAME hidden in the source code of the page that directs all visitors to load the Blackhole Exploit Kit from another location. As of this writing that other location is:

http://motorssmonito.com/forum.php?tp=778973f6b2977050

(Visit at your own risk - it WILL try to infect you! )

The excellent folks at UCSB's Wepawet project provide this decoding of the page:

Wepawet decode of the MotorSSMonito blackhole exploit kit

which shows all the little tricks it tries to use to infect you, including loading malicious .jar files, .pdf files, .avi files,

/End Update - Thank you, Mr. Burn!

One of the characteristics of the "Avalanche" botnet that we believed was associated with the USAA phish back in November was that the destination website is "Fast Flux" hosted -- meaning that the IP address is being constantly changed by modifying the nameserver to resolve the domain name to many different locations.

The first time I looked at this website, it was resolving to the IP address 112.71.69.76 in Japan. But when I asked the nameserver for its location, it gave back eight different IP addresses:

80.171.37.243
81.203.1.104
82.159.38.56
85.86.48.130
91.117.147.33
112.71.69.76
114.183.247.117
217.50.208.196

Only a few minutes later when I rechecked, I found the additional IP addresses:

83.213.31.242
90.168.201.126
95.125.232.109
212.225.173.8

all resolving the "oposumcruiser.com" random hostnames.

One of the many projects we have at the UAB Computer Forensics Research Lab is a Fast Flux tracker. Some of the other domains that are currently fluxing on this same space include perfectcheck2011.com, safeyourwork.net, personalsyscheck.com and safetylife2011.org which use the nameservers ns1.lonfd.net and ns1.cazonet.com. Most of those are autoforwarders for pharmaceutical websites such as sportsmedsrxpills.net which purports to be the "Canadian Health & Care Mall".

The fake website offers a download for you as an executable file "archive.exe"

According to the AV products on the VirusTotal website, this is either the Zbot trojan (commonly known as Zeus) or Kazy.

(Click the image to go to the VirusTotal Report for this malware

MD5: a653ef80a47f5ec646a2ce0fdbc1068d

Trojan-Spy.Win32.Zbot.buax, Gen:Variant.Kazy.28222, Win32/Spy.Zbot.YW, Trojan/Win32.Zbot

I put the malware in our Malware Analysis VM and watched to see what it would do.

The version of the malware that I self-infected with made DNS calls for
the following domains, many of which have not yet been registered.

lrnsxmztnqiomiq.com
rqnorekziuhmsxr.biz
rqnorekziuhmsxr.org
vlolhmcjlpqntm.net
vlolhmcjlpqntm.com
zqpyuykzovrsjw.info
zqpyuykzovrsjw.biz
wzmkrojrutomsg.net
wzmkrojrutomsg.org
nnpgpskekyrtyoq.info
nnpgpskekyrtyoq.com
stqbbjuqsoefcpcq.biz
stqbbjuqsoefcpcq.com
xljpkdlnzniocjpu.info

It also modified many registry keys, primary related to Outlook Express, which means there was probably going to be some spamming going on if I left the infection up.

The only one of these I can tell that WAS registered was here...using a
privacy service.

Domain Name: LRNSXMZTNQIOMIQ.COM

Administrative Contact:
Reinecker, Beverly ap9cm76v4sv@nameprivacy.com
ATTN:
P.O. Box 430 c/o NameSecure
Herndon, VA 20171-430
US
570-708-8782

When it was live, it was hosted on 72.249.171.121.

Also seen on that IP, according to bfk.de, are:

www.realgirlfights.org CNAME realgirlfights.org
lrnsxmztnqiomiq.com A 72.249.171.121
wqonlrwkuswjzmm.net A 72.249.171.121
lmnqnxypfulhgxo.biz A 72.249.171.121
kmxpiylvojgjcus.biz A 72.249.171.121

That IP is Colo4Dallas LP (AS36024) in Dallas, Texas.

Steven Burn provided the following list of related domains, as well as the path which hosts their respective badness. Again, please don't follow these links unless you are a malware researcher in a safe environment.

cgywgtcwpngrzgk.net/news/?s=195341
cpgfkybtkljjwvsk.org/news/?s=195341
futplqwsqqiopntn.com/news/?s=195341
ijqrqinymhjsvr.net/news/?s=195341
imwftfprsbxzgiy.info/news/?s=195341
iruwoekurjzrpko.biz/news/?s=195341
jptptmlpqnzdnpl.biz/news/?s=195341
jtpknvosaiwoxqs.info/news/?s=195341
jwqqrkosoqqglvpk.biz/news/?s=195341
jxatmxeojvhwhvd.com/news/?s=195341
ktznowypsmswqtjl.net/news/?s=195341
kxzjfqomtyjhhhzr.com/news/?s=195341
lhourmoptjoejd.info/news/?s=195341
lqwryghqqpiujsp.com/news/?s=195341
mjeqpkukusnkkhtm.info/news/?s=195341
mpwpxgmpjqkrpfzd.biz/news/?s=195341
mrjuqpqqzqikin.org/news/?s=195341
nfumumsidtqtynr.com/news/?s=195341
oopmeozgtsxerenn.com/news/?s=195341
orelrxnwtuiuplhn.biz/news/?s=195341
ounwukdlrpflento.com/news/?s=195341
pluufpyllzrqpnot.com/news/?s=195341
ppjjvmomiiwtkyn.com/news/?s=195341
prminhfvfmsckzjw.info/news/?s=195341
psiscguokswppvys.biz/news/?s=195341
pxcoprkgsoeyoiej.info/news/?s=195341
quujzvhhutfvtlq.info/news/?s=195341
rcjemwpzhygppmuo.net/news/?s=195341
rggfymzrkzpnpsjl.com/news/?s=195341
rheovalxkdmspe.net/news/?s=195341
rhtjdemtypbpow.com/news/?s=195341
rnosovkotqwbk.info/news/?s=195341
rpjrewwqsditwtky.org/news/?s=195341
rwfstvftrzwwtjxu.info/news/?s=195341
rxtrpjvcuikyipt.net/news/?s=195341
sklyzjonvkikpjt.org/news/?s=195341
soilvjyksytnfp.net/news/?s=195341
ssmkoqkrgimsnwe.com/news/?s=195341
tjtoehpzjmtnigs.net/news/?s=195341
ttzoxhbzvgpijlwk.biz/news/?s=195341
twsrnyyfnvrqhht.org/news/?s=195341
ydvkmqunnnnwqop.info/news/?s=195341
yjlmfeinqhupvtnh.info/news/?s=195341
yphxjkymmnqynogh.com/news/?s=195341

ACH Spammer switches to Shortened URLs

2011-05-16T06:41:00.001-07:00

For many weeks now the spammers behind one particular malware family have been fighting a running battle to keep their malware-hosting domains in place for a campaign that we have been calling "NACHA Spam".

In this campaign, which we first wrote about in November 2009 (see: Newest Zeus: NACHA Electronic Payments, the criminals send emails suggesting that an Automated Clearing House (ACH) payment has failed. It is thought that this may be a method of screening recipients as only people who deal with money transfer on a regular basis would be familiar with NACHA as having authority over ACH payments.

In more recent versions of the campaign, including the one we wrote about in March 2011 (see: More ACH Spam from NACHA) we have seen dozens or even hundreds of newly created domain names used to host the malicious content.

Here's a sample of the email body:

The ACH transfer (ID: 1514969569958), recently initiated from your checking account (by you or any other person), was canceled by the Electronic Payments Association.

Rejected transaction
Transaction ID: 1514969569958
Reason for rejection See details in the report below
Transaction Report report_1514969569958.pdf.exe (self-extracting archive, Adobe PDF)

13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100

2011 NACHA - The Electronic Payments Association

Help stop the Osama bin Laden Videos on Facebook

2011-05-04T18:15:00.000-07:00

If you have teenage friends, or friends with poor security practices, you will probably notice that your wall has recently filled up with invitations to watch a video of Osama bin Laden being killed.

The behavior of this particular scam is too cause a link to be posted BY YOU on all of your friends' walls. (There is another popular one going around -- "See Who Viewed Your Profile" -- that behaves in the same way. Facebook confirms that there is no app that can do that, and encourages us to use the "REPORT" feature when we see that.

If you click the link, many geeky "redirections" (described at end of article) happen before you end up on a page that looks like this:

The danger starts if you click "Watch Video". DON'T DO IT!

While it would be interesting to explore the Cross Site Scripting vulnerability that allows this to happen, the more important thing to share is "what should a FaceBook user who sees this activity do about this offending post on their wall?"

Whenever you see something objectionable on your wall, the thing to do is REPORT IT!

Hover your mouse over a message on your wall, and a grey "X" will appear at the top right of the message.

When you click the "X" by the top right corner of the wall post, you are presented with a drop down menu. We're going to choose the bottom item -- "Report As Abuse"

Since the post is not "about me", we go to the lower section and choose "Spam or scam"

When we click "OK" we get an option to block the user. Since this is an innocent mistake by our friend, we don't want to "block" the friend, so just check the bottom box that says "Report to Facebook." If our friend is the sort of helpless, clueless individual that clicks on everything they see, eventually we would want to block this friend.

We get a nice "Thank you" from our friends at Facebook Security! These really help the team! They get the messages and use them to prioritize what things need to be addressed. If many reports are received for the same link, or about the same user, those things get addressed more quickly. Different types of reports go to different sub-groups so just because they are busy helping fight something like today's report doesn't mean that they ignore cyber-bullying.

Facebook WANTS YOU to report things that bother you. That's how they keep a clean neighborhood.

Help them help you. REPORT SCAMS!

Then take a moment more and send your friend a friendly message letting them know what's going on. They might want to let the rest of their friends know.

Facebook security has several recommendations, including a couple that I honestly wouldn't have thought of. (I'll put those first)

Unlike the page which tricked you into showing fake video and report them immediately to Facebook. -- in addition to posting the message to your friends' walls, this tricky Facebook worm causes you to "Like" its page. The more "Likes" a page has, the more people are convinced it's real, so it is helpful to go "UNLIKE" the page. (if you've liked it, it will be a choice on the left side menu.)
If a friend is posting suspicious messages to your wall, they may have malicious software on their computer, or may have clicked something bad themselves. Facebook Help says the best thing to do is tell your friend to contact Facebook Help.
If YOU are the one posting the message, this Facebook Help post is for you: Wall posts were sent from my account, and I didn’t send them. It has helpful hints about anti-virus, not clicking on spam, and how to reset your password.
Have up-to-date anti-virus software
Keep an eye for messages that often feature misspellings, poor grammar and nonstandard English. If it doesn't look like a message your friend would type, REPORT IT! It may be related to malware or a malicious app that is using your friend's account!
Do not open spam mails, including clicking links contained within those messages.
Don’t copy and paste any scripts in your Facebook profile. Several scams have worked by encouraging you to paste something odd in your profile. Some of those scripts install apps, grant permissions, or make you do things you wouldn't want to do!
If you’re using Chrome, make sure you don’t paste any scripts in your browser bar, as the browser tries to preload anything you type in the ‘awesome’ bar.

Geek Alert!

Here's an example stream of what happens if you click one of these links ...
In this case, the link is going to pass through several rounds of redirection, which we can see by doing a "wget" of the destination URL. A "301" command makes your browser move on to another web address without really adding any new content.

In the top example, the destination URL is tinyurl.com/3b8uayr

wget http://tinyurl.com/3b8uayr
Resolving tinyurl.com... 64.62.243.89, 64.62.243.90
Connecting to tinyurl.com|64.62.243.89|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://zamakoko.mo.tl/ [following]
--19:51:27-- http://zamakoko.mo.tl/
=> `index.html'
Resolving zamakoko.mo.tl... 174.122.44.67
Connecting to zamakoko.mo.tl|174.122.44.67|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://on.fb.me/jM9tNF [following]
--19:51:47-- http://on.fb.me/jM9tNF
=> `jM9tNF'
Resolving on.fb.me... 168.143.174.97
Connecting to on.fb.me|168.143.174.97|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.facebook.com/pages/0sama-tape/121566207922629 [following]
--19:51:59-- http://www.facebook.com/pages/0sama-tape/121566207922629
=> `121566207922629'
Resolving www.facebook.com... 69.63.189.16
Connecting to www.facebook.com|69.63.189.16|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://www.facebook.com/common/browser.php [following]
--19:52:05-- http://www.facebook.com/common/browser.php
=> `browser.php'
Connecting to www.facebook.com|69.63.189.16|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

[ <=> ] 11,771 --.--K/s
19:52:24 (1.40 MB/s) - `browser.php' saved [11771]

Which leaves us sitting here:

Bold FBI Move Shutters COREFLOOD Bot

2011-04-13T21:25:00.000-07:00

In February 2005, John Leyden told the story of Joe Lopez a 42 year old businessman in Miami Florida who sued his bank after having $90,348 wired out of his account to Parex Bank in Riga, Latvia. The US Secret Service examined his computer and found that his system was infected with the Coreflood trojan.

Where did the money go? According to USA Today's Byron Acohido, someone named Yanson Arnold withdrew $20,000 of the money three days later.

The story was featured on NBC Nightly News on December 14, 2004, in a story called The Fleecing Of America which indicated the money had been stolen via the CoreFlood Virus.

In June of 2008, Joe Stewart, International Grandmaster of Malware Reverse Engineering, released a report called Coreflood/AFcore Trojan Analysis. He started his report by calling attention to five highlights:

1. One of the oldest botnets in continuous operation (+6 years)
2. Motive turned from DDoS to selling anonymity services to full-fledged bank fraud
3. Entire Windows domains infected at once (thousands of computers at some organizations)
4. Over 378,000 computers infected during 16-month time frame
5. Infected businesses, hospitals, government organizations, and even a state police agency

When Joe worked with Spamhaus back then to investigate an active C&C they found FIFTY GIGABYTES of compressed data, stolen over the course of two years, with a MySQL database that the criminal was using to track which information it had stolen from 378,758 unique bots over a period of 16 months. At one point, Joe's report shows "a major hotel chain" with over 7,000 infected computers, and a State Police agency with over 110 infected computers! Among the data stolen were 8,485 bank passwords, 3,233 credit card passwords, 151,000 email passwords, and 58,391 social networking site passwords. At that time, in 2008, the controller domains were: mcupdate.net, joy4host.com, and antrexhost.com.

Here we are in April 2011 -- almost three years later, and "antrexhost.com" is still an active C&C for the domain, which is still stealing money, despite being featured on NBC Nightly News, USA Today, and discussed by name by the White House's Howard Schmidt.

All of that may have come to an end today, as announced by today's FBI Press Release headline was Department of Justice Takes Action to Disable International Botnet. The botnet in question is known as Coreflood, and according to court papers released by the FBI's New Haven Field Office, a pair of Command & Control servers, located at 207.210.74.74 and 74.63.232.233 were controlling 2,336,542 infected computers as of February 2010. Of those, 1,853,005 were located in the United States.

207.210.74.74 is a server on the Global Net Access system, that hosted a domain called jane.unreadmsg.net. vaccina.medinnovation.org was the C&C name on 74.63.232.233

From the request for a Temporary Restraining Order filed by Assistant US Attorney Edward Chang:

12. The Coreflood Botnet was used, among other things,
to commit financial fraud. Infected computers in the Coreflood
Botnet automatically recorded the keystrokes and Internet
communications of unsuspecting users, including online banking
credentials and passwords. The stolen data was then sent to one
or more Coreflood C&C servers, where it was stored for review by
the Defendants and their co-conspirators. The Coreflood C&C
servers also stored the network and operating system
characteristics of the infected computers. The Defendants and
their co-conspirators used the stolen data, including online
banking credentials and passwords, to direct fraudulent wire
transfers from the bank accounts of their victims.

13. The victims of the fraud scheme described above
included, inter alia:

a. A real estate company in Michigan, from whose bank
account there were fraudulent wire transfers made in a
total amount of approximately $115,771;

b. A law firm in South Carolina, from whose bank account
there were fraudulent wire transfers made in a total
amount of approximately $78,421;

c. An investment company in North Carolina, from whose
bank account there were fraudulent wire transfers made
in a total amount of approximately $151,201; and

d. A defense contractor in Tennessee, from whose bank
account there were fraudulent wire transfers attempted
in a total amount of approximately $934,528, resulting
in an actual loss of approximately $241,866.

The full extent of the financial loss caused by the Coreflood
Botnet is not known, due in part to the large number of infected
computers and the quantity of stolen data.

Here are some of the hostnames that were used by Coreflood -- some dates are in the future, indicating that the bot had the ability to change to new names over time, to prevent just the sort of shutdown that occurred today:

C&C SERVER ASSIGNED 207.210.74.74
Month Primary Domain Alternate Domain
1/2011 a-gps.vip-studions.net old.antrexhost.com
2/2011 dru.realgoday.net marker.antrexhost.com
3/2011 brew.fishbonetree.biz spamblocker.antrexhost.com
4/2011 jane.unreadmsg.net ads.antrexhost.com
5/2011 exchange.stafilocox.net cafe.antrexhost.com
6/2011 ns1.diplodoger.com coffeeshop.antrexhost.com
7/2011 a-gps.vip-studions.net old.antrexhost.com
8/2011 dru.realgoday.net marker.antrexhost.com
9/2011 brew.fishbonetree.biz spamblocker.antrexhost.com
10/2011 jane.unreadmsg.net ads.antrexhost.com
11/2011 exchange.stafilocox.net cafe.antrexhost.com
12/2011 ns1.diplodoger.com coffeeshop.antrexhost.com

C&C SERVER ASSIGNED 74.63.232.233

Month Primary Domain Alternate Domain
1/2011 taxadvice.ehostville.com taxfree.nethostplus.net
2/2011 ticket.hostnetline.com accounts.nethostplus.net
3/2011 flu.medicalcarenews.org logon.nethostplus.net
4/2011 vaccina.medinnovation.org imap.nethostplus.net
5/2011 ipadnews.netwebplus.net onlinebooking.nethostplus.net
6/2011 acdsee.licensevalidate.net imap.nethostplus.net
7/2011 wellness.hostfields.net pop3.nethostplus.net
8/2011 savupdate.licensevalidate.net schedules.nethostplus.net
9/2011 wiki.hostfields.net mediastream.nethostplus.net
10/2011 taxadvice.ehostville.com taxfree.nethostplus.net
11/2011 ticket.hostnetline.com accounts.nethostplus.net
12/2011 flu.medicalcarenews.org logon.nethostplus.net

In addition to the affidavit for the TRO, FBI Special Agent Kenneth Keller got a most unusual Seizure Warrant. With the warrant, they requested that the court compel the Registrars of the 24 domain names posted above to change the DNS settings for the servers, so that they would resolve to SINKHOLE-00.SHADOWSERVER.ORG and SINKHOLE-01.SHADOWSERVER.ORG.

To maximize the difficult of taking down this bot, the criminal spread his domain registrations all over the world. He used Wild West Domains (US-AZ), Above.com (of Australia), Big Rock Solutions (of Mumbai), LiquidNet (UK), Network Solutions (US-Virginia), Active Registrar (SIngapore), 1&1 Internet (Germany), TuCows (Toronto), Dotster (US-Washington), MyDomain, Inc (US-Washington), DomainRegistry.com (US-New Jersey), and Melbourne IT (which is Yahoo!'s registrar of choice), Mesh Digital (UK), Misk.com (US-NY), Moniker (US-Florida), and Directi (India).

Obviously a US court order has little impact in Mumbai or Singapore, so it was important to get this done when the "active" domains were US-based.

A "SinkHole" in the cyber security world is a trick that is invoked to cause botnets who are trying to talk to a criminal server to instead talk to a computer owned by a researcher or investigator. Its a great way for both measuring levels of infection and also for preventing the bad guy from being able to talk to his bots.

In this case, the sinkhole went beyond this though. Here comes the cool part from this Temporary Restraining Order issued by the Honorable (and very smart!) Vanessa L. Bryant.

WHEREAS the Government has shown good cause to believe: (a) that hundreds of thousands of computers are infected by Coreflood, known collectively as the "Coreflood Botnet"; (b) that the computers infected by Coreflood can be remotely controlled by the
Defendants, using certain computer servers known as the "Coreflood C&C Servers" and certain Domains"; (c) that, on or about April 12, 2011, the Government will execute seizure warrants for the Coreflood C&C Servers and the Coreflood Domains; (d) that the Government's seizuer of the Coreflood C&C Servers and the Coreflood Domains will leave the infected computers still running Coreflood; (e) that allowing Coreflood to continue running on the infected computers will cause a continuing and substantial injury to the owners and users of the infected computers, exposing them to a loss of privacy and an increased risk of further computer intrusions; and (f) that it is feasible to stop Coreflood from running on infected computers by establishing a substitute command and control server;

WHEREAS the Coreflood Domains are listed in Schedule A, together with the corresponding registry, registar, and domain name service ("DNS") provider (collectively, the "Domain Service Providers") used by the Defendants with respect to each of the Coreflood Domains;

WHEREAS the Government has shown good cause to believe that: (a) it is reasonably likely that the Government can show that the Defendants are committing wire fraud and bank fraud and are engaging in unauthorized interception of electronic communications, as alleged; (b) it is reasonably likely that the Government can show a continuing and substantial injury to a class of persons, viz., the owners and users of computers infected by Coreflood; and (c) it is reasonably likely that the Government can show that the requested restraining order will prevent or ameliorate injury to that class of persons;

(etc...)

Pursuant to the authority granted by 28 U.S.C. $ 566, the United States Marshal for the District of Connecticut ("USMS") shall execute and enforce this Order, with the assistance of the Federal Bureau of Investigation ("FBI") if needed, by establishing a substitute server at the Internet Systems Consortium...that will respond to requests addressed to the Coreflood DOmains by issuing instructions that will cause the Coreflood software on infected computers to stop running, subject to the limitation that such instructions shall be issued only to computers reasonably determined to be in the United States.

The Restraining Order gave blanket permission for anything that was using the DNS servers "NS1.CYBERWATCHFLOOR.COM" (204.74.66.143) or "NS1.CYBERWATCHFLOOR.COM" (204.74.67.143) to instead point to Special Agent Kenneth Keller's server 149.20.51.124.

Of course, some people may not want the Department of Justice telling their computer what to do. Because of that possibility, the FBI Press Release offers the option:

The Department of Justice and FBI, working with Internet service providers around the country, are committed to identifying and notifying as many innocent victims as possible who have been infected with Coreflood, in order to avoid or minimize future fraud losses and identity theft resulting from Coreflood. Identified owners of infected computers will also be told how to "opt out" from the TRO, if for some reason they want to keep Coreflood running on their computers.

The Epsilon Phishing Model

2011-04-08T08:17:00.000-07:00

There is a saying "if you give a man a fish, he'll eat for a day, but if you teach a man to fish, he can feed himself for a lifetime."

In the case of the Epsilon email breach the saying might be "if you teach a man to be phished, he'll be a victim for a lifetime."

In order to illustrate my point, let's look at a few of the security flaws in the business model of email-based marketing, using Epsilon Interactive and their communications as some examples.

NOTE: Epsilon has released another Press Release to assure the public that no Personally Identifiable Information was released. The point of this article is not to argue that point, but rather to say there is something flawed in training users to click on links in emails.

Targeted Mailing Lists Help Avoid Detection

One of the advantages to phishers in using destination email addresses from the Epsilon Breach is that it helps keep their emails out of the hands of the security research and anti-phishing communities. Phishers, especially the less-skilled ones, tend to buy or steal large email address lists. Many researchers and anti-phishers (including us!) have managed to get their "spam-trap" email addresses onto those lists, which gives us visibility to spam campaigns. At UAB, as an example, we receive more than a million spam email messages each day. Some of these emails are phishing emails, which we then share with law enforcement and our strategic partners. Using a combination of automated and manual tools, we review tens of thousands of URLs each day to learn the addresses of the criminals new phishing sites. But what if a phisher only sends his phishing email to "confirmed" customer email addresses? This greatly reduces the ability of the anti-phishing community to respond to these phishing sites.

Guaranteed Delivery "From:" Addresses

Another thing a phisher would like to accomplish is to make sure that his message arrives without being blocked. Perhaps his victim is running spam filtering software. What is the first things that would be desirable? He would like his email to be sent from an address that will guarantee delivery. The easiest way to make sure that spam is delivered is to make sure that the "From:" address is in the potential victim's address book. This is why so many email messages arrive with the "from" and "to" addresses being the same. The spammers assume that you will have your own address in your address book, and therefore spam-filtering rules will not be applied to that address.

How else could they do that? Epsilon helpfully instructs their customers to add their email addresses to their address book. If a phisher now imitates those addresses, their email will bypass many phishing filters:

This email was sent to you by Ethan Allen.
Please add ethanallenstyle@email.ethanallen.com to your address book. This will ensure delivery to your inbox.

You are receiving this e-mail because you have requested information about CRESTOR(R) (rosuvastatin calcium) Tablets. Add CRESTOR@email.CRESTOR.com to your address book so future e-mails from us will not be marked as spam.

Add citicards@info.citibank.com to your address book to ensure delivery.

To ensure delivery to your inbox, please add Walgreens@email.walgreens.com to your address book.

This e-mail was sent to you by Eddie Bauer Friends. To ensure delivery to your inbox (not junk or bulk), please add info@eddiebauerfriends.com to your address book.

To ensure receipt of your Red Roof RediCard emails, please add redicard@redroofinn.bfi0.com to your address book.

To ensure receipt of our emails, please add targetdailydeals@targetnewsletter.bfio.com to your Contacts or Address Book.

etc . . .

So if the phisher makes his "from" address one of these "trusted" addresses, what happens?

Teach a man (or woman) to Click

One of the main pieces of advice that security professionals give to audiences and readers when they are speaking or writing about the topic of phishing is DO NOT CLICK ON LINKS IN YOUR EMAIL!

This is exactly the opposite advice that customers in the Epsilon databases receive. Epsilon and other email senders work on the theory of full-visibility communications. They know which email messages they send to which users, and they prove their value to the companies they represent by providing deep intelligence on the "click behavior" of the customers they email on behalf of those companies. Each link in an Epsilon email is customized with a URL that tells Epsilon who clicked on the link.

The whole point of emails from Epsilon is to get customers to click on links! I've truncated the URLs to protect privacy, but here's an example of one from Target. Clicking on this one takes me to their "Daily Deals. One Day Only. Always Free Shipping."

http://target.bfi0.com/145d56598layfousibljoi2iaaaaaaq5mirqsi2bcpuyaaaaa/C?V=bF9pbmRleAEBcHJvZmlsZV9pZAExMTM1MzYzMTY5AXppcF9jb2RlAQFfV0FWRV9JRF8BNjEwODA0MzQ5AV9QTElTVF9JRF8BMjE1NDI2MjUBZ19pbmRleAEBZW1haWxfYWRkcgFnYXJAYXNrZ2FyLmNvbQFfU0NIRF9UTV8BMjAxMTA0MDMxMjAwMDABcHJvZmlsZV9rZXkBMjU4NTkyMDM%3D&k2hXe6YFbcPUoDxGzFz1FA

which means I can get "juniors" denim skinny jeans for $12.49 today only! (which also means my daughter probably gave my email account to Target....hmmmm.....)

Here's a few examples:

Greetings from the National Geographic Online Store!

You are invited to join an exclusive community of individuals interested in National Geographic. As a member, you will...
* Help us choose catalog covers.
* Get sneak peeks at new products we=92re considering.
* Give valuable advice to people at National Geographic who decide what products we should offer.
* Get an insider=92s view of how our catalog and online store help fund the Society's Mission programs in the areas of research,

conservation, exploration, and education.

Click here to join the NG Store Insider panel. http://newsletters.nationalgeographic.com/1####....

Now through April 10, 2011

$50 OFF YOUR PURCHASE OF $250 OR MORE*
ENTER CODE > =

Txx3-4xxxxx-xx3xx2

HAUTE SALE
HURRY, ENDS TODAY!
40% OFF select styles. In-store & online.

http://bebeonline.bebe.com/#####...

Introducing the NY DEAL of the DAY! Extra savings on a must have style! In stores & online. Today only! The Hudson wide leg pant,
only $14.99 today only! Check our homepage every day of this sale for our new DEAL!

Shop now >
http://email.nyandcompany.com/1####...

Today Only! Save 30% at Gap Outlet

To get this coupon, copy and paste this url:
http://mail.goAAA.com/1#####...

------------------------
DAILY DEALS. ALWAYS FREE SHIPPING.
------------------------

Fun, cool stuff at amazing prices, available for one day only.

Shop Now:
http://targetenewsletter.bfi0.com/####...

BBC AMERICA NEWSLETTER
Doctor Who in America for the Very First Time
April 6, 2011
Doctor Who: Brand New Season
The Tardis is hopping the pond and the stakes have never been higher. =

WATCH THE EXTENDED TRAILER
http://bbcamerica.bfi0.com/1####...

The statement for your account ending in 4616 is now available online.
Log in to Online Banking to view your statement and pay your bill.
Please visit
http://email.capitalone.com/1####...

The point of every one of those emails is HEY YOU! CLICK ON THIS LINK!!!

The Warnings & The Future

If you live in the United States and you have ever used a credit card, your inbox is already flooded with Epsilon notices, so I hesitate to show you very many. We've heard of warnings from more than fifty companies, and personally seen the warnings from at least:

1-800-Flowers begin_of_the_skype_highlighting 1-800-Flowers end_of_the_skype_highlighting
Abe Books
AIR MILES Reward Program
Ameriprise Financial
Barclays Bank of Delaware (US Airways Dividend Miles MasterCard, DIRECTV Rewards, iTunes Rewards, LLBean etc... )
Beachbody
Brookstone
Capital One
Citibank (AT&T Universal Card, Exxon Mobile, Home Depot, Shell)
Disney Destinations
Eddie Bauer
Ethan Allen
Hilton Honors
Krogers
Lacoste USA
Marriott
McKinsey Quarterly
M&T Bank
New York & Company
Red Roof Inn
Soccer.com
Target
Tastefully Simple
TD Ameritrade
TIAA-CREF
Tivo
Verizon
World Financial Network National Bank (WFNNB) (Ann Taylor, Catherine's, Chadwick's, Eddie Bauer, Gander Mountain, HSN, Maurice's, Newport News, Peeble's, The RoomPlace, United Retail Group, Victoria's Secret, Woman Within)
Walgreens

The warnings are missing the point of MY warning. All of them assure you that they aren't going to ask you for your personal information, and that your personal information hasn't been lost, "only your email address."

They tell you though NOT TO OPEN EMAILS FROM PEOPLE YOU DON'T KNOW. I don't know anyone named "shellcreditcard@info.accountonline.com" and I certainly don't know anyone named "TargetNews@target.bfio.com"

Of course that also misses entirely the fact that ANYONE can make their "From:" email anything they would like it to be! Email is not a form of trusted communication! So, how does the end-user know that the email really came from a real sender? Its a growing problem. Certain vendors have had luck with certain large mail providers -- for example eBay and Gmail. Because eBay signs all of their outbound email with a "digital signature" and Gmail knows what digital signature eBay uses, Gmail will reject any email that claims to be from eBay but really isn't.

There is a whole association, The Online Trust Alliance, filled with great companies dedicated to trying to fix this problem, but where they stand right now is that acceptance has been limited, and "traditional" email solutions don't come out of the box with the ability to interact richly with these forms of signatures and authentications.

Imagine for example that you are a global brand with more than 500,000 employees. In order to "turn on" digital authentication, you have to make sure that every single email sent by any of your 500,000 employees has a valid "digital signature" that proves the email really came from you! On the other end of the spectrum, if everyone locks down their email clients to only allow emails that are signed and certified, emails from individuals like you and me are likely to be thrown away!

In the meantime, we're stuck with imperfect solutions -- the need of the corporation to get their messages delivered and clicked on -- and the need of the consumer to NOT CLICK on messages that may lead to malware infections.

One-Click Malware - Drive-By Infections

Kaspersky Labs had a recent headline on this topic: Malware in February: Cybercriminals Perfect Drive-By Tactics.

In most of the top reported malware for February, the infection method was to convince a user to click on a link which took them to a "poisoned" webpage -- one on which some hostile code was present that could take advantage of security flaws in the webpage visitor's browser, PDF reader, flash player, or other code to place malware on the visitor's computer. Kasperky's February Report showed more than 70 million times where a Kaspersky customer had tried to visit a website that would have infected their computer if they had not been blocked!

The Warnings in the Epsilon Breaches can't warn you of that though. If they gave you the advice I would give you, they would be saying "Please don't click on the things our marketing department sends you!" which would result in them losing their jobs.

I have to say that the Citibank group of warnings do have a form that I appreciate.

As a means of proving email is REALLY from them, they provide the final four digits of your account number, your name, and the year you joined their card program on all of their official emails. I have to say that I find this very effective.

Unfortunately, yet another problem at Bigfoot/Epsilon ruined my joy on this one for today:

The error tells me "Secure Connection Failed" "images.bigfootinteractive.com:443 uses an invalid security certificate ... This could be a problem with the server's configuration or it could be someone trying to impersonate the server."

It's probably just something wrong as they try to re-issue security certificates related to tightening up their shop, but still it sends the wrong message at a critical time for their company!

Kingpin by Kevin Poulson of WIRED

2011-03-26T23:55:00.000-07:00

I love to read, but it's been quite a long time since I had one of those "books I can't put down" evenings. Tonight was one of those nights. I had been delaying the start of reading "KINGPIN: How one hacker took over the billion-dollar cybercrime underground" not because I thought it would be a book I couldn't put down, but because honestly, I thought I knew the story already.

If you were interested in the hacking scene around the turn of the millenium, you would definitely know the name Max Butler. Max made a name for himself in the IDS world, helping with the earliest days of Snort, and running a database for IDS signatures called arachnIDS. I remember when Max went to jail the first time, chatting with my friend Dan Clemens of PacketNinjas, LLC, who was also into IDS systems and snort in a heavy way, about the arrest. It was troubling to see someone running a website called "WhiteHats.com" and ending up in jail. The version of the story I thought I knew was that Max had been asked by the Feds to help them patch their systems from the BIND bug that was so popular in 1998-1999, but that Max couldn't resist the urge to
put a back door into the patch.

White Hat Hacker in Court - April 13, 2000 - "Open source hacker "Max Vision" aided the FBI while allegedly cracking the Pentagon."

Max Vision: FBI Pawn? - May 8, 2001 - "FBI agents called him 'the Equalizer': a security expert and confessed hacker who infiltrated the electronic underground to help the Bureau. When he drew the line at bugging a friend, they threw the book at him."

Max Vision Begins 18-Month Term - July 5, 2001 - "Intrusion detection guru joins a growing hacker population in federal stir."

All of those stories are by Kevin Poulsen, who has "owned" this story from the very beginning.

The popular theory at the time was that Max had been sent to DefCon and was only charged with his crimes after refusing to be a snitch for the Feds at DefCon. See for instance this conversation thread from 2001, Max Butler AKA Max Vision-Iceman-Aphex Now Retired.

I've spoken to investigators at extremely large companies who actually used Max Butler to test the security of their systems as a Penetration Tester, only learning later that he was actually stealing from them at the same time!

In addition to remembering the story very well from the "old days," I also know the story as a friend of the NCFTA who has had the chance to meet and work with FBI Special Agent Keith Mularski. Keith's work, announced by the FBI in their October 20, 2008 press release, 'Dark Market' Takedown -- Exclusive Cyber Club for Crooks Exposed lead to the arrest of more than 50 cyber criminals who were in the credit card stealing and trading business. (More details on DarkMarket arrests are available from WIRED: Dark Market ring leader pleads guilty in London.

Like the more recent arrest of Albert Gonzales AKA Segvec Max has a long story of helping the Feds and working against them at the same time. Gonzales was a US Secret Service informant against the ShadowCrew, while simultaneously breaching the Heartland Payments systems, TJX, and many other places.

The difference though, was that while Gonzales was a two-timing crook who was playing the system, Max started off as a troubled soul who wanted desperately to be the hero, but couldn't resist the thrill of the hack.

Like I said, I thought I already knew the story. Reading Kevin's book brought out so many details I couldn't possibly have known though. Kevin did a great job getting into the early life of the characters, and exploring the formation of their personalities and motivations. As Kevin reels out the lives of the characters, its clear to see that there were several types of criminals in the stories. His ability to create a sympathetic protagonist out of a criminal who caused $80 Million in credit card fraud is a feat in itself.

This book belongs on the shelf next to Steven Levy's Hackers. If you haven't read it yet, pick a rainy Saturday and start early in the day, you aren't going to be able to stop until you get to the last page.

Order Kingpin from Amazon

Be sure to read more stories by Kevin at WIRED by following his Author Page at Threat Level and elsewhere.

Federal Reserve Spam

2011-03-14T14:43:00.000-07:00

UK Government counts the Cost of Cybercrime

2011-03-12T08:25:00.000-08:00

The British government has released a report on the annual cost of cybercrime to the United Kingdom. The study mechanism seems greatly flawed, in that it relies almost exclusively on published reports and expert opinions, rather than on any structured gathering of information from victims.

The news was announced in the press this week, for example in the Independent.

They came up with a 2010 annual cost of cyber crime of £27 billion (or $43 billion US Dollars). If the costs were projected evenly from the $2.2 trillion UK economy to the $14.1 trillion US economy, that would estimate our own costs of cybercrime at $275 billion (roughly 6.4 times larger economy.) There is no basis to believe that projection is accurate, but the scale is probably similar.

The study was paid for by the OCSIA, the Office of Cyber Security and Information Assurance. It was conducted by Detica, a BAE Systems company.

The full 32 page report is available from the Cabinet Office

They place costs at:

£3.1 billion to citizens with
£1.7 billion in Identity Theft
£1.4 billion to online scams.

£2.2 billion to the government

£21 billion businesses of which:

£9.2 billion in Intellectual Property theft
£7.6 billion in industrial espionage
£2.2 billion in extortion
£1.3 billion from direct theft
£1 billion in costs related to lost customer data

The Intellectual Property theft was certainly not evenly distributed. They put the most likely industries as:

£1.8 billion = pharmaceuticals & biotech
£1.7 billion = electronic & electrical material
£1.6 billion = software & computer services
£1.3 billion = chemicals
£800 million = automobiles & parts
£800 million = non-profits
£400 million = aerospace & defence

The greatest risk in Intellectual Property theft was believed to be untrustworthy insiders who fell to the pressure of bribery.

The Espionage Impact was largely in three areas:

£2.1 billion = financial services
£1.6 billion = mining
£1.3 billion = aerospace and defence
£900 million = software & computer services

More ACH Spam from NACHA

2011-03-11T10:48:00.000-08:00

While we wait for the Japanese Earthquake scams to begin, we noticed another on-going spam campaign. We wrote about the ACH Transaction Rejected spam back in February, but another round is active, with another 350+ freshly registered domains.

The body of the email this time around reads:

The ACH transfer (ID: 65388185980), recently sent from your checking account (by you or any other person), was cancelled by the other financial institution.

Please click here (link) to view details

If you have any questions or comments, contact us at info@nacha.org. Thank you for using http://www.nacha.org.

/This messages is intended for use by addressee only and may contain privileged and confidential information. If you are not the intended recipient, dissemination of this communication is prohibited. If you have received this communication in error, please delete all copies of the message and attachments and notify the sender immediately. /

The spam has one of the following ten subject lines:

ACH payment canceled
ACH payment rejected
ACH transaction canceled
ACH Transfer canceled
ACH transfer rejected
Rejected ACH payment
Rejected ACH transaction
Rejected ACH transfer
Your ACH transaction
Your ACH transfer

Each claims to be from "nacha.org" - the National Automated Clearing House Association - the people who handle electronic payments between banks.

The from addresses are:

ach@nacha.org
admin@nacha.org
alert@nacha.org
alerts@nacha.org
info@nacha.org
payment@nacha.org
payments@nacha.org
risk@nacha.org
risk_manager@nacha.org
transactions@nacha.org
transfers@nacha.org

Here are the domain names we are seeing this time around. I haven't checked all of them, but the ones I checked were GoDaddy. (GoDaddy and Affilias have been notified, and many of the domains are already disabled.)

machine
-----------------------------------
ACHDESCRIBES.INFO
ACH-DETAILS-EMERGE.INFO
ACHDETAILSEMERGE.INFO
ACH-DETAILS.INFO
ACHDETAILS.INFO
ACH-DETAILS-MAGAZINE.INFO
ACHDETAILSMAGAZINE.INFO
ACHDETAILSNOW.INFO
ACHDETAILSONLINE.INFO
ACHDETAILSSHOP.INFO
ACHDETAILSSITE.INFO
ACHDETAILSSTORE.INFO
ACHDETAILSTODAY.INFO
ACHELEMENTS.INFO
ACH-INFORMATION-ARCHITECTURE.INFO
ACHINFORMATIONASSURANCE.INFO
ACHINFORMATIONBLOG.INFO
ACH-INFORMATION.INFO
ACHINFORMATION.INFO
ACHINFORMATIONLITERACY.INFO
ACHINFORMATIONNOW.INFO
ACHINFORMATIONONLINE.INFO
ACH-INFORMATION-SCIENCES.INFO
ACHINFORMATIONSCIENCES.INFO
ACH-INFORMATION-SHARING.INFO
ACHINFORMATIONSHARING.INFO
ACHINFORMATIONSHOP.INFO
ACHINFORMATIONS.INFO
ACHINFORMATIONSITE.INFO
ACHINFORMATIONSTORE.INFO
ACHINFORMATIONTODAY.INFO
ACHINFORMATIONWARFARE.INFO
ACHINFORMS.INFO
ACHREPORTBLOG.INFO
ACH-REPORT-CARD.INFO
ACHREPORTCARD.INFO
ACH-REPORT-CARDS.INFO
ACHREPORTCARDS.INFO
ACH-REPORT-COVERS.INFO
ACHREPORTCOVERS.INFO
ACH-REPORT.INFO
ACHREPORT.INFO
ACHREPORTNOW.INFO
ACHREPORTONLINE.INFO
ACHREPORTSHOP.INFO
ACHREPORTS.INFO
ACHREPORTSITE.INFO
ACHREPORTSTORE.INFO
ACHREPORTTODAY.INFO
ACHREVIEW.INFO
ATRANSFERADMISSION.INFO
ATRANSFERAGENT.INFO
ATRANSFERAPPLICANTS.INFO
A-TRANSFERBLOG.INFO
ATRANSFERFILES.INFO
ATRANSFERGUIDES.INFO
ATRANSFER.INFO
A-TRANSFERNOW.INFO
A-TRANSFERONLINE.INFO
ATRANSFERPRICING.INFO
ATRANSFERREQUEST.INFO
A-TRANSFERSHOP.INFO
A-TRANSFERS.INFO
A-TRANSFERSITE.INFO
A-TRANSFER-STATION.INFO
ATRANSFERSTATION.INFO
A-TRANSFERSTORE.INFO
A-TRANSFERTODAY.INFO
B-ACH-ACCOUNTS.INFO
BACHACCOUNTS.INFO
B-ACHBLOG.INFO
B-ACH.INFO
B-ACHNOW.INFO
B-ACHONLINE.INFO
B-ACH-PAYMENT.INFO
BACHPAYMENT.INFO
B-ACH-PAYMENTS.INFO
BACHPAYMENTS.INFO
B-ACHSHOP.INFO
B-ACHS.INFO
B-ACHSITE.INFO
B-ACHSTORE.INFO
B-ACHTODAY.INFO
B-ACH-TRANSACTIONS.INFO
BACHTRANSACTIONS.INFO
BESTACHDETAILS.INFO
BESTACHINFORMATION.INFO
BESTACHREPORT.INFO
BESTA-TRANSFER.INFO
BESTB-ACH.INFO
BESTD-PAYMENT.INFO
BESTG-PAYMENT.INFO
BESTP-ACH.INFO
BESTQ-ACH.INFO
BESTQ-PAYMENT.INFO
BESTQ-TRANSFER.INFO
BESTR-TRANSFER.INFO
BESTT-TRANSFER.INFO
BESTV-ACH.INFO
BESTW-ACH.INFO
BESTZ-PAYMENT.INFO
D-PAYMENTBLOG.INFO
D-PAYMENT.INFO
DPAYMENT.INFO
DPAYMENTMETHOD.INFO
DPAYMENTMETHODS.INFO
D-PAYMENTNOW.INFO
D-PAYMENTONLINE.INFO
DPAYMENTOPTION.INFO
DPAYMENTPROCESSING.INFO
DPAYMENTPROCESSOR.INFO
D-PAYMENTSHOP.INFO
D-PAYMENTS.INFO
D-PAYMENTSITE.INFO
DPAYMENTSOLUTION.INFO
DPAYMENTSOLUTIONS.INFO
D-PAYMENTSTORE.INFO
DPAYMENTTERMINAL.INFO
D-PAYMENTTODAY.INFO
DPAYMENTTRANSACTION.INFO
ELECTRONIC-ACH-DETAILS.INFO
ELECTRONICACHDETAILS.INFO
ELECTRONIC-ACH-REPORT.INFO
ELECTRONICACHREPORT.INFO
FREEACHDETAILS.INFO
FREEACHINFORMATION.INFO
FREEACHREPORT.INFO
FREEA-TRANSFER.INFO
FREEB-ACH.INFO
FREED-PAYMENT.INFO
FREEG-PAYMENT.INFO
FREEQ-ACH.INFO
FREEQ-PAYMENT.INFO
FREEQ-TRANSFER.INFO
FREER-TRANSFER.INFO
FREET-TRANSFER.INFO
FREEV-ACH.INFO
FREEW-ACH.INFO
FREEZ-PAYMENT.INFO
G-PAYMENTBLOG.INFO
G-PAYMENT.INFO
GPAYMENT.INFO
GPAYMENTMETHOD.INFO
GPAYMENTMETHODS.INFO
G-PAYMENTNOW.INFO
G-PAYMENTONLINE.INFO
GPAYMENTPROCESSING.INFO
GPAYMENTPROCESSOR.INFO
G-PAYMENTSHOP.INFO
G-PAYMENTS.INFO
G-PAYMENTSITE.INFO
GPAYMENTSOLUTIONS.INFO
G-PAYMENTSTORE.INFO
GPAYMENTTERMINAL.INFO
G-PAYMENTTODAY.INFO
GPAYMENTTRANSACTION.INFO
MASTER-P-ACH.INFO
MASTERPACH.INFO
MYACHDETAILS.INFO
MYACHINFORMATION.INFO
MYACHREPORT.INFO
MYA-TRANSFER.INFO
MYB-ACH.INFO
MYD-PAYMENT.INFO
MYG-PAYMENT.INFO
MYP-ACH.INFO
MYQ-ACH.INFO
MYQ-PAYMENT.INFO
MYQ-TRANSFER.INFO
MYR-TRANSFER.INFO
MYT-TRANSFER.INFO
MYV-ACH.INFO
MYW-ACH.INFO
MYZ-PAYMENT.INFO
NEWACHDETAILS.INFO
NEWACHINFORMATION.INFO
NEWACHREPORT.INFO
NEWA-TRANSFER.INFO
NEWB-ACH.INFO
NEWD-PAYMENT.INFO
NEWG-PAYMENT.INFO
NEWP-ACH.INFO
NEWQ-ACH.INFO
NEWQ-PAYMENT.INFO
NEWQ-TRANSFER.INFO
NEWR-TRANSFER.INFO
NEWT-TRANSFER.INFO
NEWV-ACH.INFO
NEWW-ACH.INFO
NEWZ-PAYMENT.INFO
P-ACH-ACCOUNTS.INFO
PACHACCOUNTS.INFO
P-ACHBLOG.INFO
P-ACH.INFO
P-ACHNOW.INFO
P-ACHONLINE.INFO
P-ACH-PAYMENT.INFO
PACHPAYMENT.INFO
P-ACH-PAYMENTS.INFO
PACHPAYMENTS.INFO
P-ACHSHOP.INFO
P-ACHS.INFO
P-ACHSITE.INFO
P-ACHSTORE.INFO
P-ACHTODAY.INFO
P-ACH-TRANSACTIONS.INFO
PACHTRANSACTIONS.INFO
Q-ACH-ACCOUNTS.INFO
QACHACCOUNTS.INFO
Q-ACHBLOG.INFO
Q-ACH.INFO
QACH.INFO
Q-ACHNOW.INFO
Q-ACHONLINE.INFO
Q-ACH-PAYMENT.INFO
QACHPAYMENT.INFO
Q-ACH-PAYMENTS.INFO
QACHPAYMENTS.INFO
Q-ACHSHOP.INFO
Q-ACHS.INFO
Q-ACHSITE.INFO
Q-ACHSTORE.INFO
Q-ACHTODAY.INFO
Q-ACH-TRANSACTIONS.INFO
QACHTRANSACTIONS.INFO
Q-PAYMENTBLOG.INFO
Q-PAYMENT.INFO
QPAYMENTMETHOD.INFO
QPAYMENTMETHODS.INFO
Q-PAYMENTNOW.INFO
Q-PAYMENTONLINE.INFO
QPAYMENTOPTION.INFO
QPAYMENTPROCESSING.INFO
QPAYMENTPROCESSOR.INFO
QPAYMENTSCHEDULE.INFO
Q-PAYMENTSHOP.INFO
Q-PAYMENTS.INFO
Q-PAYMENTSITE.INFO
QPAYMENTSOLUTION.INFO
QPAYMENTSOLUTIONS.INFO
Q-PAYMENTSTORE.INFO
QPAYMENTTERMINAL.INFO
Q-PAYMENTTODAY.INFO
QPAYMENTTRANSACTION.INFO
QTRANSFERADMISSION.INFO
QTRANSFERAGENT.INFO
QTRANSFERAPPLICANTS.INFO
Q-TRANSFERBLOG.INFO
QTRANSFERFILES.INFO
QTRANSFERGUIDES.INFO
Q-TRANSFER.INFO
QTRANSFER.INFO
Q-TRANSFERNOW.INFO
Q-TRANSFERONLINE.INFO
QTRANSFERPRICING.INFO
QTRANSFERREQUEST.INFO
Q-TRANSFERSHOP.INFO
Q-TRANSFERS.INFO
Q-TRANSFERSITE.INFO
Q-TRANSFER-STATION.INFO
QTRANSFERSTATION.INFO
Q-TRANSFERSTORE.INFO
Q-TRANSFERTODAY.INFO
RTRANSFERADMISSION.INFO
RTRANSFERAGENT.INFO
RTRANSFERAPPLICANTS.INFO
R-TRANSFERBLOG.INFO
RTRANSFERFILES.INFO
RTRANSFERGUIDES.INFO
R-TRANSFER.INFO
RTRANSFER.INFO
R-TRANSFERNOW.INFO
R-TRANSFERONLINE.INFO
RTRANSFERPRICING.INFO
RTRANSFERREQUEST.INFO
R-TRANSFERSHOP.INFO
R-TRANSFERS.INFO
R-TRANSFERSITE.INFO
R-TRANSFER-STATION.INFO
RTRANSFERSTATION.INFO
R-TRANSFERSTORE.INFO
R-TRANSFERTODAY.INFO
TERMINAL-B-ACH.INFO
TERMINALBACH.INFO
THEACHDETAILS.INFO
THEACHINFORMATION.INFO
THEACHREPORT.INFO
THEA-TRANSFER.INFO
THEB-ACH.INFO
THED-PAYMENT.INFO
THEG-PAYMENT.INFO
THEP-ACH.INFO
THEQ-ACH.INFO
THEQ-PAYMENT.INFO
THEQ-TRANSFER.INFO
THER-TRANSFER.INFO
THET-TRANSFER.INFO
THEV-ACH.INFO
THEW-ACH.INFO
THEZ-PAYMENT.INFO
TTRANSFERADMISSION.INFO
TTRANSFERAGENT.INFO
TTRANSFERAPPLICANTS.INFO
T-TRANSFERBLOG.INFO
TTRANSFERFILES.INFO
TTRANSFERGUIDES.INFO
TTRANSFER.INFO
T-TRANSFERNOW.INFO
T-TRANSFERONLINE.INFO
TTRANSFERPRICING.INFO
TTRANSFERREQUEST.INFO
T-TRANSFERSHOP.INFO
T-TRANSFERS.INFO
T-TRANSFERSITE.INFO
T-TRANSFER-STATION.INFO
TTRANSFERSTATION.INFO
T-TRANSFERSTORE.INFO
T-TRANSFERTODAY.INFO
V-ACH-ACCOUNTS.INFO
VACHACCOUNTS.INFO
V-ACHBLOG.INFO
V-ACH.INFO
V-ACHNOW.INFO
V-ACHONLINE.INFO
V-ACH-PAYMENT.INFO
VACHPAYMENT.INFO
V-ACH-PAYMENTS.INFO
VACHPAYMENTS.INFO
V-ACHSHOP.INFO
V-ACHS.INFO
V-ACHSITE.INFO
V-ACHSTORE.INFO
V-ACHTODAY.INFO
V-ACH-TRANSACTIONS.INFO
VACHTRANSACTIONS.INFO
W-ACH-ACCOUNTS.INFO
WACHACCOUNTS.INFO
W-ACHBLOG.INFO
W-ACH.INFO
W-ACHNOW.INFO
W-ACHONLINE.INFO
W-ACH-PAYMENT.INFO
WACHPAYMENT.INFO
W-ACH-PAYMENTS.INFO
WACHPAYMENTS.INFO
W-ACHSHOP.INFO
W-ACHS.INFO
W-ACHSITE.INFO
W-ACHSTORE.INFO
W-ACHTODAY.INFO
WACHTRANSACTIONS.INFO
WARRENGPAYMENT.INFO
ZPAYMENTARRANGEMENT.INFO
Z-PAYMENTBLOG.INFO
ZPAYMENTCARD.INFO
ZPAYMENTCARDS.INFO
ZPAYMENTDATES.INFO
ZPAYMENTDEADLINE.INFO
ZPAYMENTDEFINITION.INFO
ZPAYMENTINSTRUMENTS.INFO
ZPAYMENTLOCATIONS.INFO
Z-PAYMENTONLINE.INFO
ZPAYMENTPLATFORM.INFO
ZPAYMENTPROTECTION.INFO
Z-PAYMENTSHOP.INFO
Z-PAYMENTS.INFO
Z-PAYMENTSITE.INFO
Z-PAYMENTSTORE.INFO
Z-PAYMENTTODAY.INFO

ENISA on Botnets - Ten Tough Questions

2011-03-10T08:37:00.000-08:00

Yesterday was the beginning of the "Workshop on Botnet Detection, Measurement, Disinfection & Defence" in Cologne, Germany. ( agenda here )

The tracks for Wednesday were "Anti-Botnet Policy Initiatives" and "Legal and Regulatory Issues" both featuring panelists from the Council of Europe and NATO.

Today's tracks included "Anti-Botnet Policy Initiatives Part 2," "State of the Art on Measurements, Countermeasures, and Botnets," "Industry View on Fighting Botnets," "Research and Academia on Fighting Botnets." Some great speakers are on the agenda, including Peter Kruse and Dennis Rand from CSIS Security Group, Mikko Hypponen from F-Secure, and Vitaly Kamluk from Kaspersky.

Two significant documents were released at the conference this morning that pretty much need to go on the Must Read list for anyone interested in Botnets:

Botnets: Detection, Measurement, Disinfection & Defence

After a keynote address by Professor Dr. Udo Helmbrecht, the executive director of ENISA (European Network and Information Security Agency), Daniel Plohmann and Dr. Giles Hogben shared a presentation of ENISA's 154 page document called "Botnets: Detection, Measurement, Disinfection & Defence", editor Dr. Giles Hogben, which you may find on their website here:

http://www.enisa.europa.eu/act/res/botnets/botnets-measurement-detection-disinfection-and-defence

The document calls attention to the highest priorities that we should collectively address:
- Mitigation of existing botnets
- Prevention of new infections
- Minimizing the profitability of botnets and cybercrime

In the first of these, there is a call for a new model of engaging, encouraging, and incentivizing Internet Service Providers to be an asset in the botnet fight. Current business models and in some cases current laws both reduce the effectiveness of ISPs in helping to fight botnets. Other MITIGATION issues encourage improved botnet identification and monitoring, increased information sharing, and bringing cybercrime laws into harmony internationally. Other advice had to do with making sure the entire botnet can be killed before attempting a "partial shutdown."

Under the PREVENTION category, public awareness, and improvements to software defenses are encouraged.

Under the PROFITABILITY category, it is necessary to improve anti-fraud mechanisms, and to address the social level of the crimes rather than only the technological level, by increasing deterrence through tougher prosecution and sentencing of offenders.

Specific guidance is provided for Regulators, End-users, Research Institutions, and
any information holders.

With regards to the Research Institutions, the recommendation was that they should be "more strongly integrated, and where appropriate, empowered in the fight against botnets. Research should focus on techniques which can be implemented in large-scale operations environments subject to typical cost constraints. They should be supported in studying methods for the detection of botnets and the analysis of malware, in order to provide efficient tools to reduce the reaction time when dealing with complex and sophisticated malware threats. As the results of research may be of interest for ongoing investigations, the process of publishing these results should reflect the responsibility associated with them." (extracted from the Executive Summary, p. 7)

Towards that end, I want to mention that the Anti-Phishing Working Group is trying to encourage this level of interaction between Researchers, Law Enforcement, and Industry through events such as next week's "eCrime Researchers Sync-Up." My colleague, Kent Kerley, and I will be attending from the University of Alabama at Birmingham to work on building these international relationships, not just among EU nations, but around the world. APWG sponsors the eCrime Researchers Summit, the eCrime Operations Summit, and now the eCrime Researchers Sync-up to try to encourage exactly the types of interactions described in this report. To learn more about APWG events, visit the APWG eCrime Research page.

Botnets: Ten Tough Questions

Second, ENISA's document called "Botnets: 10 Tough Questions" which is an 18 page summary of some of the major issues facing us regarding Botnets.

Botnets: Ten Tough Questions.

The Ten Tough Questions document is described as a document that "distills the major issues which need to be understood and addressed by decision-makers in all groups of stakeholders."

Here's a list of the Questions to whet your appetite. I highly recommend consuming both documents!

Q1. How much trust to put in published figures?

Q2. What are the main challenges associated with jurisdiction?

Q3. What should be the main role of the EU/National Governments?

Q4. Which parties should take which responsibilities?

Q5. Where to invest money most efficiently?

(HINT! EDUCATION AND RESEARCH!!)

Q6. What are key incentives for cooperative information sharing?

Q7. What are key challegnes for cooperative information sharing?

Q8. Are there unseen/undetected botnets?

Q9. Which aspects are still missing in the fight against botnets?

Q10. What are future trends?

Ghostmarket Carders Sentenced in UK

2011-03-09T14:08:00.001-08:00

Back in November we ran a story Schoolboy Hackers steal $18 Million regarding the case against the operators of the online credit card trading forum known as Ghostmarket. Today's post is just a quick follow-up to share details of their sentences from New Scotland Yard.

The defendants had harvested more than 130,000 compromised credit card numbers, and had successfully installed Zeus on more than 15,000 computers in 150 countries, gathering more than 4 million lines of data from the compromised computers.

The Metropolitan Police of London sentenced the Ghostmarket criminals on March 2, 2011, as they share in this Press Release.

An audio clip by Detective Inspector Colin Wetherill explains the accomplishment.

[A] Gary Paul Kelly, 21 (14.04.89) unemployed of Clively Avenue, Clifton, Swinton, Manchester -- sentenced to Five Years

Kelly was arrested on November 3, 2009 as a result of a search warrant of his home. Detectives were able to build a working copy of the GhostMarket forum from the database files recovered from Kelly's PC.

[B] Nicholas Webber, 19 (10.10.91) a student of Cavendish Road, Southsea; -- sentenced to Five Years

[C] Ryan Thomas, 18 (8.7.92) a web designer of Howard Road, Seer Green, Beaconsfield, Herts; -- sentenced to Four Years

Webber and Thomas were arrested on October 12, 2009 while partying in a five star London hotel, paid for with stolen credit cards. A big hint that they may be associated with the crime of carding and the GhostMarket website was that both were in possession of GhostMarket business cards in their name, calling the site "A new era in virtual marketing" and stating "I'm a carder, ask about me..."

After being released on bail, the pair were rearrested at the Gatwick airport on January 29, 2010 as they returned from a trip to Palma, Majorca.

[D] Shakira Ricardo, 21 (14.11.89) unemployed of Flat 13, J Shed, Kings Road, Swansea SA1; -- sentenced to 18 Months.

A fifth defendant, Samantha Worley, pleaded guilty earlier and received a sentence of 200 hours community service.

Full details of the charges against the five are available from The Metropolitan Police of London

"ACH Transaction Rejected" payments lead to Zeus

2011-02-25T02:52:00.000-08:00

Anonymous DDOSers Arrested and Searched

2011-01-30T05:13:00.000-08:00

Back in December we shared a couple blog stories about a cyber attack being called Operation Payback. In the first, Internet Anarchy: Anonymous Crowds Flex Their Muscles I discussed with UAB Justice Sciences Chair, John Sloan, some of the sociology behind these actions, especially the ideas of Diffuse Crowds and Convergence Theory. In the second article, Operation Payback Origins we dug deeper into the activities of the group behind Operation Payback, a group tied back to the internet forums at 4Chan who call themselves Anonymous. On Friday, the FBI and other law enforcement agencies around the world began to show their hand.

In a January 27th FBI press release, the FBI announced that they had conducted forty search warrants around the country to gain evidence to identify some of the key US-based actors behind the DDOS attacks. They also revealed that IDS signatures had been shared with many of the key Internet Service Providers in the country to help them identify which of their subscribers were using a DDOS attack tool called LOIC. The press release contained a warning as well:

The FBI also is reminding the public that facilitating or conducting a DDoS attack is illegal, punishable by up to 10 years in prison, as well as exposing participants to significant civil liability.

The LOIC, or Low Orbit Ion Cannon, is a tool reminiscent of the tools distributed during the controversy surrounding the Iranian Elections. We wrote about those in an article called Armchair CyberWarriors, Twitter, and the Iran Election. In the DDOS tools of ancient days (five to ten years ago -- "ancient" in Internet years), DDOS attacks were performed primarily by hacking many home computers to form a botnet, and then instructing those computers to overwhelm a target by generating massive amounts of traffic towards that target. These attacks are called a "Distributed Denial of Service" attack, or DDOS. What changed with Iran was that many individuals were being invited to join the attack by intentionally installing DDOS software on their machines.

So, who are the forty FBI search warrants served against? We won't know for a while. In the United States, a search warrant is an investigative tool, used upon demonstration of "probable cause" to gather further information that will be used to create an indictment. While law enforcement agencies typically do not identify who search warrants have been served upon, it is quite often the case, especially in protests such as this, that those served may choose to share that information to begin rallying public support for their upcoming case. If the search warrant and other information gathered provides sufficient evidence to conclusively identify a criminal and document the crimes they have performed, the law enforcement agency will ask the prosecutor's office for an indictment. (In Federal cases, this would be a prosecutor at a United States Attorney's Office, usually chosen because a significant victim or a significant number of victims are located in their jurisdiction.) Even once the indictment has been issued, it is not unusual for the indictment to be "sealed" until the accused are arrested and have had a chance to appoint an attorney and to be "arraigned" when their charges are formally presented to them in a court setting. In some other countries, such as England, the law enforcement agencies are not allowed to name the accused so early in the case.

Speaking of England, they executed their own action against the Anonymous DDOSers of Operation Payback this week. The UK's Metropolitan Police released a statement about the arrests that shared the following details:

Detectives from the Metropolitan Police Service's Police Central e-Crime Unit (PCeU) have arrested five people in connection with offences under the Computer Misuse Act 1990. The five males aged, 15, 16, 19, 20 and 26, are being held after a series of coordinated arrests at residential addresses in the West Midlands, Northants, Herts, Surrey and London at 07:00hrs today (27 January).

Anonymous responded in an Open Letter to the UK Police saying

Not only does it reveal the fact that you do not seem to understand the present-day political and technological reality, we also take this as a serious declaration of war from yourself, the UK government, to us, Anonymous, the people.

and continuing:

So our advice to you, the UK government, is to take this statement as a serious warning from the citizens of the world. We will not rest until our fellow anon protesters have been released.

These were not the first DDOSers arrested in this case. The Dutch were the first to make an arrest. First, one of the AnonOps spokespersons screwed up and left their name embedded in a PDF that they used for a press release. Alex Tapanaris and his website both disappeared the same day, as reported by Open Topic which shares a PDF showing the properties and the text of that press release. The website "TorrentFreak" posted speculations about the online monicker of the next Dutch hacker, also arrested back on December 10th. These arrests lead the AnonOps attackers (Anonymous Operations = AnonOps) to then attack the Dutch Ministry of Justice.

How This Will Go Down

Obviously no one can say exactly how these cases will go down, but a brief look at history should help the current miscreants understand what they are likely to face.

AnonOps conveniently forgets to tell people about others in their little cyber protest army who have been arrested for DDOS attacks in the past. Dmitry Guzner, age 19, was the first. New Jersey-based Dmitry Guzner received a 366 day sentence for his involvement in DDOS attacks sponsored by 4Chan's Anonymous against the Church of Scientology. Right on his heels was Brian Thomas Mettenbrink of Grand Island, Nebraska. Brian pleaded guilty to also being involved in the DDOS, and as part of his guilty plea "only" received a one year sentence. (Thanks to @lconstantin of Softpedia for reminding us of those prior examples.)

To put this in perspective, that's two hackers getting a year in jail each for attacking the Church of Scientology and causing "approximately $5,000 in damages." How much do you suppose the damage was for taking Mastercard and Visa offline?

Those who are choosing to involve themselves in this criminal behavior should take a look at the record of those who have gone before them before choosing to pick up their own criminal records.

Here's some more reading for those interested in becoming criminals, spending a year in prison, and paying between $20,000 and $37,000 of their own money by participating in an AnonOps DDOS:

Dmitriy Guzner's Guilty Plea

Dmitriy Guzner's Sentencing Documents

Brian Mettenbrink's Indictment

Brian Mettenbrink's Guilty Plea

Brian Mettenbrink's Sentencing Memo

Brian Mettenbrink's Sentencing documents, Attachments A-E including Brett having to pay the $20,000 fee that Scientology paid to Prolexic for DDOS protection.

Got Updates?

As we learn more about the forty search warrants from public sources, we'll add them here.

The Atlanta Progressive News shares that one of the Search warrants was executed at a Georgia Tech Dorm room belonging to Zhiwei "Jack" Chen.

Drifters Bar in Dixon Illinois was also searched during this investigation. The bar's computer was disassembled and the hard drive imaged, but it is believed the computer sought probably belonged to a patron who was taking advantage of the free WiFi to participate in Operation Payback.

The Guardian reveals that the UK 20 year old mentioned above is Chris Wood, who uses the AnonOps alias ColdBlood.

2010 CyberCrime & Doing Time: Year In Review

2011-01-01T10:20:00.000-08:00

As we look back on 2010, I'd like to thank our 132,325 Visitors who read more than 214,000 stories on the blog which is a bit more than a 10% increase over our 2009 readership. I thought it might be interesting to go through the year month by month and review what stories were most interesting to our readers, based on the number of times each article was read.

May

I actually didn't blog in May between grading finals and getting ready for several firsts at UAB, including our first Computer Foreniscs Camp for high schoolers, and our first National Science Foundation Research Experiences for Undergraduates in Cybercrime Investigations.

(Note: We are already taking applications for the UAB Crime REU which has three tracks, Criminal Justice, Forensic Science, and Computer Forensics. If you know an undergrad with a passion for Cybercrime investigation who would like to earn $450 per week, plus room and board, have them follow that link for an application!)

So, instead of giving you a CyberCrime & Doing Time story, let's look at MY favorite Security Blog, Krebs On Security.com.

My top story in May was probably the Fraud Bazaar Carders.cc Hacked.

June

Anna Chapman and Mikhail Semenko vs. the FBI

Pro-Gaza Hackers Target Israeli Websites

IRS Malware: "Notice of Underreported Income" spam

Four Russian Spay Couples (& Two Solo Acts)

Russian Spies - Tradecraft and Follow the Money

178 International Credit Card Fraudsters Arrested

July

PakBugs Hackers Arrested

Stealing $10 Million, 20 cents at a time

The Future of Cyber Attack Attribution

ICE Operation In Our Sites

August

New Facebook Attack gives a One-Two Punch

Major Fraud Ring Busted in Largest Chinese Cybercrime Operation

September

17 Zeus Money Mules wanted by New York FBI

"Here You Have" spam spreads email worm

"Here You Have" Hype & Electronic Jihad

October

FBI's Operation ACHing Mule

November

Lin Mun Poo: Hacker of the Federal Reserve Bank and . . . ?

USAA Phish: Avalanche Uses many "Redirectors"

Another M00P Group Member Arrested

December

Oleg Nikolaenko, Mega-D Botmaster, to Stand Trial

Operation: Payback Origins

Internet Anarchy: Anonymous Crowds Flex Their Muscles

36 Million Americans Buy Drugs Online -- Illegally!

2010-12-23T05:23:00.000-08:00

On December 14th, the White House Intellectual Property Health and Safety Forum was held by Victoria Espinel, the first U.S. Intellectual Property Enforcement Coordinator (IPEC) appointed by President Obama.

Intellectual Property Rights Advancement under President Obama

In June the IPEC released the Joint Strategic Plan on Intellectual Property Enforcement, which was released by Victoria's office, with support from the Departments of Agriculture, Commerce, Health & Human Services, Homeland Security, Justice, State, and the Executive Office of the President. One of the strategic parts of that plan was "Identify Foreign Pirate Websites as Part of the Special 301 Process."

The United States Trade Representative is required by Section 182 of the Trade Act of 1974 (Title 19 USC 2242) to produce an annual review of the global state of intellectual property rights, which is called the "Special 301 Report." One portion of that annual review is the "Notorious Markets List." Listed in the 2010 Special 301 Report as Notorious Markets are Baidu (China) for music piracy, TaoBao (China) and Alibaba (China) for game piracy, TV Ants (China) for sporting event piracy, AllofMP3.com (Russia) for music piracy, Webhards (Korea) for many types of illegal content,

In the December 14th forum, the focus was not so much on "general" Intellectual Property or piracy, but Intellectual Property rights violations that have the capacity to impact the health and safety of Americans.

This focus area, especially with regards to the Internet portion, has been under development for several months, with President Obama calling for a meeting between ICANN and other stakeholders back in September. See Obama seeks action on online pharmacies domain names as reported by the Securing Pharma website. This action expands from a previous report back in May by LegitScript, a company working to verify online pharmacies. After blasting the industry in general, and eNom in specific, for failing to respond to domain names registered through their company, (See Knujon report: Audit of the gTLD Internet Structure, Evaluation of COntractual Compliance and Review of Illicit Activity by Registrars, and the LegitScript/Knujon report: Rogues and Registrars: Are some Domain Name Registrars safe havens for Internet Drug rings?), eNom came full circle and entered an agreement September 21, 2010 with LegitScript and the National Association of Boards of Pharmacies to ensure that rogue pharmacies are not able to use eNom to register their domain names. (The criminals responded to this news by registering hundreds of horrible porn and bestiality websites using the name and contact information of LegitScript founder John Horton, as reported by Brian Krebs.)

The Forum

In case you missed it, CNN Image Source has a One hour video of the panel, chaired by Victoria Espinel. What a panel - Attorney General Eric Holder, DHS secretary Janet Napolitano, and John Morton, Director of Immigration and Customs Enforcement.

"We need more data to inform our policies and ensure that we are making smart decisions."

"The Alliance for Safe Online Pharmacies estimate that there are between 30,000 and 40,000 active online drug sellers operating at any one time."

(09:43:35)"The Partnership at Drugfree.org announced the results of a suvey of consumers of online drug purchasing behavior. The survey's results? 1 in 6 adults, approximately 16% of adult population have bought or currently buy medications online without a doctor's prescription."

The report was sponsored by the Alliance for Safe Online Pharmacies and sponsored by The Partnership at Drugfree.org.

The survey was conducted by CARAVAN Survey. 1,015 adults were contacted by telephone from November 4-7, 2010. The margin of error is +/- 3%.

(09:45:30) A group of founding private sector partners announced today that they will form a non-profit to work with each other and the US Government to rid the Internet of illegal online pharmacies. Today they have issued priniciples that will guide those efforts.

(09:46:00) The list of eleven companies participating in the initiative was invited to stand and be recognized: American Express, eNom, Go Daddy, Google, Mastercard, Microsoft, Neustar, Network Solutions, PayPal, Visa, and Yahoo!

In case any of them are reading this, UAB Computer Forensics Research Laboratory is ready, willing, and able to help!

The next speaker was Attorney General Eric Holder, who has posted a transcript of his remarks on the Department of Justice website. He pledged his support to the Strategic Plan, and shared some recent successes, including a counterfeit cancer drugs case in August, a Texas case involving he seizure of 6,000 counterfeit pills that actually contained ground-up sheetrock as an ingredient, and a groundbreaking $100 million case in Richmond Virginia. (That last would be the case against Chong Lam, and Siu Yung Chan, who were found guilty on June 11. They were arrested back in January 2008 for smuggling more than 300,000 counterfeit handbags from China. Eric Yuen was actually found not guilty.

Holder was praised during his introduction for re-establishing the DOJ Intellectual Property Task Force, which he announced in February 2010.

Secretary Napolitano spoke next (09:59:40), stressing that both CBP and ICE are seizing more counterfeit goods than ever (seizures increased 97% over 2009), and pledging support for IPEC's Strategic Plan. The National Intellectual Property Rights Coordination Center (which I was able to visit December 7th, and which I blogged about recently regarding their Cyber Monday Operation in Our Sites enforcements.) ICE initiated more than 1,000 IPR cases in 2010, and criminal charges increased 79% over 2009. DHS also participated in Operation Pangea and Operation Mercury this year, coordinated through the World Customs Organization. Her full remarks are transcribed by LexisNexis.

John Morton, whose full title is "Assistant Secretary of Homeland Security for Immigration and Customs Enforcement", also has his remarks transcribed thanks to LexisNexis. He stressed that we needed to speak in plain English and get our message out, and the message is that "counterfeiting spells trouble for America." It robs Americans of jobs, innovation, and creativity. It is organized crime, and creates a risk of harm to consumers. He mentioned counterfeit toothpaste, heart medicine, and air bags, and discussed counterfeit engine parts and ball bearings, not just in cars, but in aircraft with GE Engines. Fake kevlar in Iraq, fake baby formula, fake CISCO routers, and counterfeit Christmas lights were also on his list. One case he went deeper on was the Kevin Xu case in Houston that AG Holder also mentioned.

Xu imported more than $9 million in counterfeit medicines, including Plavix (heart medicine), Casodex (cancer medicine) and Zyprexa (schizophrenia and bipolar medicine). He was arrested in 2007 and sentenced in January 2009 to 78 months and $1.28 million in restitution. Xu was arrested when he flew to Chicago to meet with undercover agents. Forensic Chemists working for the FDA determined that his drugs had less of the active ingredient than claimed on the label and had countless impurities of unknown origin. Some of the drugs had no active ingredient at all. He had managed to get his counterfeits into the real supply chain in the United Kingdom, prompting massive recalls of the drugs in June 2007.

First Panel: Dangers of Counterfeit Pharmaceuticals

The First Panel was moderated by Tony West, Assistant Attorney General, Civil Division, including enforcement of the Food, Drug, and Cosmetic Act.

Panelists included:
John Clark, VP of Global Security at Pfizer (former assistant deputy at ICE)
Tom Kubic, President of the Pharmaceutical Security Institute
Carmen Catizone, President of the Natioanl Association of Boards of Pharmacies
and John Taylor, Counselor to Commissioner of the FDA

After introductions, John Clark of Pfizer did a presentation about counterfeit drugs.

One counterfeit's ingredients were shown: roach powder, powdered brick, road paint, and floor wax. Clark showed slides of the difference between a real drug manufacturer and a fake one. He played a telephone interview where a drug maker was counseling his undercover agent on what he would need to set up his own manufacturing facilities.

John Taylor shared information on how FDA provides consumer alerts, which are also a means to gather further information for investigators.

(continues in part 2 CNN Image Source )

Tom Kubic of PSI has been investigating and measuring counterfeits since 2002. There has been a 700% increase in drug counterfeiting from 2002 to 2009. They have identified at least 800 unique medicines that were counterfeited worldwide just in 2009. (In 2002, there were around 250.) The ones they have reviewed "are neither safe nor effective."

Carmen Catizone made several points. Quoted (with a slight paraphrase):

When you obtain a medication that has been approved by the FDA, [prescribed] by a licensed practitioner, [dispensed] by a licensed pharmacy, that product is safe.
When you go out of the system, you are dealing with criminals who have found it is easier to sell drugs online than to sell crack or heroin on the street. Consumers and legislators don't understand that this is a serious consumer health risk. Carmen says several years ago he was told by legislators they would not take action until they were shown the dead bodies.

John Taylor follows up on Carmen's comment showing that the fakes don't have to produce death in order to be harmed. In one case the supplier of an active ingredient component TO the manufacturer caused an effective epilepsy drug to be suddenly ineffective. Patients around the country began to have seizures!

A guest from the audience joined the panel to share his story. As an AIDS patient, taking nearly 10,000 pills a year, found that his injectable medications were now giving him pain that had not been previously present when injecting. It turns out that his medicine, obtained from a national pharmacy chain, with a prescription, was a counterfeit. For six week period, he has no idea what he was injecting into himself.

Second Panel: Health and Safety Risks of the Counterfeiting of Trademarks

The Second Panel was moderated by Lanny Breuer, Assistant Attorney General, Criminal Division. This panel focused more on computer and electronic components. A bit off topic for today's blog post.

Panelists include:
Neal Rubin, VP and Director of Litigation at Cisco
Keith Williams, President of Underwriter Laboratories
Robert Barchiesi, President of the International Anti-Counterfeiting Coalition
Brett Brenner, President of the Electrical Safety Foundation International

(continues in part 3 CNN Image Source)

Conclusion

CNN Image Source

Prior activities

Many of the companies named in the new announcement have already been taking strides to reduce the sale and advertising of online drugs. In October, the National Assocation of Boards of Pharmacies released their report Internet Drug Outlet Identification Program: Progress Report for Federal Regulators which shared some of the findings of the International Internet Week of Action (IIWA). During October 5-12, 2010, the Food & Drug Administration, Interpol, and agencies in 45 countries took a concerted week of enforcement actions. Interpol calls the enforcement actions Operation Pangea III.

During the operation which saw the 45 participating countries send intelligence to a dedicated operations centre at INTERPOL's General Secretariat headquarters in Lyon, Internet monitoring revealed 694 websites engaged in illegal activity, 290 of which have now been shut down. In addition, some 268,000 packages were inspected by regulators and customs, almost 11,000 packages were seized and just over 1 million illicit and counterfeit pills were confiscated - including antibiotics, steroids, anti-cancer, anti-depression and anti-epileptic pills, as well as slimming or food supplement pills. Some 76 individuals are currently under investigation or under arrest for a range of offences, including illegally selling and supplying unlicensed or prescription-only medicines.

Operation Pangea III featured a series of YouTube videos themed "Don't Be Your Own Killer". Here are two examples:

Other organizations and actions

In 2009, US Customs & Border Protection (CBP) and Immigration and Customers Enforcement (ICE) seized over $260 million worth of couterfeit goods arriving at US ports.

The International AntiCounterfeiting Coalition (IACC) President, Robert Barchiesi, attended the forum as well.

DIICOT: Romanians Bust Up VOIP Ring

2010-12-20T03:50:00.000-08:00

Any day that starts with a video of DIICOT in action is a good day! Over the weekend I saw Lucien Constantin share the good news on Softpedia that a Major VOIP Fraud Gang was Dismantled in Romania. Lucien was kind enough to point to the DIICOT press release from December 14th.

A Google translated version of the press release can be found here: bit.ly/VOIPRo. For those who prefer to read their own Romanian, see here: DIICOT Press Release.

DIICOT is the Directorate for Investigating Organized Crime and Terrorism, and they have been gaining a world-wide reputation for scooping up cyber criminals. Regular readers of this blog will know I am in the DIICOT Fan Club, as we've previously written about on several occasions, including:

23SEP2010: eBay Spear Phisher Liviu Mihail Concioiu Arrested in Romania

12APR2010: Nicolae Popescu, Romanian hacker, at large!

06APR2010: 70 Romanian Phishers & Fraudsters Arrested

16JUL2008: 22 More Romanians meet the Long Arm of the Law

VOIP Raid

On 14DEC2010, there were 42 houses searched, with 31 in Constanta, 4 in Neamt, 3 in Brasov and others in Olt, Maramures, Cluj, and Dolj counties.

From Oct 2009 to Feb 2010, Cătălin Zlate is accused of running a team of over 50 individuals to commit computer crimes and to use fraudulent access to data to commit VOIP Fraud. Team members configured a VOIP client called "ZoIPer" to allow members to place Voice Over IP calls using fraudulently obtained credentials from other VOIP services. During the period Oct 2009 to Feb 2010, they generated 23,500 calls or 315,000 minutes of long distance charges, stealing from companies in Romania, South Africa, United Kingdom, Italy, and the United States.

Zlate is no stranger to computer crime. He was actually arrested in 2009, and sentenced to 1.5 years in jail for phishing. Unfortunately, the court system in Romania allowed him to be released with a suspended sentence. While I believe Romania has some of the best investigators and some of the hardest working police officers, they also have one of the most corrupt court systems in Europe. All the police can do is keep doing their job, and pray for a change in the court system.

According to EVZ.ro, Zlate used the handle "Roşcatu" and was involved in a phishing gang with Manuel Sorin Paun, AKA "Puia", Mangue Barry, AKA "Dumbo", and Bogdan Nistor, AKA "Bobo". The four received "suspended sentences" of 2.5 years, 1.5 years, 3 years, and 3 years respectively for phishing, creating fake ATM cards, and withdrawing money from ATMs using those cards. DIICOT has been following "Roşcatu"'s exploits since at least 2006. The news of their previous conviction made the Ziu Constanta back on November 20, 2009.

Zlate came back with a passion, founding a new business in March of 2010.

That's when things really got out of hand. Through a new fraud company called "Shadow Communication Company Ltd", from February through June 12, 2010, 1,541,187 fraudulent calls were made, running up 11,094,167 minutes of talk time! The defendants were selling these fraudulently obtained minutes at about a 90% discount. While the actual costs should have been more than 11 MILLION EUROS, they actually sold the minutes for just over 1 MILLION EUROS. (Hint: If your telephone company is named something league "Shadow Communications" or "League of Evil", perhaps you should consider switching to AT&T.)

Charges brought against the group include:

- Article 7, Paragraph 1.3 - membership and support of an organized criminal group
- Article 18 Section 2 letter b of law 39/2003 - Money laundering
- Article 23 Paragraph 1 letter a, b, & c of law 656/2002 - Wireless access to a computer system to obtain data by breaching security measures
- Article 42 Paragraph 2.3 of law 161/2003 - Possession of a computer program in order to commit offenses
- Article 49 of law 161/2003 - Causing a loss of property through the introduction of computer code in order to obtain benefit for oneself or another

42 people have been brought to Bucharest to be charged of these crimes.

Here's the DIICOT video of the arrests and seizures:

Hopefully, this time the criminals will actually serve time in prison!

Month	Primary Domain	Alternate Domain
1/2011	a-gps.vip-studions.net	old.antrexhost.com
2/2011	dru.realgoday.net	marker.antrexhost.com
3/2011	brew.fishbonetree.biz	spamblocker.antrexhost.com
4/2011	jane.unreadmsg.net	ads.antrexhost.com
5/2011	exchange.stafilocox.net	cafe.antrexhost.com
6/2011	ns1.diplodoger.com	coffeeshop.antrexhost.com
7/2011	a-gps.vip-studions.net	old.antrexhost.com
8/2011	dru.realgoday.net	marker.antrexhost.com
9/2011	brew.fishbonetree.biz	spamblocker.antrexhost.com
10/2011	jane.unreadmsg.net	ads.antrexhost.com
11/2011	exchange.stafilocox.net	cafe.antrexhost.com
12/2011	ns1.diplodoger.com	coffeeshop.antrexhost.com