Wednesday, November 16, 2011

ACH / WireTransfer Failed spam goes crazy!

Yesterday we saw two HUGE spam campaigns, continuing into this morning, that use variations of "your wire transfer failed" as subject lines.

We saw at least 86,197 copies of this spam on November 15th, which I am mentally dividing into "Named Institution / zfin" spam and "random intermediary" spam.

The "zfin" spam was far more prevalent, with 62,331 copies of the 86,197 copies pointing to a URL that contained "zfin.php" in the path.

The "zfin" spam has a mail message that reads something like this:

Dear Account Holder,

Money Transfer sent by you or on your behalf was hold by our bank.

Transaction ID: 17019302204565051
Current status of transaction: on hold

Please review transaction details as soon as possible.

N. B. Abel
Treasury Management


The "non-zfin" email has a message that reads something like this:

Dear Bank Account Operator,
I regret to inform you that Wire transfer initiated by you or on your behalf was hold by us.

Transaction: 238006864683285
Current transaction status: Pending

Please review transaction details as soon as possible.


In both versions a very large number of "intermediary" spam domains are used. These are "page forwarders" that have been placed on compromised web servers. The hackers have gathered a very large list of website userids and passwords where they can place new content at will, without the knowledge of the webmaster. They log in as the webmaster, upload their "forwarder" page, and then use that newly created page as the destination in spam messages.

More than 15% of the spam that we saw at the UAB Spam Data Mine yesterday belonged to this pair of campaigns, and the volume is still extremely high this morning.

Many of the emails used the faked "from" domains:

uba.org 5785
lba.org 5762
aba.com 5724
bankersonline.com 5681
cbanet.org 5674
vabankers.org 5672
mbaa.org 5645
nationalbankers.org 5634
icba.org 5620
allbankers.org 5604
fiba.net 5532
direct.nacha.org 5024


Forty-seven destinations were listed by the "zfin" spam, where a Financial Institution was included in the subject line. These destinations heavily favored Argentinian domain names:


By mixing a "prefix" with an "institution name" more than 10,000 unique subject lines were created. 702 Financial Institutions have been named so far . . .

The prefix for the subject is selected from this list:

ACH debit transfer was hold by
ACH debit transfer was not accepted by
ACH payroll payment was hold by
ACH payroll payment was not accepted by
ACH Transfer was hold by
ACH Transfer was not accepted by
Bill Payment was hold by
Bill Payment was not accepted by
Domestic Wire Transfer was hold by
Domestic Wire Transfer was not accepted by
Funds transfer was hold by
Funds transfer was not accepted by
Money Transfer was hold by
Money Transfer was not accepted by
Payment was hold by
Payment was not accepted by
Wire Transfer was hold by
Wire Transfer was not accepted by

and then suffixed with a financial institution name from the list found at the end of this email. . . .

The "non-zfin" form of the spam uses one of these subjects (a random number is denoted by #RND#):

ACH payment canceled
ACH payment rejected
ACH transaction canceled
ACH Transfer canceled
ACH transfer rejected
ACH transfer was hold by our bank
Declined Direct Deposit payment
Direct Deposit payment ID #RND# rejected
Direct Deposit payment was cancelled
Direct Deposit payment was declined
Direct Deposit payment was rejected
Disallowed Direct Deposit payment
Fwd: Wire Transfer (#RND#)
Fwd: Wire Transfer Confirmation
Fwd: Wire Transfer Confirmation (FED #RND#)
Fwd: Your Wire Transfer
Notification about the rejected Direct Deposit payment
Payment ID #RND# rejected
Re: your Direct Deposit payment ID #RND#
Regarding your Direct Deposit via ACH
Rejected ACH payment
Rejected ACH transaction
Rejected ACH transfer
Urgent notice about your electronic payments
Your ACH transaction
Your ACH transfer
Your Direct Deposit payment ID #RND# was declined
Your Direct Deposit payment via ACH was declined
Your Direct Deposit payments were disallowed
Your Direct Deposit payments were rejected
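
The two subject-line schemes described above can be turned directly into a mail-filter check. The following is an added example, not code from the original post: it classifies a subject as "zfin" or "non-zfin" and also checks links for the "zfin.php" path. The function names, the sample messages and the assumption that #RND# expands to decimal digits are illustrative.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# "zfin" subjects: every prefix in the post is a payment type plus one of two
# states, followed by a financial institution name.
ZFIN_TYPES = ["ACH debit transfer", "ACH payroll payment", "ACH Transfer", "Bill Payment",
              "Domestic Wire Transfer", "Funds transfer", "Money Transfer", "Payment",
              "Wire Transfer"]
ZFIN_STATES = ["was hold by", "was not accepted by"]

# "non-zfin" subjects exactly as listed in the post; #RND# marks a random number.
NON_ZFIN_TEMPLATES = """\
ACH payment canceled
ACH payment rejected
ACH transaction canceled
ACH Transfer canceled
ACH transfer rejected
ACH transfer was hold by our bank
Declined Direct Deposit payment
Direct Deposit payment ID #RND# rejected
Direct Deposit payment was cancelled
Direct Deposit payment was declined
Direct Deposit payment was rejected
Disallowed Direct Deposit payment
Fwd: Wire Transfer (#RND#)
Fwd: Wire Transfer Confirmation
Fwd: Wire Transfer Confirmation (FED #RND#)
Fwd: Your Wire Transfer
Notification about the rejected Direct Deposit payment
Payment ID #RND# rejected
Re: your Direct Deposit payment ID #RND#
Regarding your Direct Deposit via ACH
Rejected ACH payment
Rejected ACH transaction
Rejected ACH transfer
Urgent notice about your electronic payments
Your ACH transaction
Your ACH transfer
Your Direct Deposit payment ID #RND# was declined
Your Direct Deposit payment via ACH was declined
Your Direct Deposit payments were disallowed
Your Direct Deposit payments were rejected""".splitlines()

def _alternation(items):
    return "|".join(re.escape(item) for item in items)

def _template_regex(template):
    # Assumption (not stated in the post): #RND# expands to decimal digits only.
    return r"\d+".join(re.escape(part) for part in template.split("#RND#"))

ZFIN_RE = re.compile(
    rf"(?:{_alternation(ZFIN_TYPES)}) (?:{_alternation(ZFIN_STATES)}) (?P<institution>.+)",
    re.IGNORECASE)
NON_ZFIN_RE = re.compile("|".join(_template_regex(t) for t in NON_ZFIN_TEMPLATES),
                         re.IGNORECASE)

def classify_subject(subject):
    """Return (campaign, institution); campaign is "zfin", "non-zfin" or None."""
    s = " ".join(subject.split())  # collapse runs of whitespace
    # Fixed templates first: "ACH transfer was hold by our bank" is a non-zfin
    # subject that would otherwise parse as a zfin prefix + institution "our bank".
    if NON_ZFIN_RE.fullmatch(s):
        return ("non-zfin", None)
    m = ZFIN_RE.fullmatch(s)
    if m:
        return ("zfin", m.group("institution"))
    return (None, None)

def url_has_zfin_path(url):
    """True when the URL path contains "zfin.php", the marker noted in the post."""
    return "zfin.php" in urlsplit(url).path.lower()

def classify_message(subject, urls):
    """Combine both signals; a zfin.php link marks the zfin variant by itself."""
    campaign, institution = classify_subject(subject)
    if any(url_has_zfin_path(u) for u in urls):
        campaign = "zfin"
    return campaign, institution

# Constructed samples: subjects follow the post's patterns, hosts are placeholders.
SAMPLES = [
    ("Wire Transfer was not accepted by Bank of Marin", ["http://site-a.example/zfin.php"]),
    ("ACH transfer was hold by our bank", ["http://site-b.example/x1y2z3/index.html"]),
    ("Direct Deposit payment ID 48211930 rejected", []),
    ("Fwd: Wire Transfer Confirmation (FED 77120)", []),
    ("Quarterly payment schedule", ["http://intranet.example/finance"]),
]

def tally(samples):
    return Counter(classify_message(subject, urls)[0] for subject, urls in samples)

if __name__ == "__main__":
    for subject, urls in SAMPLES:
        print(classify_message(subject, urls), "<-", subject)
```

The captured institution name can be compared against the institution list at the end of the post to cut false positives on legitimate bank notices.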

These spam messages directed users to one of 1962 unique URLs that all SEEM to be compromised websites, with the exception of some "free hosting" sites, and a handful of URL shortening services. That list is presented below, with the list reduced to 671 instances by eliminating all but a single example URL per host computer:




====================
List of Financial Institutions used by the "zfin" spam . . .

1st Bank Yuma
1st Capital Bank
1st Centennial Bank
1st Enterprise Bank
1st National Bank of Scotia
1st Pacific Bank of California
1st Source Bank
Abacus Federal SAvings Bank
ABC International Bank
ABN AMRO Bank
Abrams Centre National Bank
Affinity Bank
Agriland FCS
AgTexas
Aig Federal SAvings Bank
Alamerica Bank
Aliant Bank
Allegiance Community Bank
Alliance Bank
Alliance Bank of Arizona
Allied Irish Bank
Alta Alliance Bank
Amalgamated Bank of Chicago
Amarillo National Bank
Amcore Bank
Amegy Bank of Texas
Ameriana Bank and Trust
America California Bank
American Bank
American Bank of Commerce
American Bank of Texas
American Business Bank
American Express Bank Limited
American National Bank
American National Bank of Texas
American River Bank
American Riviera Bank
American Savings Bank
American State ABnk
American State Bank
Americas United Bank
Amsouth Bank
Amsterdam Savings Bank
ANZ Bank
Applied Card Systems
Archer Bank
Artisans Bank
Atlantic Bank of New York
Atlantic Pacific Bank
Atlas Savings Bank
AuburnBank
Austin Bank
Austin County State Bank
Austin Telco Federal Creit Union
Balboa Thrift and Loan Association
Balcones Bank
Ballston Spa National Bank
Bank Atlantic
Bank Calumet
Bank Independent
Bank of Agriculture and Commerce
Bank of Akron
Bank of Amador
Bank of Baroda
Bank of Castile
Bank of Evergreen
Bank Of Illinois
Bank of India
Bank of Los Altos
Bank of Marin
Bank of Marion
Bank of New York
Bank of Orange County
Bank of Pensacola
Bank of Petaluma
Bank of Pine Hill
Bank of Prattville
Bank of Quincy
Bank of Rantoul
Bank of Rio Vista
Bank of Sacramento
Bank of Santa Barbara
Bank of Santa Clarita
Bank of Springfield
Bank of Stockton
Bank of Tampa
Bank of the Orient
Bank of the Sierra
Bank of the Southwest
Bank of the West
Bank of Tidewater
Bank of Tuscaloosa
Bank of Vernon
Bank of Walnut Creek
Bank of Waukegan
Bank One
Bank United
BankChampaign
Bankers Trust Company
BankFIRST
BankUnited Express
Barclays Bank
Barrington Bank and Trust
Bay Area Bank
Bay Cities National Bank
Bay Commercial Bank
Beal Bank
Belvidere Bank
Benchmark Bank
Beverly Bank
Bluestem National Bank
Borel Bank
Borrego Springs Bank
Brady National Bank
Brenham National Bank
Brickyard Bank
Bridgehampton National Bank
Broadway Bank
Broadway Federal Bank
Broadway Federal Bank FSB
Broadway National Bank
Brooklyn Federal Savings Bank
Brown Brothers Harriman
Busey Bank
Business Bank of California
Business First National Bank
Butte Community Bank
Caledonian Fund Services
California Bank and Trust
California Community Bank
California Federal Bank
California National Bank
California Oaks State Bank
California State Bank
Canadaigua National Bank and Trust Company
Canyon Community Bank
Canyon National Bank
Capital City Bank
Capital Farm Credit
Cardinal Services Corp
Carlinville National Bank
Carver Federal SAvings Bank
Cathay Bank
Cattaraugus County Bank
Centier Bank
Central California Bank
Central Illinois Bank
Central National Bank of Waco
Central Trust and Savings Bank
Central Valley Community Bank
Century Bank
CFS Bank
Champlain National Bank
Chang Hwa Commercial Bank Ltd
Charlotte State Bank
Charter National Bank
Charter Oak Bank
Chase Manhattan Bank
Chicago Community Bank
Chino Commercial Bank NA
Circle Bank
Citibank
Citizens Bank
Citizens Bank Baytown
Citizens Bank of Northern California
Citizens Business Bank
Citizens Community Bank
Citizen's Federal Savings Bank
Citizens First Bank
Citizens National Bank
Citizens National Bank of Macomb
Citizens State Bank
Citrus Bank NA
City Bank Lubbock
City National Bank
City National Bank of Florida
City State Bank of Palacios
CivicBank of Commerce
Clarendon Hills Bank
Claritybank
Clay County Bank
Clear Lake National Bank
Coast Commercial Bank
Coast National Bank
Cohen Financial
Cohoes SAvings Bank
Coldwell Banker Commercial PR
Columbia Bank
Comerica
Commerce Bank of Folsom
Commerce National Bank
Commercial Bank of California
Commercial National Bank
Commerzbank
Commonwealth Business Bank
Commonwealth Trust Company
Community 1st Bank
Community Bank
Community Bank and Trust
Community Bank of Elmhurst
Community Bank of Florida
Community Bank of Naples
Community Bank of San Joaquin
Community Bank of Santa Maria
Community Bank of the Bay
Community Bank Texas
Community Banks of Northern California
Community Business Bank
Community Commerce Bank
Community First Bank of Howard County
Community Savings
Community West Bank
Compass Bank
Coppermark Bank
Cornerstone Community Bank
Coronado First Bank
Corus Bank
County Bank
Credit Suisse First Boston
Cross County Federal Savings Bank
Crown Bank
Crystal Lake Bank
DeAnza National Bank
Delaware National Bank
Delta Bank
Delta National Bank
Delta National Bank And Trust Company
Demotte State Bank
DEPFA BANK
Desert Commercial Bank
Deutsche Asset Management
Deutsche Bank
Devon Bank Online
Downers Grove National Bank
Downey Savings
Eagle Bank
East West Bank
Edens Bank
Edgar County Bank and Trust
Effingham State Bank
EFG Capital International Corp
Eisenhower National Bank
El Dorado Savings Bank
El Paseo Bank
Eldorado Bank
Elgin Financial Savings Bank
Elmira Savings Bank FSB
Emerald Coast Bank
Englewood Bank
Esse Hypothekenbank
Eureka Bank
Eurohypo Aktiengesellschaft
European American Bank
Evans National Bank
Evertrust Bank
Excel National Bank
Exchange Bank
Fairport Saving Bank
Falcon International Bank
Far East National Bank
Farm Credit Bank of Texas
Farmers and Merchants Bank
Farmers National Bank
Farmers State Bank of Hoffman
Federal Home Loan Bank
Federal Home Loan Bank of Dallas
Federal Land Bank
Federal Reserve Bank of Chicago
Federal Reserve Bank of Dallas
Federal Reserve Bank of New York
Federal Reserve Bank of San Francisco
Federal Trust Bank
Fidelity Federal Bank
Fidelity Federal Savings Bank
Fifth Third Bank
Fireside Bank
First American Bank
First Bank
First Bank and Trust
First Bank and Trust Company
First Bank of Clewiston
First Bank of San Luis Obispo
First California Bank
First Chicago Capital
First Choice Bank
First Citrus Bank
First City Bank
First Commerce Bank
First Commercial Bank
First Commercial Bank of Florida
First Community Bank
First Convenience Bank
First Federal Bank
First Franklin Bank
First General Bank
First Gulf Bank
First Home Bank
First Indiana Bank
First Internet Bank of Indiana
First Mercantile Bank
First Metro Bank
First Mountain Bank
First National Bank
First National Bank and Trust
First National Bank of Abilene
First National Bank of Ashford
First National Bank of Bellville
First National Bank of Brookfield
First National Bank of Central California
First National Bank of Chillicothe
First National Bank of Danville
First National Bank of Dryden
First National Bank of Eagle Lake
First National Bank of Jasper
First National Bank of Marengo
First National Bank of Mineola Texas
First National Bank of North County
First National Bank of Northern California
First National Bank of Northern New York
First National Bank of Paris
First National Bank of San Benito
First National Bank of Scottsboro
First National Bank of Steeleville
First National Bank of Trenton
First National Bank of Valparaiso
First National Bank of Waterloo
First Navy Bank
First Niagara Bank
First Northern Bank
First of America
First Priority Bank
First Regional Bank
First Savings Bank FSB
First SAvings Bank of Hegewisch
First Southern National Bank
First Standard Bank
First State Bank
First State Bank Frankston
First State Bank of Eldorado
First State Bank of Shallowater
First State Bank of the Florida Keys
First State Bank of Western Illinois
First United Bank
First USA Bank
First Victoria National Bank
FirstBank of Palm Desert
Five Star Bank
Flatbush Federal Savings
FLBA of Texas
Florida Choice Bank
Florida First Bank
Folsom Lake Bank
Foothill Independent Bank
Fort Hood National Bank
Founders Bank
Founders Community Bank
Franklin Bank
Fremont Bank
Frontier Bank
Frost Bank
Frost National Bank
Fullerton Community Bank
Gateway National Bank
Geddes Federal Savings
General Bank
Genesee Regional Bank
Gerard Klauer Mattison
Gibraltar Bank
Global Resource Bank
Golden Security Bank
Goleta National Bank
Grabill Bank
Grand Bank of Florida
Grand National Bank
Grapeland State Bank
Guaranty Bank
Guaranty Bond Bank
Guaranty Federal Bank
Gulf State Community Bank
Habib American Bank
Hanmi Bank
Hardware State Bank
Harris Trust and savings Bank
Hendricks County Bank and Trust
Heritage Bank East Bay
Heritage Bank of Central Illinois
Heritage Bank of Commerce
Heritage Bank South Valley
Heritage Commerce Corp
Heritage Land Bank
Heritage National Bank
Hickory Point Bank and Trust
Highwood Bank
Hinsdale Bank and Trust
Hinsdale Bank Trust Co
Home National Bank
Honda Bank
Horizon Bank
HSBC Bank
Hudson Valley Bank
Humboldt Bank Merchant Services
Hypo Real Estate Bank International
Illini State Bank
Imperial Bank
Imperial Capital LLC
Independent National Bank
Independent Online
ING Capital LLC
Intercredit Bank
International Bancshares
Interstate Bank of Oak Forest
Invex Grupo Financiero
Irwin Financial Corporation
Israel Discount Bank of New York
Itasca Bank and Trust Co
Jackson County Bank
Jacksonville Savings Bank
Jefferson Heritage Bank
Jefferson State Bank
Jourdanton State Bank
JP Morgan Chase Bank
Key West Bank
Kookmin Bank
Lafayette Bank And Trust
Lafayette Savings Bank
Lake Forest Bank and Trust
Lake Shore SAvings And Loan
Lamar National Bank
Landmark Bank
LaSalle State Bank
Lavine Financial Capital
Legacy Bank of Texas
Lehman Brothers
Liberty Bank
Liberty Federal Bank
Liberty Federal Savings Bank
Libertyville Bank
LIFE Bank
Lone Star Federal Land Bank Association
Long Island Commercial Bank
Long Island Savings Bank
Los Angeles National Bank
Lubbock National Bank
Luther Burbank Savings
Madison Bank
Malaga Bank
Mansfield Bank
Manufacturers Bank
Marathon National Bank
Marina Bank
Marketplace Bank
Mazon State Bank
Mellon 1st Business Bank
Melon Bank by
Mercantile Bank
Mercantile Trust and Savings Bank
Merchants and Southern Bank
Merchants Bank of California
Merchants Bank of Jackson
Merchants National Bank of Aurora
Meridian Bank
Merrill Lynch
MetroBank
Metropolitan Bank
MFB Financial
Mission Community Bank
Mission Oaks National Bank
Modern Bank
Mohave Community
Mohave State Bank
Monroe County Bank
Montecito Bank and Trust
Moody National Bank
Morgan Stanley
Morton Community Bank
Murphy Wall State Bank
Mutual Federal Savings Bank
Mutual of Omaha Bank
Nara Bank National Association
NatBank
National Bank
National Bank of California
National City Bank
New Century Bank
New South Federal Savings Bank
Nexity Bank
North Coast Bank
North Community Bank
North County Bank
North County Savings Bank
North Houston Bank
North Valley Bank
Northern Trust Bank
Northern Trust Company
Northfield Savings Bank
NorthShore Trust Saving
NorthStar Bank
Oak Brook Bank
Oak Lawn Bank
Oak Valley Community Bank
Oceanic Bank
Oceanmark Bank
Oceanside Bank of Jacksonville
Old Florida Bank
Old National Bank
Old Second Bancorp
Old Second Bank of Aurora
OptimumBank
Ossian State Bank
Oswego Community Bank
our bank
Overton Bank and Trust
Owen County State Bank
Pacesetter Bank
Pacific Crest Bank
Pacific National Bank
Pacific Trust Bank
Palm Desert National Bank
Palmer Bank
Park Avenue Capital
Park National Bank
Partners Bank
PathFinder Bank
Peoples Bank of Graceville
Peoples Bank of Lubbock
Peoples Bank of North Alabama
Peoples National Bank
People's Trust Company
Permanent Federal Savings Bank
Perryton National Bank
Pff Bank Trust
Phillipine National Bank
Pilgrim Bank
Pinnacle Bank
Pioneer Savings Bank
Plains National Bank Financial
Plaza Bank
Plumas Bank
Pna Bank
Pointe Bank
Ponce de Leon Federal Savings Bank
Popular Bank of Florida
Power Project Financing
Premier Valley Bank
Prosperity Bank
Provident Bank
Queens County Savings Bank
Raiffeisen Zentralbank AG
Randolf County Bank
Redding Bank of Commerce
Regents Bank
Reliance Bank
Ridgewood Bank
Ripley County Bank
River City Bank
Riverside National Bank
Robertson Stephens
Rondout Savings Bank
Roseville Banking Center
Roslyn Savings Bank
Royal Oaks Bank
RZB Finance LLC
Salin Bank and Trust Company
San Diego National Bank
San Jose National Bank
Sand Ridge Bank
Santa Barbara Bank and Trust
Santa Monica Bank
Saratoga National Bank
Scott State Bank
Seacoast National Bank
Second Federal Savings
Security Federal Savings Bank
Seneca Federal Savings and Loan
Sierra Vista Bank
Silicon Valley Bank
Silverado Bank
Six Rivers National Bank
Sonoma Valley Bank
South Alabama Bank
South County Bank
South Pointe Bank
Southern California Funding
Southern Security Bank
Southwest Bank
Southwest Bank of Texas
Sovereign Bank
Spencer County Bank
Star Bank
Star Bank of Texas
Star Financial Bank
State Bank of Ashland
State Bank of Countryside
State Bank of India
State Bank of Lizton
State Bank of Long Island
State Bank of Texas
State Bank of The Lakes
State Bank of Waterloo
State Farm
State National Bank of West Texas
Staten Island Savings Bank
Sterling Bank
Sterling National Bank
Stone City Bank
Strategic Partners
Success National Bank
Suffolk County National Bank
Sumitomo Bank of California
Summit Bank
Surety Bank
Synergy Bank
Tallahassee State Bank
TCB Bank
TCF National Bank
Tempo Bank
Terre Haute Savings Bank
Texas Bank
Texas Capital Bank
Texas Champion Bank
Texas First Banks
Texas Independent Bank
Texas Land Bank
Texas State Bank
The Astoria Federal Savings Bank
The Bank
The Bank and Trust
The Carson Medlin Company
The Dime Savings Bank of New York
The First American Investment Banking Corporation
The First National Bank of Hico
The First National Bank of Long Island
The First State Bank of North Dakota
The Foothills Bank
The Gifford State Bank
The Independent Bankers Bank
The Laredo National Bank
The Mechanics Bank
The SAvings Bank of Utica
The South Holland Bank
The State National Bank
The Warwick Savings Bank
TIB Bank of the Keys
Tokai Bank of California
Tompkins County Trust Company
Town North Bank
Tremont SAvings Bank
Troy Bank and Trust
Troy Savings Bank
Trustbank
Ulster Savings Bank
Unicredito Italiano
Union Bank of Arizona
Union Bank of California
Union Federal
Union Federal Savings Bank
Union Planters Bank
Union State Bank
United Bank
United California Bank
United Commercial Bank
United Community Bank
United Fidelity Bank
United Security Bank
United Southern Bank
Universal Bank
Upstate Niagara Cooperative
us
Valley Business Bank
Valley Commerce Bank
Valley Independent Bank
Valrico State Bank
Vantage Bank of Alabama
Ventura County Business Bank
Viewpoint Bank
Village Banc of Naples
Vineyard Bank
Vintage Bank
VirtualBank
Visalia Community Bank
Vista Bank
Walden Savings Bank
Warrington Bank
Washington Federal Bank
Washington Savings and Loan
Wells Fargo Bank
West Coast Bank
West Suburban Bank
Western Financial Bank
Western Security Bank
Western Springs Bank
Western Springs National Bank
Whisperwood National Bank
Wilber National Bank
Wilmington Trust
Wilshire State Bank
Wintrust Financial Corporation
Woodforest National Bank
Worth National Bank
WSFS bank
Yolo Community Bank

==========================

Wednesday, November 09, 2011

Operation Ghost Click: DNSChanger Malware Ring Dismantled

Since 2007 computers around the internet have been suffering from a secret ailment. Sometimes when their owners clicked on a link, they didn't go where they were supposed to go! The problem was caused by a fairly simple piece of malware called a DNSChanger. This family of malware only does one thing -- it changes the DNS settings on your computer from the one that you are supposed to use, to one that a cyber criminal has chosen for you to use.

Today the FBI and NASA's Office of the Inspector General (NASA-OIG) announced "Operation: Ghost Click" and the arrests of six Estonian criminals who have been involved in this scam since 2007.

Those arrested by the Estonian Police and Border Guard Board were:

Vladimir Tsastsin, age 31
Timur Gerassimenko
Dmitri Jegorov
Valeri Aleksejev
Konstantin Poltev
Anton Ivanov

Andrey Taame, age 31, Russian, is still at large

We were especially pleased by the sidebar entitled "Success Through Partnerships".

A complex international investigation such as Operation Ghost Click could only have been successful through the strong working relationships between law enforcement, private industry, and our international partners.

Announcing today’s arrests, Preet Bharara, (above left) U.S. Attorney for the Southern District of New York, praised the investigative work of the FBI, NASA’s Office of Inspector General (OIG), the Estonian Police and Border Guard Board, and he specially thanked the National High Tech Crime Unit of the Dutch National Police Agency. In addition, the FBI and NASA-OIG received assistance from multiple domestic and international private sector partners, including Georgia Tech University, Internet Systems Consortium, Mandiant, National Cyber-Forensics and Training Alliance, Neustar, Spamhaus, Team Cymru, Trend Micro, University of Alabama at Birmingham, and members of an ad hoc group of subject matter experts known as the DNS Changer Working Group (DCWG).


The Manhattan U.S. Attorney's office released a much more detailed announcement with the headline "Manhattan U.S. Attorney Charges Seven Individuals for Engineering Sophisticated Internet Fraud Scheme That Infected Millions of Computers Worldwide and Manipulated Internet Advertising Business: Malware Secretly Re-Routed More Than 4 Million Computers, Generating at Least $14 Million in Fraudulent Advertising Fees for the Defendants".

Congratulations to all who were involved! Especially to the FBI's Botnet Threat Focus Cell, NASA's incredible Office of the Inspector General, the FBI's Southern District of New York office, and those who attended Bar-Con in 2009.

What is DNS? DNS, or Domain Name Services, is what tells your computer how to find the website you are looking for by turning the name you type, such as www.fbi.gov, into an IP address, such as 205.128.73.105. For most users, this happens by asking the Name Server at your Internet Service Provider.

Pay Per Click Fraud



If you were infected by this DNSChanger malware, instead of asking your ISP for that information, you would be asking a criminal. MOST of the time the criminals would simply give you the same answer that your ISP would give you ... but whenever they wanted to make some extra money, they could tell your computer the wrong answer!

In an example taken from the indictment, an infected user goes to Google and types in "itunes". The first link returned shows the destination "www.apple.com/itunes/", which is the real Apple website where someone can download the iTunes software.


(source: Tsastsin Indictment)

When the user of an infected computer clicks the link, the computer asks the criminal's nameserver, which sends it to the wrong server. In this case, instead of going to "apple.com" the user is sent to "www.idownload-store-music.com", which looks just like the Apple store, but which charges your credit card to sell you iTunes! The criminals received a payment each time they sent someone to this fake website.

In other examples, the company where the traffic is sent to is a legitimate company. For example, H&R Block, the Tax preparation people, have an affiliate program. If you have a website, you can put an ad on your website that advertises the H&R Block website. If people click on your ad, you might receive a tiny amount of money, and if they buy something at the H&R website, you might receive a larger amount of money. Instead of advertising, the criminals made a link that redirected you to the H&R Block website if you tried to visit www.irs.gov. So, because you were using the criminal's nameserver, if you typed or clicked on "irs.gov" you could be redirected to H&R Block, earning an "affiliate payment" for the criminals!

Ad Replacement


The other way the criminal earned money was to replace your ads with their ads. How does that earn money? The most common way is that when your computer is told to go get an advertisement from a certain website, such as Google or Bing or Yahoo, instead of showing you the advertisement from those organizations, it would show you an ad from an organization that was run by the criminal instead.

In an example from the court documents, a visitor to ESPN's webpage should have seen an advertisement for Dr. Pepper. But when the infected computer visited the webpage, the criminal's nameserver redirected the request to an advertisement for a timeshare instead!

More than 4 million computers in 100 countries, including 500,000 computers in the United States were infected with this malware. The earnings generated by these young men from the false advertisements exceeded $14 Million Dollars!

Blocking Antivirus


In addition to using the nameserver to send false advertisements, the criminals also used the nameserver to stop infected computers from being able to reach their anti-virus vendors. This prevented the user from being able to install new anti-virus products or to update the definitions on their existing anti-virus products. If the computer attempted to visit any major anti-virus vendor's site, it would simply give an error saying the server was unavailable.

The Charges


All the criminals are charged with:
1. Wire fraud conspiracy
2. Computer intrusion conspiracy
3. Wire fraud
4. Computer intrusion (furthering fraud)
5. Computer intrusion

In addition, the ringleader, Vladimir Tsastsin was charged with:
6. Money laundering
7. Engaging in monetary transactions of value over $10,000 involving fraud proceeds.

So, Are you infected?



The Protective Order associated with this case lists the IP addresses involved in the fake nameserver business.

85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255

The FBI has provided a helpful document that explains how to check your DNS settings to see whether you are using one of these "Rogue DNS Servers". See DNSChanger Malware.

If your IP address is on the list, you are encouraged to fill out the form Register as a Victim of DNS Malware.
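The check described above can be scripted. The following is an added example, not the FBI's tool or anything from the court documents: it turns the six ranges listed above into networks and flags any configured resolver that falls inside them. The function names and both sample configurations are constructed for illustration.

```python
import ipaddress
import re

# Rogue DNS server ranges exactly as listed in the Protective Order (see above).
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]


def build_networks(ranges):
    """Convert first/last address pairs into the CIDR networks that cover them."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return nets


ROGUE_NETWORKS = build_networks(ROGUE_RANGES)

# Dotted quad that is not part of a longer dotted/digit run.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def extract_dns_servers(config_text):
    """Return resolver addresses from resolv.conf text or `ipconfig /all` output.

    Only lines that configure a resolver are read, so the host's own address
    and its default gateway are never mistaken for a DNS server.
    """
    servers = []
    in_dns_block = False
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";")):
            in_dns_block = False
            continue
        lower = stripped.lower()
        if lower.startswith("nameserver"):          # resolv.conf
            candidates = IPV4_RE.findall(stripped)
        elif lower.startswith("dns servers"):       # ipconfig /all
            in_dns_block = True
            candidates = IPV4_RE.findall(stripped)
        elif in_dns_block and " : " not in stripped:
            # ipconfig prints extra resolvers on unlabeled continuation lines
            candidates = IPV4_RE.findall(stripped)
        else:
            in_dns_block = False
            candidates = []
        for text in candidates:
            try:
                servers.append(ipaddress.IPv4Address(text))
            except ipaddress.AddressValueError:
                pass                                # e.g. an octet above 255
    return servers


def find_rogue_resolvers(config_text):
    """Return (resolver, matching rogue network) for every flagged resolver."""
    hits = []
    for server in extract_dns_servers(config_text):
        for net in ROGUE_NETWORKS:
            if server in net:
                hits.append((str(server), str(net)))
                break
    return hits


# Constructed sample inputs (not taken from any real machine).
SAMPLE_RESOLV_CONF = """\
# written by dhclient
nameserver 85.255.116.21
nameserver 192.168.1.1
"""

SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.lan
   IPv4 Address. . . . . . . . . . . : 64.28.180.5
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 93.188.167.255
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for name, text in (("resolv.conf", SAMPLE_RESOLV_CONF),
                       ("ipconfig /all", SAMPLE_IPCONFIG)):
        for server, net in find_rogue_resolvers(text):
            print(f"{name}: resolver {server} is inside rogue range {net}")
```

A hit means the machine (or the router handing out its DNS settings) should be treated as infected and its resolver settings reset.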

The criminals used many different data centers, some of which were featured more prominently in the case than others.

Pilosoft, in New York City, known as "The Manhattan Data Center" in the court documents.

ColoSecure, in Chicago, Illinois

ThePlanet, in Houston, Texas

Multacom Corporation, in Canyon County, California

Layered Technologies, in Plano, Texas

Network Operation Center, in Scranton, Pennsylvania

Wholesale Internet, in Kansas City, Missouri

SingleHop, in Chicago, Illinois

PremiaNet, in Las Vegas, Nevada

Interserver, in Secaucus, New Jersey

ISPrime, in Weehawken, New Jersey

Global Net Access, in Atlanta, Georgia

The Challenge



The big challenge faced by this case was this -- if the FBI were to simply "turn off" all of these nameservers, four million computers would no longer be able to find anything on the Internet! If your computer has been programmed by the DNSChanger malware to look up names using the criminals' nameserver, and that nameserver goes away, there is no "fall back" to use some other nameserver, your computer just stops being able to look up names! If that had happened, when you typed in "www.facebook.com" your computer would say something like "No Such Server" or "Host Unknown". Then you couldn't play Farmville! How sad!

To address this challenge, the FBI filed a Protective Order that identified all of the Rogue DNS Servers, and assigned the IP addresses belonging to those servers to the Internet Systems Consortium, or ISC. ISC established "replacement DNS servers" that would behave properly, and replaced all of the "Rogue DNS servers" with properly configured DNS servers. After this was accomplished, none of the infected computers would be redirected to the wrong content anymore, and they would once again be able to update their anti-virus software.

The other benefit of this action is that ISC is now in a position to be able to compile a list of the computers that have been infected. Each time a computer uses one of the formerly Rogue DNS servers, ISC will log that action so that we can have accurate knowledge of how many computers have been infected, and this class of victims can be offered assistance.

The Protective Order was approved by the Honorable William H. Pauly III on November 3rd in the Southern District of New York.

The Criminal Companies


The Estonian criminals controlled a number of corporations to enable this activity.

Rove Digital, in Estonia, was a software development company that created and managed the malware.

Tamme Arendus, also in Estonia, was a real estate development business that acquired most of Rove's assets.

SPB Group was the name of the company that leased the Manhattan Data Center from Pilosoft.

Cernel Inc, in California, Internet Path Limited, in New York, Promnet Limited, in Ukraine, ProLite Limited, in Russia, Front Communications, in New York, and others were involved with registering thousands of IP addresses that were used by the criminals for various activities.

Furox Aps (Gathi.com), Onwa Limited (Uttersearch.com), Lintor Limited (Crossnets.com) and others were used to create and broker advertising deals which would be used in the Replacement Ad schemes.

Other Things You Must Read


TrendMicro's Malware Blog - EstHost Taken Down - Biggest Cybercriminal Takedown in History - An important link that must be pointed out. Vladimir Tsastsin, the CEO of Rove Digital, was also the CEO of EstHost, one of the first registrars to have its ICANN Accreditation pulled because of criminal activity.

TrendMicro: A Cybercrime Hub - this report, in August 2009, laid out the basics of the criminal activity that Trend had been able to identify. Industry contributions such as this are part of the "Partnership for Success" that the FBI spoke about today, and TrendMicro really led the way on this case!

Brian Krebs's authoritative journalism on Vladimir - "EstDomains: A Sordid History and a Storied CEO"

SpamHaus ROKSO file on Rove Digital - ROKSO File (Registry Of Known Spam Offenders) on Rove Digital

Newsweek calls Rove Digital one of the "Top Ten Spammers" (December 2009).

Friday, November 04, 2011

Duqu: You're safe unless you use TrueType Fonts?

Two of the malware analysts in my lab have been complaining to me that the malware they see every day is getting boring - the primary attacks that we see in the largest volume are the same thing over and over and over again.

Let's be thankful for that! The big news in the malware world yesterday came when Microsoft announced a work around for Duqu, named by researchers in the CrySyS Lab (the Laboratory for Cryptography and System Security at Budapest University of Technology and Economics) because it prefixes some created filenames with the letters "~DQ".

On October 14, 2011, CrySyS contacted Symantec to get some help analyzing the malware, and Symantec released an extremely informative 67 page PDF report called W32.Duqu: The Precursor to the next Stuxnet. (The link is to version 1.3 of the report, updated on November 1, 2011).

There have been two IP addresses confirmed to be associated with Duqu and serving as Command & Control. The first IP was in India - 206.183.111.97. The second was in Hungary - 77.241.93.160. Traffic flow to either of these IP addresses would be a strong positive indicator of a Duqu infection! Both sites are down now.

The first server was announced to be down on October 31st in stories such as this one -- India Shuts Server Linked to Duqu Computer Virus -- which shares some details of a server located at the 200-employee data center Web Werks.

The second server was at Combell in Belgium -- as described in stories such as this one -- Duqu Hackers Shift to Belgium After India Raid.

Duqu is a data stealing program that shares several blocks of code with Stuxnet. In fact, one of the two pieces of malware we've seen that is described as being Duqu is also detected as Stuxnet by some AV vendors.

Here's a VirusTotal report of the better detected of those pieces of code, which had the MD5 value e1e00c2d5815e4129d8ac503f6fac095. This file is not "Duqu" but is rather "an .exe file related to Duqu" which is a much larger program (this one is only 9k in size).


Non "generic" definitions for this malware included:

Avast: Win32:Duqu-F
Emsisoft: Trojan.Win32.Stuxnet!IK
Ikarus: Trojan.Win32.Stuxnet
Microsoft: Trojan:Win32/Duqu.E
NOD32: probably a variant of Win32/Duqu.A
TrendMicro: TROJ_DUQU.AJ


Symantec mentioned MD5s



9749d38ae9b9ddd81b50aad679ee87ec
Wed Jun 01, 03:25:18 2011
Stealing information

4c804ef67168e90da2c3da58b60c3d16
Mon Oct 17 17:07:47 2011
Reconnaissance module

856a13fcae0407d83499fc9c3dd791ba
Mon Oct 17 16:26:09 2011
Lifespan extender

92aa68425401ffedcfba4235584ad487
Tue Aug 09 21:37:39 2011
Stealing information

In each of those above, the link on the MD5 will show you the VirusTotal report. I find it interesting that TrendMicro consistently names these files "TROJ_SHADOW.AG" which makes me wonder if they had independently discovered this malware family prior to the naming as Duqu by the CrySyS team.

Symantec calls attention to the fact that several of these files show compile dates AFTER the public disclosure of the existence of Duqu.

Delivery Mechanism


Symantec disclosed in their report that one of the infections they were analyzing had been delivered via a Word document that exploited the system using a previously unknown 0-day attack.

We now know from Microsoft more about this exploit. On November 3, 2011, Microsoft released Microsoft Security Advisory (2639658), "Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege". The advisory starts with an executive summary which says, in part:

Microsoft is investigating a vulnerability in a Microsoft Windows component, the Win32k TrueType font parsing engine. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We are aware of targeted attacks that try to use the reported vulnerability; overall, we see low customer impact at this time. This vulnerability is related to the Duqu malware.


Microsoft has released a workaround. The exploit takes advantage of a problem in one of the DLLs called by TrueType in certain circumstances. If a system denies access to that DLL, T2EMBED.DLL, then the exploit would fail to work.

The workaround can be executed like this, but Microsoft cautions that applications that rely on EMBEDDED TrueType fonts could then fail to display properly:

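(For older Windows versions)
Echo y| cacls "%windir%\system32\t2embed.dll" /E /P everyone:N

(For newer Windows versions: take ownership of the file, then deny access to it)
Takeown.exe /f "%windir%\system32\t2embed.dll"
Icacls.exe "%windir%\system32\t2embed.dll" /deny everyone:(F)
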
For more details on the workaround, please see Microsoft Security Advisory: Vulnerability in TrueType font parsing could allow elevation of privileges which offers a "Fix It For Me" button to apply the work around for you.

Duqu Compared to Stuxnet



The Symantec report has 22 or so pages of original Symantec content, and then has as the majority of its body the report by the CrySyS Lab, which has a section that compares the Duqu and Stuxnet code. In particular, the Decryption function seems to be nearly identical.