What is this graphic about? Read on, Gentle Reader!
Malcovery: Email Based Threat Intelligence and GameOver Zeus
At Malcovery Security we have become EXTREMELY familiar with GameOver Zeus. Our malware analysts create multiple reports each day documenting the top Email-based threats, and as the FBI's news releases (covered earlier this week in this blog, see Is it GameOver for GameOver Zeus? document, the criminals behind GameOver Zeus have been devastatingly thorough in compromising computers. Unlike some sandboxes, when Malcovery reports on a piece of malware, we actually report on "the activity that would result on a computer compromised by this malware" in a holistic view that we call Contextual Analysis. The goal of Malware Contextual Analysis is to help answer questions like:
- How would one of my users likely be infected by this malware?
- What email subjects or messages may have sent this malware?
- Did that spam campaign deliver other malicious attachment or malicious URLs?
- If one of my users were compromised by this malware, what network activity may result?
- What additional malicious files might be downloaded by a computer compromised with this malware?
- . . . and other questions, depending on the nature of the malware
GameOver Zeus's Encrypted Drop Sites
Back in February, Malcovery reported that GameOver Zeus was being prominently loaded by means of UPATRE malware downloading an Encrypted file from the Internet, and then executing that file. (See our post: GameOver Zeus Now Uses Encryption to Bypass Perimeter Security) With GameOver Zeus possibly taking a significant hit due to the coordinated law enforcement and researcher efforts, I wanted to look at the network infrastructure that we have been warning about in our T3 reports, and just illustrate how the T3 reports can be used to alert you to activity not just from the current day's malware, but for malware that touches any part of the extensive shared infrastructure of GameOver Zeus.Since that initial post, we've seen GameOver Zeus-related encrypted files drop from more than 200 different internet locations, get decrypted by the Dropper malware, and execute themselves to begin communicating with the Peer to Peer GameOver Zeus infrastructure. The full list of many of those URLs, with the date on which we saw the spam campaign, the brand, item or company being imitated in that spam campaign, and the URLs where the GOZ binary were accessed, is available at the end of this article. Here is a sampling of some of the most recent ones for now to help understand the process...
2014-05-13 | Xerox | url::moraza.com.my/images/1305UKdp.zip |
2014-05-13 | NatWest | url::luxesydiseno.com/images/powerslide/Concha/1305UKdw.zip |
2014-05-14 | Microsoft | url::elpenterprisesinc.com/wp-content/uploads/2014/05/1405UKdw.enc |
2014-05-14 | Sage | url::ballroom-intergalactica.com/wp-content/themes/twentythirteen/css/1405UKdp.enc |
2014-05-14 | Intuit | url::mindinstitute.ro/Web3/Upload/Targ-rhc1405.dat |
2014-05-14 | NatWest | url::jessicahann.co.uk/wp-content/uploads/2013/13/1405UKmp.enc |
2014-05-14 | ADP | url::mindinstitute.ro/Web3/Upload/Targ-rhc1405.dat |
2014-05-15 | eFax | url::factoryrush.com/test/1505UKmp.zip |
2014-05-15 | UK Ministry of Justice | url::sugarlandrx.com/media/css/1505UKdp.zip |
2014-05-15 | eFax | url::dubaimovers.info/scripts/Targ-1505USdp.tar |
2014-05-15 | Fidelity | url::www.entrepreneurindia.com/css/Targ-1505USdp.tar |
2014-05-15 | Dun & Bradstreet | url::dubaimovers.info/scripts/Targ-1505USdp.tar |
2014-05-16 | Bank of America | url::kuukaarr01.com/wp-content/uploads/2014/05/Targ-1605USdp.tar |
2014-05-19 | Santander | url::paperonotel.com/Scripts/heap170id2.exe |
2014-05-19 | Wells Fargo | url::mersinprefabrik.com/Css/1905USmw.dct |
2014-05-20 | HSBC | url::task-team.com/css/2005UKmw.zip |
2014-05-20 | NYC Govt | url::lospomos.org/images/button/2005USmw.zip |
2014-05-20 | UPS | url::alamx.com/images/RCH2005.zip |
2014-05-20 | UPS | url::evedbonline.com/images/RCH2005.zip |
2014-05-20 | Royal Bank of Scotland | url::lospomos.org/images/button/2005UKmw.zip |
2014-05-20 | LexisNexis | url::evedbonline.com/images/RCH2005.zip |
2014-05-21 | Credit Agricole | url::eleanormcm.com/css/2105UKdp.rar |
2014-05-21 | HSBC | url::cedargrill.sg/css/2105UKdw.rar |
2014-05-21 | HSBC | url::chezalexye.com/css/2105UKdw.rar |
2014-05-21 | JP Morgan | url::footballmerch.com/media/css/Targ-2105USmw.tar |
2014-05-27 | Hewlett-Packard | url::lotwatch.net/images/2705UKdp.rar |
2014-05-27 | Xerox | url::auracinematics.com/acc/b02.exe |
2014-05-29 | Visa | url::qadindunyasi.az/images/Targ-2905USmp.tar |
2014-05-30 | Sky | url::3dparsian.com/images/banners/3005UKdp.rar |
2014-05-30 | HSBC | url::bag-t.com/css/3005UKmw.rar |
2014-05-30 | HSBC | url::seminarserver.com/html/3005UKmw.rar |
For each of the campaigns above, Brendan, Wayne, and J, our malware analysis team, pushed out both an XML and STIX version of the machine readable T3 reports so that our customers could update themselves with information about the spam campaign, the IP addresses that sent that spam to us, the hashes of the spam attachment, the hostile URLs, and the IP addresses associated not only with the GameOver Zeus traffic, but whatever other malware was dropped in the same campaign. As the FBI indicated, it was extremely common for GameOver Zeus infected computers to ALSO become infected with CryptoLocker.
T3: Protection for Today and Tomorrow
But how often did we see "re-use" of network infrastructure? We like to say that Malcovery's T3 report, which stands for Today's Top Threat, is really "T3: Protection for Today and Tomorrow". To illustrate this, I did some data mining in Malcovery's Threat Intelligence database.First - I isolated network activity for the 92 distinct spam campaigns illustrated above. (There were many more GameOver Zeus campaigns than that, but I was sticking to those samples that used the "encrypted file decrypted by the dropper" version that I had written about in February, so this is a sampling ...)
For each IP address that showed up in network traffic within those 92 campaigns, ranging from February 6, 2014 to May 30, 2014, I counted how many distinct campaigns that indicator had been seen in. Fifty-six IP addresses showed up in ten or more of those campaigns.
I took those IP addresses, and asked the Malcovery Threat Intelligence Database "which spam campaigns delivered malware that caused traffic to those IP addresses?" and was surprised to see not just the original 92 campaign I started with, but 360 distinct spam campaigns!! I culled that down by eliminating the campaigns that only touched ONE of those 56 IP addresses of high interest. The remaining 284 campaigns could be placed into 103 groups based on what they were imitating. Most of the top brands should be familiar to you from Malcovery's Top 10 Phished Brands That Your Anti-Virus is Missing report.
Brand Imitated in Spam | # of Campaigns Seen |
Ring Central | 30 campaigns |
HMRC | 15 campaigns |
HSBC | 13 campaigns |
Royal Bank of Scotland | 14 campaigns |
NatWest | 11 campaigns |
eFax | 11 campaigns |
Sage | 10 campaigns |
Lloyds Bank | 8 campaigns |
UK Government Gateway | 8 campaigns |
Xerox | 8 campaigns |
ADP | 6 campaigns |
Companies House | 6 campaigns |
IRS | 6 campaigns |
New Fax | 5 campaigns |
Paypal | 5 campaigns |
Sky | 5 campaigns |
UPS | 5 campaigns |
Amazon | 4 campaigns |
Bank of America | 4 campaigns |
BT.com | 4 campaigns |
Microsoft | 4 campaigns |
QuickBooks | 4 campaigns |
Wells Fargo | 4 campaigns |
4 campaigns |
I threw the data into IBM's i2 Analyst Notebook, my favorite tool for getting a quick visualization of data, and did some arrangement to try to show the regionality of the data. I know the graph is too dense to see what is in the interior, but let me explain it here:
On the left are IP addresses that are owned by Microsoft. They are arranged by Netblock, with the size of the Computer icon representing how many malware campaigns that IP was linked to. Top to bottom numerically by Netblock, these are from the 23.96 / 23.98 / 137.116, 137.135, 138.91, 168.61, 168.63, 191.232 blocks. The Microsoft traffic only started appearing in late April, so it is possible this is traffic related to "sinkholing" or attempting to enumerate the botnet as part of the investigation. I have no insider knowledge of any such activity, just stating what we observed. We *DID* go back and look at the packet captures for these runs (we keep all of our PCAPs) and the traffic was exactly like the other Peer to Peer chatter for GameOver Zeus.
On the top are IP addresses in APNIC countries. Flag test: Japan, Hong Kong, China
On the right are IP addresses in ARIN countries. (Canada, USA)
In the bottom right corner is one LACNIC IP. (Venezuela)
And on the bottom are RIPE countries. (Netherlands, Moldova, Switzerland, Great Britain, Ukraine, Sweden, Belgium, France, and Austria)
The IP addresses on the chart above are also included here in tabular form:
Prominent IP addresses Associated with GameOver Zeus and associated malware
Country | ASN# | ASN Organization | IP |
CN | 4837 | CHINA169-BACKBONE CNCGROUP China169 Backbone,CN | 221.193.254.122 |
HK | 4515 | ERX-STAR PCCW IMSBiz,HK | 113.28.179.100 |
HK | 9269 | HKBN-AS-AP Hong Kong Broadband Network Ltd.,HK | 61.244.150.9 |
HK | 4760 | HKTIMS-AP PCCW Limited,HK | 218.103.240.27 |
JP | 9365 | ITSCOM its communications Inc.,JP | 101.111.248.177 |
JP | 45687 | MCT-INTERNET Minamikyusyu CableTV Net Inc.,JP | 27.54.110.77 |
JP | 38628 | WINK-NET HIMEJI CABLE TELEVISION CORPORATION,JP | 115.126.143.176 |
JP | 9617 | ZAQ KANSAI MULTIMEDIA SERVICE COMPANY,JP | 125.4.34.229 |
CA | 577 | BACOM - Bell Canada,CA | 174.89.110.91 |
US | 36352 | AS-COLOCROSSING - ColoCrossing,US | 172.245.217.122 |
US | 22773 | ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc.,US | 98.162.170.4 |
US | 7018 | ATT-INTERNET4 - AT&T Services, Inc.,US | 75.1.220.146 |
US | 7018 | ATT-INTERNET4 - AT&T Services, Inc.,US | 99.73.173.219 |
US | 33588 | BRESNAN-AS - Charter Communications,US | 184.166.114.48 |
US | 6128 | CABLE-NET-1 - Cablevision Systems Corp.,US | 68.197.193.98 |
US | 6128 | CABLE-NET-1 - Cablevision Systems Corp.,US | 75.99.113.250 |
US | 33490 | COMCAST-33490 - Comcast Cable Communications, Inc.,US | 67.168.254.65 |
US | 7015 | COMCAST-7015 - Comcast Cable Communications Holdings, Inc,US | 73.182.194.83 |
US | 6939 | HURRICANE - Hurricane Electric, Inc.,US | 50.116.4.71 |
US | 8075 | MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US | 137.116.225.57 |
US | 8075 | MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US | 137.116.229.40 |
US | 8075 | MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US | 137.117.197.214 |
US | 8075 | MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US | 137.117.72.241 |
US | 8075 | MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US | 137.135.218.230 |
US | 8075 | MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US | 138.91.18.14 |
US | 8075 | MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US | 138.91.187.61 |
US | 8075 | MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US | 138.91.49.30 |
US | 8075 | MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US | 168.61.80.142 |
US | 8075 | MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US | 168.61.87.1 |
US | 8075 | MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US | 168.63.154.114 |
US | 8075 | MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US | 168.63.211.182 |
US | 8075 | MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US | 168.63.62.72 |
US | 8075 | MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US | 23.96.34.43 |
US | 8075 | MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US | 23.97.133.13 |
US | 8075 | MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US | 23.98.41.229 |
US | 8075 | MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US | 23.98.42.224 |
US | 8075 | MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US | 23.98.64.182 |
BR | 8075 | MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US | 191.234.43.118 |
BR | 8075 | MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US | 191.234.52.206 |
BR | 8075 | MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US | 191.236.85.223 |
VE | 8048 | CANTV Servicios, Venezuela,VE | 190.37.198.162 |
AT | 8437 | UTA-AS Tele2 Telecommunication GmbH,AT | 81.189.6.76 |
BE | 5432 | BELGACOM-SKYNET-AS BELGACOM S.A.,BE | 194.78.138.100 |
CH | 15600 | FINECOM Finecom Telecommunications AG,CH | 77.239.59.243 |
FR | 16276 | OVH OVH SAS,FR | 94.23.32.170 |
GB | 2856 | BT-UK-AS BTnet UK Regional network,GB | 109.153.212.95 |
GB | 2856 | BT-UK-AS BTnet UK Regional network,GB | 213.120.146.245 |
GB | 2856 | BT-UK-AS BTnet UK Regional network,GB | 86.159.38.32 |
MD | 31252 | STARNET-AS StarNet Moldova,MD | 89.28.59.166 |
NL | 1103 | SURFNET-NL SURFnet, The Netherlands,NL | 130.37.198.100 |
NL | 1103 | SURFNET-NL SURFnet, The Netherlands,NL | 130.37.198.90 |
SE | 39287 | FLATTR-AS Flattr AB,SE | 95.215.16.10 |
UA | 13188 | BANKINFORM-AS TOV _Bank-Inform_,UA | 37.57.41.161 |
UA | 21219 | DATAGROUP PRIVATE JOINT STOCK COMPANY _DATAGROUP_,UA | 195.114.152.188 |
UA | 42471 | FALSTAP-AS OOO TRK Falstap,UA | 85.198.156.189 |
UA | 29688 | VOSTOKLTD VOSTOK Ltd.,UA | 31.42.75.203 |
Encrypted GameOver Zeus URLs seen by Malcovery
2014-02-06 | UK Govt Gateway | url::newz24x.com/wp-content/uploads/2014/02/pdf.enc |
2014-02-06 | UK Govt Gateway | url::oilwellme.com/images/banners/pdf.enc |
2014-02-06 | TNT UK | url::newz24x.com/wp-content/uploads/2014/02/pdf.enc |
2014-02-06 | TNT UK | url::oilwellme.com/images/banners/pdf.enc |
2014-02-10 | UK2fax | url::agrimarsystem.pe/images/10UKrh.enc |
2014-02-10 | UK2fax | url::pro-viewer.com/images/10UKrh.enc |
2014-02-12 | Royal Bank of Scotland | url::buzzers.in/media/catalog/category/12UKp.mp3 |
2014-02-12 | Royal Bank of Scotland | url::erp.zebronics.com/images/12UKp.mp3 |
2014-02-18 | RingCentral | url::iatablet.com/oc-content/uploads/HTML/al1402.pic |
2014-02-18 | RingCentral | url::vietdongatravel.com/image/data/logo/al1402.pic |
2014-03-05 | Standard Chartered Bank | url::broadproductz.zapto.org/ndu/guru/config.bin |
2014-03-05 | Standard Chartered Bank | url::broadproductz.zapto.org/ndu/guru/gate.php |
2014-03-06 | RingCentral | url::thebaymanbook.com/wp-content/uploads/2014/03/al2602.big |
2014-03-06 | RingCentral | url::dominionfoodie.com/images/al2602.big |
2014-03-06 | Adobe | url::cdn.cmatecdnfast.us/os/js/OfferScreen_240_EN.zip |
2014-03-06 | Adobe | url::cdn.cmatecdnfast.us/os/js/OfferScreen_260_EN.zip |
2014-03-06 | Adobe | url::cdn.cmatecdnfast.us/os/OfferScreen_243_FP_spws243.zip |
2014-03-06 | Adobe | url::cdn.eastwhitecoal.us/Advertisers/FlashPlayer_Installer.exe |
2014-03-06 | Adobe | url::downloadupdates.in/MB1/downloadupdate.in/style.css |
2014-03-06 | Adobe | url::downloadupdates.in/MB1/flash_thankyou.php |
2014-03-06 | French Government | url::adultagencyads.com/images/2010/0603UKp.big |
2014-03-06 | French Government | url::trudeausociety.com/images/flash/0603UKp.big |
2014-03-18 | Citi | url::jswcompounding-usa.com/images/TARGT.tp |
2014-03-18 | Citi | url::thesymptomatologynetwork.com/images/TARGT.tp |
2014-03-20 | BankofAmerica | url::lovestogarden.com/images/general/TARGT.tpl |
2014-03-20 | BankofAmerica | url::villaveronica.it/gallery/TARGT.tpl |
2014-03-21 | Companies House | url::fidaintel.com/images/2103UKp.qta |
2014-03-21 | Companies House | url::premiercrufinewine.co.uk/wp-content/uploads/2014/03/2103UKp.qta |
2014-03-21 | New Fax | url::gulf-industrial.com/images/2103USa.qta |
2014-03-21 | QuickBooks | url::bodyfriend.co.uk/images/2103USp.qta |
2014-03-21 | QuickBooks | url::overtonsheepfair.co.uk/wp-content/uploads/2012/06/2103USp.qta |
2014-03-27 | Banque Populaire | url::myeapp.com/wp-content/uploads/2014/03/TARG1.git |
2014-03-27 | Banque Populaire | url::ramirezcr.com/images/TARG1.git |
2014-03-27 | HSBC | url::knockoutsecrets.com/wp-content/uploads/2014/03/2703UKc.git |
2014-03-27 | HSBC | url::vequi.com/images/2703UKc.git |
2014-03-28 | Sky | url::hardmoneylenderslosangeles.com/abc/2803UKd.wer |
2014-03-28 | Sky | url::igsoa.net/Book/2803UKd.wer |
2014-03-28 | Sage | url::hardmoneylenderslosangeles.com/abc/2803UKd.wer |
2014-03-28 | Sage | url::igsoa.net/Book/2803UKd.wer |
2014-03-31 | Voicemail Message | url::albergolarese.com/css/3103UKm.rih |
2014-03-31 | Voicemail Message | url::direttauto.com/scripts/3103UKm.rih |
2014-03-31 | Lloyds Bank | url::bormanns-wetter.de/scripts/3103UKd.rih |
2014-03-31 | Lloyds Bank | url::brucewhite.org/images/3103UKd.rih |
2014-04-01 | RingCentral | url::atlantafloorinstallation.com/wp-content/plugins/akismet/index.zpi |
2014-04-01 | RingCentral | url::ayat.onlinewebshop.net/img/index.zpi |
2014-04-01 | Royal Bank of Scotland | url::miss-loly.com/Scripts/0104UKd.bis |
2014-04-01 | Royal Bank of Scotland | url::photovolt.ro/script/0104UKd.bis |
2014-04-01 | eFax | url::apacsolutions.com/test/Targ-0104USr.bis |
2014-04-01 | eFax | url::cfklc.com/downloads/Targ-0104USr.bis |
2014-04-01 | Wells Fargo | url::all-products.biz/css/Targ-0104USd.bis |
2014-04-01 | Wells Fargo | url::smokeylegend.com/css/Targ-0104USd.bis |
2014-04-01 | Xerox | url::atifmalikmd.org/css/Targ-0104USm.bis |
2014-04-01 | Xerox | url::contactdbinc.com/css/Targ-0104USm.bis |
2014-04-07 | New Fax | url::abwidiyantoro.com/images/0804UKm.jpi |
2014-04-07 | New Fax | url::kworldgroup.com/css/0804UKc.jpi |
2014-04-07 | New Fax | url::rainda.com/css/0804UKc.jpi |
2014-04-07 | New Fax | url::robertcairns.co.uk/wp-content/uploads/2014/04/0804UKm.jpi |
2014-04-07 | NY Dept of Taxation and Finance | url::gisticinc.com/wp-content/uploads/2014/04/0804UKr.jpi |
2014-04-07 | NY Dept of Taxation and Finance | url::vtiger.gisticinc.com/test/logo/0804UKr.jpi |
2014-04-08 | Swiftpage, Inc | url::isapport.com/Images/n0804UKm.dim |
2014-04-08 | Swiftpage, Inc | url::metek-mkt.com/images/scripts/n0804UKm.dim |
2014-04-09 | HSBC | url::musicbanda.com/css/0904UKd.rar |
2014-04-09 | HSBC | url::sunsing.com.sg/images/0904UKd.rar |
2014-04-09 | New Fax | url::renaissancepmc.com/scripts/0904US.rar |
2014-04-09 | New Fax | url::thegrandbasant.com/img/icons/0904US.rar |
2014-04-10 | Xerox | url::ebazari.com/uploads/brands/Targ-1004USr.enc |
2014-04-10 | Xerox | url::rollonskips.com/images/banners/Targ-1004USr.enc |
2014-04-14 | Santander | url::vv-international.eu/food/1404UKd.rar |
2014-04-17 | PayPal | url::artncraftemporio.com/media/css/1704UKd.rar |
2014-04-17 | PayPal | url::hrprovider.com/img/img/1704UKd.rar |
2014-04-17 | PayPal | url::artncraftemporio.com/media/css/1704UKd.rar |
2014-04-17 | PayPal | url::hrprovider.com/img/img/1704UKd.rar |
2014-04-17 | IRS | url::fergieandco.org/wp-content/uploads/2014/03/Targ-1704USd.rar |
2014-04-17 | IRS | url::newsilike.in/wp-content/lbp-css/black/Targ-1704USd.rar |
2014-04-23 | Royal Bank of Scotland | url::aoneteleshop.com/images/payments/s2304UKd.rar |
2014-04-23 | Royal Bank of Scotland | url::czargroup.net/wp-content/uploads/2014/04/s2304UKd.rar |
2014-04-23 | Companies House | url::aoneteleshop.com/images/payments/s2304UKd.rar |
2014-04-23 | Companies House | url::www.czargroup.net/wp-content/uploads/2014/04/s2304UKd.rar |
2014-04-24 | Generic Voicemail | url::dotspiders.sg/test/clocks/2404UKs.tar |
2014-04-24 | Generic Voicemail | url::mc-saferentals.com/images/2404UKs.tar |
2014-04-25 | Unity Messaging System | url::altpowerpro.com/images/stories/highslide/Targ-2404USm.tar |
2014-04-25 | Unity Messaging System | url::tmupi.com/media/images/icons/team/Targ-2404USm.tar |
2014-04-29 | Citi | url::capsnregalia.com/download/2904UKpm.zip |
2014-04-29 | Citi | url::perfumeriaamalia.com/images/stories/2904UKpm.zip |
2014-04-30 | UK Gov't Gateway | url::factoryrush.com/boxbeat/uploads/3004UKdp.tar |
2014-04-30 | UK Gov't Gateway | url::vestury.com/js/fckeditor/editor/js/3004UKdp.tar |
2014-04-30 | Sky | url::factoryrush.com/boxbeat/uploads/3004UKdp.tar |
2014-04-30 | Sky | url::vestury.com/js/fckeditor/editor/js/3004UKdp.tar |
2014-04-30 | IRS | url::capsnregalia.com/download/scripts/Targ-3004USmp.tar |
2014-04-30 | IRS | url::worldbuy.biz/scripts/Targ-3004USmw.tar |
2014-05-05 | Microsoft | url::iknowstudio.com/scripts/0505USdw.dat |
2014-05-05 | Microsoft | url::luxesydiseno.com/images/stories/brands/0505USdw.dat |
2014-05-06 | BT.com | url::BIZ-VENTURES.NET/scripts/0605UKdp.rar |
2014-05-06 | BT.com | url::realtech-international.com/css/0605UKdp.rar |
2014-05-06 | HMRC | url::BIZ-VENTURES.NET/scripts/0605UKdp.rar |
2014-05-06 | HMRC | url::realtech-international.com/css/0605UKdp.rar |
2014-05-06 | Generic Voicemail | url::oligroupbd.com/images/Targ-0605USmw.enc |
2014-05-06 | Generic Voicemail | url::touchegolf.com/css/Targ-0605USmw.enc |
2014-05-06 | US Postal Service | url::eirtel.ci/images/0605USdw.enc |
2014-05-06 | US Postal Service | url::smartsolutions.ly/css/0605USdw.enc |
2014-05-07 | Bank of America | url::addcomputers.com/downloads/Targ-0705USmw.enc |
2014-05-07 | Bank of America | url::mindinstitute.ro/images/Targ-0705USmw.enc |
2014-05-07 | NYC Govt | url::addcomputers.com/downloads/Targ-0705USmw.enc |
2014-05-07 | NYC Govt | url::mindinstitute.ro/images/Targ-0705USmw.enc |
2014-05-07 | BT.com | url::k-m-a.org.uk/images/jquerytree/0705USmp.enc |
2014-05-07 | BT.com | url::tuckerspride.com/wp-content/uploads/2014/05/0705USmp.enc |
2014-05-07 | NatWest | url::bumisaing.com/wpimages/wpThumbnails/0705UKmp.zip |
2014-05-07 | NatWest | url::generation.com.pk/flash/0705UKmp.zip |
2014-05-07 | Swiftpage | url::bumisaing.com/wpimages/wpThumbnails/0705UKmp.zip |
2014-05-07 | Swiftpage | url::generation.com.pk/flash/0705UKmp.zip |
2014-05-07 | Swiftpage | url::bumisaing.com/wpimages/wpThumbnails/0705UKmp.zip |
2014-05-07 | Swiftpage | url::generation.com.pk/flash/0705UKmp.zip |
2014-05-07 | QuickBooks | url::k-m-a.org.uk/images/jquerytree/0705USmp.enc |
2014-05-07 | QuickBooks | url::tuckerspride.com/wp-content/uploads/2014/05/0705USmp.enc |
2014-05-08 | Companies House | url::accessdi.com/wp-content/uploads/2014/05/0805UKdp.dat |
2014-05-08 | Companies House | url::mpharmhb.com/images/banners/0805UKdp.dat |
2014-05-08 | Paychex | url::localalarmbids.com/wp-content/uploads/2012/12/0805USmp.rar |
2014-05-08 | Paychex | url::pharmaholic.com/images/banners/0805USmp.rar |
2014-05-12 | NatWest | url::plvan.com/css/1205UKdm.tar |
2014-05-12 | NatWest | url::srhhealthfoods.com/test/1205UKdm.tar |
2014-05-12 | ADP | url::datanethosting.com/css/Targ-1205USmp.enc |
2014-05-12 | ADP | url::distrioficinas.com/fonts/Targ-1205USmp.enc |
2014-05-12 | Royal Bank of Scotland | url::plvan.com/css/1205UKdm.tar |
2014-05-12 | Royal Bank of Scotland | url::srhhealthfoods.com/test/1205UKdm.tar |
2014-05-13 | IRS | url::consumerfed.net/css/1305UKmw.zip |
2014-05-13 | IRS | url::irishtroutflies.ie/images/1305UKmw.zip |
2014-05-13 | NYC Govt | url::loquay.com/css/1305UKdp.zip |
2014-05-13 | NYC Govt | url::moraza.com.my/images/1305UKdp.zip |
2014-05-13 | Xerox | url::loquay.com/css/1305UKdp.zip |
2014-05-13 | Xerox | url::moraza.com.my/images/1305UKdp.zip |
2014-05-13 | NatWest | url::luxesydiseno.com/images/powerslide/Concha/1305UKdw.zip |
2014-05-13 | NatWest | url::paulaggg.com/css/1305UKdw.zip |
2014-05-14 | Microsoft | url::djdawson.com/css/1405UKdw.enc |
2014-05-14 | Microsoft | url::elpenterprisesinc.com/wp-content/uploads/2014/05/1405UKdw.enc |
2014-05-14 | Sage | url::ballroom-intergalactica.com/wp-content/themes/twentythirteen/css/1405UKdp.enc |
2014-05-14 | Sage | url::indoorea.com/webfiles/css/1405UKdp.enc |
2014-05-14 | Intuit | url::martabrixton.com/css/Targ-rhc1405.dat |
2014-05-14 | Intuit | url::mindinstitute.ro/Web3/Upload/Targ-rhc1405.dat |
2014-05-14 | NatWest | url::jessicahann.co.uk/wp-content/uploads/2013/13/1405UKmp.enc |
2014-05-14 | NatWest | url::mortgagebidders.ca/fonts/1405UKmp.enc |
2014-05-14 | ADP | url::martabrixton.com/css/Targ-rhc1405.dat |
2014-05-14 | ADP | url::mindinstitute.ro/Web3/Upload/Targ-rhc1405.dat |
2014-05-15 | eFax | url::factoryrush.com/test/1505UKmp.zip |
2014-05-15 | eFax | url::techwin.com.pk/css/1505UKmp.zip |
2014-05-15 | UK Ministry of Justice | url::floworldonline.com/wp-content/uploads/2014/04/1505UKdp.zip |
2014-05-15 | UK Ministry of Justice | url::sugarlandrx.com/media/css/1505UKdp.zip |
2014-05-15 | eFax | url::dubaimovers.info/scripts/Targ-1505USdp.tar |
2014-05-15 | eFax | url::entrepreneurindia.com/css/Targ-1505USdp.tar |
2014-05-15 | eFax | url::www.entrepreneurindia.com/css/Targ-1505USdp.tar |
2014-05-15 | Fidelity | url::dubaimovers.info/scripts/Targ-1505USdp.tar |
2014-05-15 | Fidelity | url::entrepreneurindia.com/css/Targ-1505USdp.tar |
2014-05-15 | Fidelity | url::www.entrepreneurindia.com/css/Targ-1505USdp.tar |
2014-05-15 | Dun & Bradstreet | url::dubaimovers.info/scripts/Targ-1505USdp.tar |
2014-05-15 | Dun & Bradstreet | url::entrepreneurindia.com/css/Targ-1505USdp.tar |
2014-05-15 | Dun & Bradstreet | url::www.entrepreneurindia.com/css/Targ-1505USdp.tar |
2014-05-16 | Bank of America | url::gmdf.net/js/Targ-1605USdw.tar |
2014-05-16 | Bank of America | url::gmdf.net/js/Targ-1605USdw.tar |
2014-05-16 | Bank of America | url::kuukaarr01.com/wp-content/uploads/2014/05/Targ-1605USdp.tar |
2014-05-16 | Bank of America | url::kuukaarr02.com/wp-content/uploads/2014/05/Targ-1605USdw.tar |
2014-05-16 | Bank of America | url::kuukaarr02.com/wp-content/uploads/2014/05/Targ-1605USdw.tar |
2014-05-16 | Bank of America | url::malkanat.com/images/Targ-1605USdp.tar |
2014-05-16 | Bank of America | https://dl.dropboxusercontent.com/s/vfoim5op006sjdv/SecureMessage.zip |
2014-05-16 | Bank of America | https://dl.dropboxusercontent.com/s/xn26h1fppik5np6/BankofAmerica.scr |
2014-05-19 | Santander | url::aanchalgroup.com/wp-content/uploads/2013/09/1905UKdp.zip |
2014-05-19 | Santander | url::albus-capital.com/css/1905UKdp.zip |
2014-05-19 | Santander | url::paperonotel.com/Scripts/heap170id2.exe |
2014-05-19 | Wells Fargo | url::mersinprefabrik.com/Css/1905USmw.dct |
2014-05-19 | Wells Fargo | url::paperonotel.com/Scripts/heap170id2.exe |
2014-05-19 | Wells Fargo | url::seminarserver.com/css/1905USmw.dct |
2014-05-20 | HSBC | url::lospomos.org/images/button/2005UKmw.zip |
2014-05-20 | HSBC | url::task-team.com/css/2005UKmw.zip |
2014-05-20 | NYC Govt | url::lospomos.org/images/button/2005USmw.zip |
2014-05-20 | NYC Govt | url::task-team.com/css/2005USmw.zip |
2014-05-20 | UPS | url::auracinematics.com/christine/Christine/2005USdp.zip |
2014-05-20 | UPS | url::protecca.com/fonts/2005USdp.zip |
2014-05-20 | UPS | url::alamx.com/images/RCH2005.zip |
2014-05-20 | UPS | url::evedbonline.com/images/RCH2005.zip |
2014-05-20 | Royal Bank of Scotland | url::lospomos.org/images/button/2005UKmw.zip |
2014-05-20 | Royal Bank of Scotland | url::task-team.com/css/2005UKmw.zip |
2014-05-20 | LexisNexis | url::alamx.com/images/RCH2005.zip |
2014-05-20 | LexisNexis | url::evedbonline.com/images/RCH2005.zip |
2014-05-21 | Credit Agricole | url::eleanormcm.com/css/2105UKdp.rar |
2014-05-21 | Credit Agricole | url::frizou.org/06-images/2105UKdp.rar |
2014-05-21 | Credit Agricole | url::paperonotel.com/Scripts/heap170id2.exe |
2014-05-21 | HSBC | url::cedargrill.sg/css/2105UKdw.rar |
2014-05-21 | HSBC | url::chezalexye.com/css/2105UKdw.rar |
2014-05-21 | JP Morgan | url::footballmerch.com/media/css/Targ-2105USmw.tar |
2014-05-21 | JP Morgan | url::myacoub.com/wp-content/uploads/2014/05/Targ-2105USmw.tar |
2014-05-27 | Hewlett-Packard | url::flutterhost.com/demo/2705UKdp.rar |
2014-05-27 | Hewlett-Packard | url::lotwatch.net/images/2705UKdp.rar |
2014-05-27 | Xerox | url::auracinematics.com/acc/b02.exe |
2014-05-27 | Xerox | url::feelhomely.com/beta/eshopbox/2705USmp.opt |
2014-05-27 | Xerox | url::the-dunn.com/css/2705USmp.opt |
2014-05-27 | Xerox | url::auracinematics.com/acc/b02.exe |
2014-05-27 | Xerox | url::feelhomely.com/beta/eshopbox/2705USmp.opt |
2014-05-27 | Xerox | url::the-dunn.com/css/2705USmp.opt |
2014-05-29 | Visa | url::homerenov.org/wp-content/uploads/2014/05/Targ-2905USmp.tar |
2014-05-29 | Visa | url::qadindunyasi.az/images/Targ-2905USmp.tar |
2014-05-30 | Sky | url::3dparsian.com/images/banners/3005UKdp.rar |
2014-05-30 | Sky | url::kuukaarr01.com/wp-content/themes/twentytwelve/css/3005UKdp.rar |
2014-05-30 | Sky | url::utraconindia.com/images/social/heapid2.exe |
2014-05-30 | HSBC | url::bag-t.com/css/3005UKmw.rar |
2014-05-30 | HSBC | url::seminarserver.com/html/3005UKmw.rar |
No comments:
Post a Comment
Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.