Problems at metacafe.com?

Cite: http://www.google.com/safebrowsing/diagnostic?site=metacafe.com

 

“Of the 15199 pages we tested on the site over the past 90 days, 5944 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-05-18, and the last time suspicious content was found on this site was on 2012-05-17.”

 

image

 

openx-master.info
ICANN Registrar: DomainContext Inc
Created 17 May 2012

*****

metaafe.info (It’s worrying that a malicious incident on metacafe.com involved a domain so similarly named – metaafe.info – because that points to a human-managed attack, not just random scanning for, and automated use of, vulnerable OpenX installs)


ICANN Registrar: DomainContext Inc
Created 17 May 2012

*****

openxmasters.info
ICANN Registrar: DomainContext Inc
Created 17 May 2012
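
The similarity noted above between metaafe.info and metacafe.com can be checked mechanically. This is an added example, not code from the original post, and it generalizes beyond that one case: it flags registrations that copy a watched domain through changed punctuation, a one-character edit, or appended words. The `BRANDS` watch list and the function names are assumptions; the sample domains are ones named on this blog.

```python
import re

# Assumed watch list: legitimate domains named in these posts.
BRANDS = ["metacafe.com", "openx.org", "ads.turn.com", "repequity.com"]
CONFUSABLE = str.maketrans("01", "ol")  # digits commonly swapped for letters

def fold(domain):
    """Reduce a hostname to comparable letters: drop the TLD, dots and hyphens."""
    stem = domain.lower().rstrip(".").rsplit(".", 1)[0]  # crude: last label only
    return re.sub(r"[^a-z0-9]", "", stem).translate(CONFUSABLE)

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def imitates(domain, brands=BRANDS):
    """Return (brand, reason) if domain looks like a copy of a brand, else None."""
    host = domain.lower().rstrip(".")
    if any(host == b or host.endswith("." + b) for b in brands):
        return None  # the brand's own domain or one of its subdomains
    cand = fold(host)
    for brand in brands:
        ref = fold(brand)
        if cand == ref:
            return brand, "same letters, different punctuation or TLD"
        if edit_distance(cand, ref) == 1:
            return brand, "one character off"
        if len(ref) >= 5 and ref in cand:
            return brand, "brand name with extra words"
    return None

if __name__ == "__main__":
    for d in ["metaafe.info", "openx-master.info", "openxmasters.info",
              "adsturn.com", "RepEquityinc.com", "www.metacafe.com"]:
        print(d, "->", imitates(d))
```

The TLD handling is deliberately crude (it drops only the last label), so multi-part suffixes such as .com.au need a public-suffix list before this is used on real registration feeds.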

 

Some other recently reported bad domains have been:

ptsector.com
ICANN Registrar: Register.com, Inc
Created 8 May 2012

Registrant: Jacob Hayes, hiltonparis390@yahoo.com

*****

MULTIPLEXTENT.COM (http://www.google.com/safebrowsing/diagnostic?site=multiplextent.com)
ICANN Registrar: Register.com, Inc
Created 15 May 2012

Registrant: Jacob Hayes, hiltonparis390@yahoo.com

*****

WEBEXPERTEST.COM (http://www.google.com/safebrowsing/diagnostic?site=WEBEXPERTEST.COM)
ICANN Registrar: Register.com, Inc
Created 15 May 2012

Registrant: Jacob Hayes, hiltonparis390@yahoo.com

adultfriendfinder.com spam

Subject: “FWD: ALERT: You have an E-Card from your Secret Admirer.”

image

 

Clicking on the URL leads you here – just so we’re all clear, nobody actually has a crush on you (sorry):

image

 

Click on “My Profile and Pics” and you end up at adultfriendfinders.com:

image

 

The Privacy Policy hyperlink and Terms of Use hyperlink are both adultfriendfinder.com URLs:

image

Alert: OS X Lion update exposes encryption passwords

This, I would have to say, is a pretty basic, and bad, screwup.

“a quality assurance mistake can cause OS X users' FileVault encryption passwords to be exposed”

Cite: http://nakedsecurity.sophos.com/2012/05/06/apple-update-to-os-x-lion-exposes-encryption-passwords/?utm_source=facebook&utm_medium=status+message&utm_campaign=naked+security

“It appears that a debug option was accidentally left enabled in FileVault, resulting in the user's password being saved in plain text in a log file accessible outside of the encrypted area.

Anyone with access to the disk can read the file containing the password and use it to log into the encrypted area of the disk, rendering the encryption pointless and permitting access to potentially sensitive documents. This could occur through theft, physical access, or a piece of malware that knows where to look.”

Domains implicated in malvertizing incidents

checkingserve.com
ICANN Registrar: Register.com Inc
Created 24 April 2012

IP: 216.21.239.197

Registrant: Tom Baker (medows_time@yahoo.com)

*****

trackingserviced.com
ICANN Registrar: Register.com Inc
Created 26 April 2012

IP: 216.21.239.197

Registrant: Tom Baker (medows_time@yahoo.com)

*****

directionmedian.com
ICANN Registrar: Register.com Inc
Created 20 April 2012

IP: 216.21.239.197

Registrant: Hidden behind Domain Discreet Privacy Service

*****

adalphatrack.com
ICANN Registrar: Todaynic.com, Inc
Created 20 April 2012

IP: 89.144.12.203

Registrant: Jeff M Vail (jeffmvailt@gmail.com)

Sharing IP with 24cpmtrack.com

*****

24cpmtrack.com
ICANN Registrar: Todaynic.com, Inc
Created 20 April 2012

Registrant: Phillip S Perez (phillipsperez@yahoo.com)

*****

24cpm.com
ICANN Registrar: Todaynic.com, Inc
Created 20 April 2012

IP: 89.144.12.203

Registrant: Joseph S Combs (josephscombsinc@gmail.com)

*****

An IP range that should be treated with extreme caution:


Posted by sandi with no comments

Users of OpenX versions 2.8.0 - 2.8.8 – please read!!

http://blog.openx.org/05/security-update-for-openx-28-users/

 

“A recent security issue with OpenX versions 2.8.0 - 2.8.8 means users of these versions of the platform should take the following steps:

1. Secure their servers by removing the files being exploited:

  • www/admin/account-settings-debug.php
  • www/admin/plugin-index.php
  • www/admin/plugin-settings.php
  • www/admin/admin-user.php

2. Removing these scripts will impact some of the user/plugin management systems, but will not affect existing users/plugins, and will not affect ad serving.

3. Replace the www/admin/dashboard.php file with the one in this archive so as to not break the login process.

Users can tell if they have been affected by this by checking for a rogue admin user named “openx-manager” in their UI at http://<your_admin_domain>/www/admin/admin-access.php

If the above user is found, it should be removed, and a full security audit should be performed.

We strongly encourage users to lock down their config file. Additionally, users should notify security@openx.com if they ever become aware of a security matter.”
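
The advisory's checks, gathered into one function as an added example (this is not OpenX's code or the post author's). The function name, the `var/*.conf.php` config location, and the reading of "lock down" as no write access for group or others are assumptions; the admin usernames are supplied by hand from the admin-access page.

```python
import stat
from pathlib import Path

# Scripts the advisory says to remove, relative to the OpenX install root.
EXPLOITED = (
    "www/admin/account-settings-debug.php",
    "www/admin/plugin-index.php",
    "www/admin/plugin-settings.php",
    "www/admin/admin-user.php",
)
ROGUE_ADMIN = "openx-manager"

def audit_openx(root, admin_users=(), config_glob="var/*.conf.php"):
    """Report what the advisory's checks find under one OpenX 2.8.x install.

    admin_users: usernames copied from the admin-access page (assumed input).
    config_glob: assumed location of the config file; adjust to the install.
    """
    root = Path(root)
    # is_symlink() also catches a dangling link left where a script used to be.
    leftover = [p for p in EXPLOITED
                if (root / p).exists() or (root / p).is_symlink()]
    # Compared case-insensitively so a re-cased copy of the name is still caught.
    rogue = any(u.strip().lower() == ROGUE_ADMIN for u in admin_users)
    # "Lock down" is read here as: no write access for group or others.
    loose = sorted(
        str(c.relative_to(root)) for c in root.glob(config_glob)
        if c.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    )
    return {
        "remove": leftover,
        "rogue_admin": rogue,          # if True: delete the user, run a full audit
        "writable_config": loose,
        "ok": not (leftover or rogue or loose),
    }
```

The check does not cover step 3: whether `www/admin/dashboard.php` has been replaced can only be confirmed against the file in the vendor's archive.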

Fake USPS postage labels invoice

Again, it’s not real – and again, hovering over a hyperlink in the email is a dead giveaway…

 

image

Fake Facebook emails

The pictured emails are not real Facebook emails – look at the URLs that are exposed when you hover your mouse cursor over the “sign in” and “reactivate” links.

image

 

image

English as a second language….

<sigh>


Posted by sandi with no comments

This is not an email from Careerbuilder

See the URL that appears when you hover over the words “Senior Team Lead”?

I received about half a dozen versions of this spam mail overnight.

image

This is not a real LinkedIn notification

Note the URL exposed when you mouse over a hyperlink.

 

image

Reported bad domains

CLKTURN.NET
ICANN Registrar: Todaynic.com
Created 9 March 2012

IP: 85.93.18.203

Registrant: Marcos P Robledo, marcosprobledoint@gmail.com

Shares IP with advirginmobile.com and impsserv.com (that first domain is a bit of a giveaway, yes?)

****

ADVIRGINMOBILE.COM
ICANN Registrar: Bizcn.com
Created 27 March 2012

Registrant: Bosting, Michael Brown, michaelbrown@teleworm.com

*****

IMPSSERV.COM
ICANN Registrar: Bizcn.com
Created 15 March 2012

Registrant: Can’t tell you because of this…

image

****

Domains in the same netblock – some pretty obvious attempts at impersonation there…


Posted by sandi with 1 comment(s)

ICANN Oops…

http://www.icann.org/en/news/announcements/announcement-14apr12-en.htm

 

Actually, can anybody find a web site privacy policy for icann.org? Maybe I’m blind, but I can’t find it…

 

“14 April 2012

Statement by Akram Atallah, COO

As we have reported, ICANN has learned of a technical issue with the TLD application system software, or TAS, that allowed a limited number of users to view some other users' file names and user names in certain scenarios. We temporarily shut the system down on 12 April 2012 to protect applicant data, and to look into the technical issue and fix it.

As part of that process, we are sifting through the thousands of customer service inquiries received since the opening of the application submission period. This preliminary review has identified a user report on 19 March that appears to be the first report related to this technical issue.

Although we believed the issues identified in the initial and subsequent reports had been addressed, on 12 April we confirmed that there was a continuing unresolved issue and we shut down the system.

We are still aggressively looking into the issue, and we will publish additional information as soon as it can be confirmed.

We recognize the importance of reopening the application system as soon as possible. We will announce no later than 23:59 GMT/UTC on Monday, 16 April, whether we will be able to reopen on Tuesday, 17 April 2012.

Thank you for your patience as we work to resolve this issue.”

 

Updates here:
http://www.icann.org/en/news/announcements/announcement-15apr12-en.htm
http://www.icann.org/en/news/announcements/announcement-16apr12-en.htm <—ok, now it’s a “glitch”, not a “technical issue”
http://www.icann.org/en/news/announcements/announcement-17apr12-en.htm

 

image

Dear HP… that really isn’t a very helpful dialogue box…

Just saying…

image

 

The only way to get rid of the darned thing is to fire up Task Manager and shut down the HPWUCli.exe process (sigh)

Posted by sandi with 1 comment(s)

Bigpond phish

This email is NOT from Bigpond.

image

Interestingly it seems to have been sent to the @bigpond.com email recipient using a compromised @bigpond.com user account.

image

The source IP address, 180.215.155.152, is in India.

image

If you reply to the email, your email actually goes to webaccountdept@w.cn:

image

w.cn is registered to Xiamen Yi Network Technology Co., Ltd.

The email that I received is dated 22 February 2012; as at 4 March 2012 they were still being seen.

The same reply to address is also being used for a Lottery Scam email.

Lots of bad domains…

Thank you to the source – you know who you are :)


Posted by sandi with 2 comment(s)

Impersonator domain - RepEquityinc.com

RepEquityinc.com – reported as impersonating the legitimate domain RepEquity.com and claiming to represent RealtyTrac

ICANN Registrar: BIZCN.COM
Created 2 March 2012
IP: 64.120.234.197

Registrant: Fern Tindell (admin@repequityinc.com)

Sharing IP address with 9 other domains: 1285.ru, blackseoworld.com, canstansa.com, earthclassmail-corporate.com, legalsklad.com, mansuetocorp.com, virtualpostmail.net, vvsmail.com, wbshop.biz

Provided the following impersonator domains as references:

sinclairgroup.us

ICANN Registrar: TODAYNIC.COM
Created 5 March 2012
IP: 64.120.234.196

Registrant: Sinclair Broadcast Group, Inc (web@sinclairgroup.us)

lnnetwork.com

ICANN Registrar: TODAYNIC.COM
Created 5 March 2012
IP: 64.120.234.195

Registrant: Live Nation Worldwide (dns@livenation.com)

zyngaincorporated.com

ICANN Registrar: BIZCN.COM
Created 7 March 2012
IP: loopback (127.0.0.2)

Registrant: Idea Engineering Inc (admin@dnstination.com)

Posted by sandi with no comments

Reported as being used for malvertizing - metsotr.com

metsotr.com

ICANN Registrar: BIZCN.COM
Created 19 March 2012
IP: 85.93.18.205

Registrant: Alfred Steele (1@contrackcrt.com)

Shares IP with contrackcrt.com

ICANN Registrar: BIZCN.COM

Created 19 March 2012

Registrant: Alfred Steele 1@contrackcrt.com

Posted by sandi with no comments

Reported as being used for malvertizing - adsturn.com

adsturn.com (Note: do not confuse with the legitimate domain ads.turn.com)

ICANN Registrar: TODAYNIC.COM
IP: 85.93.18.198
Created 9 March 2012

Registrant: Michael V Simpson (michaelvsimpson@gmail.com)

Some digging brings up interclickctr.com sharing the same IP address

ICANN Registrar: BIZCN.COM
Created 9 March 2012

Registrant: INST Ads (cpmtrack@cpmtrack.net)

cpmtrack.net

ICANN Registrar: BIZCN.COM
Created 9 March 2012

Registrant: INST Ads (cpmtrack@cpmtrack.net)

Posted by sandi with no comments