Internet Domain Registry

Tuesday, 15 December 2009

China changes registration rules - will spam changes follow?

Posted on 06:42 by Unknown
Big news from China with regards to their domain name registration policies.

Readers of the blog know that I have regularly complained about criminals from around the world abusing the services of Chinese domain name registration companies. We have also commented on the practice of "bullet-proof hosting", for instance in our story Spam Crisis in China.

I am happy to report that the fine people at the China Internet Network Information Center (CNNIC) have taken action to address this situation!

Thanks to Robert McMillan from IDG for giving me the Twitter tip-off on this story!

Many Chinese news sources are reporting the story:

Individuals banned from .cn application is the report from the Shanghai Daily

China barred individuals from applying for Chinese domain names, ending with .cn, from yesterday as part of a national campaign against pornographic content spread online, the industry regulator said.

Applicants for domain name registration are required to hand in written application forms, with a business license and the applicant's identity card, according to the China Internet Network Information Center (CNNIC).

The new application system will help the CNNIC better regulate the Internet environment in the country and crack down on improper content online, experts said.

CNNIC decided to screen applicants' qualifications strictly to stop individuals obtaining domain names using fake information, said Liu Zhijiang, vice director of the regulator.

"The applications in written form can help us do our work more accurately," media reported quoting Liu.


Reading the recent announcements from China Internet Network Information Center we can see that changes began to be introduced on November 30.

In the article, With Regard to Complaints from the Public Domain Name Registration Services two new requirements are given to all Domain Name Registration Services:

1) they must prominently display a link to the Ministry of Industry and Information Technology along with their MIIT approval number to do business in this area.

2) they must prominently display information on how to make a domain name registration complaint to the CNNIC, including their email, telephone, and fax number for CNNIC.

In their own version of security through journalism (the term we use in the US is called "Krebsing"), CNNIC revealed in their letter of December 10th that further changes would be coming as a result of a television documentary on the CCTV program "Focus" and other media reports that indicated that criminals using false information were registering websites to carry out illegal activities. They announced in their open letter, On the strengthening of domain name registration service management, that changes would be coming to crack down on "pornographic websites", stating that "CNNIC has a duty to the country as the domain name registration authority to take responsibility to stop this illegal activity."

As part of this letter, they announce that "in the face of rampant phishing, they have joined the internet community to establish an "anti-phishing website union" more than a year ago, and in the previous year have shut down more than 8,000 phishing websites to protect the public interest."

As part of their plans, the CNNIC has pledged to shutdown companies performing registrations for illegal activities, and to enhance their manpower and resources to address complaints more rapidly. They have also provided a 24 hour Customer Service Telephone number and an email that can be used to report illegal domain activity:

7 x 24 hour Customer Service Tel: 010-58813000
E-mail: supervise@cnnic.cn
Fax: 010-5881266

An announcement followed also on December 10th, With regard to domain name registration: Information to carry out notification of special treatment. In this announcement the rule was made that any domain name must contain "true, accurate and complete domain name registration information" and that any domain name registration that was untrue, inaccurate, or incomplete would result in the domain name being terminated. This new ruling specifically extends to previously registered domains as well - any previously registered domain reported to have false registration information is to be cancelled within five days. Any agents acting on behalf of the registration company (the phrase is "lower-level agents" - I believe this specifically refers to resellers) are also to be held to these requirements.

In a second announcement on December 11th, Domain name registration information on further strengthening the audit notice CNNIC also announced that effective at 9 o'clock on December 14th, all domain name registrations would need to be submitted ONLINE AND IN WRITING and include:

- a copy of the registration application stamped with the official seal of the applicant
- a copy of the enterprise business license
- optionally, an organization certificate (for non-businesses)
- a photocopy of the applicant's identity paperwork

The announcement states that the Domain Name Registration Service must then carefully examine the written materials and send a copy to CNNIC.

The online registration is allowed to proceed in realtime, but if the written materials are not received within five days, the domain name must be canceled.



We will anxiously await measurement of the results of this new policy. There are several news stories referring to particular registration companies being banned from future .cn registration until they come into compliance. According to John Leyden's article Chinese domain crackdown targets smut sites these include:

unndc.com
namerich.cn
xinnet.com

(John was quoting Global Times of China)

Saturday, 12 December 2009

Ongoing VISA scam drop Zeus Zbot

Posted on 12:03 by Unknown
I guess the UAB Spam Data Mine is having a bad day! Our VISA card is being used in Kuwait!

Dear VISA card holder,

A recent review of your transaction history determined that your card was used at an ATM located in Kuwait, but for security reasons the requested transaction was refused. Please carefully review electronic report for your VISA card


It's also being used at an ATM located in:

Albania, Angola, Argentina, Australia, Bahamas, Cambodia, Central African Republic, China, Cuba, Cyprus, Egypt, Ethiopia, France, Greenland, Guam, Honduras, Italy, Jamaica, Japan, Jordan, Korea, Liberia, Lithuania, Luxembourg, Mauritania, Monaco, Mozambique, Nepal, New Zealand, Niger, Oman, Palau, Panama, Paraguay, Peru, Philippines, Romania, Russian Federation, Rwanda, Seychelles, Somalia, Sri Lanka, Switzerland, Taiwan, Tajikistan, Thailand, Turkmenistan, United Arab Emirates, United Kingdom, Uruguay, Zambia, and probably others.



We know that it's real, because for security purposes they X'ed out part of our number, as you can see on this destination website below.



Of course, EVERY VISA card starts with a "4", so that isn't actually a very useful hint.

The subject lines in our emails were:

possible fraudulent transaction
possible fraudulent transaction and/or collusion
possible fraudulent transaction and/or collusion with your VISA card
possible fraudulent transaction has been executed
possible fraudulent transaction has been executed with your VISA card
possible fraudulent transaction is identified
possible fraudulent transaction is identified with your VISA card
possible fraudulent transaction occurred
possible fraudulent transaction occurred with your VISA card
possible fraudulent transaction with your VISA card


The "STATEMENT" link on the website is for an executable named "cardstatement.exe".

The copy we sent to VirusTotal was detected by 16 of 41 AV products according to this VirusTotal Report.

It's a big file. File size: 131072 bytes
MD5 : 1560a00d7e83a085ac76b5d514761baa

Several major AV vendors are already detecting it as "zbot".

We've seen the malware spammed on 118 different domain names since the start of the campaign, with more than 17,000 copies of the spam received in the UAB Spam Data Mine. In front of the domain name are several possible prefixes:

alerts.visa.com.(domain)
reports.visa.com.(domain)
statements.visa.com.(domain)
transactions.visa.com.(domain)
sessionid_(random).visa.com.(domain)
sessionid(random).visa.com.(domain)
sessionid-(random).visa.com.(domain)

Here are the 118 domain names we've seen so far:


Only a small handful of these are live. We're seeing mostly the ".be" domains right now, such as:

sessionidP2Q8MFCEG7EU5.visa.com.teh10ll1.be
sessionidLWIV86A.visa.com.teh11ll1.be
reports.visa.com.tehh1ll1.be
reports.visa.com.tehhtll1.be
sessionidOI26B5OXFSCBTV.visa.com.tehhtpl1.be
alerts.visa.com.tehhttl1.be
sessionid_5HR4GA8G3.visa.com.tih11ll1.be

but, those are the URLs seen in the freshest spam. The criminal seems pretty reliable about shifting to new domains when the old ones go offline.

Be very careful about visiting these pages . . . the new Zbot distribution websites also contain driveby infectors. The current one is being dropped via an IFRAME which points here:

"bersdf.com/grsfx/in.php"

That drops a malicious PDF called "pdf.pdf" and a malicious flash file called "swf.swf". It also looks like it calls a file called "sNode.php".

Here is a VirusTotal report for pdf.pdf (12 of 41 detects)

File size: 21784 bytes
MD5 : 254f1479f6546ad62651ae572a16b4e8

and a VirusTotal report for swf.swf (0 of 41 detects)

File size: 10735 bytes
MD5...: 48a36eaf2ca13802f539c9bf065781af

Seems rather strange that they would be pushing a "safe" Flash file. Could it really be a totally undetectable .SWF file exploit? Professional researchers, please help yourselves. Opinions wanted.

The additional droppers are currently fetching two files:

1file.exe (Virus report here) - is a Zbot infector with 17 of 41 detects.
File size: 131072 bytes
MD5 : 1560a00d7e83a085ac76b5d514761baa

file.exe (Virus Report here) - is also a Zbot infector with 14 of 41 detects.
File size: 130048 bytes
MD5 : ded54d739fa2e4c66d4a488d3b855861

I guess the nice thing about that directory is that it's an open browsable directory, complete with "ReadMe_!!!.txt" file.

Here's the source code for a nice little file called "install.sql". Perhaps we can learn a bit about how the Avalanche spammer works from this file.



======================================================
http://bersdf.com/grsfx/install.sql
======================================================

-- phpMyAdmin SQL Dump
-- version 2.6.1
-- http://www.phpmyadmin.net
--
-- Host: localhost
-- Generation time: Jul 17, 2009, 22:57
-- Server version: 5.0.45
-- PHP version: 5.2.4
--
-- Database: `123321`
--

-- --------------------------------------------------------

--
-- Table structure for table `browsers`
--

CREATE TABLE IF NOT EXISTS `browsers` (
`id` tinyint(4) NOT NULL auto_increment,
`name` varchar(16) default NULL,
PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=12 DEFAULT CHARSET=cp1251 AUTO_INCREMENT=12 ;

--
-- Dumping data for table `browsers`
--

INSERT INTO `browsers` VALUES (1, 'Opera');
INSERT INTO `browsers` VALUES (2, 'Konqueror');
INSERT INTO `browsers` VALUES (3, 'Lynx');
INSERT INTO `browsers` VALUES (4, 'Links');
INSERT INTO `browsers` VALUES (5, 'MSIE etc');
INSERT INTO `browsers` VALUES (6, 'Netscape');
INSERT INTO `browsers` VALUES (7, 'Mozilla');
INSERT INTO `browsers` VALUES (8, 'Firefox');
INSERT INTO `browsers` VALUES (9, 'Unknown');
INSERT INTO `browsers` VALUES (10, 'MSIE 7');
INSERT INTO `browsers` VALUES (11, 'MSIE 8');

-- --------------------------------------------------------

--
-- Table structure for table `countries`
--

CREATE TABLE IF NOT EXISTS `countries` (
`abrev` char(2) NOT NULL default '',
`name` varchar(44) character set cp1251 collate cp1251_general_cs default NULL,
KEY `abrev` (`abrev`)
) ENGINE=MyISAM DEFAULT CHARSET=cp1251;

--
-- Dumping data for table `countries`
--

INSERT INTO `countries` VALUES ('AP', 'Asia/Pacific Region');
INSERT INTO `countries` VALUES ('EU', 'Europe');
INSERT INTO `countries` VALUES ('AD', 'Andorra');
INSERT INTO `countries` VALUES ('AE', 'United Arab Emirates');
INSERT INTO `countries` VALUES ('AF', 'Afghanistan');
INSERT INTO `countries` VALUES ('AG', 'Antigua and Barbuda');

(Gar-Note: Skipping Big Long Country List here)
--
-- Dumping data for table `hit2plug`
--


-- --------------------------------------------------------

--
-- Table structure for table `loads`
--

CREATE TABLE IF NOT EXISTS `loads` (
`id` int(11) NOT NULL auto_increment,
`sploit_id` int(11) NOT NULL default '0',
`time` varchar(16) NOT NULL default '',
`hash` varchar(32) NOT NULL default '',
PRIMARY KEY (`id`),
KEY `hash` (`hash`)
) ENGINE=MyISAM AUTO_INCREMENT=4231 DEFAULT CHARSET=latin1 AUTO_INCREMENT=4231 ;

--
-- Dumping data for table `loads`
--


-- --------------------------------------------------------

--
-- Table structure for table `os`
--

CREATE TABLE IF NOT EXISTS `os` (
`id` tinyint(4) NOT NULL auto_increment,
`name` varchar(32) NOT NULL default '',
PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=16 DEFAULT CHARSET=cp1251 AUTO_INCREMENT=16 ;

--
-- Dumping data for table `os`
--

INSERT INTO `os` VALUES (1, 'Linux');
INSERT INTO `os` VALUES (2, 'Windows 95');
INSERT INTO `os` VALUES (3, 'Windows 98');
INSERT INTO `os` VALUES (4, 'Windows XP SP2');
INSERT INTO `os` VALUES (5, 'Windows 2000');
INSERT INTO `os` VALUES (6, 'Windows XP');
INSERT INTO `os` VALUES (7, 'Windows 2003');
INSERT INTO `os` VALUES (8, 'Windows Vista');
INSERT INTO `os` VALUES (9, 'Windows Mobile');
INSERT INTO `os` VALUES (10, 'Macintosh');
INSERT INTO `os` VALUES (11, 'FreeBSD');
INSERT INTO `os` VALUES (12, 'Unknown');

-- --------------------------------------------------------

-- --------------------------------------------------------

--
-- Table structure for table `sploits`
--

CREATE TABLE IF NOT EXISTS `sploits` (
`id` int(11) NOT NULL auto_increment,
`name` varchar(32) NOT NULL default '',
`loads` int(11) NOT NULL default '0',
PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=667 DEFAULT CHARSET=latin1 AUTO_INCREMENT=667 ;

--
-- Dumping data for table `sploits`
--

INSERT INTO `sploits` VALUES (1, 'RDS.DataSpace', 0);
INSERT INTO `sploits` VALUES (2, 'PDF.Collab', 0);
INSERT INTO `sploits` VALUES (3, 'PDF.Printf', 0);
INSERT INTO `sploits` VALUES (4, 'PDF.Icon', 0);
INSERT INTO `sploits` VALUES (5, 'Other', 0);

-- --------------------------------------------------------
============================
The guys at MaxMind will be excited to know that these criminals are customers of theirs for Geocoding the locations of their infected bots.

The creators of the "FSPACK" malware engine will also be proud to count these guys as customers.

It looks like we've got four exploits that are going to try to run when we visit, if you can trust the loader. RDS.DataSpace is OLD, like MS06-014. A note on SecurityFocus in 2007 says that the MPack Hacker Tool uses it. Apparently the FSPack hacker tool does too!
Posted in phishing, zbot | No comments

Wednesday, 9 December 2009

Minipost: Google v. Pacific WebWorks

Posted on 04:14 by Unknown
I blogged recently about the "Google Jobs" scammers who were abusing Twitter, Blogspot, Google Reader, and spaces.live.com by creating new accounts in all those places and then spamming those URLs. They then second-phase scammed by claiming that you were entering a "$1.95 trial", which actually could cost more than $200 and had no way to exit, since no one ever answers the phone number you have to call to "cancel your trial". (See Google Jobs Scam: Read the Fine Print.)

Several sources are reporting that Google has now filed suit against the parent company of this scam, Pacific WebWorks. I first heard about it from Graham Cluley's Sophos Blog, but went on to find Google's report.

Here's Google's actual report on it:

GoogleBlog: Fighting Fraud Online Taking Google Money Scammers to Court

And the Lawsuit filing (26 page PDF)

The case is very similar to the Google Money Tree lawsuit brought by the FTC against Infusion Media and West Coast Internet Media:

FTC v. Infusion Media and West Coast Media (17 page PDF)

Go Google! Take these Spammers and Scammers off the Internet!

Yet Another Facebook spam - New Zeus / Zbot threat

Posted on 03:05 by Unknown
As Solomon said, "What has been will be again, what has been done will be done again; there is nothing new under the sun." (Ecclesiastes 1:9) Today we have another round of the "Facebook Update Tool" which we actually blogged about on October 28th (see Facebook Phish: Users Beware!) and on November 28th (see Beware Weekend Facebook Scam).

The path has changed since the last go-round, with two different URL patterns being used:

/globaldirectory/LoginFacebook.php
and
/global_directory/MyAccount.php

Email subjects are fairly limited to these choices:

Subject: Facebook Account Update
Subject: Facebook account update
Subject: Facebook Update Tool

Here's our actual message count for top Facebook subjects so far this morning:

784 | Facebook Password Reset Confirmation. Customer Message.
779 | Facebook Password Reset Confirmation. Support Message.
757 | Facebook Password Reset Confirmation. Customer Support.
755 | Facebook Password Reset Confirmation. Your Support.
753 | Facebook Password Reset Confirmation. Important Message
602 | Facebook account update
569 | Facebook Update Tool
550 | Facebook Account Update

All of the "Facebook Password Reset Confirmation" subjects are emails with a '.zip' attachment intended to infect with Bredolab. These were covered in yesterday's blog entry: Ongoing Badness: AmEx, Facebook and .CN. The Zeus / Zbot infector is in the campaign represented by the bottom three subjects on the list. With 189,301 messages received so far this early morning, that puts the Facebook Zeus at 0.9% of our email volume for this morning, and the Facebook Bredolab at 2% of our email volume for this morning. Let's be generous and say that 3% of all of our spam this morning is using a Facebook scam to try to infect us with malware.

For comparison, here are the top Facebook spam subjects for yesterday:

Z 2309 | Facebook Account Update
B 2292 | Facebook Password Reset Confirmation. Support Message.
Z 2261 | Facebook Update Tool
B 2256 | Facebook Password Reset Confirmation. Your Support.
B 2249 | Facebook Password Reset Confirmation. Customer Message.
B 2244 | Facebook Password Reset Confirmation. Important Message
B 2225 | Facebook Password Reset Confirmation. Customer Support.
Z 2185 | Facebook account update

Z = Zeus / Zbot; B = Bredolab

By the 24 hour clock, yesterday we received 917,872 spam email messages, so 1.2% of yesterday's entire spam volume was Bredolab infectors, and 0.7% of yesterday's entire spam volume was Facebook Zeus / Zbot, or roughly 2% of all spam for the day, although that's not really fair since Facebook Zeus started so late in the day.

Here's an example of the email body:
Dear Facebook user,

In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security.
Before you are able to use the new login system, you will be required to update your account.

Please click on the link below to update your account online now:

http://www.facebook.com.okolls.org.uk/globaldirectory/LoginFacebook.php?ref=124125189363830136816363239612373&email=weewoo@yourmail.com

If you have any questions, reference our New User Guide.

Thanks,
The Facebook Team




There are fifty new domain names used in this attack, with 36 of the domains resolving as live at this writing (5:15 AM December 9, 2009).


Beyond its wide reach, this on-going scam also calls into question the value of traditional anti-virus solutions. Any signature-based malware solution is going to be challenged by rapidly changing malware such as these Zbot infectors. This morning's version of the malware is currently detected by only 9 of 41 anti-virus solutions as reported by this VirusTotal report.

updatetool.exe
File size: 131584 bytes
MD5 : 959efa29b4979bcc1d664d7e0726aa74

Security suites which include website blocking fare much better, protecting their customers not by knowing this virus, but by recognizing that the website is offensive. For instance, I am using the McAfee Site Advisor plug-in for Firefox, which recognized this site as offensive. The Google SafeBrowsing list used by Firefox also knows these are offensive sites, and TrendMicro's "Smart Protection Network" performs a similar function for their customers. When selecting an anti-virus solution, make sure that they are also proactively blocking websites known to distribute malware. Even when the criminal shifts to a new virus definition, the fact that these websites are known to be bad will prevent the malware from being downloaded.
Posted in zbot | No comments

Saturday, 5 December 2009

Webmasters Targeted by CPANEL phish

Posted on 05:17 by Unknown
Webmasters from at least 90 online hosting providers are specifically targeted in the newest round of Avalanche phish.

The spam emails that are going out look like these:

Due to the system maintenance, we kindly ask you to take a few minutes to confirm your FTP details.
Please confirm your FTP details by using the link below:


Subject lines use the name of the targeted hosting company in the email subject, such as:

(targeted hosting company) webhosting update
(targeted hosting company) web hosting update
(targeted hosting company) webhosting user
(targeted hosting company) web hosting update
for (targeted hosting company) webhosting user
for (targeted hosting company) web hosting user

Given all the variations, we've seen more than 900 unique subject lines.

When the link is followed, the websites are of course the criminal's phishing page instead of the web hosting company's CPanel page. (CPanel is a popular website administration tool.)

The goal seems to really be capturing the FTP userids and passwords of webmasters. You can imagine what sorts of badness this campaign may lead to!

The website looks like this:



Here are some websites currently live . . .

cpanel.netbenefit.co.uk.tygkhggi.co.uk
cpanel.123-reg.co.uk.tygkrggi.co.uk
cpanel.1and1.co.uk.tygsrggi.co.uk
cpanel.locaweb.com.br.tygkhggi.me.uk
cpanel.1and1.co.uk.tygkrggi.org.uk
cpanel.locaweb.com.br.tygrhggi.org.uk
cpanel.1and1.co.uk.tygrtggi.org.uk
cpanel.fasthosts.co.uk.tygsrggi.org.uk
cpanel.4shared.com.tygrhggi.co.uk
cpanel.4shared.com.tygkrggi.me.uk
cpanel.4shared.com.tygsrggi.me.uk

The pattern of the URL is:

cpanel.(targeted hosting company).topleveldomain

where (targeted hosting company) is the domain of one of the at least 90 targeted hosting providers.
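As an added example (not code from the original post), here is a small Python detector for the hostname pattern shared by the VISA/Zbot, Facebook, CPanel and CDC campaigns above: a trusted domain placed to the left of an attacker-controlled registrable domain. The suffix, TLD and brand lists are constructed and incomplete, and the query-string parsing assumes the email= and service= parameters shown in the CPanel frameset.

```python
"""Flag hostnames that smuggle a trusted domain into the subdomain part of an
attacker-owned domain, the pattern behind every campaign on this page
(reports.visa.com.<junk>.be, www.facebook.com.<junk>.org.uk,
cpanel.<hoster>.<junk>.co.uk, online.cdc.gov.<junk>.im).

Added example, not code from the original post. The suffix, TLD and brand
lists below are constructed for this example and are not complete."""

from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Public suffixes that take two labels: those seen in the campaigns above plus a
# few common ones, so that honest hosts under them are not mis-split.
TWO_LABEL_SUFFIXES = {
    "co.uk", "me.uk", "org.uk", "co.im", "com.im", "net.im", "org.im",
    "com.br", "com.au", "co.jp",
}

# Labels that look like a TLD or second-level suffix. In an honest hostname none
# of these appears to the LEFT of the registrable domain.
TLD_LABELS = {"com", "net", "org", "gov", "edu", "co", "me", "uk", "br", "cn",
              "de", "im", "be", "eu", "ru", "pl"}

# Brands impersonated by the campaigns above (constructed watch list).
WATCHED_BRANDS = {"visa.com", "facebook.com", "cdc.gov"}


def registrable_domain(host: str) -> str:
    """Part of the host the registrant controls: 'tehh1ll1.be', 'okolls.org.uk'."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def spoofed_domain(host: str) -> Optional[str]:
    """Return the domain a hostname pretends to belong to, or None.

    Looks left of the registrable domain for a trailing run of TLD-looking
    labels and takes the label before that run as the fake domain's owner
    label, so 'cpanel.locaweb.com.br.tygkhggi.me.uk' yields 'locaweb.com.br'
    without locaweb being on any watch list."""
    host = host.lower().strip(".")
    reg = registrable_domain(host)
    prefix = host[: len(host) - len(reg)].strip(".")
    labels = prefix.split(".") if prefix else []
    tld_positions = [i for i, label in enumerate(labels) if label in TLD_LABELS]
    if not tld_positions:
        return None                  # nothing domain-like in the subdomain part
    last = tld_positions[-1]
    first = last
    while first > 0 and labels[first - 1] in TLD_LABELS:
        first -= 1                   # extend the run over 'co.uk', 'com.br', ...
    if first == 0:
        return None                  # e.g. 'com.example.org': no owner label, ignore
    return ".".join(labels[first - 1: last + 1])


def analyze_url(url: str) -> dict:
    """Pull the host, the spoofed domain, and the victim data that the CPanel and
    Facebook lures carry in the query string (email= and service=)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    query = parse_qs(parts.query)
    spoof = spoofed_domain(host)
    return {
        "host": host,
        "registrable": registrable_domain(host),
        "spoofs": spoof,
        "watched_brand": spoof in WATCHED_BRANDS,
        "victim_email": query.get("email", [None])[0],
        "redirect_service": query.get("service", [None])[0],
    }


if __name__ == "__main__":
    # Hostnames taken from the page plus two honest controls (constructed).
    samples = [
        "reports.visa.com.tehh1ll1.be",
        "sessionid_5HR4GA8G3.visa.com.tih11ll1.be",
        "www.facebook.com.okolls.org.uk",
        "cpanel.locaweb.com.br.tygkhggi.me.uk",
        "online.cdc.gov.yhnbad.co.im",
        "www.visa.com",
        "mail.example.com.au",
    ]
    for h in samples:
        print(f"{h:45} -> {spoofed_domain(h)}")
```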

The URL contains your email address and the provider link. When you visit the page, this information is stored as part of the URL for "command_003.php". You can see what I mean in the layout below:

<html><head>
<title>WebHost Manager</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<link rel="shortcut icon" href="http://whm.demo.cpanel.net/favicon.ico" type="image/x-icon">
</head>
<frameset cols="217,566*" frameborder="NO" border="0" framespacing="0" rows="*">
<frame src="command.htm" name="commander" frameborder="no" id="commander" scrolling="yes">
<frameset rows="70,*" cols="*" framespacing="0" frameborder="no" border="0">
<frame src="command_002.htm" name="topFrame" frameborder="no" noresize="noresize" id="topFrame" scrolling="no">
<frame src="command_003.php?email=phishthis@phishme.com&service=mediafire.com" name="mainFrame" id="mainFrame" frameborder="no"></frameset>
</frameset>
</html>


After providing the userid and password, your information is saved, and then you are forwarded to whatever hosting provider was specified in the "service=" query parameter. If you clicked on a web.com version of the email, you go to web.com. If you clicked on a yahoo.com version of the email, you go to yahoo.

If you are a webmaster and have received one of these emails, please be sure to contact your hosting provider to reset your passwords immediately, and review your pages to see what changes may have been made. If you learn what the bad guys are doing with your site, please drop me a note about it as well. (gar at uab dot edu)

Thanks!
Posted in phishing | No comments

Tuesday, 1 December 2009

Minipost: CDC Version of Zeus?

Posted on 10:02 by Unknown
Emails like this:



You have received this e-mail because of the launching of State Vaccination H1N1 Program.

You need to create your personal H1N1 (swine flu) Vaccination Profile on the cdc.gov website. The Vaccination is not obligatory, but every person that has reached the age of 18 has to have his personal Vaccination Profile on the cdc.gov site. This profile has to be created both for the vaccinated people and the not-vaccinated ones. This profile is used for the registering system of vaccinated and not-vaccinated people.
Create your Personal H1N1 Vaccination Profile using the link:

create personal profile



using subjects like these:

Create your personal Vaccination Profile
Creation of personal Vaccination Profile
Creation of your personal Vaccination Profile
Governmental registration program on the H1N1 vaccination
Instructions on creation of your personal Vaccination Profile
State Vaccination H1N1 Program
State Vaccination Program
Your personal Vaccination Profile

Pointing to websites whose hostnames begin with online.cdc.gov. followed by one of the criminal's own .be or .im domains.

Dropping malware like this:

vacc_profile.exe
File size: 130048 bytes
MD5 : 5767b2c6d84d87a47d12da03f4f376ad

VirusTotal report showing 6 of 41 detects

(Tip o' the hat to Andrew F, who beat me to the punch with this one...)
Posted in zbot | No comments

Google Jobs Scam: Read the Fine Print

Posted on 03:52 by Unknown
UPDATE 09DEC2009 - Google files suit against these guys - see @gcluley story for more.


One of the most interesting spam campaigns in the past week has been the "Google Jobs" scam. It's interesting from a number of angles, including how they make their money, but first let's talk about how the spammers are abusing Google, Twitter, and Microsoft to avoid being detected as spammers.

The spam messages have subjects which have a random number letter combination at the start and the end of each subject:



X1 Become a Google Employee
F8 Earn cash with Google! 0Q
C1 Finally be able to have time for yourself and still make money! Google is hiring online workers! Start today! 0X
Q1 Google Bizop 2O
X6 Google can help you to a new sucessful career right now! 0E
E4 Google can help you! 2F
Q3 Google has millions of new job positions available right now! 4Z
E4 Google is looking to hire you! 1G
T1 Google is not only a fun way to search, but a fun way to work! 1E
Z0 Google is now hiring 0F
P6 Google is now looking for people willing to work from the compfort of your own home! 0Y
W0 Google is paying my bills! 0O
B4 Google needs your help today! Join the team! 9N
G5 Google needs your help! New job openings today! 8O
U1 Google needs YOUR help! Now hiring workers willing to work from home! 0S
9V5 Google now looking for stay at home workers right away!
S2 Google now offers job opportunities that pay big! 4P
C0 Google now offers the biggest job opportunities out there! 7X
D1 Google now pays you money to work for them! 1G
K9 Google offers the best amount of money for a job 2K
F4 Google pays you to work home 2S
W2 Google saved millions who were jobless! 5S
A7 Google search engine wants your help today! Click for more info 3S
B6 Having a hard time finding a job? Google is seeking workers like yourself online! Start today 1M
E9 Money making scams online making you mad? Google is trust worthy and free! Try now! 1N
G4 Most successful online job, Google pays you top dollar for your online work! 1M
Y1 Need a job worth working for? Google is here for you 1B
D8 No more getting screwed over by scamming online jobs! Google is safe and reliable! 0U
V8 Now hiring! Google needs online workers to help them out! Get started with them today! 1C
M9 Profit with Google! 1J
Y1 Ready to start earning real money online? Google will get you started right now
K8 Start making money with Google! 1K
F3 The economy stinks right now but your job shouldn't! Google is now hiring YOU! 2E
Z7 Tired of the same lame online scams? Ready to make REAL money? Google is the number 1 trusted name! Click to start today! 0O
R9 Want to work for Google? 0F
X6 Work for Google! 0G
F3 Work from home for Google! 0F
L8 Work with the best company around, Google! 0I
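Those random two- or three-character tokens at either end exist to make every subject line unique, so a filter keyed on the exact subject never fires twice. The counter-move is to strip the tokens before matching so the campaign collapses back to a few dozen bodies. The Python below is an added example, not code from the original post: it splits a subject into prefix token, body and suffix token, and counts how many subjects in a batch share a body. The token shape (uppercase letters and digits with at least one digit, and a trailing digit-letter pair) is inferred from the list above; the sample batch mixes subjects from the post with two benign subjects I constructed.

```python
import re
from collections import Counter
from typing import Optional, Tuple

# Leading token: 2-3 uppercase letters/digits containing at least one digit ("X1", "9V5").
# Trailing token: one digit followed by one uppercase letter ("0F"). Both are optional,
# because some subjects in the batch above carry only the prefix. Shape inferred from
# the subjects on this page; tune it for other campaigns.
_TOKENISED = re.compile(
    r"^(?:((?=[A-Z]*[0-9])[A-Z0-9]{2,3})\s+)?(.*?)(?:\s+([0-9][A-Z]))?$"
)


def normalize_subject(subject: str) -> Tuple[Optional[str], str, Optional[str]]:
    """Split a subject into (prefix_token, body, suffix_token); tokens are None when absent.

    Caveat: a legitimate subject ending in something like "Room 3B" would also lose its
    last word, so use the body for clustering, not for blocking on its own.
    """
    m = _TOKENISED.match(subject.strip())
    return m.group(1), m.group(2), m.group(3)


def cluster_subjects(subjects) -> Counter:
    """Count how often each de-tokenised body occurs; a campaign collapses to few bodies."""
    return Counter(normalize_subject(s)[1] for s in subjects)


def token_ratio(subjects) -> float:
    """Fraction of subjects carrying a leading or trailing hash-busting token."""
    if not subjects:
        return 0.0
    hits = 0
    for s in subjects:
        prefix, _, suffix = normalize_subject(s)
        if prefix or suffix:
            hits += 1
    return hits / len(subjects)


# Six subjects from the post (one, "K3 ... 7B", constructed as a second copy of a body)
# plus two benign subjects, also constructed, to show that they keep their text intact.
SAMPLE_SUBJECTS = [
    "X1 Become a Google Employee",
    "F8 Earn cash with Google! 0Q",
    "Z0 Google is now hiring 0F",
    "K3 Google is now hiring 7B",
    "9V5 Google now looking for stay at home workers right away!",
    "R9 Want to work for Google? 0F",
    "Meeting tomorrow",
    "Quarterly report attached",
]

if __name__ == "__main__":
    for body, n in cluster_subjects(SAMPLE_SUBJECTS).most_common():
        print(n, body)
    print("tokenised:", token_ratio(SAMPLE_SUBJECTS))
```

A high token ratio across a batch is itself a signal: ordinary mail does not arrive with a random tag bolted onto both ends of the subject.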

Twitter Abused

Each of the Twitter status messages received in our spam this morning links to a page that looks something like this.
In each case the link points to: http://newsnet6.com/monies

/a6561102/status/5817363391
/aaldrete/status/5818444236
/aalex_2009/status/5819820937
/abosa78/status/5818406975
/AdrianagomezM/status/5817587081
/adrielesl/status/5818093026
/agoesth/status/5818882905
/aie_bermejo/status/5817756511
/aiwa/status/5819426048
/ale2999/status/5818656578
/alimanti/status/5819905239
/alonghud/status/5820966152
/amelia_rumero/status/5820449899
/Ameliabraddell/status/5821100231
/amezing77/status/5818938105
/andrecebolinha/status/5818863563
/aNiLuApSs/status/5820464509
/AniPanch/status/5820884536
/ankakoz/status/5817234962
/anna_den/status/5819796053
/anniekidult/status/5821181103
/Annienme/status/5817156804
/ansilva/status/5819822629
/atanersaid/status/5818954024
/Aureablumen/status/5818746905
/avogelzangs/status/5820686081
/Bassy309/status/5818700570
/baxenn/status/5818228963
/Bazzyto/status/5817635541
/belshalat/status/5817500661
/berginroy/status/5821202365
/boongboong99/status/5821037464
/Bornbored/status/5817608287
/Braveheartless/status/5820741050
/breakofdawning/status/5818371061
/BrownSuga911/status/5818314226
/brummie_sarah/status/5821206995
/Chahida/status/5819921457
/CLHaney62/status/5818486553
/CNL1984/status/5820042785
/Comodon_Johnson/status/5818351991
/Corpsman21/status/5818932354
/craigwillmurray/status/5820817353
/crossedcrafts/status/5818175618
/czyrie/status/5821126199
/Devilbecks/status/5817942285
/diaboempanico/status/5818832572
/dngrbrn/status/5820857927
/drikacoqueiro/status/5821006462
/DrMuffin/status/5820089229
/Ely_0122/status/5819972691
/enghamada/status/5820192570
/espenvatn/status/5820729762
/estalicious/status/5818010185
/euslbria/status/5818620966
/faboodesign/status/5820885437
/faye_1986/status/5820273861
/felipemessias/status/5818441759
/FeloCassette/status/5820712859
/fernandabeck/status/5817819577
/flamesroyal/status/5817574871
/Flatini78/status/5817893040
/FOLKESY/status/5817769679
/fosterkr/status/5818742065
/FunkyBastard328/status/5820851640
/GeeJeeh/status/5820776083
/gillybeanfogo/status/5818259055
/giota_k/status/5818911850
/gpierce/status/5819659876
/guakangler/status/5819928456
/GuilloGomez/status/5817145012
/gzp0s3rbs/status/5818628264
/hazman_13/status/5817980167
/hborrat/status/5818688984
/hirian/status/5820887714
/hogsmeade_89/status/5820310749
/igamba/status/5820988297
/iml3g3nd/status/5820513483
/IronGhost24/status/5821003575
/IrvingHolmes/status/5819374006
/isalat/status/5817715237
/israel4life/status/5818223509
/j_fosk/status/5821022063
/jack1967/status/5820336011
/jackeem1234/status/5817809863
/jainvi2/status/5819017254
/Jairhomicide187/status/5819875487
/Jairock07/status/5817783305
/janpang/status/5820318836
/javiernt/status/5818197267
/JemPollyX/status/5820459416
/jennieechau/status/5817831172
/Jim222001/status/5818058689
/JoaquinBarajas/status/5820836792
/Joe_W_Herzog/status/5818871379
/JoLuvsTim/status/5818778380
/juanime/status/5819523635
/julia1984/status/5819970535
/kackyfo/status/5820523521
/kaizume/status/5818948711
/kas16uk/status/5817563870
/kayz2009/status/5821177632
/kdmgame88/status/5817548491
/khreatuur/status/5818379312
/kimienr_6/status/5819712032
/kinrpg/status/5818202645
/laurrajohnson/status/5820174472
/Leos2006/status/5817255624
/Les555/status/5818309931
/leslyok/status/5818551532
/lfcmarc/status/5819019624
/lilianarodrig/status/5818413856
/lionelbrown/status/5817750816
/lonelypoppy/status/5819191152
/louiszygadlo/status/5820912558
/lyly2184/status/5818755937
/mabaker1nz/status/5818790953
/mackodhy/status/5819592739
/Mariela28lopez/status/5817716930
/marli74/status/5817725548
/Maudelpin/status/5820831355
/mcalderero/status/5821074938
/meganlee89/status/5820105731
/mfjuninho/status/5819028766
/millerbolao/status/5818853406
/MIRADAFED/status/5821199632
/mishaelah/status/5818821474
/mjmeach/status/5818453525
/mohamedhisham/status/5820591669
/mojmadani/status/5820542138
/MsTrishKelly/status/5818320789
/munstir/status/5821093428
/murillo1983/status/5820343219
/murilofts/status/5817087583
/nainavyapish/status/5818969121
/Najla87/status/5820166739
/NatieMaus/status/5820799903
/ng_gina/status/5818787668
/nRath/status/5820908600
/OHar88/status/5819933845
/oliverioalmeida/status/5817230728
/Olusanmi/status/5819166588
/otroladillado/status/5818281431
/pammi4art/status/5817167182
/patch_panel/status/5818786418
/Paulusks/status/5817953617
/peckerwood_1488/status/5818931160
/piese1975/status/5817347525
/Puca88/status/5818865819
/ReGGaE_Arm/status/5817265254
/resquillo/status/5816806231
/Ricardo8484/status/5820789953
/ritamassela/status/5821170275
/RJNOTJR/status/5818154306
/rockernurse/status/5818203744
/rs_andrade/status/5820131665
/rstorm98/status/5819543035
/Rudjy/status/5818674760
/SaAghhhhh/status/5817702976
/saby6910/status/5819824366
/sangeethakr/status/5820129636
/Schnauzibaerli/status/5820319485
/shahpoto/status/5816795601
/shawrigh/status/5817143707
/SherryCline/status/5819629502
/Sherrylee60/status/5821117086
/sicochrane/status/5820322599
/silverado6/status/5818286557
/SirRosswell/status/5820191644
/SonguiD/status/5820786520
/SpaceAlbertros/status/5820925887
/SpankyTJ/status/5820379911
/Spartan239/status/5818899539
/speedboatchase/status/5819825169
/sridharsa/status/5819221617
/srivika/status/5818496254
/srv820711/status/5820999606
/StRidd/status/5819977882
/Struthicle/status/5818731042
/SupplyDemand/status/5820661993
/suzuma12/status/5817561318
/tatebaillie/status/5819779088
/tazluko/status/5820384526
/thanosg/status/5818040423
/thiagospc/status/5819925524
/tibun/status/5820914416
/Tijms/status/5819744615
/Tim08nz/status/5817507492
/timothymarsh/status/5818266399
/Torque20/status/5821029006
/toxicks/status/5817915472
/vanessaparker3/status/5817343713
/vdespoux/status/5816812730
/virginie41/status/5818777406
/Well_Costa/status/5821179988
/willim0/status/5818408247
/wonviku/status/5818171749
/WUBIH/status/5819577498
/www6rbtopcom/status/5818654237
/xiomarasierra/status/5818643906
/xleigg/status/5817588202
/xueyingwong/status/5819366648
/XX_Alicia_XX/status/5817547062
/XxCONNIE28xX/status/5817526259
/xxdrummerperuxx/status/5817738841
/yamz25/status/5817916620
/yeachyiyu/status/5820346336
/Yhoana/status/5818554271
/Yuri_C/status/5820881858
/zapheusk/status/5821116394
/ZeroAlx/status/5818032778

All of those Twitter accounts listed above were seen in spam between midnight and 5 AM on December 1, 2009. Each was created by criminals who are furthering this scam. If you know more details about the tool they are using to perform this automatic account creation, please let me know!

Spaces.live.com abused
Each of the Spaces.live.com messages received in our spam this morning links to a page that looks something like this.
In each case the link points to: http://newsnet6.com/monies

Spaces.live.com:

cid-00175ee6f7039261.spaces.live.com
cid-01da47be945fb859.spaces.live.com
cid-0843122cfd2f0f2c.spaces.live.com
cid-0c369a3bdc181912.spaces.live.com
cid-12b68f5cfde198ae.spaces.live.com
cid-1b14af4e6b13a00e.spaces.live.com
cid-1bcbd3f88fd825dc.spaces.live.com
cid-1ec9b10063ed6071.spaces.live.com
cid-1ee827d7ef55919a.spaces.live.com
cid-212718be48c03c4e.spaces.live.com
cid-234f321364a7f0ef.spaces.live.com
cid-237e0bd5f3cb94a4.spaces.live.com
cid-25ae5b0309b98cb4.spaces.live.com
cid-29ac336ef2843098.spaces.live.com
cid-2c221801e480d27c.spaces.live.com
cid-2f2ba7813a47f35f.spaces.live.com
cid-3474f1551e1fb7bd.spaces.live.com
cid-3dbd6e59b5b20c58.spaces.live.com
cid-3e6c595561987424.spaces.live.com
cid-413195ae822c46e1.spaces.live.com
cid-45cc813db3b17c11.spaces.live.com
cid-4a03ae180a0a8796.spaces.live.com
cid-51ef19eab2a23c61.spaces.live.com
cid-544804ba4619d6cf.spaces.live.com
cid-564b9387d24e0bd1.spaces.live.com
cid-591abde3032dd4a2.spaces.live.com
cid-5b6a14764c03b65a.spaces.live.com
cid-5f691397074c4c69.spaces.live.com
cid-6210dd0a7efff9c0.spaces.live.com
cid-6becc2f81380876b.spaces.live.com
cid-6c51c375edf1f658.spaces.live.com
cid-6e10526d1942d42e.spaces.live.com
cid-72321187e6f1ec7f.spaces.live.com
cid-73378003c8b9c9ad.spaces.live.com
cid-77db0792b0a09f4d.spaces.live.com
cid-787c972d11c514e6.spaces.live.com
cid-7d556d49eb6b35e3.spaces.live.com
cid-7eec343d1c65e260.spaces.live.com
cid-7fa8c5eab21eb1a9.spaces.live.com
cid-8193f4d1a986b3ef.spaces.live.com
cid-83251dda2b7fea1c.spaces.live.com
cid-838a50c9f8d752b1.spaces.live.com
cid-8bfde2abf1064f3c.spaces.live.com
cid-8e35dd30add2bb8c.spaces.live.com
cid-91522feb250b98bd.spaces.live.com
cid-91c5ca5fa735fc78.spaces.live.com
cid-988fd6f38d5b21bc.spaces.live.com
cid-9e415f17dd11698a.spaces.live.com
cid-9e54fe97100af77f.spaces.live.com
cid-a09500527f8617fb.spaces.live.com
cid-aa9427ad0b347855.spaces.live.com
cid-ad288eb9e7eadf09.spaces.live.com
cid-ad936bb767dc8658.spaces.live.com
cid-ae7742355651c65b.spaces.live.com
cid-b13cd58dd7674cdb.spaces.live.com
cid-b31cd1a5f9c37d53.spaces.live.com
cid-b3b7605e9c586197.spaces.live.com
cid-b66a51e94ac4583c.spaces.live.com
cid-b7ba83dc77d40bee.spaces.live.com
cid-bbdec1324ea3261c.spaces.live.com
cid-c2621008c2da26a0.spaces.live.com
cid-c27a3f80110bd984.spaces.live.com
cid-c44695791fafc195.spaces.live.com
cid-c52c7ddec733a81e.spaces.live.com
cid-d0c4535691e84f34.spaces.live.com
cid-d16a56015f714f5c.spaces.live.com
cid-d7339893dafeafcf.spaces.live.com
cid-d968763b7eb03029.spaces.live.com
cid-e18d333540a5b261.spaces.live.com
cid-e9236701c484c221.spaces.live.com
cid-ebb7f35c34ee4838.spaces.live.com
cid-ec89f3d9c6561c83.spaces.live.com
cid-ede0248f3c9b8c2b.spaces.live.com
cid-f4ada2d5cbabde56.spaces.live.com
cid-f7d6db42a4d2d799.spaces.live.com
cid-ff1267d1196482f3.spaces.live.com

All of those spaces.live.com accounts listed above were seen in spam between midnight and 5 AM on December 1, 2009. Each was created by criminals who are furthering this scam. If you know more details about the tool they are using to perform this automatic account creation, please let me know!

BlogSpot Abused

Here's the content of a typical Blogspot page in this campaign:

Hi, welcome to my page!
<font color='white'>DsisSjelxTLg3Et2dac61AjXKeCJzPg3</font><b>
<a href='http://newsnet6.com/monies/8HnSqJ7gcIFXOzRsStqJ'>
If page does not refresh..Tick Here</a>
</b>
<meta content='0;url=http://newsnet6.com/monies/?wQi7vnGl3pg4yLOiWNF1XNOmFfXXREiEV' http-equiv='refresh'/>

The font color='white' hides the next line of text against the white background, but that random string gives every page different content, which makes it hard for Google to say "find all the pages that contain exactly this". The same is true of the garbage at the end of the URL, which is intended to make each URL unique so they can't even say "find all the pages with THIS URL".

The meta refresh line with content='0;url=...' makes the page forward "in zero seconds" to newsnet6.com/monies.
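The random filler defeats exact-match searches, but it does nothing to hide the two things every one of these pages has in common: a zero-second meta refresh and a landing URL whose only variable part is the trailing token. The Python below, added here as an example and not code from the original post, parses a page of this shape with the standard library, pulls out the refresh target and the hidden white text, and reduces each URL to host plus first path segment so that pages with different tokens still cluster together. The sample page is the one shown above with its tags restored; the second sample, with different tokens, is constructed.

```python
import re
from collections import Counter
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlsplit

_REFRESH = re.compile(r"\s*(\d+)\s*;\s*url\s*=\s*(\S+)", re.IGNORECASE)
_HIDDEN_COLOURS = {"white", "#fff", "#ffffff"}


class RedirectorParser(HTMLParser):
    """Collect the meta-refresh target, the links, and any white-on-white text."""

    def __init__(self) -> None:
        super().__init__()
        self.refresh_delay: Optional[int] = None
        self.refresh_url: Optional[str] = None
        self.anchor_urls: List[str] = []
        self.hidden_text: List[str] = []
        self._hidden_depth = 0  # >0 while inside a <font color='white'> element

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # html.parser lower-cases names for us
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = _REFRESH.match(a.get("content", ""))
            if m:
                self.refresh_delay = int(m.group(1))
                self.refresh_url = m.group(2)
        elif tag == "a" and a.get("href"):
            self.anchor_urls.append(a["href"])
        elif tag == "font" and a.get("color", "").lower() in _HIDDEN_COLOURS:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag == "font" and self._hidden_depth:
            self._hidden_depth -= 1

    def handle_data(self, data):
        if self._hidden_depth and data.strip():
            self.hidden_text.append(data.strip())


def campaign_key(url: str) -> str:
    """Collapse a URL to host plus first path segment, dropping the per-page random token."""
    parts = urlsplit(url)
    first = parts.path.strip("/").split("/")[0]
    return f"{parts.hostname or ''}/{first}"


def analyse_page(html: str) -> dict:
    """Return the indicators a triage script would want from one redirector page."""
    p = RedirectorParser()
    p.feed(html)
    p.close()
    return {
        "refresh_delay": p.refresh_delay,
        "refresh_url": p.refresh_url,
        "landing_key": campaign_key(p.refresh_url) if p.refresh_url else None,
        "anchor_keys": sorted({campaign_key(u) for u in p.anchor_urls}),
        "hidden_text": p.hidden_text,
        # instant redirect plus invisible filler text is the signature described above
        "is_instant_redirector": p.refresh_delay == 0 and bool(p.hidden_text),
    }


def cluster_pages(pages: List[str]) -> Counter:
    """Count pages per landing key; one campaign collapses to one key."""
    return Counter(analyse_page(h)["landing_key"] for h in pages)


# The Blogspot page from the post, with its tags restored.
SAMPLE_PAGE = """Hi, welcome to my page!
<font color='white'>DsisSjelxTLg3Et2dac61AjXKeCJzPg3</font><b>
<a href='http://newsnet6.com/monies/8HnSqJ7gcIFXOzRsStqJ'>
If page does not refresh..Tick Here</a>
</b>
<meta content='0;url=http://newsnet6.com/monies/?wQi7vnGl3pg4yLOiWNF1XNOmFfXXREiEV' http-equiv='refresh'/>
"""

# A second page with different filler and tokens (constructed) to show the clustering.
SAMPLE_PAGE_2 = """Hi, welcome to my page!
<font color='white'>EXAMPLEFILLER0000000000000000000</font><b>
<a href='http://newsnet6.com/monies/EXAMPLETOKEN1'>If page does not refresh..Tick Here</a>
</b>
<meta content='0;url=http://newsnet6.com/monies/?EXAMPLETOKEN2' http-equiv='refresh'/>
"""

if __name__ == "__main__":
    print(analyse_page(SAMPLE_PAGE))
    print(cluster_pages([SAMPLE_PAGE, SAMPLE_PAGE_2]))
```

Matching on the landing key rather than the full URL is the answer to "find all the pages with THIS URL": both sample pages map to newsnet6.com/monies no matter what token the spammer appended.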
Blogspot pages:

Addiefdtw.blogspot.com
Alishagnzn.blogspot.com
Alishamfqe.blogspot.com
Allysongodj.blogspot.com
Avisegnr.blogspot.com
Bernadetteemhl.blogspot.com
Brianarqrh.blogspot.com
Carmelaaiun.blogspot.com
Carolbwyr.blogspot.com
Chandralzfb.blogspot.com
Charityiysn.blogspot.com
Cheriehnfx.blogspot.com
Christiamfz.blogspot.com
Christianflmw.blogspot.com
Clarafdwj.blogspot.com
Clarapbwr.blogspot.com
Consuelophgw.blogspot.com
Cynthiaigpt.blogspot.com
Cynthiapyhy.blogspot.com
Daisyrrph.blogspot.com
Diannefwwi.blogspot.com
Dorothydusl.blogspot.com
Ebonyipby.blogspot.com
Ednatxfw.blogspot.com
Ernestinewwfh.blogspot.com
Evangelinanyru.blogspot.com
Evaohov.blogspot.com
Fayvrnx.blogspot.com
Francescazcru.blogspot.com
Imeldanafa.blogspot.com
Jeaninecrsv.blogspot.com
Jeanteuw.blogspot.com
Jilldtvp.blogspot.com
Jillianbdle.blogspot.com
Jolenelefv.blogspot.com
Josefarbjn.blogspot.com
Karifjka.blogspot.com
Karyndwef.blogspot.com
Kathrynnpsm.blogspot.com
Kerryajpb.blogspot.com
Kerryesgc.blogspot.com
Lakeishacuib.blogspot.com
Lanamuty.blogspot.com
Latishathpg.blogspot.com
Laurenscln.blogspot.com
Leighkfaq.blogspot.com
Leliathws.blogspot.com
Leonorpxbb.blogspot.com
Lethajmnp.blogspot.com
Lucilleliqf.blogspot.com
Lucindavohe.blogspot.com
Madeleineesgu.blogspot.com
Madelineyceu.blogspot.com
Marcellagzdi.blogspot.com
Marissaenen.blogspot.com
Maxinerxyb.blogspot.com
Melvazoik.blogspot.com
Mercedesqvvz.blogspot.com
Natashavrjg.blogspot.com
Neldacejo.blogspot.com
Noemijcrm.blogspot.com
Nolafile.blogspot.com
Odessaiixd.blogspot.com
Pamelapvut.blogspot.com
Patricaaqfv.blogspot.com
Patriceywfl.blogspot.com
Robbiecwgq.blogspot.com
Robbieohjk.blogspot.com
Rosalindjctc.blogspot.com
Sandraeogn.blogspot.com
Saraarap.blogspot.com
Sonyabtre.blogspot.com
Staceygsyu.blogspot.com
Taniadsau.blogspot.com
Thelmasbzr.blogspot.com
Toniapvla.blogspot.com
Valarieuhca.blogspot.com
Vernaalhk.blogspot.com
Veronicalujd.blogspot.com
Vickieiivz.blogspot.com
Wildajpqy.blogspot.com
Willielovm.blogspot.com
Elvanzcr.blogspot.com
Lisavghh.blogspot.com
Stefaniesezt.blogspot.com
Valariersmg.blogspot.com

All of those blogspot accounts listed above were seen in spam between midnight and 5 AM on December 1, 2009. Each was created by criminals who are furthering this scam. If you know more details about the tool they are using to perform this automatic account creation, please let me know!

Whichever of the scam pages you start at, the Twitter, Live.com, or Blogspot page will lead you to the same webpages, which look like this:

Further down on that page, they give you the simple steps to follow:

Step 1: Go to this link, fill out a basic online form, and hit submit at EZ Money System. Pay the $1.95 trial

Step 2: Follow the directions at EZ Money System

Step 3: You will start earning your first money in about 24 hours. Your first checks will be about $500 to $1,500 a week. Then it goes up from there.

So, how does it really work?

Here's a screen shot of Step one:

So far, so good!

See the link we're choosing - $1.95 Activation!

Wait! Is that Fine Print at the top of the webpage???
Your Membership is the perfect tool to start making money on the Internet. We've helped thousands of people achieve their goals. By submitting this form you are ordering Creative Search Training and the trial membership for $1.95 Instant Access. If you do not cancel within the 3-day trial period, you will be charged a one-time amount of $129.95. In addition, you will be provided access to an online Learning Center which will bill at $39.98, unless you cancel, 30-days from the date of enrollment and you will be re-billed every 30 days at $39.98 per month until cancelled. To cancel call 888-753-4203 M-F, 7am-5pm, MST within 3 days of the date you ordered. As special bonus gifts, you will also receive a Risk Free 14-day Trial membership to HomeSource. You may cancel anytime during the trial period by calling 1-800-537-0984 M-F, 8am-5pm, MDT. If membership is continued you will automatically be charged $29.95 a month.
So, after 3 days, we need to call the number 888-753-4203 to cancel our trial and 800-537-0984 to cancel our HomeSource or else we get charged:

$129.95 one-time
39.98 per month for Learning Center
29.95 per month for Homesource

or basically $200 for the first month and $70 per month thereafter.

For the record, we tried repeatedly all day yesterday to "cancel". The phone rings repeatedly without being answered at both numbers. It's not actually possible to "cancel".