News items for tag spam - Koos van den Hout

2017-04-25 Quest Management Inc (QSMG) pump-and-dump spam 3 years ago
It has been a while since I wrote about pump-and-dump spam (scam) but it's never been completely dead. It does seem there has been some action against it and spamfilters got better at recognizing it.

Today's winner I see is Q like in Quality, S like in Straight, M like Mary and G like Gold. The spammer is sure to never use QSMG directly to avoid spam filters.

The funny part is that a google search for QSMG directly brings me to Pump and dump spam: Quest Management Inc (QSMG) stock - Dynamoo's blog with a complete write-up of the multiple spamruns the last week trying to make some money from this type of fraud.

Tags: , ,
2016-11-18 Trying to scam the spammed 3 years ago
An interesting scam mail received in several of my inboxes:
To: abuse@...
Subject: you've been scammed

Your email abuse@... has been hacked and spam is sent to all your contacts!
If you don't have a lawyer, you may contact me at

Best Regards,
I guess 'Mark' bought the cheapest available list of spammable addresses and is now trying to profit from the people spammed.

The other variation is with
Subject: You are hacked!
But with everything else exactly the same.

Update: I am getting some responses to this post, other people are seeing this spam too. I guess I was just the first one to write a post about it, since I usually like to link to posts showing I am not the only one. Hello visitors puzzling about this spam!

Update II: It's not just me! Also noted at You are hacked or scammed -

Tags: , ,
2016-10-10 How to recognize a job advertisment for money mules 3 years ago
Don't fall for it..

I received spam which translates (to me) very clearly to 'be a money mule':
[..] is looking for a qualified representative, reliable, efficient and dedicated to help facilitate their business transactions in Australia. The work is based on administrative / customer service support improving productivity and above all performing basic banking transactions.

We are located in the London If you are satisfied with all the conditions and wish to register, please contact our Human Resources department at [.. generic webmail account ..]
Alerting items:
  • Unsollicited e-mail (spam) sent to a random address
  • Lots of buzzwords but the work seems to be "basic banking transactions"
  • Doing transactions in Australia but located in London
  • Using a generic webmail account

Tags: , ,
2016-10-03 Discovering new archiving methods... via malware 3 years ago
In the incoming spam this morning:
See attached Bill Of Laden.

[-- Attachment #2: Shipping_Documents.ace --]
I had never heard of .ace files, but I miss some developments. So I asked:
$ file Shipping_Documents.ace
Shipping_Documents.ace: ACE archive data version 20, from Win/32, version 20 to extract, contains AV-String (unregistered), solid
So it is an archiving format, better described at ACE (compression file format) - Wikipedia. There is an unace for linux, and this gave me:
RFQ#0929919882.exe: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
c04e10a084657473828a03a97c82f0a9  RFQ#0929919882.exe
Which is obviously not shipping documents but an executable. Looking at the file showed some dangerous function names.

Tags: , ,
2016-09-29 Not very obfuscated malware code 3 years ago
In the incoming spam I noticed some unsollicited attachments, always a sign of danger. In this case with excel files (application/ so I checked those with olevba, part of the oletools package.

And indeed there was macro code to be run at startup, with multiple warnings about suspicious behaviour, such as usage of "command" which can run PowerShell commands.

Having a look at the code showed very clearly that the macro was up to no good! I am used to quite interesting attempts at obfuscating macro code, so it was funny to see this bit with olevba:
Call Shell("rund" & "ll32.exe " & firmaVENIKOVNETUUUKA & ",qwerty", vbHide)
The url where the malware is downloaded was also quite readable in the macro.

Tags: , ,
2016-08-23 I fell for a malware mail, thankfully aimed at Windows users 3 years ago
Today I saw an incoming e-mail about a voicemail message, while I was expecting a voicemail message. The format was quite similar to the format used by my telephone provider so I tried opening it in thunderbird under Linux. That saved me, it was aimed at opening in Windows, probably only working in Microsoft Outlook.

This is what it looked like in mutt:
Dear koos :
        There is a message for you from 01427157659, on 2016/08/23 15:52:17 .
You might want to check it when you get a chance.Thanks!

[-- Attachment #2: Voicemail sound attachment. --]
[-- Type: audio/x-wav, Encoding: base64, Size: 10K --]

[-- audio/x-wav is unsupported (use 'v' to view this part) --]
The attachment is but with mimetype audio/x-wav. The zip file contains:
  Length      Date    Time    Name
---------  ---------- -----   ----
    30764  2016-08-23 12:18   614007286106.wsf
---------                     -------
    30764                     1 file
With a lot of obfuscated scripting.

What saved me this time was opening it in a mailreader/environment which tries to play an audio/x-wav file with a mediaplayer which complained about something being invalid in it.

Tags: , ,
2016-06-22 Automatische vertalingen helpen niet altijd 3 years ago
Uit de spam mail:
In de link hieronder ontvangt u de factuur van KPN.
Voor uw veiligheid uw botbreuk is wachtwoord protected.Uw wachtwoord is 2hw3DXy .
Ik knipperde even, maar ik realiseerde me dat er vast iets met automatische vertaling is gedaan van factuur/fracture.

Tags: ,
2016-06-14 1dayfly spam 'via lead4cash' 3 years ago
Op een adres wat ik daar niet voor opgegeven heb (en niet voor zou gebruiken) kreeg ik spam van 1dayfly. Opvallend was in de tekst:
U krijgt deze nieuwsbrief omdat wij uit naam van Lead4Cash mailen en u daarmee heeft aangegeven onze nieuwsbrief te willen ontvangen!

We beloven u geen ongevraagde e-mails te sturen! verkoopt of verhuurt nooit haar gegevens aan derden.
1dayfly kan heel veel beweren maar met een naam als 'lead4cash' ga ik al uit van vervuilde marketing bestanden. Als je businessmodel 'lead4cash' oftewel 'geld voor gegevens van consumenten om te benaderen' is kost het alleen maar geld om te controleren of die 'leads' wel benadert willen worden. En dus is het niet opvallend dat er een adres tussen zit wat dat niet wil.

Zoals gebruikelijk: The Rules of Spam.

Update 2016-06-21: Uit een latere mail blijkt ook wel hoe mager de bestanden zijn:
Uw aanbiedingen van dinsdag 21 juni Wilt u een persoonlijke nieuwsbrief? Vul hier uw naam in:
Mijn conclusie is dan dat ze echt alleen maar een bak e-mail adressen ergens vandaan hebben. Dan vraag je ook om spamklachten.

Update 2016-07-26: De spam gaat rustig door, en ik heb toch eens voor de aardigheid de unsubscribe link geprobeerd. De unsubscribe link ziet er uit als:
Als u deze nieuwsbrief niet wilt ontvangen dan kunt u hier klikken:
om u af te melden.
En als ik die link volg heeft de site geen idee welk adres ik zou willen afmelden. Toch knap met naar schatting 88 tekens tracking in de url.

Daar het adres ingevuld en dan blijkt dat de aanmelding gedaan zou zijn vanaf IP op zondag 5 mei 2013 om 16:09. Dat IP is van Tele2:
inetnum: -
netname:        TELE2-CONSUMER-2
descr:          Pop Groningen, Ring Zwolle
country:        NL
admin-c:        RH3392-RIPE
tech-c:         RH3392-RIPE
tech-c:         WvdG7-RIPE
status:         ASSIGNED PA
mnt-by:         AS13127-MNT
created:        2005-06-20T09:14:32Z
last-modified:  2009-10-22T06:15:35Z
source:         RIPE # Filtered

Onder de pagina staat een link naar de dailymailz privacy policy (PDF, vreemd genoeg engelstalig) die er op neer komt dat ze alles mogen doen met de verzamelde gegevens wat ze leuk vinden. Die gegevens controleren ze alleen dus niet goed, dus die zijn aardig waardeloos.

Update 2016-07-28: En als ze beweren dat het meerdere dagen duurt om van alles af te komen dan menen ze dat ook, vandaag weer verse spam. Al heb ik altijd het idee dat 'het duurt meerdere dagen om alle lijsten bij te werken' vooral een excuus is om de zaken niet acuut te hoeven verwerken.

Update 2016-08-30: En de spam gaat gewoon stug door.

Update 2016-09-01: Nog maar eens afgemeld, en nu viel me op dat de afmeldlink op de 1dayfly site zelf uitkwam en niet bij lead4cashunsubscribe. Dus het eerdere afmelden bij lead4cash werd blijkbaar ergens geinterpreteerd als aanmelden bij 1dayfly.

Tags: , ,
2016-06-07 Obfuscated VBA macros in word files 3 years ago
I wanted to look at some suspicious word files to see whether the macros tried anything funny. Some searching showed me oletools which can do this and report. A sample:
Public Sub ZkBWG(ByVal uSHdvTl As String)
Dim RxXFgnMOu As Integer
VOyiBpZDIb.cFRHErvQ OdAkk.VWUUdYKG(553, JocsGn("PlJlXeAhESM.MtxpOizrMccS2W")), _
uSHdvTl, JocsGn("LcxeVxVE")
End Sub
Private Function xcOdDXhiP() As Integer
Dim NJuBRTz As String
Dim RemmeQk As Integer
xcOdDXhiP = 400
End Function
Private Function JocsGn(ByVal gAVndNSJ As String) As String
JocsGn = ZYkwp.kYxFEH(gAVndNSJ)
End Function

| Type       | Keyword        | Description                             |
| AutoExec   | Document_Open  | Runs when the Word document is opened   |
| Suspicious | CreateObject   | May create an OLE object                |
| Suspicious | CallByName     | May attempt to obfuscate malicious      |
|            |                | function calls                          |
| Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
|            |                | be used to obfuscate strings (option    |
|            |                | --decode to see all)                    |
| Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
|            |                | may be used to obfuscate strings        |
|            |                | (option --decode to see all)            |

Tags: , ,
2016-06-04 Phishing melden aan ICScards is nog lastig 3 years ago
Ik ben geen klant van ICScards maar toch wil ik soms interresante nieuwe phishing pogingen melden bij ze. Volgens Phishing: valse e-mails die in omloop zijn is de manier gewoon via e-mail naar het valse-email@ adres.

Maar helaas lukt het niet:
   ----- The following addresses had permanent fatal errors -----
    (reason: 550 Denied by policy)

   ----- Transcript of session follows -----
... while talking to
>>> DATA
<<< 550 Denied by policy
554 5.0.0 Service unavailable
het valse-email@ adres zit achter mailfilters die blijkbaar duidelijk herkenbare phishing mail blokkeren. Misschien moeten ze dat adres apart behandelen zodat ze dit soort meldingen wel binnenkrijgen...

Tags: , ,
2016-04-29 Virus mail overstressing the mime parser 4 years ago
This does not work as planned in mutt:
Subject: hi prnt
Content-Type: multipart/mixed; boundary=31BE31246BD934D65C63831D7238

Content-Type: multipart/alternative; boundary=31BE31246BD934D65C63831D7238

Content-Type: text/plain; charset=UTF-8

Content-Type: text/html; charset=UTF-8

<div dir="ltr"><br></div>

Content-Type: application/zip; name=""
Content-Disposition: attachment; filename=""
Content-Transfer-Encoding: base64
X-Attachment-Id: f_519392564

Shows as
  I     1                      [text/plain, 7bit, us-ascii, 0K]
  I     2                       [text/plain, 7bit, utf-8, 0.1K]
  I     3                        [text/html, 7bit, utf-8, 0.1K]

Tags: , , ,
2016-03-14 High numbers of e-mails trying to infect systems 4 years ago
The attempts to infect systems via malicous javascript in e-mail are quite high at the moment, all trying to fake some urgency to make me open it without checking. Some recent samples:
Your credit card has been billed for $187,11. For the details about this transac tion, please see the ID: 12824622-12824622 transaction report attached.

NOTE: This is the automatically generated message. Please, do not reply.
Archive:  /tmp/
  Length      Date    Time    Name
---------  ---------- -----   ----
     4055  2016-03-14 13:44   finance_LutQLF.js
---------                     -------
Read the rest of High numbers of e-mails trying to infect systems

Tags: , ,
2016-01-27 Virus mail on the rise 4 years ago
The last weeks the virus mail trying to make me open Word/Excel files with macro virusses is on a serious rise. Mostly attached (so mail virus scanners seem to be losing again) and sometimes trying to make me download the file from some website. Abusing names of well-established companies.

The most devious type I saw was trying to convince the receiver he/she had damaged a car and had to pay up soon or police would be involved, find the pictures (with .jpg.exe names) at this link.

Any document sent to you unsollicited is suspect.

And from the stupid e-mail disclaimer copied from the 'innocent' company:
E-mail may be susceptible to data corruption, interception, unauthorised amendment, viruses and unforeseen delays, and we do not accept liability for any such data corruption, interception, unauthorised amendment, viruses and delays or the consequences thereof. Accordingly, this e-mail and any attachments are opened at your own risk.
As if they had seen this coming! And they should learn about digital signatures.

Tags: , ,
2016-01-26 Weer spam voor een Belg 4 years ago
Deze keren spam voor een Belg van: Eerder, eerder, eerder.

Tags: ,
2015-12-16 Suspect 'invoice' mail showing an interesting error 4 years ago
The flood keeps coming, this time with an interesting error:
Dear Customer,

Our records show that your account has a debt of $295.{rand(10,99)}}. Previous a
ttempts of collecting this sum have failed.

Down below you can find an attached file with the information on your case.

[-- Attachment #2: --]
I guess the spammer had a bit of a problem with the spamming macro language!

The .zip file contains
  Length      Date    Time    Name
---------  ---------- -----   ----
    22333  2015-12-16 20:27   invoice_GeL0XY.js
---------                     -------
    22333                     1 file
Which is a really obfuscated javascript.

Tags: , ,
2015-12-16 Suspect 'invoice' mails keep coming 4 years ago
It is a whole flood of suspect mails this week, mostly trying to be an invoice or sometimes order confirmation. Containing .xls files, .doc files, or javascript or java applet.

I don't have the environment to research these completely but I expect them all to contain some form of malware aimed at the Windows operating system.

Tags: , ,
2015-12-14 Next suspect mail flood: "Invoice 14 12 15" from "Thunderbolds Limited" 4 years ago
And the next flood of suspect e-mail messages:

This message contains 2 pages in PDF format.

[-- Attachment #2: fax00163721.xls --]
[-- Type: application/, Encoding: base64, Size: 105K --]

[-- application/ is unsupported (use 'v' to view this part) --]
Probably more malware droppers. It seems some botnets are in great need for new systems to abuse.

Tags: , ,
2015-12-14 Suspect mails "FW: Scan from a Samsung MFP" 4 years ago
Multiple e-mail messages the last hour or so with:
-----Original Message-----

Please open the attached document. It was scanned and sent to you using a
Samsung MFP. For more information on Samsung products and solutions, please

This message has been scanned for malware by Websense.

[-- Attachment #2: Untitled_14102015_154510.doc --]
[-- Type: application/msword, Encoding: base64, Size: 123K --]

[-- application/msword is unsupported (use 'v' to view this part) --]
I don't have the means to research the .doc file completely but when I get unsollicited office files it can only be malware.

Update: I'm not the first to notice this: New Word malware: FW: Scan from a Samsung MFP - mxlab who researched the file and indeed found malware.

Tags: , ,
2015-12-02 Geluksrelatie spam 4 years ago
Ineens een opvallende stijger in de spam die me opvalt: die spam stuurt alsof je op een andere manier contact had gezocht met een vrijgezelle dame en het handig is als je verder contact zoekt via die site. De logica dat die dame dan wel de ontvanger kan benaderen maar toch via die site zou moeten werken ontgaat me een beetje. Voorbeeld:
Bedankt voor je reactie ik ben wel wat laat met reageren maar dat komt omdat ik het erg druk had de afgelopen tijd. Ik probeer je daarom nu nog even te bereiken via dit mailtje. Aangezien ik enorm veel reacties had gekregen op mijn oproep heb ik besloten om mezelf [1]hier in te schrijven. Buiten het feit om dat je met mij in contact kan komen zijn er nog [2]veel meer mensen die op zoek zijn naar een serieuze relatie want we willen toch allemaal gewoon gelukkig zijn? Ik kan wel een heel verhaal op gaan hangen maar als je echt serieus bent en je wil contact dan weet je hoe je mij kunt bereiken.
Opvallend is dat hier weinig klachten over terug te vinden zijn, eentje maar via trustpilot als negatieve review van

Tags: ,
2015-12-01 Malware linked to recent Brussels lockdown 4 years ago
It must take a special kind of evil to try to spread malware under the guise of information about the recent Brussels lockdown. From the e-mail message:
Federale Politie
Commissariat de Police
Directorate of the special units (DSU)
We kregen een terreuralarm met betrekking tot uw zakelijke omgeving.
Worden geadviseerd om de beschermende maatregelen (SECURITY TIPS) als gehecht aan jezelf, je bedrijf volgen en uw gezin beveiligd
Nous avons eu une alerte terroriste concernant votre secteur d'activité.
Être conseillé de suivre les mesures de protection (Conseils de sécurité) tels qu'ils sont joints pour vous garder, votre entreprise et votre famille fixée
Best regards,
Catherine De Bolle,
General Commissioner
Commissariat de Police
Rue du College 1,
1050 Brussel, Belgium
P: 032 2 515 71 86
E: commisioner(a)
With some shady files attached. Scanning them with virustotal gives that the .zip file contains the Java/Adwind malware.
Read the rest of Malware linked to recent Brussels lockdown

Tags: , ,
⇐ Newer news items for tag spam  Older news items for tag spam ⇒
, reachable as PGP encrypted e-mail preferred.

PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers pgp key statistics for 0x5BA9368BE6F334E4 Koos van den Hout
Other webprojects: Camp Wireless, wireless Internet access at campsites, The Virtual Bookcase, book reviews