New pump and dump stock spam comes from Romania
Since June 22, 2011, I have written 6 articles highlighting Romania as a source of spam attacks and hosting of spamvertised domains. This is my 7th article in 6 weeks, exposing badness coming from Romania, targeting North Americans.
Tonight, while minding my own business, I received an email from an outfit called OTC Pundit (dot com). The subject was: "Food is the New Oil" and the body had little text, but did have a link to an image file. The link was instantly suspicious to me, because it was a numeric link, rather than a named domain. Knowing that this was spam, I exposed the source code in MailWasher Pro. The HTML content revealed that this spam was supposed to look like a newsletter of sorts.
The Received From line showed that the email came from the IP address: 89.238.231.135. It contained a link to a file and that link also contained the same IP address. I traced the link with my diagnostic tools and it turns out that 89.238.231.135 belongs to a Romanian web host: EUROWEB Romania, whose entire CIDR is 89.238.192.0/18. That CIDR is already on my Russian Blocklist. I then went back to the source code of the spam message and copied the link, which was to a .jpg image file. I looked over the source code of that link, using WannaBrowser and found that no exploits were attached to it. So, I dropped the URL into my Firefox browser, using the NoScript Add-on for safety.
The image turned out to be a whole page ad for an upcoming pump and dump stock scam. It uses the words Food Is The Next Oil and speaks about food shortages and how investors can profit from other people's misfortune and famines. This is truly a slimeball spam campaign!
The IP address I listed is the IP of a website registered in Romania: otcpundit dot com. It uses rohost.com name servers, as well as those of a marketing company that is on the same Romanian server. The domain was registered on Feb 2, 2011.
I have taken the following steps to protect my friends from falling for any scams coming from that company: The domain OTC Pundit has been added to the Known Spam Domains filters for MailWasher Pro and the CIDR 89.238.192.0/18 can be added to your email server firewall, if you have root access to administer Linux firewall rules. If you are on shared web hosting you can see if you are able to create a rule to re-route email containing "otcpundit.com" in the entire header, to NULL. If you are not receiving email via your own domain, but through a third party email system, via your browser, you are at their mercy to filter email for you. If you get your email via a POP3 desktop program, like Windows Live Mail, you can use MailWasher Pro, with my custom filters, to filter out spam before it gets downloaded to your email client.
Bottom line: Delete all email messages coming from any variation of OTC Pundit, or Emp-Marketing, or anything with words similar to Food is the Next Oil in the subject or body text. These are pump and dump penny stock scams in the making. Also, 99.99999999% of email that contains a numeric IP address, rather than a domain name and extension, is a link to fraud, or malware. An example of such a URL is: http://123.456.789.0/otherwords-or-characters. Delete all numeric IP link emails on sight. I have a filter for MailWasher Pro that detects numeric IPs in links.
In this case of image spam, the link ended with .jpg, an image type. However, one cannot assume that the server at the other end will actually deliver an image. It could have been configured to serve an executable exploit instead of an image. Learn how to walk safely through mine fields before you play in them. Browse using Firefox, with the NoScript Add-on enabled. Use WannaBrowser or another text only browser to look at the source code of web pages, before attempting to load those pages, or image files. WannaBrowser will reveal the IP address of any website it can display in the Source field. You can copy that IP address and paste it into the IP Whois field in Domain Tools, or one of my favorites, CQCounter, or any other Whois Look-up site. This reveals where it is hosted, when it was registered, and who is the official domain Registrar.
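The three checks recommended above (numeric-IP links, the sending relay inside the blocked 89.238.192.0/18 CIDR, and "otcpundit.com" anywhere in the headers) can be scripted for a local mail filter. The code below is an added example written for this article, not the author's MailWasher Pro filter; the sample message is constructed to resemble the spam described and is not the original. It flags the link by its numeric host, not by the .jpg extension, since the extension proves nothing about what the server returns.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample modelled on the spam described in the post (not the real message).
SAMPLE_SPAM = """\
Received: from unknown (HELO mail) ([89.238.231.135])
\tby mx.recipient.example with SMTP; Wed, 03 Aug 2011 01:02:03 -0400
From: OTC Pundit <news@otcpundit.com>
Subject: Food is the New Oil
Content-Type: text/html

<html><body><a href="http://89.238.231.135/nl/food.jpg">
<img src="http://89.238.231.135/nl/food.jpg"></a></body></html>
"""

BLOCKED_CIDRS = [ipaddress.ip_network("89.238.192.0/18")]  # EUROWEB Romania, per the post
BLOCKED_DOMAINS = ["otcpundit.com"]

# A dotted quad used as the URL host; the lookahead stops the match at path, port or quote.
NUMERIC_URL_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?=[:/\s\"'>]|$)", re.I)
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def numeric_ip_links(text: str) -> list[str]:
    """Hosts written as bare numbers, deduplicated, whether or not they are valid IPs
    (an out-of-range quad such as 123.456.789.0 is still a numeric link)."""
    return list(dict.fromkeys(NUMERIC_URL_RE.findall(text)))


def relay_ips(msg) -> list[str]:
    """Bracketed addresses from every Received: header, top-most (our own MX) first.
    Only the header your own server added is trustworthy; lower ones can be forged."""
    return [ip for hdr in msg.get_all("Received", []) for ip in RECEIVED_IP_RE.findall(hdr)]


def in_blocked_cidr(ip: str) -> bool:
    try:
        return any(ipaddress.ip_address(ip) in net for net in BLOCKED_CIDRS)
    except ValueError:  # not a real address, so it cannot be in any network
        return False


def classify(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    headers = "\n".join(f"{k}: {v}" for k, v in msg.items()).lower()
    result = {"numeric_links": numeric_ip_links(text), "relay_ips": relay_ips(msg),
              "blocked_domain": any(d in headers for d in BLOCKED_DOMAINS)}
    # Judge only the top-most relay: that is the hop our own server recorded.
    result["blocked_cidr"] = any(in_blocked_cidr(ip) for ip in result["relay_ips"][:1])
    result["verdict"] = "delete" if (result["numeric_links"] or result["blocked_cidr"]
                                    or result["blocked_domain"]) else "keep"
    return result


if __name__ == "__main__":
    print(classify(SAMPLE_SPAM))
```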
In the 15th Century, the Romanians gave us the legend of Count Dracula, a.k.a: Vlad Dracula. He sucked the life blood out of his unfortunate victims. Modern day Draculas suck the life savings out of their online victims, by means of spam and scams for useless products and offerings, scripted browser exploits and money laundering schemes.
Stay thirsty my friend! But, avoid the modern day Count Draculas; the money sucking vampires.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.