Spam for fake BlueMountain card leads to malware

Fresh spam in today, subject: "BlueMountain e-Card : Someone thought about you".

Yeah, someone is thinking about infecting your computer.

The obfuscated link:
h||p://0x55.0xee.000000051.0000221/i/BlueMountain&2009&05.card=LoveScreen.php
0x55.0xee.000000051.0000221 decodes to 85.238.41.145, and that IP is listed in the SBL for reasons similar to this spamrun.
The setup is almost identical.
service.net.ge is behind 85.238.41.145.
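To turn a host written like that into something you can match against a blocklist, here is an added decoder (my example, not code from the original post) that applies the inet_aton rules: each dotted component may be hex (0x), octal (leading 0) or decimal, and with fewer than four components the last one fills the remaining bytes, which is why browsers also accept single-number forms of the same address. The sample host is the one quoted above.

```python
import ipaddress
import re

# Constructed sample: the obfuscated host from the spam URL quoted in the post.
OBFUSCATED_HOST = "0x55.0xee.000000051.0000221"


def parse_part(part: str) -> int:
    """Parse one dotted component the way inet_aton does: 0x.. hex, 0.. octal, else decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part, 16)
    if re.fullmatch(r"0[0-7]*", part):
        return int(part, 8) if len(part) > 1 else 0
    if re.fullmatch(r"[1-9][0-9]*", part):
        return int(part, 10)
    raise ValueError(f"not a numeric component: {part!r}")


def decode_obfuscated_ipv4(host: str) -> str:
    """Normalise an inet_aton-style host (1 to 4 mixed-radix components) to dotted decimal.

    With fewer than four components the final one fills the remaining low-order
    bytes, so "0x55ee2991" and "85.238.0x2991" both mean 85.238.41.145.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError("IPv4 literal needs 1 to 4 components")
    values = [parse_part(p) for p in parts]
    head, last = values[:-1], values[-1]
    for v in head:
        if v > 0xFF:
            raise ValueError("leading components must fit in one byte")
    last_width = 4 - len(head)  # number of bytes the final component must fill
    if last >= 1 << (8 * last_width):
        raise ValueError("final component overflows the remaining bytes")
    packed = 0
    for v in head:
        packed = (packed << 8) | v
    packed = (packed << (8 * last_width)) | last
    return str(ipaddress.IPv4Address(packed))


if __name__ == "__main__":
    print(decode_obfuscated_ipv4(OBFUSCATED_HOST))  # 85.238.41.145
```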

Asprox domains - new and old ones April 29 2009

Here are some of them; others do of course exist too.

I stumbled across two new ones registered today, 15infinput.com and binnet11.net.
One of the IPs that shows up in connection with those is 69.66.237.74.

Here is an example using bfk.de for 69.66.237.74 (none of those are active):

The acaiberries spammers

Only a few words this time.

007aff.com has been replaced by 007-aff.com. Same guys.
The replacement for bulker.biz? (Pure speculation).

Latest domain taking orders: ksdjhfnkejrnkfjekrjnfkejrnkj.com

One branch of the setup can be traced back to JustThinkMedia.
aka edirectsoftware, earncashfastwithgoogle.com, creditreportamerica.com, wu-yisource.com etc.

Asprox - Phish domains in April 2009

First a screenshot from the phish site at
h||p://ww4.visa.com.82siddefault.com/creditcards/security/confirm

Phish page on the Asprox botnet April 2009

And here is a screenshot of the location bar from the screenshot above:

Location bar of phish page on the Asprox botnet April 2009

When things don't quite add up

Or: We will not sell, rent [insert whatever] your e-mail address.
On second thought, we may do it.
So you better come back here and read our privacy policy every fucking day, because we will announce it here.

That's my blunt way of saying what I actually read too often.

Another variation is the one where you have to opt out only after you have actually bought something.
Amazon is my latest example.
I bought my first book a couple of months ago. And suddenly Amazon kindly started spamming me with nice books I could maybe, possibly be interested in.

Today's Acai berry domain: rewuierksakgmnzxbhas.com

The botnet-hosted domains used in the Acai Berry setup are today redirecting to rewuierksakgmnzxbhas.com (a difficult one, like the previous one).
Aside from that, the setup is identical to the one described in the previous posting,
except that myherbalcheckout.com is now at 119.42.149.202 and fjfnfnfnaaswwospotyacai.com seems to be gone.

rewuierksakgmnzxbhas.com was registered today and the host is apparently at 119.42.149.201. InfoMove Limited in Hong Kong has been seen before.

acaiberrycheckout.com seems to have trouble right now.
