Tuesday, 21 April 2009

Waledac Joe Jobbing Again?


Earlier this month we wrote about what appeared to be Waledac doing a joe job against a website called Blizzard Image Hosting. Here we are three weeks later and it appears they are back at it again. This time the joe job is occurring against two new adult foot fetish websites. It appears they have set their sights on barefootsies.com and ticklefootsies.com. Over the last few days, thousands of identical e-mail messages related to these websites have been blasted out across the Internet. The spam messages look like this:

	Subject: Free foot fetish movies

	Amatuer, girl-girl feet tickling movies, and foot worship movies at
	http ://www.barefootsies.com/ 

	---

	Subject: Foot fetish pic

	Amatuer, girl-girl feet tickling movies, and foot worship movies at
	http ://www.ticklefootsies.com/ 

A little strange, right? We thought so too. What could these guys have done to upset the Waledac authors? Let's take a closer look at the sites (well, not the sites themselves, but the surrounding information). The first item of interest is that they are both definitely related. Both sites are hosted on the IP address 216.17.107.72 and are registered to First Choice Studios in Portage, Michigan with the e-mail webmaster@marqueemediaonline.com. These guys are obviously one and the same. We could have guessed that anyway. However, things get even more interesting if we look back at the first "joe job" that was done against Blizzard Image Hosting.

What IP address is used for blizzardimagehosting.com? You guessed it: 216.17.107.72. It turns out Blizzard Image Hosting is registered to Marque Media Networks at the same address as First Choice Studios and also with the e-mail webmaster@marqueemediaonline.com. It appears that Waledac is advertising/spamming/joe jobbing the same people again. Both of the "footsies" websites above have links on them with messages similar to that displayed on the Blizzard Image Hosting website. The message reads in part:

	UPDATE: 4-20-2009

	I am not spamming you!

	However, I know who it is behind this spam attack. They started on one of
	my other domains where I had posted his shady past, and now appears to be
	moving from one of my domains to the next domain. 

	I have reported them to the Federal Trade Commission (Ref# #2244739), the
	United States F.B.I.'s IC3 Internet Division (Ref# I0904201511278311) and the FCC.

	I have also filed complaints with Interpol Ukraine (where the originator of spam
	attack is based), as well as their main office, Interpol internet division. My
	webhost and registrar are in the loop as to who is behind it, and all their
	personal and contact information has been provided to them and their legal
	departments.

	Please feel free to send an e-mail to spam@uce.gov as well as Interpol with e-mail
	received, and your complete header information.

It would seem these guys have really ticked off the Waledac authors somehow, or this is an interesting way to advertise a site while making it look like an attack. We have no evidence of this, but like we said before, we are just always suspicious. In the meantime, Waledac has continued with its SMS campaign and continued spamming pharmaceuticals. Business as usual, with the exception of the latest joe job.

=>Posted April 21, 2009, at 08:43 AM by Steven Adair
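
The pivot used above (linking spamvertised domains through a shared hosting IP and registrant e-mail) can be automated when there are more than a handful of domains. The following is an added example, not code from the original post: the three .com records are transcribed from the text rather than looked up live, `unrelated.example` is a constructed control record, and the function names are hypothetical.

```python
from collections import defaultdict

# The three .com records are transcribed from the post (no live DNS/WHOIS
# lookup); the last record is a constructed, unrelated control.
RECORDS = [
    {"domain": "barefootsies.com", "ip": "216.17.107.72",
     "org": "First Choice Studios", "email": "webmaster@marqueemediaonline.com"},
    {"domain": "ticklefootsies.com", "ip": "216.17.107.72",
     "org": "First Choice Studios", "email": "webmaster@marqueemediaonline.com"},
    {"domain": "blizzardimagehosting.com", "ip": "216.17.107.72",
     "org": "Marque Media Networks", "email": "webmaster@marqueemediaonline.com"},
    {"domain": "unrelated.example", "ip": "192.0.2.10",
     "org": "Example Org", "email": "hostmaster@unrelated.example"},
]
PIVOTS = ("ip", "email")  # attributes treated as evidence of a common operator

def _norm(record, pivot):
    return (record.get(pivot) or "").strip().lower()

def cluster(records, pivots=PIVOTS):
    """Group domains that share any pivot value (union-find)."""
    parent = {r["domain"]: r["domain"] for r in records}
    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving
            d = parent[d]
        return d
    first_seen = {}  # (pivot, value) -> first domain seen with that value
    for r in records:
        for p in pivots:
            key = (p, _norm(r, p))
            if not key[1]:
                continue  # a missing field is not a link
            if key in first_seen:
                parent[find(r["domain"])] = find(first_seen[key])
            first_seen.setdefault(key, r["domain"])
    groups = defaultdict(list)
    for d in parent:
        groups[find(d)].append(d)
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)

def shared_pivots(records, group, pivots=PIVOTS):
    """Pivot values that every domain in the group has in common."""
    rows = [r for r in records if r["domain"] in group]
    return {p: _norm(rows[0], p) for p in pivots if len({_norm(r, p) for r in rows}) == 1}

if __name__ == "__main__":
    for g in cluster(RECORDS):
        print(g, shared_pivots(RECORDS, g))
```

Clustering on the registrant organization alone would split Blizzard Image Hosting from the two "footsies" sites, since the names differ; the IP and e-mail are what tie all three together.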