« April 2009 · October 2009 · September 2010 »

June 2009
MonTueWedThuFriSatSun
01020304050607
08091011121314
15161718192021
22232425262728
2930     
July 2009
MonTueWedThuFriSatSun
  0102030405
06070809101112
13141516171819
20212223242526
2728293031  
August 2009
MonTueWedThuFriSatSun
     0102
03040506070809
10111213141516
17181920212223
24252627282930
31      

Calendar:

  • 25.08.2009: Shadowserver is formally granted Federal 501(c)(3) non-profit status
  • 10.07.2009: Korean/U.S. DDoS Attacks - Perplexing, Disruptive, and Destructive
  • 04.07.2009: Independence Day - Waledac July 4th Update - New Domains Added
  • No entries for June 2009.
Newest first Oldest first

Tuesday, 21 April 2009

Waledac Joe Jobbing Again?


Earlier this month we wrote about what appeared to be Waledac doing a joe job against a website called Blizzard Image Hosting. Here we are three weeks later and it appears they are back at it again. This time the joe job is occurring against two new websites that are adult foot fetish websites. It appears they have set their sites on barefootsies.com and ticklefootsies.com. Over the last few days thousands of identical e-mail messages related to these websites are being blasted out across the Internet. The Spam messages look like this: 

	Subject: Free foot fetish movies

	Amatuer, girl-girl feet tickling movies, and foot worship movies at
	http ://www.barefootsies.com/ 

	---

	Subject: Foot fetish pic

	Amatuer, girl-girl feet tickling movies, and foot worship movies at
	http ://www.ticklefootsies.com/

A little strange right? We thought so too. What could these guys have done to upset the Waledac authors? Let's take a little bit closer of a look at the sites (well not the sites themselves.. but the surrounding information). First item of interest is to see that they are both definitely related. Both sites are hosted on the IP address 216.17.107.72 and are registered to First Choice Studios in Portage, Michigan with the e-mail webmaster@marqueemediaonline.com. These guys are obviously one and the same. We could have guessed that anyway. However, what is even more interesting is if we look back to the first "joe job" that was done against Blizzard Image Hosting.

What IP address is used for blizzardimagehosting.com? You guessed it: 216.17.107.72. Turns out Blizzard Image Hosting is registered to Marque Media Networks at the same addresses as First Choice Studios and also with the e-mail webmaster@marqueemediaonline.com. It appears that Waledac is advertising/spamming/joe jobbing the same people again. Both of the "footsies" website above have links on them with messages similar to that displayed on the Blizzard Image Hosting website. The message reads in part: 

	UPDATE: 4-20-2009

	I am not spamming you!

	However, I know who it is behind this spam attack. They started on one of
	my other domains where I had posted his shady past, and now appears to be
	moving from one of my domains to the next domain. 

	I have reported them to the Federal Trade Commisson  (Ref# #2244739), the
	United States F.B.I.'s IC3 Internet Division (Ref# I0904201511278311) and the FCC.

	I have also filed complaints with Interpol Ukraine (where the originator of spam
	attack is based), as well as their main office, Interpol internet division. My
	webhost and registrar are in the loop as to who is behind it, and all their
	personal and contact information has been provided to them and their legal
	departments.

	Please feel free to send an e-mail to spam@uce.gov as well as Interpol with e-mail
	received, and your complete header information.

It would seem these guys have really ticked up the Waledac authors some how or this is an interesting way to advertise a site while making it look like an attack. We have no evidence of this but like we said before, we are just always suspicious. In the meantime Waledac has continued with its SMS campaign and continued spamming pharmaceuticals. Business as usual with the exception of the latest joe job.

=>Posted April 21, 2009, at 08:43 AM by Steven Adair