Loews Miami

23 Nisan 2012 Pazartesi

Punta Negra Beach, Peru

To contact us Click HERE
Peru travel vacation

Punta Negra Beach is 42 km south of Lima, Peru. Punta Negra is well known for its outstanding reefs, bays and world class surfing beaches. One of the tourist spots in Peru is the Punta Negra that attracts thousands of foreign surfers from around the world. The waves has different sizes from small to big ones which good for beginner and advanced surfers. This beach also offers a good sun bating and other water sports. If your looking for a great Peru travel vacation, Lima, Punta Negra is a good place to be in especially when summer. You can also find cheap hotels, good restaurant and nightclubs near to the beach.

Beautiful Beaches in Acapulco Mexico

To contact us Click HERE

Caleta Beach

Caleta Beach is located in the center of Acapulco. This beach is not that beautiful but swimming here is safer and easier compare to other local beaches in Mexico because the waves in Caleta are usually calm. Many souvenirs shops and seafood restaurants nearby in Caleta Beach.

Condesa Beach

Condesa Beach is in the middle of Acapulco Bay. This beach is popular and convenient beach for local residents and tourists. You can have a cheap beach vacation here. There are restaurants, shops and hotels near in Condesa. You could go for parasailing and rent boats here.

Icacos Beach

Icacos Beach is in front of La Palapa Hotel. You can do all kinds of watersports here. You can also ride in the hot air ballon and Skycoaster. Icacos beach is a crowded beach.

Puerto Marques

This beach is the most favorite beach of many tourist. It is only one way ride to the airport. The beach is calm and its great beach for swimming. There are many cheap and delicious seafood restaurants near on this beach and its good to try their Ceviche and the Pulpo. On the hill above of Puerto Marques there is an affordable hotel, Camino Real Acapulco.

Pie de la Cuesta

A wonderful Acapulco beach were you can wtch the sunset. Waves here are huge so swimming is not a good idea. You can visit lagoon for waterskiing or go for seafood restaurants.

Rodeway Inn & Suites

To contact us Click HERE

The Rodeway Inn & Suites is located 2 miles from the beautiful Niagara Falls, Ontario Canada. This hotel is walking distance from Canada One Factory Outlets and 10 minute drive from Marineland. Rodeway Inn & Suites have indoor/outdoor pool, breakfasts and tea in the afternoon with cable television, Internet access and favorable local calls.

Hotel Policies

When your checking in, you must present a photo ID. By the time that you already booked, your credit card is automatically charged. The total charge include all fees for access and booking, as well the taxes. If theres an incidental charges like phone calls, parking and room service will be cover directly between you and the property.

Driving Direction

From Buffalo International Airport:
Go over Peace Bridge to QEW towards Niagara Falls.
Exit at Macleod Road, proceed to top of the ramp.
Turn left, go to second light (Montrose Road).
Turn right on Montrose Road, left on Lundy's Lane.
Rodeway Inn & Suites is on the left hand side.

Rate: $37.19 - 55.71 USD

Rodeway Inn & Suites

7720 Lundy's Lane
NIAGARA FALLS, ON, CA L2H1H1

cheap hotel beach vacations

Help stop the Osama bin Laden Videos on Facebook

To contact us Click HERE
If you have teenage friends, or friends with poor security practices, you will probably notice that your wall has recently filled up with invitations to watch a video of Osama bin Laden being killed.

The behavior of this particular scam is too cause a link to be posted BY YOU on all of your friends' walls. (There is another popular one going around -- "See Who Viewed Your Profile" -- that behaves in the same way. Facebook confirms that there is no app that can do that, and encourages us to use the "REPORT" feature when we see that.

If you click the link, many geeky "redirections" (described at end of article) happen before you end up on a page that looks like this:

The danger starts if you click "Watch Video". DON'T DO IT!

While it would be interesting to explore the Cross Site Scripting vulnerability that allows this to happen, the more important thing to share is "what should a FaceBook user who sees this activity do about this offending post on their wall?"

Whenever you see something objectionable on your wall, the thing to do is REPORT IT!

Hover your mouse over a message on your wall, and a grey "X" will appear at the top right of the message.

When you click the "X" by the top right corner of the wall post, you are presented with a drop down menu. We're going to choose the bottom item -- "Report As Abuse"

Since the post is not "about me", we go to the lower section and choose "Spam or scam"

When we click "OK" we get an option to block the user. Since this is an innocent mistake by our friend, we don't want to "block" the friend, so just check the bottom box that says "Report to Facebook." If our friend is the sort of helpless, clueless individual that clicks on everything they see, eventually we would want to block this friend.

We get a nice "Thank you" from our friends at Facebook Security! These really help the team! They get the messages and use them to prioritize what things need to be addressed. If many reports are received for the same link, or about the same user, those things get addressed more quickly. Different types of reports go to different sub-groups so just because they are busy helping fight something like today's report doesn't mean that they ignore cyber-bullying.

Facebook WANTS YOU to report things that bother you. That's how they keep a clean neighborhood.

Help them help you. REPORT SCAMS!

Then take a moment more and send your friend a friendly message letting them know what's going on. They might want to let the rest of their friends know.

Facebook security has several recommendations, including a couple that I honestly wouldn't have thought of. (I'll put those first)

Unlike the page which tricked you into showing fake video and report them immediately to Facebook. -- in addition to posting the message to your friends' walls, this tricky Facebook worm causes you to "Like" its page. The more "Likes" a page has, the more people are convinced it's real, so it is helpful to go "UNLIKE" the page. (if you've liked it, it will be a choice on the left side menu.)
If a friend is posting suspicious messages to your wall, they may have malicious software on their computer, or may have clicked something bad themselves. Facebook Help says the best thing to do is tell your friend to contact Facebook Help.
If YOU are the one posting the message, this Facebook Help post is for you: Wall posts were sent from my account, and I didn’t send them. It has helpful hints about anti-virus, not clicking on spam, and how to reset your password.
Have up-to-date anti-virus software
Keep an eye for messages that often feature misspellings, poor grammar and nonstandard English. If it doesn't look like a message your friend would type, REPORT IT! It may be related to malware or a malicious app that is using your friend's account!
Do not open spam mails, including clicking links contained within those messages.
Don’t copy and paste any scripts in your Facebook profile. Several scams have worked by encouraging you to paste something odd in your profile. Some of those scripts install apps, grant permissions, or make you do things you wouldn't want to do!
If you’re using Chrome, make sure you don’t paste any scripts in your browser bar, as the browser tries to preload anything you type in the ‘awesome’ bar.

Geek Alert!

Here's an example stream of what happens if you click one of these links ...
In this case, the link is going to pass through several rounds of redirection, which we can see by doing a "wget" of the destination URL. A "301" command makes your browser move on to another web address without really adding any new content.

In the top example, the destination URL is tinyurl.com/3b8uayr

wget http://tinyurl.com/3b8uayr
Resolving tinyurl.com... 64.62.243.89, 64.62.243.90
Connecting to tinyurl.com|64.62.243.89|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://zamakoko.mo.tl/ [following]
--19:51:27-- http://zamakoko.mo.tl/
=> `index.html'
Resolving zamakoko.mo.tl... 174.122.44.67
Connecting to zamakoko.mo.tl|174.122.44.67|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://on.fb.me/jM9tNF [following]
--19:51:47-- http://on.fb.me/jM9tNF
=> `jM9tNF'
Resolving on.fb.me... 168.143.174.97
Connecting to on.fb.me|168.143.174.97|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.facebook.com/pages/0sama-tape/121566207922629 [following]
--19:51:59-- http://www.facebook.com/pages/0sama-tape/121566207922629
=> `121566207922629'
Resolving www.facebook.com... 69.63.189.16
Connecting to www.facebook.com|69.63.189.16|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://www.facebook.com/common/browser.php [following]
--19:52:05-- http://www.facebook.com/common/browser.php
=> `browser.php'
Connecting to www.facebook.com|69.63.189.16|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

[ <=> ] 11,771 --.--K/s
19:52:24 (1.40 MB/s) - `browser.php' saved [11771]

Which leaves us sitting here:

ACH Spammer switches to Shortened URLs

To contact us Click HERE
For many weeks now the spammers behind one particular malware family have been fighting a running battle to keep their malware-hosting domains in place for a campaign that we have been calling "NACHA Spam".

In this campaign, which we first wrote about in November 2009 (see: Newest Zeus: NACHA Electronic Payments, the criminals send emails suggesting that an Automated Clearing House (ACH) payment has failed. It is thought that this may be a method of screening recipients as only people who deal with money transfer on a regular basis would be familiar with NACHA as having authority over ACH payments.

In more recent versions of the campaign, including the one we wrote about in March 2011 (see: More ACH Spam from NACHA) we have seen dozens or even hundreds of newly created domain names used to host the malicious content.

Here's a sample of the email body:

The ACH transfer (ID: 1514969569958), recently initiated from your checking account (by you or any other person), was canceled by the Electronic Payments Association.

Rejected transaction
Transaction ID: 1514969569958
Reason for rejection See details in the report below
Transaction Report report_1514969569958.pdf.exe (self-extracting archive, Adobe PDF)

13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100

2011 NACHA - The Electronic Payments Association

A New Car! (or Zeus spam Campaign)

To contact us Click HERE
If you believe my email today, everyone is getting a new car but me.

There are actually many different spam message subjects that make up this campaign. Those like the one above use a random person name in the subject line, like these:

Remember [name]?
It's [name]'s new car!
Saw new [name]'s car?
Do you remember [name]?

There were also quite a few "non-random" ones. Here's a sampling from yesterday's spam, when we received a total of more than 60,000 emails that are part of this malware distribution campaign:

count | subject
-------+------------------------------------
1398 | info
1389 | Hello
1357 | look
1344 | Hello!
1343 | Hi!
1341 | hello!
1333 | Look!
1328 | hello
1320 | hello.
1314 | Hello.
1305 | hey buddy!
1286 | hi buddy!
1282 | Hey!
590 | Is this your boyfriend?
580 | Do you remember me?
577 | Remember me?
549 | Is This Your Boyfriend?
539 | Is this your girlfriend bro?
538 | Is This Your Girl Bro?
533 | Is This Your Boy?
529 | Is this your boy?
507 | Is this your girl bro?
487 | Is This Your Girlfriend Bro?
482 | Is this your girlfriend buddy?
480 | Is This your Girlfriend?

Those numbers are the count of the email messages we received from that portion of the campaign that pretended to be related to LinkedIn. In the graphic above, you can see that the "From" address is on "live.com" and the "Reply-To" is on "linkedin.com". Actually neither one of those things were true.

Here are the actual mail headers (although I've redacted a couple things from this one):

In this image, the "fake" values are highlighted in green while the "real" values are highlighted in yellow. This email did NOT come from LinkedIn's IP 63.211.90.176. It really came from 173.200.78.57. (Many hundreds of IPs were used.)

We actually saw this same style of mail-header faking beginning last November, especially during a rampant USAA Phishing campaign where the destination websites were all on '.tk' domains. Although I didn't focus on that aspect in the story (instead we found the REAL sender IP addresses and wrote about those) it was partly because at the time I didn't understand how it was possible!

All of the spam messages listed above, whether they are the "New Car" version or the "Is that Your Boyfriend?" or even the "Hello!" versions have a common website location being advertised. They use random numbers in the hostname portion of the website address, but the all point to:

arcid_[RND#].oposumcruiser.com/arc/file/

That website looks like this:

UPDATE!!

I've received an update from my friend Steven Burn who runs the websites of Ur I.T. Mate Group. He pointed out to me that even if you don't download the .exe file from this page, you are still at risk just by visiting the site. There is an IFRAME hidden in the source code of the page that directs all visitors to load the Blackhole Exploit Kit from another location. As of this writing that other location is:

http://motorssmonito.com/forum.php?tp=778973f6b2977050

(Visit at your own risk - it WILL try to infect you! )

The excellent folks at UCSB's Wepawet project provide this decoding of the page:

Wepawet decode of the MotorSSMonito blackhole exploit kit

which shows all the little tricks it tries to use to infect you, including loading malicious .jar files, .pdf files, .avi files,

/End Update - Thank you, Mr. Burn!

One of the characteristics of the "Avalanche" botnet that we believed was associated with the USAA phish back in November was that the destination website is "Fast Flux" hosted -- meaning that the IP address is being constantly changed by modifying the nameserver to resolve the domain name to many different locations.

The first time I looked at this website, it was resolving to the IP address 112.71.69.76 in Japan. But when I asked the nameserver for its location, it gave back eight different IP addresses:

80.171.37.243
81.203.1.104
82.159.38.56
85.86.48.130
91.117.147.33
112.71.69.76
114.183.247.117
217.50.208.196

Only a few minutes later when I rechecked, I found the additional IP addresses:

83.213.31.242
90.168.201.126
95.125.232.109
212.225.173.8

all resolving the "oposumcruiser.com" random hostnames.

One of the many projects we have at the UAB Computer Forensics Research Lab is a Fast Flux tracker. Some of the other domains that are currently fluxing on this same space include perfectcheck2011.com, safeyourwork.net, personalsyscheck.com and safetylife2011.org which use the nameservers ns1.lonfd.net and ns1.cazonet.com. Most of those are autoforwarders for pharmaceutical websites such as sportsmedsrxpills.net which purports to be the "Canadian Health & Care Mall".

The fake website offers a download for you as an executable file "archive.exe"

According to the AV products on the VirusTotal website, this is either the Zbot trojan (commonly known as Zeus) or Kazy.

(Click the image to go to the VirusTotal Report for this malware

MD5: a653ef80a47f5ec646a2ce0fdbc1068d

Trojan-Spy.Win32.Zbot.buax, Gen:Variant.Kazy.28222, Win32/Spy.Zbot.YW, Trojan/Win32.Zbot

I put the malware in our Malware Analysis VM and watched to see what it would do.

The version of the malware that I self-infected with made DNS calls for
the following domains, many of which have not yet been registered.

lrnsxmztnqiomiq.com
rqnorekziuhmsxr.biz
rqnorekziuhmsxr.org
vlolhmcjlpqntm.net
vlolhmcjlpqntm.com
zqpyuykzovrsjw.info
zqpyuykzovrsjw.biz
wzmkrojrutomsg.net
wzmkrojrutomsg.org
nnpgpskekyrtyoq.info
nnpgpskekyrtyoq.com
stqbbjuqsoefcpcq.biz
stqbbjuqsoefcpcq.com
xljpkdlnzniocjpu.info

It also modified many registry keys, primary related to Outlook Express, which means there was probably going to be some spamming going on if I left the infection up.

The only one of these I can tell that WAS registered was here...using a
privacy service.

Domain Name: LRNSXMZTNQIOMIQ.COM

Administrative Contact:
Reinecker, Beverly ap9cm76v4sv@nameprivacy.com
ATTN:
P.O. Box 430 c/o NameSecure
Herndon, VA 20171-430
US
570-708-8782

When it was live, it was hosted on 72.249.171.121.

Also seen on that IP, according to bfk.de, are:

www.realgirlfights.org CNAME realgirlfights.org
lrnsxmztnqiomiq.com A 72.249.171.121
wqonlrwkuswjzmm.net A 72.249.171.121
lmnqnxypfulhgxo.biz A 72.249.171.121
kmxpiylvojgjcus.biz A 72.249.171.121

That IP is Colo4Dallas LP (AS36024) in Dallas, Texas.

Steven Burn provided the following list of related domains, as well as the path which hosts their respective badness. Again, please don't follow these links unless you are a malware researcher in a safe environment.

cgywgtcwpngrzgk.net/news/?s=195341
cpgfkybtkljjwvsk.org/news/?s=195341
futplqwsqqiopntn.com/news/?s=195341
ijqrqinymhjsvr.net/news/?s=195341
imwftfprsbxzgiy.info/news/?s=195341
iruwoekurjzrpko.biz/news/?s=195341
jptptmlpqnzdnpl.biz/news/?s=195341
jtpknvosaiwoxqs.info/news/?s=195341
jwqqrkosoqqglvpk.biz/news/?s=195341
jxatmxeojvhwhvd.com/news/?s=195341
ktznowypsmswqtjl.net/news/?s=195341
kxzjfqomtyjhhhzr.com/news/?s=195341
lhourmoptjoejd.info/news/?s=195341
lqwryghqqpiujsp.com/news/?s=195341
mjeqpkukusnkkhtm.info/news/?s=195341
mpwpxgmpjqkrpfzd.biz/news/?s=195341
mrjuqpqqzqikin.org/news/?s=195341
nfumumsidtqtynr.com/news/?s=195341
oopmeozgtsxerenn.com/news/?s=195341
orelrxnwtuiuplhn.biz/news/?s=195341
ounwukdlrpflento.com/news/?s=195341
pluufpyllzrqpnot.com/news/?s=195341
ppjjvmomiiwtkyn.com/news/?s=195341
prminhfvfmsckzjw.info/news/?s=195341
psiscguokswppvys.biz/news/?s=195341
pxcoprkgsoeyoiej.info/news/?s=195341
quujzvhhutfvtlq.info/news/?s=195341
rcjemwpzhygppmuo.net/news/?s=195341
rggfymzrkzpnpsjl.com/news/?s=195341
rheovalxkdmspe.net/news/?s=195341
rhtjdemtypbpow.com/news/?s=195341
rnosovkotqwbk.info/news/?s=195341
rpjrewwqsditwtky.org/news/?s=195341
rwfstvftrzwwtjxu.info/news/?s=195341
rxtrpjvcuikyipt.net/news/?s=195341
sklyzjonvkikpjt.org/news/?s=195341
soilvjyksytnfp.net/news/?s=195341
ssmkoqkrgimsnwe.com/news/?s=195341
tjtoehpzjmtnigs.net/news/?s=195341
ttzoxhbzvgpijlwk.biz/news/?s=195341
twsrnyyfnvrqhht.org/news/?s=195341
ydvkmqunnnnwqop.info/news/?s=195341
yjlmfeinqhupvtnh.info/news/?s=195341
yphxjkymmnqynogh.com/news/?s=195341

FBI + Romanian DIICOT = 117 Search warrants and 100+ arrests

To contact us Click HERE
In one of the largest international cybercrime enforcement actions in history, the FBI and the Romanian DIICOT (Directorate for Investigating Infractions of Organized Crime and Terrorism) have performed at least 117 searches and arrested 21 in America and more than 90 in Romania.

All across Romania, scenes such as this were being conducted:

The Romanian news source that provided the photos above shared this quote with Adrian Hood, Chief Prosecutor of DIICOT, Craiova Territorial Service:

"Specifically, defendants are charged for activities from 2009 to 2011 involving posting notices of sale of fictitious, non-existent goods such as cars, motorcycles, boats, and electronics on e-commerce platforms such as www.eBay.com and www.craigslist.org through advertisements made with false information."

(See the Original story for the Romanian original of that quote...

The FBI has issued a press release on the matter today, Organized Romanian Criminal Groups Targeted by DOJ and Romanian Law Enforcement.

The case centers on criminals in Romania who would post luxury items and vehicles for sale on Internet auction websites, such as eBay. They would then instruct the potential buyer that for safety of the transaction they would be using an escrow service and provide them instructions to wire the funds to the escrow service, rather than making their payment through the auction company. US-based co-conspirators would then go pick up the money from American bank accounts. These intermediaries are called "money mules" in the US, but in Romanian cybercrime parlance they are referred to as "arrows."

According to the FBI Press Release . . . "Since May 2010, the FBI and the U.S. Attorney’s Office for the Southern District of Florida have arrested and prosecuted numerous individuals from Romania, Moldova and the United States allegedly involved in this fraud scheme. Vadim Gherghelejiu, 29, of Moldova; Anatolie Bisericanu, 25, of Moldova; Jairo Osorno, 22, of Surfside, Fla.; Jason Eibinder, 22, of Sunny Isles Beach, Fla.; and Ciprian Jdera, 25, of Romania, have been convicted in the Southern District of Florida of conspiracy to commit wire fraud."

On February 22, 2010, a Miami court returned an indictment against "Pedro Pulido, 41, of Pembroke Pines, Fla.; Ivan Boris Barkovic, 19, of Sunny Isles Beach; Beand Dorsainville, 20, of North Miami Beach, Fla.; Sergiu Petrov, aka “Serogia,” 27, of Moldova; Oleg Virlan, 32, of Moldova; Marian Cristea, 22, of Romania; and Andrian Olarita, 26, of Moldova, with conspiracy to commit wire fraud and substantive counts of wire fraud. Pulido, Barkovic, Dorsainville and Olarita have pleaded guilty to conspiracy to commit wire fraud. Petrov, Virlan and Cristea remain at large and are considered fugitives."

Romanian news is buzzing today with news of many search warrants being issued all over Romania.

FBI Searches Romania - 20 million dollars stolen by hackers in eight countries

Photographers were present at many of today's Romanian arrests . . .

Here a dentist, Horace Balanescu, and his wife are being arrested in Bumbesti-Jiu Romania:

(photos from "adevarul.ro")

Romanian news says that there were more than 1,000 victims who collectively lost more than $20 million USD.

We'll have more details here in the near future . . .

Congratulations to all of the fine agents in Romania and the FBI who took part in this historical arrest, and to those at eBay and Craigslist and other companies who assisted with information.