justbits
[Scam] Bogus anti-spyware site

hxxp://antispyware2008a.com/scanner.php?p=1&c=1&e=1&aff=1151&sc=0

I'm not sure this is the right place to report this, but I found it interesting. The page was linked to by Google for the search term "all cell phone numbers are being released to telemarketing companies" by the original referring web site: hxxp://www.geocities.com/bkuaytccdo/cell-phone-numbers-going-public.html

The web page opens a bogus JavaScript anti-spyware scanner simulation.
It tries to trick you into keeping the page open as if it's actually scanning your machine. (It even reports a successful scan under Safari on Mac OS X.)
It tries to trick you into downloading and running a Setup.exe that automatically downloads when you click anywhere on a subsequent "analysis" page.


Oleg
Damn, fake scan looks real.


MGD
reply to justbits
Another fresh batch of the RBN Zlob variants. No wonder you hit on it with those search criteria. That page has the following keyword tags embedded:

<TITLE>Cell Phone Numbers Going Public</TITLE>

<META NAME="keywords" CONTENT="samsung cell phone, nokia cell phone accessories, british columbia phone book, reverse phone search free, reverse cell phone directory free, conference phone, activate new phone sprint, history of cell phone, sprint international phone cards, dayton ohio phone book, bellsouth residential phone numbers, water proof cell phone pouch, cell phone number reversal for canada, phone number for equifax credit, when was the cell phone invented, locating phone numbers, barb klapp cell mobile phone, fake phone service, mature phone sex, casio cell phone, video phone, business phone listing, lg chocolate phone, best cell phone companies, camera-less phone, cell phone pics, time warner cable phone internet, mini phone, comic animations on phone, free wireless phone internet speed evdo, reverse phone look, free trial phone chat, movie phone, cordless phone consumer report, reverse phone, cell phone backgrounds, cricket cell phone plan, united kingdom phone directory, motorola cordless phone, cellular phone locator, prepaid cell phone">

While the page you hit on, http://www.geocities.com/bkuaytccdo/cell-phone-numbers-going-public.html, pulls http://antispyware2008a.com


[Screenshot: antispyware2008a.com, snapped 2008-07-09 18:00:04]


the previous directory, http://www.geocities.com/bkuaytccdo/, will send you to a Russian pharmacy drug peddler masquerading as a Canadian entity, currently using the domain soonmaster.com.


[Screenshot: soonmaster.com/, snapped 2008-07-09 17:59:45]


antispyware2008a.com appears to be partnered with antispyware-2008-download.org, and both are hosted on IP 78.157.143.251 by VdHost Ltd. / UltraNet (vdhost.biz) in Latvia:


inetnum: 78.157.143.128 - 78.157.143.255
netname: VDHOST
descr: VdHost Ltd.
descr: abuse@vdhost.biz
country: LV
admin-c: AV2990-RIPE
tech-c: UNHM-RIPE
status: ASSIGNED PA
mnt-by: UN-MNT
source: RIPE # Filtered

role: UltraNet Hostmaster
address: UltraNet SIA
Aizkraukles 23
Riga, LV-1006
Latvia
phone: +371 67543003
fax-no: +371 67594435
e-mail: hostmaster@ultranet.lv
admin-c: AS28817-RIPE
admin-c: MS16883-RIPE
tech-c: AS28817-RIPE
nic-hdl: UNHM-RIPE
mnt-by: UN-MNT
source: RIPE # Filtered

person: Arturs Vavilovs
address: Riga
phone: +371 29653077
e-mail: admin@vdhost.biz
nic-hdl: AV2990-RIPE
mnt-by: UN-MNT
source: RIPE # Filtered

% Information related to '78.157.128.0/19AS35057'

route: 78.157.128.0/19
descr: SIA ULTRANET
origin: AS35057
mnt-by: UN-MNT
source: RIPE # Filtered

The real nuts and bolts of the operation are hosted right next door on IP 78.157.143.250: www.google.com/search?hl=en&q=78···e+Search


78.157.128.0-78.157.159.255 LV-ULTRANET-20070830 SIA ULTRANET

78.157.147.149 4637834.com
78.157.128.0/19 SIA ULTRANET
AS35057 UltraNet Ltd.
78.157.128.0-78.157.159.255 LV-ULTRANET-20070830 SIA ULTRANET

78.157.143.250

*.anti-spy-ware-2008.com
*.antispyware-2008-download.com
*.antispyware-2008.info
*.antispyware2008-download.com
*.antispyware2008.name
*.antispyware2008y.com
*.ns1.antispyware2008y.com
anti-spy-ware-2008.com
antispyware-2008-download.com
antispyware-2008.info
antispyware2008-download.com
antispyware2008.name
antispyware2008y.com
mail.anti-spy-ware-2008.com
mail.antispyware-2008-download.com
mail.antispyware-2008.info
mail.antispyware2008-download.com
mail.antispyware2008y.com
mail.ns1.antispyware2008y.com
ns1.anti-spy-ware-2008.com
ns1.antispyware-2008-download.com
ns1.antispyware-2008.info
ns1.antispyware2008-download.com
ns1.antispyware2008.name
ns1.antispyware2008y.com
ns2.anti-spy-ware-2008.com
ns2.antispyware-2008-download.com
ns2.antispyware-2008.info
ns2.antispyware2008-download.com
ns2.antispyware2008.name
ns2.antispyware2008y.com
www.anti-spy-ware-2008.com
www.antispyware-2008-download.com
www.antispyware-2008.info
www.antispyware2008-download.com
www.antispyware2008y.com


Not surprising that the antispyware2008a.com domain was registered with the notorious cyber criminal support services of EST Domains:


Results returned from whois.estdomains.com:

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: ANTISPYWARE2008A.COM

Registrant:
OAO Dormash
Nikolai Ilenko (nikolai.dormash@google.com)
Moscow city
Moscow
Moskovskaya oblast,163622
RU
Tel. +7.4952001288
Fax. +7.4952001290

Creation Date: 05-Jul-2008
Expiration Date: 05-Jul-2009

Domain servers in listed order:
ns2.antispyware2008a.com
ns1.antispyware2008a.com

Administrative Contact:
OAO Dormash
Nikolai Ilenko (nikolai.dormash@google.com)
Moscow city
Moscow
Moskovskaya oblast,163622
RU
Tel. +7.4952001288
Fax. +7.4952001290

Technical Contact:
OAO Dormash
Nikolai Ilenko (nikolai.dormash@google.com)
Moscow city
Moscow
Moskovskaya oblast,163622
RU
Tel. +7.4952001288
Fax. +7.4952001290

Billing Contact:
OAO Dormash
Nikolai Ilenko (nikolai.dormash@google.com)
Moscow city
Moscow
Moskovskaya oblast,163622
RU
Tel. +7.4952001288
Fax. +7.4952001290

Status: ACTIVE


A bogus domain registration containing information copied from a Ukrainian company, Dormash OAO, dormash.com: translate.google.com/translate?u···ru&tl=en

The file download "setup.exe" [screenshot not preserved], when submitted to VirusTotal, shows:

[VirusTotal results screenshot not preserved]
These are all part of the large group of hijack installs that try to force the victim to submit card data and pay to clean up a non-existent infection, at least prior to the download. Other members of the group are "AntiSpyCheck", etc.

MGD
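The RIPE output quoted in the post above is plain `attribute: value` objects separated by blank lines, with unlabelled continuation lines for postal addresses and `# Filtered` remarks on the source line. The following is an added example (not part of the thread or of any RIPE tool) that parses that format and pulls out what an abuse report needs: the contact addresses, the route/origin AS, and a check that the hosting IP named in the thread falls inside the assigned inetnum range. The sample input is a trimmed copy of the whois text quoted above, embedded here so the script runs offline.

```python
"""Parse RIPE-style whois output into objects and extract abuse-report facts.

Added example, not from the thread. SAMPLE_WHOIS is a trimmed copy of the
RIPE output quoted in the post, embedded as offline sample input.
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE_WHOIS = """\
inetnum: 78.157.143.128 - 78.157.143.255
netname: VDHOST
descr: VdHost Ltd.
descr: abuse@vdhost.biz
country: LV
admin-c: AV2990-RIPE
tech-c: UNHM-RIPE
status: ASSIGNED PA
mnt-by: UN-MNT
source: RIPE # Filtered

role: UltraNet Hostmaster
address: UltraNet SIA
Aizkraukles 23
Riga, LV-1006
Latvia
e-mail: hostmaster@ultranet.lv
admin-c: AS28817-RIPE
admin-c: MS16883-RIPE
nic-hdl: UNHM-RIPE
source: RIPE # Filtered

% Information related to '78.157.128.0/19AS35057'

route: 78.157.128.0/19
descr: SIA ULTRANET
origin: AS35057
mnt-by: UN-MNT
source: RIPE # Filtered
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_ripe_objects(text):
    """Split whois text into objects; a blank line or a '%' comment ends one.

    Each object is a dict mapping attribute -> list of values (in order), so
    repeated attributes such as two admin-c lines are both kept. A line with
    no colon (RIPE prints postal addresses that way) continues the previous
    attribute. Trailing '# ...' remarks such as 'RIPE # Filtered' are dropped.
    """
    objects, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("%"):
            if current:
                objects.append(dict(current))
            current, last_key = None, None
            continue
        if ":" in line:
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.split("#", 1)[0].strip()
            if current is None:
                current = defaultdict(list)
            current[key].append(value)
            last_key = key
        elif current is not None and last_key is not None:
            current[last_key][-1] += ", " + line
    if current:
        objects.append(dict(current))
    return objects


def object_type(obj):
    """The first attribute names the object class (inetnum, role, route, ...)."""
    return next(iter(obj))


def contact_emails(objects):
    """Every e-mail address found in any attribute value, deduplicated."""
    found = set()
    for obj in objects:
        for values in obj.values():
            for value in values:
                found.update(EMAIL_RE.findall(value))
    return sorted(found)


def route_origin(objects):
    """(prefix, origin AS) from the first route object, or None if absent."""
    for obj in objects:
        if object_type(obj) == "route":
            return obj["route"][0], obj["origin"][0]
    return None


def ip_in_inetnum(ip, inetnum):
    """True if ip lies inside a RIPE 'start - end' inetnum range."""
    start, _, end = inetnum.partition("-")
    lo, hi = ipaddress.ip_address(start.strip()), ipaddress.ip_address(end.strip())
    return lo <= ipaddress.ip_address(ip) <= hi


if __name__ == "__main__":
    objs = parse_ripe_objects(SAMPLE_WHOIS)
    print("objects:", [object_type(o) for o in objs])
    print("contacts:", contact_emails(objs))
    print("route/origin:", route_origin(objs))
    # The hosting IP named in the thread sits inside the assigned VDHOST range.
    print("78.157.143.250 in range:", ip_in_inetnum("78.157.143.250", objs[0]["inetnum"][0]))
```

Run it against the real output of `whois -h whois.ripe.net <ip>` by replacing `SAMPLE_WHOIS`; the parser tolerates the extra `%` comment lines RIPE prints, and keeping values as lists is what lets both `admin-c` handles and both `descr` lines survive.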


Doctor Four
reply to justbits
It should go without saying for most people here, but you should disable that link so that no one landing on this page accidentally follows it and gets infected.

Just change the http portion of the URL to hxxp.
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)
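The hxxp convention above is the manual version of what a report-writing script should do automatically before anything is pasted into a forum or ticket. The following is an added example, not code from the thread: it defangs every http(s) URL in a block of text and can reverse the change when an indicator has to be fed back into a tool. It goes one step beyond the post's advice by also bracketing the dots in the host name (the other common defanging convention) while leaving the path readable; it assumes URLs in the text are whitespace-delimited.

```python
"""Defang and refang URLs in report text so pasted links cannot be followed
by accident. Added example (not from the thread). Besides the hxxp scheme
from the post, dots in the host part become '[.]'; path and query stay as is.
"""
import re

# Assumption: URLs in the report are whitespace-delimited http(s) links.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
DEFANGED_RE = re.compile(r"hxxps?://[^\s<>\"']+", re.IGNORECASE)
# Punctuation that usually belongs to the sentence, not to the URL.
TRAILING = ".,;:!?)]}\"'"


def defang_url(url):
    """http -> hxxp (case preserved, https -> hxxps); '.' -> '[.]' in the host only."""
    scheme, sep, rest = url.partition("://")
    scheme = scheme[:1] + "xx" + scheme[3:]
    host, slash, path = rest.partition("/")
    return scheme + sep + host.replace(".", "[.]") + slash + path


def refang_url(url):
    """Inverse of defang_url, for handing the indicator back to a tool."""
    scheme, sep, rest = url.partition("://")
    scheme = scheme[:1] + "tt" + scheme[3:]
    return scheme + sep + rest.replace("[.]", ".")


def _rewrite(pattern, transform, text):
    """Apply transform to each match, keeping trailing punctuation outside."""
    def repl(m):
        url = m.group(0)
        core = url.rstrip(TRAILING)
        return transform(core) + url[len(core):]
    return pattern.sub(repl, text)


def defang_text(text):
    """Defang every live URL in free text."""
    return _rewrite(URL_RE, defang_url, text)


def refang_text(text):
    """Restore every defanged URL in free text."""
    return _rewrite(DEFANGED_RE, refang_url, text)


if __name__ == "__main__":
    # Constructed sample built from the URLs discussed in this thread.
    report = ("Page http://www.geocities.com/bkuaytccdo/cell-phone-numbers-going-public.html "
              "pulls http://antispyware2008a.com.")
    safe = defang_text(report)
    print(safe)
    print(refang_text(safe) == report)
```

Defanging the host rather than the whole URL keeps the query string (here the `aff=1151` affiliate parameter) legible for anyone comparing samples, while the bracketed dots stop auto-linkers that only look for `scheme://` from recognising the string even after someone "fixes" the scheme.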


© 1999-2012 dslreports.com