Search:  

 
theme to white backgroundlet page decide theme
HomeFind ServiceReviewsISP NewsFAQsForumsToolsDatabaseAbout 
 
   All ForumsHot TopicsGallery






how-to block ads


 
Forums » Up and Running » Security » Spam, Scam and Phishbusters » [Scam] Bogus anti-spyware site
Uniqs:
2225		 Share Topic:
RSS topic:
toggle:
flat / full
normal / watch
Posting:
Post a:
Post a:
Links: ·Phish Tracker ·Anti-Phishing Work Group ·Avoid Phishing
[Credit Card Fraud] fraud: www.prophotosland.com & www.photogey »
« Bogus Bank of America notice  

justbits
More fiber than ATT can handle
Premium
join:2003-01-08
Chicago, IL
·AT&T Midwest

1 edit

[Scam] Bogus anti-spyware site

hxxp://antispyware2008a.com/scanner.php?p=1&c=1&e=1&aff=1151&sc=0

I'm not sure this is the right place to report this, but I found it interesting. The page was linked to by Google for the search term: "all cell phone numbers are being released to telemarketing companies" by the original referring web site: hxxp://www.geocities.com/bkuaytccdo/ cell-phone-numbers-going-public.html

The web page opens a bogus javascript anti spyware scanner simulation.
It tries to trick you into keeping the page open as if it's actually scanning your machine. (It even reports a successful scan under Safari on Mac OS X.)
It tries to trick you into downloading and running a Setup.exe that automatically downloads when you click on anywhere on a subsequent "analysis" page.
permalink · 2008-07-09 15:10:18 · Print · Reply to this

Oleg
Bellsouth Fastaccess
Premium
join:2003-12-08
Birmingham, AL
1 edit

Re: [Scam] Bogus anti-spyware site

Dam fake scan looks real
permalink · 2008-07-09 15:32:37 · Reply to this
MGD
Premium,MVM
join:2002-07-31
Fort Lauderdale, FL

3 edits		Another fresh batch of the RBN Zlob variants, No wonder you hit on it with that search criteria. That page has the following keyword tags embedded:

TITLE Cell Phone Numbers Going Public TITLE

META NAME="keywords" CONTENT="samsung cell phone, nokia cell phone accessories, british columbia phone book, reverse phone search free, reverse cell phone directory free, conference phone, activate new phone sprint, history of cell phone, sprint international phone cards, dayton ohio phone book, bellsouth residential phone numbers, water proof cell phone pouch, cell phone number reversal for canada, phone number for equifax credit, when was the cell phone invented, locating phone numbers, barb klapp cell mobile phone, fake phone service, mature phone sex, casio cell phone, video phone, business phone listing, lg chocolate phone, best cell phone companies, camera-less phone, cell phone pics, time warner cable phone internet, mini phone, comic animations on phone, free wireless phone internet speed evdo, reverse phone look, free trial phone chat, movie phone, cordless phone consumer report, reverse phone, cell phone backgrounds, cricket cell phone plan, united kingdom phone directory, motorola cordless phone, cellular phone locator, prepaid cell phone
While the page you hit on >http://www.geocities.com/bkuaytccdo/cell-phone-numbers-going-public.html pulls >http://antispyware2008a.com

Snapped 2008-07-09 18:00:04

»antispyware2008a.com


the previous directory >http://www.geocities.com/bkuaytccdo/ will send you to a Russian pharmacy drug peddler masquerading as a Canadian entity. Currently using the domain soonmaster.com

Snapped 2008-07-09 17:59:45

»soonmaster.com/


Though antispyware2008a.com appears to be partnered with antispyware-2008-download.org and both hosted on IP 78.157.143.251 by VdHost Ltd./ UltraNet, vdhost.biz in Latvia:


inetnum: 78.157.143.128 - 78.157.143.255
netname: VDHOST
descr: VdHost Ltd.
descr: abuse@vdhost.biz
country: LV
admin-c: AV2990-RIPE
tech-c: UNHM-RIPE
status: ASSIGNED PA
mnt-by: UN-MNT
source: RIPE # Filtered
.
role: UltraNet Hostmaster
address: UltraNet SIA
Aizkraukles 23
Riga, LV-1006
Latvia
phone: +371 67543003
fax-no: +371 67594435
e-mail: hostmaster@ultranet.lv
admin-c: AS28817-RIPE
admin-c: MS16883-RIPE
tech-c: AS28817-RIPE
nic-hdl: UNHM-RIPE
mnt-by: UN-MNT
source: RIPE # Filtered
.
person: Arturs Vavilovs
address: Riga
phone: +371 29653077
e-mail: admin@vdhost.biz
nic-hdl: AV2990-RIPE
mnt-by: UN-MNT
source: RIPE # Filtered
.
% Information related to '78.157.128.0/19AS35057'
.
route: 78.157.128.0/19
descr: SIA ULTRANET
origin: AS35057
mnt-by: UN-MNT
source: RIPE # Filtered

.
The real nuts and bolts of the operation are hosted right nextdoor on IP 78.157.143.250: »www.google.com/search?hl=en&q=78···e+Search


78.157.128.0-78.157.159.255 LV-ULTRANET-20070830 SIA ULTRANET
.

78.157.147.149 4637834.com
78.157.128.0/19 SIA ULTRANET
AS35057 UltraNet Ltd.
78.157.128.0-78.157.159.255 LV-ULTRANET-20070830 SIA ULTRANET
.
78.157.143.250
.
*.anti-spy-ware-2008.com
*.antispyware-2008-download.com
*.antispyware-2008.info
*.antispyware2008-download.com
*.antispyware2008.name
*.antispyware2008y.com
*.ns1.antispyware2008y.com
anti-spy-ware-2008.com
antispyware-2008-download.com
antispyware-2008.info
antispyware2008-download.com
antispyware2008.name
antispyware2008y.com
mail.anti-spy-ware-2008.com
mail.antispyware-2008-download.com
mail.antispyware-2008.info
mail.antispyware2008-download.com
mail.antispyware2008y.com
mail.ns1.antispyware2008y.com
ns1.anti-spy-ware-2008.com
ns1.antispyware-2008-download.com
ns1.antispyware-2008.info
ns1.antispyware2008-download.com
ns1.antispyware2008.name
ns1.antispyware2008y.com
ns2.anti-spy-ware-2008.com
ns2.antispyware-2008-download.com
ns2.antispyware-2008.info
ns2.antispyware2008-download.com
ns2.antispyware2008.name
ns2.antispyware2008y.com
www.anti-spy-ware-2008.com
www.antispyware-2008-download.com
www.antispyware-2008.info
www.antispyware2008-download.com
www.antispyware2008y.com


Not suprising that the antispyware2008a.com domain was registered with the notorious cyber criminal support services of EST Domains:


Results returned from whois.estdomains.com:
.
Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: >http://www.estdomains.com

Domain Name: ANTISPYWARE2008A.COM
.
Registrant:
    OAO Dormash
    Nikolai Ilenko        (nikolai.dormash@google.com)
    Moscow city
    Moscow
    Moskovskaya oblast,163622
    RU
    Tel. +7.4952001288
    Fax. +7.4952001290
.
Creation Date: 05-Jul-2008
Expiration Date: 05-Jul-2009
.
Domain servers in listed order:
    ns2.antispyware2008a.com
    ns1.antispyware2008a.com

.
Administrative Contact:
    OAO Dormash
    Nikolai Ilenko        (nikolai.dormash@google.com)
    Moscow city
    Moscow
    Moskovskaya oblast,163622
    RU
    Tel. +7.4952001288
    Fax. +7.4952001290
.
Technical Contact:
    OAO Dormash
    Nikolai Ilenko        (nikolai.dormash@google.com)
    Moscow city
    Moscow
    Moskovskaya oblast,163622
    RU
    Tel. +7.4952001288
    Fax. +7.4952001290
.
Billing Contact:
    OAO Dormash
    Nikolai Ilenko        (nikolai.dormash@google.com)
    Moscow city
    Moscow
    Moskovskaya oblast,163622
    RU
    Tel. +7.4952001288
    Fax. +7.4952001290
.
Status:ACTIVE


A bogus domain registration containing information copied from an Ukrainian company Dormash OAO, dormash.com: »translate.google.com/translate?u···ru&tl=en

The file download "setup.exe"




when submitted to VirusTotal shows:





These are all part of the large group of hijack installs that try and force the victim to submit card data and pay to clean up a non existant infection, at least prior tot he download Other members of the group are "AntiSpyCheck", etc.

MGD
permalink · 2008-07-09 18:05:48 · Print · Reply to this

Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
·AT&T U-Verse

 It should go without saying for most people here, but
you should disable that link so that no one landing on
this page accidentally follows it and gets infected.

Just change the http portion of the URL to hxxp.
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)
permalink · 2008-07-10 15:49:45 · Reply to this
Forums » Up and Running » Security » Spam, Scam and Phishbusters[Credit Card Fraud] fraud: www.prophotosland.com & www.photogey »
« Bogus Bank of America notice  

Tuesday, 01-Dec 01:53:12 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 10 years online! © 1999-2009 dslreports.com.
page compression OFF
Most commented news this week
· [56] Baltimore To Ban Lazy Cable Installs
· [47] Broadband Killed The Game Console
· [33] Rural Carriers Quickly Embracing Fiber
· [28] AT&T Top Lobbyist Cicconi Has His Feelings Hurt
· [24] Charter Exits Chapter 11
· [21] Midcontinent Socked With Easement Lawsuit
· [3] Monday Morning Links
· [2] Monday Evening Links
Most people now reading
· Heating - my dad gave me this advice... [Home Repair & Improvement]
· Windows 7 boot manager editing questions [Microsoft Help]
· Connecting to Google Voice Via SIP [VOIP Tech Chat]
· Is Microsoft Technet ok to use for my family PC's? [Microsoft Help]
· Considering Leaving Vonage, who should I Consider? [VOIP Tech Chat]
· persistent connection to qw-in-f113.1e100.net on boot [Security]
· ToC 4th boss - Preliminary Strategy for Twin Valkyr [World of Warcraft]
· Are GPS's better today? [General Questions]
· Fun screwing with PuG raids. [World of Warcraft]