[Scam] Bogus anti-spyware site in Spam, Scam and Phishbusters http://www.dslreports.com/forum/r20765013 en Wed, 03 Dec 2008 03:02:51 EDT Wed, 03 Dec 2008 03:02:51 EDT Re: [Scam] Bogus anti-spyware site http://www.dslreports.com/forum/remark,20770825 Doctor Four : It should go without saying for most people here, but
you should disable that link so that no one landing on
this page accidentally follows it and gets infected.

Just change the http portion of the URL to hxxp.
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)
]]> http://www.dslreports.com/forum/remark,20770825 Thu, 10 Jul 2008 15:49:45 EDT Re: [Scam] Bogus anti-spyware site http://www.dslreports.com/forum/remark,20766028 MGD : Another fresh batch of the RBN Zlob variants, No wonder you hit on it with that search criteria. That page has the following keyword tags embedded:

TITLE Cell Phone Numbers Going Public TITLE

META NAME="keywords" CONTENT="samsung cell phone, nokia cell phone accessories, british columbia phone book, reverse phone search free, reverse cell phone directory free, conference phone, activate new phone sprint, history of cell phone, sprint international phone cards, dayton ohio phone book, bellsouth residential phone numbers, water proof cell phone pouch, cell phone number reversal for canada, phone number for equifax credit, when was the cell phone invented, locating phone numbers, barb klapp cell mobile phone, fake phone service, mature phone sex, casio cell phone, video phone, business phone listing, lg chocolate phone, best cell phone companies, camera-less phone, cell phone pics, time warner cable phone internet, mini phone, comic animations on phone, free wireless phone internet speed evdo, reverse phone look, free trial phone chat, movie phone, cordless phone consumer report, reverse phone, cell phone backgrounds, cricket cell phone plan, united kingdom phone directory, motorola cordless phone, cellular phone locator, prepaid cell phone
While the page you hit on >http://www.geocities.com/bkuaytccdo/cell-phone-numbers-going-public.html pulls >http://antispyware2008a.com

Snapped 2008-07-09 18:00:04

»antispyware2008a.com


the previous directory >http://www.geocities.com/bkuaytccdo/ will send you to a Russian pharmacy drug peddler masquerading as a Canadian entity. Currently using the domain soonmaster.com

Snapped 2008-07-09 17:59:45

»soonmaster.com/


Though antispyware2008a.com appears to be partnered with antispyware-2008-download.org and both hosted on IP 78.157.143.251 by VdHost Ltd./ UltraNet, vdhost.biz in Latvia:


inetnum: 78.157.143.128 - 78.157.143.255
netname: VDHOST
descr: VdHost Ltd.
descr: abuse@vdhost.biz
country: LV
admin-c: AV2990-RIPE
tech-c: UNHM-RIPE
status: ASSIGNED PA
mnt-by: UN-MNT
source: RIPE # Filtered
.
role: UltraNet Hostmaster
address: UltraNet SIA
Aizkraukles 23
Riga, LV-1006
Latvia
phone: +371 67543003
fax-no: +371 67594435
e-mail: hostmaster@ultranet.lv
admin-c: AS28817-RIPE
admin-c: MS16883-RIPE
tech-c: AS28817-RIPE
nic-hdl: UNHM-RIPE
mnt-by: UN-MNT
source: RIPE # Filtered
.
person: Arturs Vavilovs
address: Riga
phone: +371 29653077
e-mail: admin@vdhost.biz
nic-hdl: AV2990-RIPE
mnt-by: UN-MNT
source: RIPE # Filtered
.
% Information related to '78.157.128.0/19AS35057'
.
route: 78.157.128.0/19
descr: SIA ULTRANET
origin: AS35057
mnt-by: UN-MNT
source: RIPE # Filtered

.
The real nuts and bolts of the operation are hosted right nextdoor on IP 78.157.143.250: »www.google.com/search?hl=en&q=78···e+Search


78.157.128.0-78.157.159.255 LV-ULTRANET-20070830 SIA ULTRANET
. 
 
78.157.147.149 4637834.com
78.157.128.0/19 SIA ULTRANET
AS35057 UltraNet Ltd. 
78.157.128.0-78.157.159.255 LV-ULTRANET-20070830 SIA ULTRANET
.  
78.157.143.250 
.
*.anti-spy-ware-2008.com    
*.antispyware-2008-download.com    
*.antispyware-2008.info     
*.antispyware2008-download.com     
*.antispyware2008.name     
*.antispyware2008y.com     
*.ns1.antispyware2008y.com     
anti-spy-ware-2008.com    
antispyware-2008-download.com    
antispyware-2008.info    
antispyware2008-download.com    
antispyware2008.name     
antispyware2008y.com     
mail.anti-spy-ware-2008.com     
mail.antispyware-2008-download.com     
mail.antispyware-2008.info     
mail.antispyware2008-download.com    
mail.antispyware2008y.com    
mail.ns1.antispyware2008y.com    
ns1.anti-spy-ware-2008.com    
ns1.antispyware-2008-download.com   
ns1.antispyware-2008.info    
ns1.antispyware2008-download.com   
ns1.antispyware2008.name   
ns1.antispyware2008y.com   
ns2.anti-spy-ware-2008.com  
ns2.antispyware-2008-download.com    
ns2.antispyware-2008.info    
ns2.antispyware2008-download.com   
ns2.antispyware2008.name    
ns2.antispyware2008y.com    
www.anti-spy-ware-2008.com  
www.antispyware-2008-download.com   
www.antispyware-2008.info
www.antispyware2008-download.com  
www.antispyware2008y.com


Not suprising that the antispyware2008a.com domain was registered with the notorious cyber criminal support services of EST Domains:


Results returned from whois.estdomains.com:
.
Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: >http://www.estdomains.com
 
Domain Name: ANTISPYWARE2008A.COM 
.
Registrant:
    OAO Dormash
    Nikolai Ilenko        (nikolai.dormash@google.com)
    Moscow city
    Moscow
    Moskovskaya oblast,163622
    RU
    Tel. +7.4952001288
    Fax. +7.4952001290
.
Creation Date: 05-Jul-2008  
Expiration Date: 05-Jul-2009
.
Domain servers in listed order:
    ns2.antispyware2008a.com
    ns1.antispyware2008a.com
 
.
Administrative Contact:
    OAO Dormash
    Nikolai Ilenko        (nikolai.dormash@google.com)
    Moscow city
    Moscow
    Moskovskaya oblast,163622
    RU
    Tel. +7.4952001288
    Fax. +7.4952001290
.
Technical Contact:
    OAO Dormash
    Nikolai Ilenko        (nikolai.dormash@google.com)
    Moscow city
    Moscow
    Moskovskaya oblast,163622
    RU
    Tel. +7.4952001288
    Fax. +7.4952001290
.
Billing Contact:
    OAO Dormash
    Nikolai Ilenko        (nikolai.dormash@google.com)
    Moscow city
    Moscow
    Moskovskaya oblast,163622
    RU
    Tel. +7.4952001288
    Fax. +7.4952001290
.
Status:ACTIVE


A bogus domain registration containing information copied from an Ukrainian company Dormash OAO, dormash.com: »translate.google.com/translate?u···ru&tl=en

The file download "setup.exe"

[att=1]

when submitted to VirusTotal shows:

[att=2][att=3]

These are all part of the large group of hijack installs that try and force the victim to submit card data and pay to clean up a non existant infection, at least prior tot he download Other members of the group are "AntiSpyCheck", etc.

MGD
Click for full size
]]> http://www.dslreports.com/forum/remark,20766028 Wed, 09 Jul 2008 18:05:48 EDT Re: [Scam] Bogus anti-spyware site http://www.dslreports.com/forum/remark,20765143 Oleg : Dam fake scan looks real :p]]> http://www.dslreports.com/forum/remark,20765143 Wed, 09 Jul 2008 15:32:37 EDT [Scam] Bogus anti-spyware site http://www.dslreports.com/forum/remark,20765013 justbits : hxxp://antispyware2008a.com/scanner.php?p=1&c=1&e=1&aff=1151&sc=0

I'm not sure this is the right place to report this, but I found it interesting. The page was linked to by Google for the search term: "all cell phone numbers are being released to telemarketing companies" by the original referring web site: hxxp://www.geocities.com/bkuaytccdo/ cell-phone-numbers-going-public.html

The web page opens a bogus javascript anti spyware scanner simulation.
It tries to trick you into keeping the page open as if it's actually scanning your machine. (It even reports a successful scan under Safari on Mac OS X.)
It tries to trick you into downloading and running a Setup.exe that automatically downloads when you click on anywhere on a subsequent "analysis" page.]]> http://www.dslreports.com/forum/remark,20765013 Wed, 09 Jul 2008 15:10:18 EDT