Forums » Up and Running » Security » Spam, Scam and Phishbusters » [Scam] Bogus anti-spyware site
MGD (Premium, MVM; joined 2002-07-31; Fort Lauderdale, FL), reply to justbits
Re: [Scam] Bogus anti-spyware site

Another fresh batch of the RBN Zlob variants. No wonder you hit on it with those search criteria. That page has the following keyword tags embedded:

<TITLE>Cell Phone Numbers Going Public</TITLE>

<META NAME="keywords" CONTENT="samsung cell phone, nokia cell phone accessories, british columbia phone book, reverse phone search free, reverse cell phone directory free, conference phone, activate new phone sprint, history of cell phone, sprint international phone cards, dayton ohio phone book, bellsouth residential phone numbers, water proof cell phone pouch, cell phone number reversal for canada, phone number for equifax credit, when was the cell phone invented, locating phone numbers, barb klapp cell mobile phone, fake phone service, mature phone sex, casio cell phone, video phone, business phone listing, lg chocolate phone, best cell phone companies, camera-less phone, cell phone pics, time warner cable phone internet, mini phone, comic animations on phone, free wireless phone internet speed evdo, reverse phone look, free trial phone chat, movie phone, cordless phone consumer report, reverse phone, cell phone backgrounds, cricket cell phone plan, united kingdom phone directory, motorola cordless phone, cellular phone locator, prepaid cell phone">
While the page you hit on, http://www.geocities.com/bkuaytccdo/cell-phone-numbers-going-public.html, pulls http://antispyware2008a.com

[Screenshot snapped 2008-07-09 18:00:04: antispyware2008a.com]


The previous directory, http://www.geocities.com/bkuaytccdo/, will send you to a Russian pharmacy drug peddler masquerading as a Canadian entity, currently using the domain soonmaster.com.

[Screenshot snapped 2008-07-09 17:59:45: soonmaster.com/]


Though antispyware2008a.com appears to be partnered with antispyware-2008-download.org, and both are hosted on IP 78.157.143.251 by VdHost Ltd./UltraNet, vdhost.biz, in Latvia:


inetnum:        78.157.143.128 - 78.157.143.255
netname:        VDHOST
descr:          VdHost Ltd.
descr:          abuse@vdhost.biz
country:        LV
admin-c:        AV2990-RIPE
tech-c:         UNHM-RIPE
status:         ASSIGNED PA
mnt-by:         UN-MNT
source:         RIPE # Filtered

role:           UltraNet Hostmaster
address:        UltraNet SIA
address:        Aizkraukles 23
address:        Riga, LV-1006
address:        Latvia
phone:          +371 67543003
fax-no:         +371 67594435
e-mail:         hostmaster@ultranet.lv
admin-c:        AS28817-RIPE
admin-c:        MS16883-RIPE
tech-c:         AS28817-RIPE
nic-hdl:        UNHM-RIPE
mnt-by:         UN-MNT
source:         RIPE # Filtered

person:         Arturs Vavilovs
address:        Riga
phone:          +371 29653077
e-mail:         admin@vdhost.biz
nic-hdl:        AV2990-RIPE
mnt-by:         UN-MNT
source:         RIPE # Filtered

% Information related to '78.157.128.0/19AS35057'

route:          78.157.128.0/19
descr:          SIA ULTRANET
origin:         AS35057
mnt-by:         UN-MNT
source:         RIPE # Filtered

.
The real nuts and bolts of the operation are hosted right next door on IP 78.157.143.250: »www.google.com/search?hl=en&q=78···e+Search


78.157.128.0-78.157.159.255 LV-ULTRANET-20070830 SIA ULTRANET

78.157.147.149 4637834.com
78.157.128.0/19 SIA ULTRANET
AS35057 UltraNet Ltd.
78.157.128.0-78.157.159.255 LV-ULTRANET-20070830 SIA ULTRANET

78.157.143.250

*.anti-spy-ware-2008.com
*.antispyware-2008-download.com
*.antispyware-2008.info
*.antispyware2008-download.com
*.antispyware2008.name
*.antispyware2008y.com
*.ns1.antispyware2008y.com
anti-spy-ware-2008.com
antispyware-2008-download.com
antispyware-2008.info
antispyware2008-download.com
antispyware2008.name
antispyware2008y.com
mail.anti-spy-ware-2008.com
mail.antispyware-2008-download.com
mail.antispyware-2008.info
mail.antispyware2008-download.com
mail.antispyware2008y.com
mail.ns1.antispyware2008y.com
ns1.anti-spy-ware-2008.com
ns1.antispyware-2008-download.com
ns1.antispyware-2008.info
ns1.antispyware2008-download.com
ns1.antispyware2008.name
ns1.antispyware2008y.com
ns2.anti-spy-ware-2008.com
ns2.antispyware-2008-download.com
ns2.antispyware-2008.info
ns2.antispyware2008-download.com
ns2.antispyware2008.name
ns2.antispyware2008y.com
www.anti-spy-ware-2008.com
www.antispyware-2008-download.com
www.antispyware-2008.info
www.antispyware2008-download.com
www.antispyware2008y.com


Not surprising that the antispyware2008a.com domain was registered with the notorious cyber criminal support services of EST Domains:


Results returned from whois.estdomains.com:

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: ANTISPYWARE2008A.COM

Registrant:
    OAO Dormash
    Nikolai Ilenko (nikolai.dormash@google.com)
    Moscow city
    Moscow
    Moskovskaya oblast,163622
    RU
    Tel. +7.4952001288
    Fax. +7.4952001290

Creation Date: 05-Jul-2008
Expiration Date: 05-Jul-2009

Domain servers in listed order:
    ns2.antispyware2008a.com
    ns1.antispyware2008a.com

Administrative Contact:
    OAO Dormash
    Nikolai Ilenko (nikolai.dormash@google.com)
    Moscow city
    Moscow
    Moskovskaya oblast,163622
    RU
    Tel. +7.4952001288
    Fax. +7.4952001290

Technical Contact:
    OAO Dormash
    Nikolai Ilenko (nikolai.dormash@google.com)
    Moscow city
    Moscow
    Moskovskaya oblast,163622
    RU
    Tel. +7.4952001288
    Fax. +7.4952001290

Billing Contact:
    OAO Dormash
    Nikolai Ilenko (nikolai.dormash@google.com)
    Moscow city
    Moscow
    Moskovskaya oblast,163622
    RU
    Tel. +7.4952001288
    Fax. +7.4952001290

Status: ACTIVE


A bogus domain registration containing information copied from a Ukrainian company, Dormash OAO, dormash.com: »translate.google.com/translate?u···ru&tl=en

The file download "setup.exe":

[Screenshot of the setup.exe download prompt; image not captured]

When submitted to VirusTotal it shows:

[Screenshot of the VirusTotal results; image not captured]

These are all part of the large group of hijack installs that try and force the victim to submit card data and pay to clean up a non-existent infection, at least prior to the download. Other members of the group are "AntiSpyCheck", etc.

MGD
-
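The two pivots MGD walks through above (reading the RIPE netblock objects for the hosting IP, then grouping the reverse-DNS listing of the neighbouring IP into the family of lookalike domains) are easy to script. The block below is an added example, not code from the post or from any tool named in it. The sample inputs are trimmed copies of the records quoted above, constructed here so the script runs offline; the function names and the `brand` argument (`antispyware2008`) are this example's own choices.

```python
"""Pivot helpers for the two lookups in the post: RIPE whois objects and a
reverse-DNS hostname listing. Added example; sample data is constructed."""
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the RIPE objects quoted in the post.
WHOIS_SAMPLE = """\
inetnum:        78.157.143.128 - 78.157.143.255
netname:        VDHOST
descr:          VdHost Ltd.
descr:          abuse@vdhost.biz
country:        LV
admin-c:        AV2990-RIPE
tech-c:         UNHM-RIPE
status:         ASSIGNED PA
mnt-by:         UN-MNT
source:         RIPE # Filtered

role:           UltraNet Hostmaster
address:        UltraNet SIA
address:        Riga, LV-1006
e-mail:         hostmaster@ultranet.lv
nic-hdl:        UNHM-RIPE
source:         RIPE # Filtered

% Information related to '78.157.128.0/19AS35057'

route:          78.157.128.0/19
descr:          SIA ULTRANET
origin:         AS35057
mnt-by:         UN-MNT
source:         RIPE # Filtered
"""

# Constructed sample: a subset of the reverse-DNS names the post lists for 78.157.143.250.
HOSTS_SAMPLE = """
*.anti-spy-ware-2008.com
anti-spy-ware-2008.com
mail.anti-spy-ware-2008.com
ns1.anti-spy-ware-2008.com
www.anti-spy-ware-2008.com
antispyware-2008-download.com
ns2.antispyware-2008-download.com
antispyware-2008.info
ns1.antispyware-2008.info
antispyware2008-download.com
www.antispyware2008-download.com
antispyware2008.name
ns2.antispyware2008.name
*.antispyware2008y.com
*.ns1.antispyware2008y.com
mail.ns1.antispyware2008y.com
www.antispyware2008y.com
"""


def parse_ripe(text):
    """Split RIPE-style whois output into objects.

    Objects are separated by blank lines; lines starting with '%' are server
    comments. Repeated attributes (descr, admin-c, address) keep every value,
    in order, so nothing an analyst might pivot on is silently dropped.
    Returns a list of dicts: attribute -> list of values."""
    objects, current = [], defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                objects.append(dict(current))
                current = defaultdict(list)
            continue
        if line.startswith("%"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()].append(value.strip())
    if current:
        objects.append(dict(current))
    return objects


def summarize_netblock(objects):
    """Pull the fields worth recording for a hosting pivot: the assignment
    (inetnum/netname/country), the announcing route and origin AS, and every
    mailbox that appears in descr: or e-mail: (abuse and hostmaster contacts)."""
    summary, emails = {}, set()
    for obj in objects:
        for key in ("inetnum", "netname", "country", "route", "origin"):
            if key in obj:
                summary[key] = obj[key][0]
        for value in obj.get("descr", []) + obj.get("e-mail", []):
            if "@" in value:
                emails.add(value.lower())
    summary["emails"] = sorted(emails)
    return summary


def registrable_domain(host):
    """Last two labels of a hostname, ignoring wildcard '*' labels. Adequate for
    the .com/.info/.name names here; for two-level public suffixes (.co.uk)
    use a public-suffix library instead."""
    labels = [l for l in host.lower().strip(".").split(".") if l != "*"]
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def cluster_hosts(text):
    """Group a reverse-DNS listing by registrable domain: domain -> sorted hostnames."""
    groups = defaultdict(set)
    for host in text.split():
        groups[registrable_domain(host)].add(host)
    return {d: sorted(h) for d, h in groups.items()}


def brand_core(domain):
    """Drop the TLD and every non-alphanumeric, so hyphenated and suffixed
    variants collapse onto the string they imitate (anti-spy-ware-2008 -> antispyware2008)."""
    return re.sub(r"[^a-z0-9]", "", domain.lower().rsplit(".", 1)[0])


def shares_brand(domains, brand):
    """Domains whose collapsed name contains `brand`; `brand` is an assumed
    analyst-supplied token, here the 'antispyware2008' string the family shares."""
    return sorted(d for d in domains if brand in brand_core(d))


if __name__ == "__main__":
    print(summarize_netblock(parse_ripe(WHOIS_SAMPLE)))
    clusters = cluster_hosts(HOSTS_SAMPLE)
    for domain in shares_brand(clusters, "antispyware2008"):
        print(domain, clusters[domain])
```

On the sample data the netblock summary yields the 78.157.143.128/25 assignment, origin AS35057 and the two contact mailboxes, and the hostname listing collapses to the six lookalike domains, every one of which carries the antispyware2008 token once hyphens and TLDs are stripped. Real whois output is rate-limited and wraps long values, so run `parse_ripe` on saved query output rather than live lookups in a loop.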
© 1999-2009 dslreports.com