Forums » Up and Running » Security » Spam, Scam and Phishbusters » [Scam] Bogus anti-spyware site
MGD (Premium, MVM; joined 2002-07-31; Fort Lauderdale, FL)
July 9th, @06:12PM
reply to justbits

Re: [Scam] Bogus anti-spyware site

Another fresh batch of the RBN Zlob variants. No wonder you hit on it with those search criteria. That page has the following keyword tags embedded:

<TITLE>Cell Phone Numbers Going Public</TITLE>

<META NAME="keywords" CONTENT="samsung cell phone, nokia cell phone accessories, british columbia phone book, reverse phone search free, reverse cell phone directory free, conference phone, activate new phone sprint, history of cell phone, sprint international phone cards, dayton ohio phone book, bellsouth residential phone numbers, water proof cell phone pouch, cell phone number reversal for canada, phone number for equifax credit, when was the cell phone invented, locating phone numbers, barb klapp cell mobile phone, fake phone service, mature phone sex, casio cell phone, video phone, business phone listing, lg chocolate phone, best cell phone companies, camera-less phone, cell phone pics, time warner cable phone internet, mini phone, comic animations on phone, free wireless phone internet speed evdo, reverse phone look, free trial phone chat, movie phone, cordless phone consumer report, reverse phone, cell phone backgrounds, cricket cell phone plan, united kingdom phone directory, motorola cordless phone, cellular phone locator, prepaid cell phone">
While the page you hit on, http://www.geocities.com/bkuaytccdo/cell-phone-numbers-going-public.html, pulls http://antispyware2008a.com

[Screenshot snapped 2008-07-09 18:00:04: antispyware2008a.com]

the previous directory, http://www.geocities.com/bkuaytccdo/, will send you to a Russian pharmacy drug peddler masquerading as a Canadian entity, currently using the domain soonmaster.com.

[Screenshot snapped 2008-07-09 17:59:45: soonmaster.com/]


Though antispyware2008a.com appears to be partnered with antispyware-2008-download.org, and both are hosted on IP 78.157.143.251 by VdHost Ltd. / UltraNet, vdhost.biz, in Latvia:

inetnum: 78.157.143.128 - 78.157.143.255
netname: VDHOST
descr: VdHost Ltd.
descr: abuse@vdhost.biz
country: LV
admin-c: AV2990-RIPE
tech-c: UNHM-RIPE
status: ASSIGNED PA
mnt-by: UN-MNT
source: RIPE # Filtered

role: UltraNet Hostmaster
address: UltraNet SIA
Aizkraukles 23
Riga, LV-1006
Latvia
phone: +371 67543003
fax-no: +371 67594435
e-mail: hostmaster@ultranet.lv
admin-c: AS28817-RIPE
admin-c: MS16883-RIPE
tech-c: AS28817-RIPE
nic-hdl: UNHM-RIPE
mnt-by: UN-MNT
source: RIPE # Filtered

person: Arturs Vavilovs
address: Riga
phone: +371 29653077
e-mail: admin@vdhost.biz
nic-hdl: AV2990-RIPE
mnt-by: UN-MNT
source: RIPE # Filtered

% Information related to '78.157.128.0/19AS35057'

route: 78.157.128.0/19
descr: SIA ULTRANET
origin: AS35057
mnt-by: UN-MNT
source: RIPE # Filtered

The real nuts and bolts of the operation are hosted right next door on IP 78.157.143.250: »www.google.com/search?hl=en&q=78···e+Search

Not surprising that the antispyware2008a.com domain was registered with the notorious cyber criminal support services of EST Domains:

Results returned from whois.estdomains.com:

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: ANTISPYWARE2008A.COM

Registrant:
OAO Dormash
Nikolai Ilenko (nikolai.dormash@google.com)
Moscow city
Moscow
Moskovskaya oblast,163622
RU
Tel. +7.4952001288
Fax. +7.4952001290

Creation Date: 05-Jul-2008
Expiration Date: 05-Jul-2009

Domain servers in listed order:
ns2.antispyware2008a.com
ns1.antispyware2008a.com

Administrative Contact:
OAO Dormash
Nikolai Ilenko (nikolai.dormash@google.com)
Moscow city
Moscow
Moskovskaya oblast,163622
RU
Tel. +7.4952001288
Fax. +7.4952001290

Technical Contact:
OAO Dormash
Nikolai Ilenko (nikolai.dormash@google.com)
Moscow city
Moscow
Moskovskaya oblast,163622
RU
Tel. +7.4952001288
Fax. +7.4952001290

Billing Contact:
OAO Dormash
Nikolai Ilenko (nikolai.dormash@google.com)
Moscow city
Moscow
Moskovskaya oblast,163622
RU
Tel. +7.4952001288
Fax. +7.4952001290

Status:ACTIVE


A bogus domain registration containing information copied from a Ukrainian company, Dormash OAO, dormash.com: »translate.google.com/translate?u···ru&tl=en

The file download "setup.exe", when submitted to VirusTotal, shows:

[VirusTotal results were attached as an image that is not preserved here]

These are all part of the large group of hijack installs that try and force the victim to submit card data and pay to clean up a non-existent infection, at least prior to the download. Other members of the group are "AntiSpyCheck", etc.

MGD
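An added example (my own code, not from the post or from dslreports): a small Python triage check for the keyword stuffing MGD points out in the geocities page, usable when sifting crawl or proxy captures for similar lure pages. The sample HTML is a trimmed excerpt of the tag quoted above, and the thresholds are assumptions.

```python
"""Keyword-stuffing triage for pages like the geocities one described above.

Its <meta name="keywords"> tag held dozens of phrases all built around one
word ("phone"); a density score makes that a cheap crawl/proxy triage signal.
Thresholds are assumptions, not published values."""
from collections import Counter
from html.parser import HTMLParser

# Constructed sample: a trimmed excerpt of the keyword tag quoted in the post.
SAMPLE_HTML = """<html><head>
<TITLE>Cell Phone Numbers Going Public</TITLE>
<META NAME="keywords" CONTENT="samsung cell phone, nokia cell phone accessories,
british columbia phone book, reverse phone search free, reverse cell phone directory free,
conference phone, activate new phone sprint, history of cell phone,
sprint international phone cards, dayton ohio phone book,
bellsouth residential phone numbers, prepaid cell phone">
</head><body></body></html>"""

class _MetaKeywords(HTMLParser):
    """Collects the content of every <meta name="keywords"> tag (any letter case)."""
    def __init__(self):
        super().__init__()
        self.phrases = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lower-cases tag and attribute names; values are kept as-is.
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "keywords":
            self.phrases += [p.strip().lower() for p in a.get("content", "").split(",") if p.strip()]

def keyword_stuffing_score(html):
    """Return phrase count, the most repeated word, and the share of phrases containing it."""
    parser = _MetaKeywords()
    parser.feed(html)
    phrases = parser.phrases
    if not phrases:
        return {"phrases": 0, "top_word": None, "share": 0.0}
    # Count a word once per phrase so a single long phrase cannot dominate.
    words = Counter(w for ph in phrases for w in set(ph.split()))
    top_word, hits = words.most_common(1)[0]
    return {"phrases": len(phrases), "top_word": top_word, "share": hits / len(phrases)}

def is_stuffed(html, min_phrases=10, min_share=0.8):
    """Flag a page whose keyword tag has many phrases that almost all repeat one word."""
    score = keyword_stuffing_score(html)
    return score["phrases"] >= min_phrases and score["share"] >= min_share

if __name__ == "__main__":
    print(keyword_stuffing_score(SAMPLE_HTML), is_stuffed(SAMPLE_HTML))
```

On the excerpt every phrase contains "phone", so the share is 1.0 and the page is flagged; a two-phrase tag like "news, weather" stays below the phrase threshold and is not.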
© 1999-2008 dslreports.com