Saturday, 4 July 2009

Piradius.net / Yohost.org - black hat hosting?

Piradius.net is a web host in Malaysia that has cropped up a few times as hosts for this long-running scam.

It seems that this isn't an isolated case. Looking just one server at gives us a number of other fraudulent domains:

  • bestcrisisprices.com - fake ecommerce site registered to Michell.Gregory2009@yahoo.com that has been used for this fraud, this fraud and many others.
  • blizzard-battle.net - fake "World of Warcraft" login page, presumably designed to harvest usernames and passwords.
  • europemedicalnet.com - claims to be a German medical company, in reality it isn't. Purpose unclear, probably run by Manuel Fichter.
  • everyhit.info - front-end for the registry-cleaner-comparisons.com fraudware site.
  • evilcheats.org - registered to kingstonsmith@hushmail.com who is connected with many fraudulent and/or suspect sites.
  • excelcapitals.com - smart looking but suspect "get rich quick" site, apparently based in Panama.
  • flyappraisals.com - fake domain appraisals.
  • flyrating.com - fake domain appraisals.
  • germanymedicalnet.com - currently displaying text from the Pozde.com domain scam.
  • gooogled.com - appears to sell knock-off designer goods.
  • hellas-warez.com - "Warez" as in illegal software downloads.
  • hygetropin-hgh.com - Claims to export prescription drugs from China.
  • indigo-net.org - another "Kingston Smith" domain.
  • jessicassoftware.com - suspiciously cheap software.
  • maximizedlivingscam.com - another "Kingston Smith" domain.
  • nameorange.com - fake domain appraisals.
  • nextdayrelief.com - unconvincing "pharmacy" that claims to be in the US, but hosts in Malaysia
  • pedma.com - fake domain appraisals.
  • podzz.com - fake domain appraisals.
  • poker-bonus-codes.de - Kingston Smith again.
  • pozde.com - fake domain appraisals.
  • r4ishop.com - with prices in pounds sterling, it appears to be passing itself off as a UK-based electronics retailer. In reality, everything is anonymised and it could be based anywhere.
  • rc-chem.net - claims to be a Canadian supplier of steroids, a Google search on the domain is enlightening.
  • replica-prestigious-watches.com - fake designer watches.
  • tropicalnames.com - fake domain appraisals.
  • yohost.org - anonymous hosting.
In fact, it's the last domain "yohost.org" which gives a clue as to what is really going on. Yohost.org looks like a reseller of Piradius.net's hosting and it advertises itself as "100% anonymous hosting and anonymous DNS and domain name services" which is "beyond the reach of virtually any government or law enforcement agency."

If you Google for "anonymous hosting" then Yohost.org comes up as #4. So you can see where their customers are coming from.

Yohost.org also rents other servers from Piradius.net, and they show a mix of sites that appear to be very dodgy indeed, through to sites that appear legitimate.

They appear to run the following IPs and probably others too:

124.217.231.173
124.217.231.209
124.217.250.102
124.217.250.106

Hosting rubbish like this does not enhanced Piradius.net's reputation, they would really be better off booting Yohost.org in order to clean up their IP range.

Labels: , ,

posted by Conrad Longmore at 08:25

9 Comments:

Blogger joewein said...

Here is a sample email from info@europemedicalnet.com:

====
but everything is nothing without health (Arthur Schopenhauer - german philosopher)

Dear (FIRSTNAME LASTNAME),

as one of Europe´s leading healthcare providers we are proud to be able to offer you and every member of your family an exclusive membership with EUROPE MEDICAL NET - GERMANY.

We specialize in exclusive medical tourism to Germany and would like to offer you

- the best medical, surgical and dental services worldwide

and combine it with a

- pleasant trip to Germany.

We would be honoured to be able to serve and further assist you,

Sincerely yours,

EUROPE MEDICAL NET - GERMANY

http://europemedicalnet.com/

info@europemedicalnet.com
====

It would seem odd that "one of Europe´s leading healthcare providers" did not even own a website two months ago, as europemedicalnet.com was only registered on 25-may-2009. Also, they use a WHOIS proxy in Malaysia to obscure the registrant.

Their signup button takes you a PayPal subscription with a button ID of 6442622.

6 July 2009 00:10

 
Blogger AnonymousSpeech said...

Seems to me that this IP range traces to Malaysia.

I personally using www.AnonymousSpeech.com for any anonymous communication on the net.

6 July 2009 20:00

 
Blogger muhammad said...

Choose the best web hosting service from good companies providing quality web hosting service.



http://www.hostingseeq.com/

13 July 2009 14:50

 
Blogger shsaad said...

Please check this scam site as well www.investimates.com
As soon as the deposit hit 1M this site is closed.

24 August 2009 10:02

 
Blogger shsaad said...

Please check on this scam site as well www.investimates.com which is hosted by piradius.

24 August 2009 10:04

 
Blogger Paul Flask said...

thanks for the publicity, idiots

31 August 2009 03:01

 
Blogger gasteroid94 said...

wtf lol i host with them lOL and they host scam websites etc?

4 November 2009 05:17

 
Blogger KnowsBetter said...

RC-CHEM.NET is a straight up scam site

20 November 2009 03:59

 
Blogger Sundae said...

its seem that yohost.org had moved to others network. none of these IPs are working
124.217.231.173
124.217.231.209
124.217.250.102
124.217.250.106

check this out, the scammers are in UK now...
Pinging Yohost.org [194.8.75.116]
194.8.75.116 server location:
United Kingdom
194.8.75.116 ISP:
Dragonara Alliance Ltd

25 November 2009 16:44

 

Post a Comment

Subscribe to Post Comments [Atom]

<< Home