Tuesday, 28 July 2009

MS09-034 is coming..

Just a reminder that Microsoft are announcing an out-of-band patch today to fix a critical IE / Visual Studio flaw. If you manually authorise updates to client PCs via WSUS, then you will need to break the usual schedule and deploy this as soon as you can.

More info here and here.

Friday, 24 July 2009

"Best Crisis Prices": dotbestshop.com / bestcrisisprices.com fake shops

I mentioned bestcrisesprices.com a few weeks ago, and it seems that they have a new domain called dotbestshop.com which is also a fake ecommerce site.


Both sites are hosted on an an anonymous hosting account at 124.217.231.121 in Malaysia, the domain contact details are either anonymous or fake. The contact details on the website are also fake, and have been stolen from legitimate businesses.

It claims to be a member of the BBB, but it isn't as the BBB reports that it is mis-using their logo.

This is part of a large organized crime ring, nominally connected with China. Although it claims to be based in Louisiana, there is no evidence at all that this is a US operation. Avoid dealing with them at all costs.

Thursday, 23 July 2009

Even the bad guys need a back office

Last November, I posted a warning about Ran-De-Vou which was recruiting for translators.. the problem being that the company was part of an organised crime ring and the translations themselves were aided phishing and the like.

Well, "Juice" gave them a go and the result is this interesting insight into the bad guys' back office functions.. enjoy!

"Real Host Ltd" is a real sewer

"Real Host Ltd" occupies 256 IP addresses in the 213.182.197.* range, hosted in Latvia in an address space apparently leased from Junik Ltd.

The netblock registration details claim to belong to an address in Kazakhstan:

person: Alex Spiridonov
address: Kazakhstan, Almaty , Abay street 2a
abuse-mailbox: abusemailhost@gmail.com
phone: + 87771697576
nic-hdl: SA5926-RIPE
source: RIPE # Filtered

This block is of interest because out of hundreds of web sites hosted, there appear to be none at all which are legitimate. And out of all of these, Hit-senders.cn is one of the most interesting because it is currently being used for a zero day Flash/PDF exploit. Many domains are registered to Michell.Gregory2009@yahoo.com who has featured on this blog many times before.

Some other interesting domains are Cashspyware.com, Botnet.su and Iframepartners.com which are pretty much openly operating as black hat sites.

All of these sites are either fraudulent, dangerous to visit or both - so if you receive an email or link pointing to them, leave well alone!

213.182.197.10
Vkontalcte.ru, Private Person, admin@0neway.ru

213.182.197.11
Index683.com, Registration suspended
Presentsdelivery.com, Private Person, abuseemaildhcp@gmail.com

213.182.197.12
Barmatuxa.info, Brad Higginbotham, EmersonDuffyZP@gmail.com
Bombim.cn, KuserElizabeth, eakuser@yahoo.com
Decine.cn, realmaria teresa, popeskusin@yahoo.com

213.182.197.13
0neway.ru, Private Person, onewayru@ya.ru
2todays.com, PrivacyProtect.org
2trades.com, alan pakerson, apakerson@googlemail.com
Adulttopvids.info, Lorraine Hoguseir / LueMettterTeam, lorrainefactr@gmail.com
Caffemax.com, Private Person, abuseemaildhcp@gmail.com
Clicksvideo.com, PrivacyProtect.org
Cutietubeee.com, Mark Cristy, evilinside99@gmail.com
Dasper.ru, Sergey V Levitskiy, levitcky@gmail.com
Dataartsoft.com, John A Backham , igusow@gmail.com
Dslcaffe.com, Private Person, abuseemaildhcp@gmail.com
Freegirla.com, PrivacyProtect.org
Fucksexadult.com, PrivacyProtect.org
Gauleyriverraftinginfo.com, Gordon Freeman, evilinside20@gmail.com
Googep.com, PrivacyProtect.org
Homemadez.com, PrivacyProtect.org
Informatoion.com, Tamara Polishuk, kenylotus@yahoo.com
Insky.biz, PrivacyProtect.org
Koka-tube.info, Budulay Romale, budulay_romale@inbox.ru
Linktovideo.com, PrivacyProtect.org
Mac-videos.com, PrivacyProtect.org
Major-don.com, Carl Lee, levitraviagrashop@rambler.ru
Masstrade.us, Yuri, sypiboryrecinih15976@gmail.com
Myspnace.com, PrivacyProtect.org
Odnoklassniki-and-you.ru, Private Person, newlive09@yandex.ru
Online-defence.cn, GuferDerek, asyonurubu@gmail.com
Onlylo.com, PrivacyProtect.org
Photovideox.com, PrivacyProtect.org
Playtstation.com, PrivacyProtect.org
Pornsamateur.com, PrivacyProtect.org
Serialtxt.com, Breitenbach Margery, breitenbach621@yahoo.com
Sexlevitra.com, Carl Lee, levitraviagrashop@rambler.ru
Sexmamba.com, Igor Bogdanov, Igor
Singleslady.com, Registration suspended
Soundrugs.ru, Private Person, workalliance@mail.ru
Tdssim.com, Djon Digan, major.leva@yahoo.com
Thehat.net, Carl Padilla, thehatnkm@gmail.com
Tube84.com, PrivacyProtect.org
Tubeee.com, Whois Privacy Protection Service
Viagrabe.com, PrivacyProtect.org
Video-tube-online.info, Budulay Romale, budulay_romale@inbox.ru
Videomoviex.com, PrivacyProtect.org
Videos-movie.com, PrivacyProtect.org
Vipbabes.com.ua, Андрей Дехтяренко / Andrei Dehtyareno, may-vit@bk.ru
Virgin-x.com, PrivacyProtect.org
Wikjipedia.com, Tamara Polishuk, kenylotus@yahoo.com
Worldtube.su, Private Person, novikov_ds@bk.ru
Xtubex.org, konstantin ololo, scaryscream@gmail.com
Yesey.net, Bob AKKAWA, akkawa@gmail.com
Yhxoo.com, PrivacyProtect.org
Yourko.com, PrivacyProtect.org
Youtube19.com, PrivacyProtect.org
Youviewx.com, Dedinan Galena, galendediweb78@yahoo.com

213.182.197.14
Cashspyware.com, N/A, faloimitator@list.ru
Casinousa.cn, LucasSteven / Cehhost, steven_lucas_2000@yahoo.com
Hostnsload.cn, LucasSteven, steven_lucas_2000@yahoo.com
Iframepartners.com, Chen Poon, chen.poon1732646@yahoo.com
Megavipsite.cn, LucasSteven, steven_lucas_2000@yahoo.com
Sitewebsupport.com, Michell, Michell.Gregory2009@yahoo.com

213.182.197.20
Best-casinox.com, MyPrivateRegistration.com
Best-prices-pharma.com, Igor Durov, larsontomas@gmail.com
Best-prices-pharmacy.net, Oleg Demin, premiumwebart@gmail.com
Causas-de-impotencia.com, Private Person, premiumwebart@gmail.com
Causas-de-impotencia.net, Private Person, premiumwebart@gmail.com
Css-csript.cn, IveevPlansky / SerjCOm, ru@rupoisk.in
Dns-lv9720.com, Michell, Michell.Gregory2009@yahoo.com
Druggs.net, MyPrivateRegistration.com
Druggsonline.com, MyPrivateRegistration.com
Drugsbrokerpharma.com, Oleg Demin, premiumwebart@gmail.com
Edproductos-en-espana.com, Grigory Panin, gragorybland@gmail.com
Erosuka.ru, Private Person, callpartners@gmail.com
Farmacia-venta-on-line.com, Private Person, premiumwebart@gmail.com
Fly-pro.net, MyPrivateRegistration.com
Herbal-impotencecure.com, Oleg Demin, premiumwebart@gmail.com
Hzone66.cn, MichellGregory, Michell.Gregory2009@yahoo.com
Impotence-natural-cure.com, Oleg Demin, premiumwebart@gmail.com
Kamagra-tratamiento-impotencia.com, Mark Nefidov, markglan1@gmail.com
Lkll.net, Damir Stolbische, damirmuh@gmail.com
Marcusmed.com, Steven Lucas, steven_lucas_2000@yahoo.com
Medicamentosgenericosonline.com, Grigory Panin, gragorybland@gmail.com
Microsoftprogram.cn, IveevPlansky / SerjCOm, ru@rupoisk.in
Onlinemedicamentosgenericos.com, Grigory Panin, gragorybland@gmail.com
Pharmacy-drugs-broker.com, Oleg Demin, premiumwebart@gmail.com
Pharmacy-drugsbroker.com, Oleg Demin, premiumwebart@gmail.com
Pharmacy-pills-rx.com, Igor Durov, larsontomas@gmail.com
Pharmacy-pillsrx.com, Igor Durov, larsontomas@gmail.com
Rx-onlinestore.com, Igor Durov, larsontomas@gmail.com
Rxtrustedtabs.net, Igor Durov, larsontomas@gmail.com
Smsgogo.cn, IveevPlansky / SerjCOm, ru@rupoisk.in
Superflyaccess.com, MyPrivateRegistration.com
Traffcount.cn, LucasSteven / steven_lucas_2000@yahoo.com
Treatment-online.com, Aprichev Igor, info@betting-profits.com
Trust-ed-tablets.com, Igor Durov, larsontomas@gmail.com
Tutuuuu.cn, IveevPlansky / SerjCOm, ru@rupoisk.in
Usa-pills-rx.com, Igor Durov, larsontomas@gmail.com
Vitofarmatratamientoimpotencia.com, Private Person, markglan1@gmail.com
Vkpleer.ru, Private Person, callpartners@gmail.com
Vybory2007.ru, Private Person, callpartners@gmail.com
Xxzonexx.com. Chen Poon, chen.poon1732646@yahoo.com
Yandex2.cn, IveevPlansky / SerjCOm, ru@rupoisk.in

213.182.197.227
Corbsc.com, Chen Poon, chen.poon1732646@yahoo.com
Co5v.cn, TiankaiCui, cuitiankai@googlemail.com

213.182.197.228
Chlenopopik.com, Denis Pupkin, pisssun2006@mail.ru

213.182.197.229
3ballslottery.com, Klan Jored, support@hosting-offshore.biz
44mm.ru, Private Person, mik58109117@ya.ru
Admins-mail.ru, Private Person, ivttyeivrdyl@yandex.ru
Andors.ru, Private Person, 10000002@mail.ru
Antighost.cn, null, dasidoruk@mail.ru
Avpro-labs.com, PrivacyProtect.org via Erdomain.com
Avtoresa.ru, Private Person, 10000002@mail.ru
Businessconsulting312.com, Nikolay Viktorovich Stepashin, businessconsulting312.com@hvosting.ua
Businesscoorptru.cn, Real Host, abuseemaildhcp@gmail.com
Comforttrade.biz, Klan Jored, support@hosting-offshore.biz
Dfds-seaways.biz, Klan Jored, support@hosting-offshore.biz [note, domain has been seized by the trademark holder]
Digitdbofmusic.org, Petr Karlov, dunkanmac3@mail.ru
Elita-online.ru, Private Person, votub@nm.ru
Fedion.ru, Private Person, 10000002@mail.ru
Firex-labz.com, SharedHSD, roomart2008@yandex.ru
Firsttimesite.us, Olah Istvan, olah.istvan.ny@gmail.com
Gbd-carrers.com, Aleksej Bagrov, deretx@rambler.ru
Gerdok.ru, Private Person, 10000002@mail.ru
Gnk-msk2.com, Alexey MIRKINO, 324635647@mail.ru
Isell.cc, Jhon Balsmen, ukmcuk@googlemail.com
Isellcc.com, Jhon Balsmen, ukmcuk@googlemail.com
Kalopes.ru, Private Person, 10000002@mail.ru
Kobash.ru, Private Person, 10000002@mail.ru
Kovero.ru, Private Person, 10000002@mail.ru
Leadingdelivery.com, WhoisPrivacyProtect.com
Leapdelivery.net, WhoisPrivacyProtect.com
Megatt.cn, LucasSteven, steven_lucas_2000@yahoo.com
Midlway.com, Real Host LTD, real2030@gmail.com
Molide.ru, Private Person, 10000002@mail.ru
Motile.ru, Private Person, 10000002@mail.ru
Mssys.net, Klan Jored, support@hosting-offshore.biz
Muhamed.cn, Caroline Krajka, caroline.krajka@gmail.com
Myeasyhosting.us, Olah Istvan, olah.istvan.ny@gmail.com
Newskyag.com, Robert Baker, robertbaker2110@yahoo.com
Obosraca.net, Nungoyanrgrr Pimdulya, cumo@mail.ru
Ru-r.ru, Anton A Baklanov, pinch18@rambler.ru
Slikons.ru, Private Person, 10000002@mail.ru
Smsvor.ru, Private Person, n.shahov@yandex.ru
Superioradz.info, Bryony, blaze_sanchez3@yahoo.com
Swegol.ru, Private Person, 10000002@mail.ru
Uni-tele-com.ru, Private Person, n.shahov@yandex.ru
Valebe.ru, Private Person, 10000002@mail.ru
Vkonlahte.ru, Private Person, eert@inbox.ru
Vkortakt.ru, Private Person, asfsdfgsg@yandex.ru
Waderos.ru, Private Person, 10000002@mail.ru
Webinst.ru, Private Person, 10000002@mail.ru
Wedikas.ru, Private Person, 10000002@mail.ru
Wedows.ru, Private Person, 10000002@mail.ru
Welcomeone.cn, LucasSteven, steven_lucas_2000@yahoo.com
Werobin.ru, Private Person, 10000002@mail.ru
Wetese.ru, Private Person, 10000002@mail.ru
Wldomen.com, Klan Jored, support@hosting-offshore.biz
Wogolot.ru, Private Person, 10000002@mail.ru
Xaker.cn, Real Host, abuseemaildhcp@gmail.com
Xxhackmail.ru, Private Person, 365346546@mail.ru
Xxvhost.com, Klan Jored, support@hosting-offshore.biz
Yes04ka.cn, Gregory, Michell.Gregory2009@yahoo.com
Yourgoogleanalytics.cn, Real Host, abuseemaildhcp@gmail.com
Yourgoogleanalytics.us, Olah Istvan, olah.istvan.ny@gmail.com


213.182.197.230
Benzonasoss.com, Aleksey Melnikov, mel1simkov@gmail.com
Csollw.com, Aleksey Melnikov, mel1simkov@gmail.com
Jlopi.com, Aleksey Melnikov, mel1simkov@gmail.com
Joltuiwater.com, Aleksey Melnikov, mel1simkov@gmail.com
Kartoshkachamp.com, Aleksey Melnikov, mel1simkov@gmail.com
Lipesr.com, Aleksey Melnikov, mel1simkov@gmail.com
Minfpafs.com, Aleksey Melnikov, mel1simkov@gmail.com
Nerkol.com, Aleksey Melnikov, mel1simkov@gmail.com
Updateserversoft.com, Chen Poon, chen.poon1732646@yahoo.com
Vizllp.com, Aleksey Melnikov, mel1simkov@gmail.com
Vmbs4.com, Aleksey Melnikov, mel1simkov@gmail.com
Werkp.com, Aleksey Melnikov, mel1simkov@gmail.com
Wherg.com, Aleksey Melnikov, mel1simkov@gmail.com

213.182.197.233
Banished.ru, Private Person, abuseemaildhcp@gmail.com
Bargian-hunt.com, Sean McCann, sean.mccann.1@hotmail.com
Pornonova.net, Anya Montague, gr4ndth3ft@hotmail.com
Proxyrent.cn, Chen Poon, chen.poon1732646@yahoo.com

213.182.197.234
Updategoogle.cn, Real Host LTD, abuseemaildhcp@gmail.com
Uppgoogle.cn, Real Host LTD, abuseemaildhcp@gmail.com

213.182.197.235
Aepi.ru, Private Person, polevweb@gmail.com
Evamedstore.com, Nikolai Vukolov, baton@bronzemail.net
Traffic-exchange.ru, Aleksej D Brozdov, ru-traffic-exchange@gmail.com

213.182.197.236
1gen1.ru, Andrey G Zubkov, a.zubkov@exeda.info
71sense.info, Vicky Chan, chan.wai.kay.1@gmail.com
71soldo.info, Vicky Chan, chan.wai.kay.1@gmail.com
71speed.info, Vicky Chan, chan.wai.kay.1@gmail.com
71spice.info, Vicky Chan, chan.wai.kay.1@gmail.com
7addition.info, Vicky Chan, chan.wai.kay.1@gmail.com
8addition.info, Vicky Chan, chan.wai.kay.1@gmail.com
8addition.org, Vicky Chan, chan.wai.kay.1@gmail.com
Add-content-filter.info, PrivacyProtect.org
Deonix.biz, Aleksey Melnikov, mel1simkov@gmail.com
Doplin.biz, Aleksey Melnikov, mel1simkov@gmail.com
Gnbd1.cn, Chen Poon, chen.poon1732646@yahoo.com
Hamatauto.biz, Aleksey Melnikov, mel1simkov@gmail.com
Hel90.biz, Aleksey Melnikov, mel1simkov@gmail.com
Lalalabemsbams.name, Aleksey Melnikov, mel1simkov@gmail.com
Tfx2corp.cn, TiankaiCui, cuitiankai@googlemail.com
Vip-internal.ru, Private Person, spy-logs-l12@inbox.ru

213.182.197.237
1gigabayt.com, Hau Cheng, haucheng@yahoo.com
Beauty-hot-pornxxx.com, Aleksey Melnikov, mel1simkov@gmail.com
Downloadoemsoftware.com, Chen Poon, chen.poon1732646@yahoo.com
Fire-hot-pornxxx.com, Aleksey Melnikov, mel1simkov@gmail.com
Hotflashplayer.com, Aleksey Melnikov, mel1simkov@gmail.com
Metroking.ws, Aleksey Melnikov, mel1simkov@gmail.com
Oneminute2u.biz, Aleksey Melnikov, mel1simkov@gmail.com
Rbckc.com, Aurore Hetu, AuroreHetu@fontdrift.com
Scans.cc, PrivacyProtect.org
Sexual69.ru, Artur G Antonov, antonov@rbcmail.ru
Thebestplayer.biz, Aleksey Melnikov, mel1simkov@gmail.com
Verivell.com, Hau Cheng, haucheng@yahoo.com
Xtraff.cn, Hau Cheng, haucheng@yahoo.com

213.182.197.238
Agroautoparts.com, Aleksey Melnikov, mel1simkov@gmail.com

213.182.197.243
Einrock.com, Puprov Ivan, captainjs@yandex.ru
Geo555.com, Vladim Ivanov, captainjs@yandex.ru
Makomset.com, Vladimir Ivanovich, captainjs@yandex.ru
Ribcot.com, Sergeev Kirill Nikolaevich, captainjs@yandex.ru

213.182.197.247
Sex-proector.ru, Private Person, toolssoft@mail.ru

213.182.197.249
Feed-place.cn, Gregory, Michell.Gregory2009@yahoo.com
Hit-senders.cn, Gregory, Michell.Gregory2009@yahoo.com
Search890.com, Chen Poon, chen.poon1732646@yahoo.com
Traffic-searches.cn, Chen Poon, chen.poon1732646@yahoo.com
Vikd3jj-1.com, Dmitry Ostupin, conroetxwelc@gmail.com
Vikd3jj-2.com, Dmitry Ostupin, conroetxwelc@gmail.com
Vikd3jj-3.com, Dmitry Ostupin, conroetxwelc@gmail.com
Vikd3jj-4.com, Dmitry Ostupin, conroetxwelc@gmail.com
Vintorrils-grag1.com, Dmitry Ostupin, conroetxwelc@gmail.com
Vintorrils-grag2.com, Dmitry Ostupin, conroetxwelc@gmail.com
Vintorrils-grag3.com, Dmitry Ostupin, conroetxwelc@gmail.com


213.182.197.251
Botnet.su, Mihail V Morozov, sdhj3jk@yandex.ru
2k90.cn, Real Host LTD, abuseemaildhcp@gmail.com
Abdulabah.cn, LucasSteven, steven_lucas_2000@yahoo.com
Babjr.cn, LucasSteven, steven_lucas_2000@yahoo.com
D4rkst4r.cn, Real Host LTD, abuseemaildhcp@gmail.com
Luks5.cn, LucasSteven / Cehhost, Michell.Gregory2009@yahoo.com
Serverinlit.cn, Real Host LTD, abuseemaildhcp@gmail.com

213.182.197.254
Go-file.ru, Grigoriy M Aleksandrov, aleksandrov@mail333.com

Wednesday, 22 July 2009

Even more pathetic SpamCop.net phish

I thought that phishing emails couldn't get more rubbish than this but it turns out that I was wrong. Enjoy:

Subject: FINAL ACCOUNT UPDATE!!!
From: "SPAMCOP SUPPORT TEAM" <helpdesk@spamcop.net>
Date: Wed, July 22, 2009 7:15 pm

Dear spamcop.net Subscriber,

We are currently carrying-out a mantainace
process to your spamcop.net account, to
complete this, you must reply to
this mail immediately, and enter your
User Name here (,,,,,,,,) And Password here
(.......) if you are the rightful owner of
this account.

This process we help us to fight against
spam mails.Failure to summit your password,
will render your email address
in-active from our database.

NOTE: If your have done this before, you may ignore
this mail. You will be send a password reset
messenge in next seven (7)
working days after undergoing this process
for security reasons.

Thank you for using spamcop.net!
THE SPAMCOP TEAM


The Reply-To email address is verification_teamss12@yahoo.com.hk, originating IP is 203.59.222.34.

Tuesday, 14 July 2009

43.gs: massive Google SERPs poisoning

I can't tell if this is accidental or deliberate, but there are a whole bunch of spam entries in Google for the 43.gs domain as you can see from this search.

It looks like some sort of redirect or copy, but the odd thing is that the 43.gs subdomain actually points to the legitimate server.

For example, ethviumvthvie.43.gs resolves as 198.246.98.21 which belongs to the US Centers for Disease Control (CDC). For some reason, the CDC server accepts requests for ethviumvthvie.43.gs as a request to display the genuine website.

As a result, Google has about 3.2 million results for 43.gs subdomains, all of which are duplicates of existing sites.

It looks like 43.gs offers some sort of legitimate URL shortening service based on subdomain names rather than the more common tinurl/bit.ly. Have the bad guys found a way to use this to their advantage? Are they suddenly going to switch traffic to somewhere bad?

43.gs is showing a small bump in traffic recently, perhaps as a result of this?

Presumably there is a way of telling your web server to reject this kind of request.

Really pathetic SpamCop.net webmail phish

Probably the most pathetic phish ever - the bad guys nicely provide a space in the email for you to put your username and password and then email it back. Combined with a fairly vague grasp of the English language, then it's hard to see that this would fool anyone at all.

From: "SpamCop Webmaster online" <spamcop.net.webmaster@mchsi.com>
Date: Tue, July 14, 2009 4:11 pm
Cc: recipient list not shown:;
Priority: Normal

Dear SpamCop Webmail online Email Account Owner,

Important notice, harmful virus was detected in your account which can be harmful to our subscriber unit.You are to enter your Username and Password here {____________, __________} to enable us set in an anti virus in your user account to clear up this virus. we do need your co-operation in this, Providing us with this information we enable us insert in your account an anti virus machine for clean up.

We are sorry for the inconveniences this might have cost you. Failure to do this, we are sorry to let you know that your account will be deleted immediately to prevent it from arming our subscriber unit.

Thank you for using SpamCop Webmail,
We are glad at your service,
SpamCop Webmaster online.
Originating IP is an open proxy at 200.65.129.2.

Korea DDOS - run for the hills!

The recent DDOS attacks against Korean and US government sites is well known, with calls for reprisals ranging from "cyber-attacks" to the occasional nutjob suggesting that real bombs are used.

Unfortunately, it turns out that the C&C server for the botnet carrying out the attack may well be in the UK. So perhaps we can expect a rush of malformed packets and/or Tomahawk cruise missiles heading the the UK soon..

via

Monday, 6 July 2009

Phorm: hahahahah

With a bit of luck, it appears that Phorm may be going down the toilet, as BT announce that they are not going to deploy Phorm's deep packet inspection technology. More at the BBC News site.

With a bit of luck, Phorm's share price will end up as a penny stock very soon.

Saturday, 4 July 2009

Piradius.net / Yohost.org - black hat hosting?

Piradius.net is a web host in Malaysia that has cropped up a few times as hosts for this long-running scam.

It seems that this isn't an isolated case. Looking just one server at gives us a number of other fraudulent domains:

  • bestcrisisprices.com - fake ecommerce site registered to Michell.Gregory2009@yahoo.com that has been used for this fraud, this fraud and many others.
  • blizzard-battle.net - fake "World of Warcraft" login page, presumably designed to harvest usernames and passwords.
  • europemedicalnet.com - claims to be a German medical company, in reality it isn't. Purpose unclear, probably run by Manuel Fichter.
  • everyhit.info - front-end for the registry-cleaner-comparisons.com fraudware site.
  • evilcheats.org - registered to kingstonsmith@hushmail.com who is connected with many fraudulent and/or suspect sites.
  • excelcapitals.com - smart looking but suspect "get rich quick" site, apparently based in Panama.
  • flyappraisals.com - fake domain appraisals.
  • flyrating.com - fake domain appraisals.
  • germanymedicalnet.com - currently displaying text from the Pozde.com domain scam.
  • gooogled.com - appears to sell knock-off designer goods.
  • hellas-warez.com - "Warez" as in illegal software downloads.
  • hygetropin-hgh.com - Claims to export prescription drugs from China.
  • indigo-net.org - another "Kingston Smith" domain.
  • jessicassoftware.com - suspiciously cheap software.
  • maximizedlivingscam.com - another "Kingston Smith" domain.
  • nameorange.com - fake domain appraisals.
  • nextdayrelief.com - unconvincing "pharmacy" that claims to be in the US, but hosts in Malaysia
  • pedma.com - fake domain appraisals.
  • podzz.com - fake domain appraisals.
  • poker-bonus-codes.de - Kingston Smith again.
  • pozde.com - fake domain appraisals.
  • r4ishop.com - with prices in pounds sterling, it appears to be passing itself off as a UK-based electronics retailer. In reality, everything is anonymised and it could be based anywhere.
  • rc-chem.net - claims to be a Canadian supplier of steroids, a Google search on the domain is enlightening.
  • replica-prestigious-watches.com - fake designer watches.
  • tropicalnames.com - fake domain appraisals.
  • yohost.org - anonymous hosting.
In fact, it's the last domain "yohost.org" which gives a clue as to what is really going on. Yohost.org looks like a reseller of Piradius.net's hosting and it advertises itself as "100% anonymous hosting and anonymous DNS and domain name services" which is "beyond the reach of virtually any government or law enforcement agency."

If you Google for "anonymous hosting" then Yohost.org comes up as #4. So you can see where their customers are coming from.

Yohost.org also rents other servers from Piradius.net, and they show a mix of sites that appear to be very dodgy indeed, through to sites that appear legitimate.

They appear to run the following IPs and probably others too:

124.217.231.173
124.217.231.209
124.217.250.102
124.217.250.106

Hosting rubbish like this does not enhanced Piradius.net's reputation, they would really be better off booting Yohost.org in order to clean up their IP range.

Thursday, 2 July 2009

Domain scam: ntwifinetwork.com / js-wifi.cn

The old Chinese domain scam has been around for years, but these guys are getting lazy because they haven't changed their domains for months, this is esentially unchanged from April.

Subject: Domain Dispute and Registration
From: "Sunny"
Date: Thu, July 2, 2009 4:07 am

To whom it may concern: 2009-7-2

We are a domain name registration service company in Asia,

Last week we received a formal application submited by Justin Lin who wanted to use the keyword "REDACTED" to register the Internet Brand and with suffix such as .cn /.com.cn /.net.cn/.hk/ .asia/ domain names.

After our initial examination, we found that these domain names to be applied for registration are same as your domain name and trademark. We aren¡¯t sure whether you have any relation with him. Because these domain names would produce possible dispute, now we have hold down his registration, but if we do not get your company¡¯s an reply in the next 5 working days, we will approve his company's application

In order to handle this issue better, Please contact us by Fax ,Telephone or Email as soon as possible.



Yours sincerely

Sunny

Checking Department

Tel: 86 513 8532 1087
Fax: 86 513 8532 2065
Email:Sunny@ntwifinetwork.com
Website: www.js-wifi.cn

Our File No.:2272363

Originating IP is 122.193.216.10.

As ever, legitimate domain registrars do not send out this type of email because they are NOT responsible for this activity. Sometimes the Chinese domains get registered, sometimes they are ALREADY registered, and often they never get registered. But before you panic and pay money to these scammers, consider this: there are hundreds of top-level domains in the world. Do you really want to buy your domain for all of them? The answer is probably "no".

The best advice is to ignore this email completely.