This appears to be a binary options scam that is using illegally hacked sites as redirectors, and I suspect that it is using a botnet to send the spam in the first place, although this is not clear. Eventually, victims are sent via an affiliate link to a site searchingprofit.me, more of which in another post.
It turns out that dailybusinessdirect.com is hosted alongside a cluster of related domains on a set of IPs apparently belonging to a firm called Echo Romeo LLP in the UK. From the research I have done, it appears that Echo Romeo are a legitimate small business doing web design and hosting. However, they are listed as the owner 184.108.40.206/24 which seems to be almost completely full of spam, scam and malware sites.
UPDATE: there is evidence that Echo Romeo are the victim of a type of corporate identity theft. Scroll to the bottom for me.
Here's an oddity - Echo Romeo have a portfolio on their site of designs they have done for customers. As far as I can tell, none of those customer sites are actually hosted in this IP address range.
The first thing I noticed was a cluster of sites and IPs that appear to be closely related to dailybusinessdirect.com:
Some of these domains have anonymous WHOIS details, some have details that look fake. I have not found any way to trace ownership of these domains.. after all, these are not amateurs, these are professional fraudsters who tend not to make silly mistakes.
I checked all the active sites in the 220.127.116.11/24 range against SURBL which came up with these results [csv]. Out of 56 sites identified, 13 are identified by SURBL as being spamming and/or phishing. But what of the rest?
A look at the Google Safe Browsing Diagnostic for AS199762 gave some interesting results:
Drilling down to the Google diagnostic for t9e.net is surprising:
Diagnostic page for AS199762 (ECHOROMEO-AS)What happened when Google visited sites hosted on this network?Of the 13 site(s) we tested on this network over the past 90 days, 1 site(s), including, for example, 18.104.22.168/, served content that resulted in malicious software being downloaded and installed without user consent.
The last time Google tested a site on this network was on 2015-09-07, and the last time suspicious content was found was on 2015-08-24.Has this network hosted sites acting as intermediaries for further malware distribution?Over the past 90 days, this network has not hosted any sites that appeared to function as intermediaries for the infection of any other sites.Has this network hosted sites that have distributed malware?Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 2 site(s), including, for example, t9e.net/, 22.214.171.124/, that infected 7 other site(s), including, for example, kgdbase.com/, kgdbase.eu/, softbase.xyz/.
25,596 trojans and 61 exploits? I think that's a site to avoid, and as you might guess t9e.net has anonymous WHOIS details.
Diagnostic page for t9e.netWhat is the current listing status for t9e.net?This site is not currently listed as suspicious.
Part of this site was listed for suspicious activity 150 time(s) over the past 90 days.What happened when Google visited this site?Of the 22277 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2015-09-07, and the last time suspicious content was found on this site was on 2015-08-24.Malicious software includes 25596 trojan(s), 61 exploit(s).
This site was hosted on 2 network(s) including AS199762 (ECHOROMEO-AS), AS35042 (ISP4P).Has this site acted as an intermediary resulting in further distribution of malware?Over the past 90 days, t9e.net did not appear to function as an intermediary for the infection of any sites.Has this site hosted malware?Yes, this site has hosted malicious software over the past 90 days. It infected 3 domain(s), including kgdbase.com/, kgdbase.eu/, softbase.xyz/.
Also in this range:
- The domains travsolut.com and travsolut.org on 126.96.36.199 are associated with suspect-looking job offers and claim to have been founded in 2002 in Australia, yet the domains were only created in 2015 with the .org being registered to an address in Spain.
- On 188.8.131.52, the domains weksrubaz.ru, linturefa.ru and xablopefgr.ru are all associated with with the POSeidon malware. On the same IP, srachechno.com is associated with a later version of the same malware.
- Meanwhile on 184.108.40.206, dornegromant.com is also associated with POSeidon [pdf]
- On 220.127.116.11 another POSeidon domain lurks, repherfeted.com.
- And on 18.104.22.168 there is litramoloka.com which is again POSeidon, as is cawasuse.ru on 22.214.171.124.
- On 126.96.36.199 is the domain ranferolto.com tagged as Infostealer.Posfind by Symantec.
- On 188.8.131.52 the domains gowasstalpa.com and nasedrontit.com are associated with the Pony Downloader.
- On 184.108.40.206 the website clarkgrp.org has been accused of being fake. If that is the case, then marlin-staff.com on the same IP will probably be too.
I asked Echo Romeo about this and their response was very quick..
org-name: ECHO ROMEO LLP
address: 47 GLENMOOR ROAD , WEST PARLEY , FERNDOWN , DORSET , UNITED KINGDOM
phone: +44 1202872908
changed: email@example.com 20140128
But in fact, their domain name is just echoromeo.co.uk and not echoromeonet.co.uk at all. The WHOIS details for the fake domain are:
ECHO ROMEO LLP
47 GLENMOOR ROAD
Nominet was able to match the registrant's name and address against a 3rd party data
source on 25-Jan-2014
101Domain, Inc. [Tag = 101INC-US]
Registered on: 25-Jan-2014
Expiry date: 25-Jan-2016
Last updated: 03-Nov-2014
Registered until expiry date.
These closely match the real contact details of Echo Romeo. The fake website itself is hosted on 220.127.116.11 (one of the nameservers). It looks very different from the real website.
Let's go back to these IPs..
The 18.104.22.168/24 range with the fake registration details is carved out of an IP block belonging to isp4p.net (IP Interactive UG, Germany). Presumably the bad guys used the fake Echo Romeo domain and name to persuade IP Interactive to lease them a set of IP addresses.
Although the nameservers of 22.214.171.124 and 126.96.36.199 appear to be on very different blocks, they are actually allocated to the same person:
inetnum: 188.8.131.52 - 184.108.40.206
descr: IPSERVER WORLD LTD
remarks: abuse-mailbox: firstname.lastname@example.org
status: ASSIGNED PA
changed: email@example.com 20120918
person: Oleg Nikol'skiy
address: British Virgin Islands, Road Town, Tortola, Drake Chambers
changed: firstname.lastname@example.org 20150528
changed: email@example.com 20120712
A quick look at the 220.127.116.11/24 and 18.104.22.168/24 ranges indicates they are full of crap. There may be legitimate sites hosted there, but I would recommend blocking them.
The evidence that I can find does seem to point toward this spoof IP range being set up by organised criminals in Russia, and my opinion is that Echo Romeo LLP have nothing to do with this at all and are the good guys.