
Showing posts with label Yohost.org. Show all posts

Thursday, 11 October 2012

ppinomore.com PPI SMS spam

These PPI spammers are at it again, this time promoting a website ppinomore.com.

URGENT you are owed £3350 for the PPI you took out, time is running out to claim, please visit www.ppinomore.com to claim, thank you. To opt out reply STOP.

The sending number is +447787446160, although this will change as they get blocked for spamming. If you have any more numbers, then please consider adding them in the Comments section.

If you get one of these, you should forward the spam and the sender's number to your carrier. In the case of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.

The thing with these spam PPI messages is that they are also a scam. I don't have any mis-sold PPI, so I'm not eligible for anything, but it seems that the spammers are encouraging you to make a fraudulent claim, which is a criminal offence.

So who is behind ppinomore.com? It has anonymous WHOIS details so no clue there. They claim their address is in Pakistan:
PPI-Today
586, Park Towers,
Block 26, P.E.C.H.S.,
Shahrah-e-Faisal,
Karachi

And they're not regulated by anyone..
ppinomore is a marketing agent. Our partners are regulated by the Ministry of Justice in respect of regulated claims management activities - their authorisation number is available on request and their registration is recorded on the Ministry of Justice website 

So who are their partners? Of note, the ppinomore.com site is hosted on 217.23.12.215, which is hosted by Worldstream in the Netherlands but actually allocated to a scam/spam friendly outfit called YoHost. The following sites are on the same server:


Some of these look quite interesting.. they're also using SMS and PPI themed sites. Almost all the sites have anonymous WHOIS details.. apart from myppi.org that is..

Domain ID:D166396094-LROR
Domain Name:MYPPI.ORG
Created On:21-Aug-2012 10:52:54 UTC
Last Updated On:21-Aug-2012 10:52:55 UTC
Expiration Date:21-Aug-2013 10:52:54 UTC
Sponsoring Registrar:GoDaddy.com, LLC (R91-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Status:ADDPERIOD
Registrant ID:CR122029936
Registrant Name:john mcneish
Registrant Organization:surveycentre
Registrant Street1:flat 3 11a whitworth street
Registrant Street2:opal house
Registrant Street3:
Registrant City:manchester
Registrant State/Province:lancashire
Registrant Postal Code:m1 3gw
Registrant Country:GB
Registrant Phone:+1.614083744
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:gary@tetr.us
Admin ID:CR122029938
Admin Name:john mcneish
Admin Organization:surveycentre
Admin Street1:flat 3 11a whitworth street
Admin Street2:opal house
Admin Street3:
Admin City:manchester
Admin State/Province:lancashire
Admin Postal Code:m1 3gw
Admin Country:GB
Admin Phone:+1.614083744
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:gary@tetr.us
Tech ID:CR122029937
Tech Name:john mcneish
Tech Organization:surveycentre
Tech Street1:flat 3 11a whitworth street
Tech Street2:opal house
Tech Street3:
Tech City:manchester
Tech State/Province:lancashire
Tech Postal Code:m1 3gw
Tech Country:GB
Tech Phone:+1.614083744
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:gary@tetr.us
Name Server:NS19.DOMAINCONTROL.COM
Name Server:NS20.DOMAINCONTROL.COM


John McNeish? So why is his email address gary@tetr.us then? Probably because this is really Gary McNeish who has been involved in offshore SMS spamming before.
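
The check made by eye above (contact name against the e-mail local part) can be scripted for triage; this is an added example, not part of the original post, and it also compares the phone dialling code with the stated country. The sample record, the `DIAL_CODES` map and the function names are constructed for illustration.

```python
import re

# Constructed record in the flat "Key:Value" layout of the WHOIS output above.
# Every value is invented for the demo (reserved example domains, 555 numbers).
SAMPLE_WHOIS = """\
Domain Name:EXAMPLE.ORG
Registrant Name:alex sample
Registrant Country:GB
Registrant Phone:+1.5555550100
Registrant Phone Ext.:
Registrant Email:robin@example.net
Tech Name:alex sample
Tech Country:GB
Tech Phone:+44.5555550100
Tech Email:alex.sample@example.net
"""

ROLES = ("Registrant", "Admin", "Tech")
DIAL_CODES = {"GB": "44", "US": "1", "NL": "31"}  # partial map, enough for the demo

def parse_contacts(text):
    """Return {role: {field: value}} for the contact roles, skipping empty fields."""
    contacts = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        role, _, field = key.strip().partition(" ")
        if sep and value.strip() and role in ROLES and field:
            contacts.setdefault(role, {})[field] = value.strip()
    return contacts

def contact_flags(contact):
    """Weak triage signals only: role mailboxes and people living abroad trip them too."""
    flags = []
    name = set(re.findall(r"[a-z]+", contact.get("Name", "").lower()))
    local = set(re.findall(r"[a-z]+", contact.get("Email", "").split("@")[0].lower()))
    if name and local and not name & local:
        flags.append("email-name-mismatch")
    dial = re.match(r"\+(\d+)\.", contact.get("Phone", ""))
    expected = DIAL_CODES.get(contact.get("Country", "").upper())
    if dial and expected and dial.group(1) != expected:
        flags.append("phone-country-mismatch")
    return flags

def triage(text):
    return {role: contact_flags(c) for role, c in parse_contacts(text).items()}

if __name__ == "__main__":
    for role, flags in triage(SAMPLE_WHOIS).items():
        print(role, flags or "consistent")
```

A flag here is a reason to look closer at a record, not evidence of who controls the domain.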

So, is Gary McNeish responsible for the ppinomore.com SMS spam? It could just be a coincidence that a server stuffed with dodgy finance and marketing sites contains both a site belonging to Gary McNeish and these ppinomore.com scammers. After all, there's no indication that this is actually Gary McNeish's server, just that he has a site on it.

Still, hopefully the recently announced ICO crackdown on SMS spammers might have a positive effect.

Update:
Here is another link between ppinomore.com and Gary McNeish's myppi.org - if you search for the text "ppinomore is a marketing agent. Our partners are regulated by the Ministry of Justice" on Google, it also appears on myppi.org:


Funnily enough, the content for myppi.org has changed to some search engine called "Yadoo" since it was indexed by Google. It must just be a coincidence that the ppinomore text appeared on Mr McNeish's site, yes?

The following numbers also seem to be in use for this spam:
+447867368703
+447780458447 

Please add any more in the comments, thanks!

Tuesday, 15 September 2009

YoHost.org on the move to Dragonara.net

It looks like black-hat host YoHost.org is on the move to a set of IP addresses owned by "Dragonara Alliance Ltd" (dragonara.net) - a company that claims to be Swiss (and appears to use hosting in Switzerland) but is registered in the British Virgin Islands.

Dragonara claims to be a high-reliability host where clients can weather out DDOS attacks, which is a useful service. However, a lot of the sites it hosts seem to be quite dubious, and a lot of sites seem to be pushing "replica" (i.e. fake) Swiss watches. The fact that a Swiss company is hosting sites in Switzerland that appear to be selling fake Swiss watches is something that might end up in an interesting conversation with some Swiss lawyers.

The IP address range to look out for is 194.8.74.1 - 194.8.75.255. The sites listed below are for information purposes only, many may well be perfectly legitimate. If you have any observations, then please use the comments.
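
The range quoted above starts at .1 rather than .0, so it is not a single clean CIDR block. The following added example (not part of the original post) converts it to an exact set of CIDR networks and matches destination IPs in log lines against it; the log format, client addresses and host names are constructed for the demo.

```python
import ipaddress

# Range as quoted in the post.
FIRST = ipaddress.ip_address("194.8.74.1")
LAST = ipaddress.ip_address("194.8.75.255")

# Exact CIDR cover of the range (a plain /23 would also include 194.8.74.0).
WATCH_NETS = list(ipaddress.summarize_address_range(FIRST, LAST))

# Constructed proxy log: timestamp, client, destination IP, requested host.
SAMPLE_LOG = """\
2009-09-15T10:02:11Z 10.0.0.21 194.8.75.90 host-a.example
2009-09-15T10:02:15Z 10.0.0.21 194.8.76.1 host-b.example
2009-09-15T10:03:40Z 10.0.0.37 194.8.74.0 host-c.example
2009-09-15T10:04:02Z 10.0.0.37 194.8.74.120 host-d.example
2009-09-15T10:05:00Z 10.0.0.40 not-an-ip host-e.example
"""

def in_watch_range(ip_text):
    """True if ip_text parses as an address inside the watched range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # malformed field: treat as no match rather than crash
    return any(ip in net for net in WATCH_NETS)

def flag_lines(log_text):
    """Return (client, destination, host) for every line hitting the range."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and in_watch_range(parts[2]):
            hits.append((parts[1], parts[2], parts[3]))
    return hits

if __name__ == "__main__":
    print("CIDR cover:", ", ".join(str(n) for n in WATCH_NETS))
    for hit in flag_lines(SAMPLE_LOG):
        print("match:", *hit)
```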



Saturday, 4 July 2009

Piradius.net / Yohost.org - black hat hosting?

Piradius.net is a web host in Malaysia that has cropped up a few times as hosts for this long-running scam.

It seems that this isn't an isolated case. Looking at just one server gives us a number of other fraudulent domains:

  • bestcrisisprices.com - fake ecommerce site registered to Michell.Gregory2009@yahoo.com that has been used for this fraud, this fraud and many others.
  • blizzard-battle.net - fake "World of Warcraft" login page, presumably designed to harvest usernames and passwords.
  • europemedicalnet.com - claims to be a German medical company, in reality it isn't. Purpose unclear, probably run by Manuel Fichter.
  • everyhit.info - front-end for the registry-cleaner-comparisons.com fraudware site.
  • evilcheats.org - registered to kingstonsmith@hushmail.com who is connected with many fraudulent and/or suspect sites.
  • excelcapitals.com - smart looking but suspect "get rich quick" site, apparently based in Panama.
  • flyappraisals.com - fake domain appraisals.
  • flyrating.com - fake domain appraisals.
  • germanymedicalnet.com - currently displaying text from the Pozde.com domain scam.
  • gooogled.com - appears to sell knock-off designer goods.
  • hellas-warez.com - "Warez" as in illegal software downloads.
  • hygetropin-hgh.com - Claims to export prescription drugs from China.
  • indigo-net.org - another "Kingston Smith" domain.
  • jessicassoftware.com - suspiciously cheap software.
  • maximizedlivingscam.com - another "Kingston Smith" domain.
  • nameorange.com - fake domain appraisals.
  • nextdayrelief.com - unconvincing "pharmacy" that claims to be in the US, but hosts in Malaysia.
  • pedma.com - fake domain appraisals.
  • podzz.com - fake domain appraisals.
  • poker-bonus-codes.de - Kingston Smith again.
  • pozde.com - fake domain appraisals.
  • r4ishop.com - with prices in pounds sterling, it appears to be passing itself off as a UK-based electronics retailer. In reality, everything is anonymised and it could be based anywhere.
  • rc-chem.net - claims to be a Canadian supplier of steroids, a Google search on the domain is enlightening.
  • replica-prestigious-watches.com - fake designer watches.
  • tropicalnames.com - fake domain appraisals.
  • yohost.org - anonymous hosting.

In fact, it's the last domain "yohost.org" which gives a clue as to what is really going on. Yohost.org looks like a reseller of Piradius.net's hosting and it advertises itself as "100% anonymous hosting and anonymous DNS and domain name services" which is "beyond the reach of virtually any government or law enforcement agency."

If you Google for "anonymous hosting" then Yohost.org comes up as #4. So you can see where their customers are coming from.

Yohost.org also rents other servers from Piradius.net, and they show a mix of sites that appear to be very dodgy indeed, through to sites that appear legitimate.

They appear to run the following IPs and probably others too:

124.217.231.173
124.217.231.209
124.217.250.102
124.217.250.106

Hosting rubbish like this does not enhance Piradius.net's reputation; they would really be better off booting Yohost.org in order to clean up their IP range.