Sponsored by..

Wednesday, 23 September 2009

max-apprais.com and top-name.net scam

max-apprais.com and top-name.net appear to be two fake domain appraisal companies being "recommended" to domain owners as part of a long-running scam which we have touched on many times before.

max-apprais.com was created on 12th September to an anonymous registrant, hosted on 202.157.181.9 at Katz Global Singapore. It's a copy of max-appraisal.com which is hosted on 124.217.231.209 at well-known black hat hosts YoHost.org.

top-name.net is a very familiar template hosted on 66.7.196.186 (Hostdime, Florida) also to an anonymous registrant (although it appears to be a Canadian resident behind all of this spam).


sedo.com are a well-known and wholly legitimate company and are nothing do to with the spam or scam.

The "pitch" email looks like this:

From: "Domain Trade LLC"
Date: Wed, September 23, 2009 4:26 am

Dear sir,
we are interested to purchase your domain [redacted] and offer between 50% and 65% of the appraised value.
We accept appraisals from companies such as

http://www.sedo.com/
http://top-name.net/
http://max-apprais.com/


If you already have an appraisal please forward it to us.

Please let us know whether you are interested. Upon review of your valuation and in case of an agreement we send payments via PayPal for amounts less than $2,000 and via Escrow.com for amounts above $2,000, as well as further instructions on how to complete the transfer of the domain name.

We appreciate your business,

Domain Trade LLC
Originating IP for the spam is 74.55.131.10

Of course, once they have taken your money for the appraisal, then you will never hear from them again.

If you have been conned by these scammers then start a PayPal dispute to get your money back. We understand that Sedo may offer a refund in any case as they are well aware of this scam. You might also want to file a complaint with the police, especially if you live in Canada where the perp appears to be based.

Tuesday, 15 September 2009

Rogue ads on answers.com: dotastoc.com

I'm still trying to track this one down, but somewhere on answers.com is a rogue ad that does through several hops to reach a fake anti-virus application. Don't visit any of the following sites unless you know what you are doing!
  1. dotastoc.com/442417.js?sid=bWtuamJoX2NvZmZlZS1jODMuZG90YXN0b2MuY29t [212.95.56.102, Germany - Netdirekt E.k]
  2. mknjbhyju.exxl.pl/coffee-c83/xalei.html [209.51.196.244, Ohio - XLHost.com Inc]
  3. mknjbh_coffee-c83.dotastoc.com/index.html ?Ref=http%3A%2F%2Fwww.google.co.uk %2Fsearch%3Fhl%3Den%26q%3D[redacted]%26btnG%3DSearch%26meta%3D
  4. myth-busters.cn/go.php?id=2009-01&key=cd19f5036&p=1 [94.102.48.29, Netherlands - Ecatel]
  5. 09computerquickscan.com [multihomed at 78.46.118.1, 78.46.201.89, 78.46.251.41, 88.198.81.153, 88.198.120.177, Germany Hetzner Online AG]
Step 3 requires a referer string to work, depending on the string you may get redirected, for example to usdisturbed.cn/?pid=229&sid=4b5855 [193.169.12.70, Belize "Financial Company Titan Ltd"] then fast-virus-scan4.com [91.213.126.100, Costa Rica Centerinfocom Ltd or 93.169.12.70 again]

Lots of suspect IP addresses there, 212.95.56.102 is the first step and also hosts these following domains that also look suspect:

  • Anidmenonpderche.com
  • Dotastoc.com
  • Ewyuewssf.com
  • Fishbiss.com
  • Iggiksc.com
  • Lur2cont.com
  • Niuk.ru
  • Pornokogu.com
  • Uewiosdasda.com
fast-virus-scan4.com is also being used in some .htaccess attacks, where the hacked site only redirects to the fake virus scanner if accessed through Google or some other search engine, not if it is visited directly.

Update: answers.com appear to have tracked down and removed the ad, although some other sites have been hit by a very similar attack.

YoHost.org on the move to Dragonara.net

It looks like black-hat host YoHost.org is on the move to a set of IP addresses owned by "Dragonara Alliance Ltd" (dragonara.net) - a company that claims to be Swiss (and appears to use hosting in Switzerland) but is registered in the British Virgin Islands.

Dragonara claims to be a high-reliability host where clients can weather out DDOS attacks, which is a useful service. However, a lot of the sites it host seem to be quite dubious, and a lot of sites seems to be pushing "replica" (i.e. fake) Swiss watches. The fact that a Swiss company is hosting sites in Switzerland that appear to be selling fake Swiss watches is something that might end up in an interesting conversation with some Swiss lawyers.

The IP address range to look out for is 194.8.74.1 - 194.8.75.255. The sites listed below are for information purposes only, many may well be perfectly legitimate. If you have any observations, then please use the comments.


194.8.75.34
Liberty72.com
Music-ultra.net
Virtuelldigitale.net

194.8.75.66
Filmkeuze.org
Superadult.org

194.8.75.77
Tyolaly.com

194.8.75.80
Ireplicastore.com

194.8.75.82
Billing-sat.tv

194.8.75.90
Bkjace.com
Jessicareplicas.com
Swissreplicastore.com

194.8.75.94
Good-good-movie.com
I-want-she.com
Oem-workshop.org
Online-oem-store.com
Red-paradise.com
Russian-paradise.com
Net-doktor.eu

194.8.75.98
Highrisefinance.com


194.8.75.107
Watch-replica.net

194.8.75.116
Yohost.org

194.8.75.118
Sadelae.com
Tiffanysets.com
Tyakcek.com

194.8.75.119
Apoace11.com
Beanells.com
Mymodelwatches.com

194.8.75.120
Gaemacs.com
Replicasmart.com

194.8.75.121
Brangelinareplicas.com
Geakcon.com

194.8.75.122
Kejhlle.com
Watch-replicas.com

194.8.75.123
Akeean.com
Brandreplica.com
Sharesdigger.com

194.8.75.124
Beauhi.com
Tiffanylovers.com

194.8.75.125
50st.ru

194.8.75.126
Ppoeatt.com

194.8.75.127
Tyaopce.com

194.8.75.128
Bieaken.com

194.8.75.129
Dakealls.com

194.8.75.135
Replicawatchesreviews.com

194.8.75.141
Agent-service.info
Barlenelectronics.com
Iluvtotravel.com
Sapnastudio.org
Strahovoy-partner.info
Strahovoypartner.ru
Thefbo.com

194.8.75.143
Csmfinance.com

194.8.75.165
Halarona.com

194.8.75.180
Replicas99.com

194.8.75.181
79eurovilla.com

194.8.75.199
Dvd4play.com

194.8.75.202
Thc-torrents.org

*********

194.8.74.12
Aowei.net.ru
Babytrance.us
House-of-friendship.com
Jurassic.net.ru
Kemcua.net
Lightning.net.ru
Tiroteen.net

194.8.74.45
Odnoixniki.com

194.8.74.100
Shara.info

194.8.74.101
Dw-plus.tv

194.8.74.120
Battlenetlogins.com
Directransfer.net
Diyxbox360.com
Flexfolders.com
Hygetropin-hgh.com
Immune-research.com
Premiuma.net
Privacysecured.com
Reversephonenet.com
Tiffanybazaar.com
Topregfix.com
Uc-forum.com
Ucdownloads.com
Vintagevdb.com
Xbox360redlightsguide.com

194.8.74.127
Dw24.tv

194.8.74.129
Anyshop.ch
Huasi.ch
Sowa.ch
Swisstuerk.ch

194.8.74.132
Hotelinsider.info

194.8.74.135
Dw-mobile.org

194.8.74.154
Vaultinvestment.com

194.8.74.158
Fi-success.com
Financijskabuducnost.com
Financijskabuducnost.net
Forexdonos.com
Forexdonos.net
Forexdonos.org
Forexnalozba.com
Forexnalozba.org
Forexnalozbe.com
Forexnalozbe.net
Forexnalozbe.org
Fx-donos.com
Fx-donos.net
Fx-donos.org
Tx-invest.net
Ultra-forex.com
Ultra-forex.net

194.8.74.190
Parnenairdesign.com
Rs-promotion.com
Syjsw.com

194.8.74.193
Practicalsilver.com
Silverurban.com
Solid925silver.com
Tiffanynsnow.com

194.8.74.231
Relsat.org

Thursday, 10 September 2009

Fake HMRC tax refund messages

Looks like there's a spam run in progress with the following fake tax refund message:
From: HM Revenue & Customs [mailto:rsa.messages@hmrc.rsamessages.co.uk]
Sent: 10 September 2009 10:16
Subject: [ HMRC MESSAGE ID NUMBER: 381716209 ]

(This is an outbound message only. Please do not reply.)



Dear Applicant,

The contents of this email and any attachments are confidential and as applicable, copyright in these is reserved to HM Revenue & Customs. Unless expressly authorised by us, any further dissemination or distribution of this email or its attachments is prohibited.

If you are not the intended recipient of this email, please reply to inform us that you have received this email in error and then delete it without retaining any copy.

I'm writing to confirm that after the last annual calculation of your fiscal activity we have determined that you are eligible to receive a tax refund of 327.54 GBP

You have attached the tax return form with the TAX REFUND NUMBER ID: 381716209, complete the tax return form attached to this message.

After completing the form, please submit the form by clicking the SUBMIT button on form and allow us 5-9 business days in order to process it.

If you have any questions, please refer to our Frequently Asked Questions (FAQs) or visit our head office address can be found on our web site at http://www.hmrc.co.uk/

Yours sincerely,
Kevin Taylor
Manager, HM Revenue & Customs Tax Credit

TAX RETURN FOR THE YEAR 2009
RECALCULATION OF YOUR TAX REFUND
HMRC 2008-2009
LOCAL OFFICE No. 3819
TAX CREDIT OFFICER: Kevin Taylor
TAX REFUND ID NUMBER: 381716209
REFUND AMOUNT: 327.54 GBP


This e-mail is generated by RSA Security United Kingdom on behalf of HM Renenue & Customs


Calls may be monitored or recorded in case we need to check we have carried out your instructions correctly and to help improve our quality of service.


or another variant:


From: HM Revenue & Customs [mailto:officer.robinson@hmrc.co.uk]
Sent: 10 September 2009 10:23
Subject: TAX REFUND ID NUMBER: 381716209

TAX RETURN FOR THE YEAR 2009

RECALCULATION OF YOUR TAX REFUND

HMRC 2008-2009

LOCAL OFFICE No. 3819

TAX CREDIT OFFICER: NEIL ROBINSON

TAX REFUND ID NUMBER: 381716209

REFUND AMOUNT: 344.79

Dear Applicant,

The contents of this email and any attachments are confidential and as applicable, copyright in these is reserved to HM Revenue & Customs.

Unless expressly authorised by us, any further dissemination or distribution of this email or its attachments is prohibited.

If you are not the intended recipient of this email, please reply to inform us that you have received this email in error and then delete it without retaining any copy.

I am sending this email to announce: After the last annual calculation of your fiscal activity we have determined that you are eligible to receive a tax refund of 344.79

You have attached the tax return form with the TAX REFUND NUMBER ID: 381716209, complete the tax return form attached to this message.

After completing the form, please submit the form by clicking the SUBMIT button on form and allow us 5-9 business days in order to process it.

Our head office address can be found on our web site at http://www.hmrc.co.uk/

Sincerely,

NEIL ROBINSON

HMRC Tax Credit Officer

officer.robinson@hmrc.co.uk

Preston

PR1 0SB



There's an attachment in both cases that attempt to harvest personal details (basically everything you need for identity theft) and sends it off to the attacker. In this case, domains used are jub23bi.biz and xgen99.biz although there are probably others. Scanning your outbound log files for /luk.php or /luk1.php or .biz/luk might reveal anyone who has fallen for it.


Obviously, if you've entered you details into something like this then you need to contact your bank as soon as possible and explain that your account has been compromised.

Friday, 4 September 2009

Macez.com domain scam

Yet another fake domain appraisal scam following on from this one, macez.com has actually been registered for a while but only came into use in September. If you receive an email recommending this appraisal site, delete it. If you have paid for a fake appraisal with PayPal, then you should open up a dispute about the transaction.