Wednesday, October 29, 2008

eNom Phishing, Child Porn and Avalonpay.com

Lots of spam suddenly showing up claiming to be on behalf of eNom.com, a well-known domain registrar.

Investigating these phishing attempts leads down a very dark hole indeed.

The eNom phishing sites are attempting to gather up domain information. For what purposes exactly is unsure, but I'm sure you could imagine: theft of a large number of domains, redirection of previously "good" domains to harmful content.

The contact information on these sites is all identical, and should be familiar to anyone who investigates this crap. Let's take one example domain, sys82.net:

Whois sys82.net

Domain Name: SYS82.NET
Registrar: ONLINENIC, INC.
Whois Server: whois.onlinenic.com
Referral URL: http://www.OnlineNIC.com
Name Server: NS1.KOLBERACN.COM
Name Server: NS2.KOLBERACN.COM
Name Server: NS3.KOLBERACN.COM
Name Server: NS4.KOLBERACN.COM
Name Server: NS5.KOLBERACN.COM
Status: ok
Updated Date: 25-oct-2008
Creation Date: 25-oct-2008
Expiration Date: 25-oct-2009

...

Domain servers in listed order:
ns1.kolberacn.com ns2.kolberacn.com

Administrator:
Name-- Shestakov Yuriy
EMail-: (alexeyvas@safe-mail.net)
tel --: +7.9218839910
org: Shestakov Yuriy
Lenina 21 16
Mirniy,MSK,RU 102422

Technical Contactor:
Name-- Shestakov Yuriy
EMail-: (alexeyvas@safe-mail.net)
tel --: +7.9218839910
org: Shestakov Yuriy
Lenina 21 16
Mirniy,MSK,RU 102422

Billing Contactor:
Name-- Shestakov Yuriy
EMail-: (alexeyvas@safe-mail.net)
tel --: +7.9218839910
org: Shestakov Yuriy
Lenina 21 16
Mirniy,MSK,RU 102422


Registration Service Provider:
name: Shestakov Yuriy
tel: +7.9218839910
fax: +7.9218839910
web:


Let's examine what else those DNS servers are supporting:

ns1.kolberacn.com

lolita-bbs.name NS ns1.kolberacn.com
ns1.kolberacn.com A 68.48.197.101
ns1.kolberacn.com A 68.80.158.76
ns1.kolberacn.com A 72.2.13.24
ns1.kolberacn.com A 75.60.192.242
ns1.kolberacn.com A 75.187.202.144
ns1.kolberacn.com A 97.82.229.170
ns1.kolberacn.com A 98.229.69.62
ns1.kolberacn.com A 99.245.182.179
xlpreview.com NS ns1.kolberacn.com
sys82.net NS ns1.kolberacn.com
com94.net NS ns1.kolberacn.com
weblola.net NS ns1.kolberacn.com
littlelolita.net NS ns1.kolberacn.com
nude-kids.net NS ns1.kolberacn.com
xlsites.net NS ns1.kolberacn.com

The server state is: 201 Okay


ns2.kolberacn.com

lolita-bbs.name NS ns2.kolberacn.com
ns2.kolberacn.com A 65.182.248.145
ns2.kolberacn.com A 66.30.49.194
ns2.kolberacn.com A 68.48.197.101
ns2.kolberacn.com A 68.80.158.76
ns2.kolberacn.com A 69.208.85.23
ns2.kolberacn.com A 72.2.13.24
ns2.kolberacn.com A 75.60.192.242
ns2.kolberacn.com A 76.112.161.176
ns2.kolberacn.com A 99.245.182.179
ns2.kolberacn.com A 209.60.226.164
ns2.kolberacn.com A 209.252.169.130
xlpreview.com NS ns2.kolberacn.com
sys82.net NS ns2.kolberacn.com
com94.net NS ns2.kolberacn.com
weblola.net NS ns2.kolberacn.com
littlelolita.net NS ns2.kolberacn.com
nude-kids.net NS ns2.kolberacn.com
xlsites.net NS ns2.kolberacn.com

The server state is: 201 Okay


And the rest are supporting several other domains featuring the eNom phishing setup.

Note the diversity of the IP addresses associated with those name servers: every single one of these domains is being hosted via a botnet, presumably home computers infected with Asprox. I had been reading up on several investigations into that botnet, and now it appears to be directly a part of my own spam investigations.
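The tell in the records above is a single name server hostname resolving to many A records scattered across unrelated consumer address blocks. The script below, an added example and not part of the original post, turns that observation into a repeatable check: it parses records in the same "name type value" layout shown above, counts A records and distinct /16 blocks per name server (a cheap stand-in for ASN diversity), flags servers that exceed both thresholds, and lists the zones delegated to them. The input is constructed from the ns1.kolberacn.com records quoted above plus a hypothetical well-behaved server (ns1.example.net) for contrast; the thresholds are assumptions, not values from the post.

```python
import ipaddress
from collections import defaultdict

# Constructed sample input: the ns1.kolberacn.com records quoted in the post,
# plus a hypothetical well-behaved name server (ns1.example.net) for contrast.
SAMPLE_RECORDS = """\
ns1.kolberacn.com A 68.48.197.101
ns1.kolberacn.com A 68.80.158.76
ns1.kolberacn.com A 72.2.13.24
ns1.kolberacn.com A 75.60.192.242
ns1.kolberacn.com A 75.187.202.144
ns1.kolberacn.com A 97.82.229.170
ns1.kolberacn.com A 98.229.69.62
ns1.kolberacn.com A 99.245.182.179
xlpreview.com NS ns1.kolberacn.com
sys82.net NS ns1.kolberacn.com
com94.net NS ns1.kolberacn.com
ns1.example.net A 192.0.2.10
ns1.example.net A 192.0.2.11
example.org NS ns1.example.net
"""


def parse_records(text):
    """Parse '<name> <type> <value>' lines into (name, type, value) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        name, rtype, value = parts
        records.append((name.lower(), rtype.upper(), value.lower()))
    return records


def a_records_by_host(records):
    """Map each hostname to the set of IPv4 addresses its A records carry."""
    hosts = defaultdict(set)
    for name, rtype, value in records:
        if rtype != "A":
            continue
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            continue  # not a parseable address; ignore
        if ip.version == 4:
            hosts[name].add(ip)
    return hosts


def distinct_prefixes(ips, prefix_len=16):
    """Distinct /prefix_len blocks the addresses fall in. This approximates
    ASN diversity; a production pipeline would look up the real ASN."""
    return {int(ip) >> (32 - prefix_len) for ip in ips}


def score_name_servers(records, min_ips=5, min_prefixes=4):
    """Return {host: (a_record_count, prefix_count, flagged)} for every host
    with A records. A host is flagged when it has at least min_ips addresses
    spread over at least min_prefixes distinct blocks (assumed thresholds)."""
    scores = {}
    for host, ips in a_records_by_host(records).items():
        n_ips = len(ips)
        n_pfx = len(distinct_prefixes(ips))
        scores[host] = (n_ips, n_pfx, n_ips >= min_ips and n_pfx >= min_prefixes)
    return scores


def zones_on_flagged_servers(records, scores):
    """Sorted list of zones whose NS records point at a flagged name server."""
    flagged = {host for host, (_, _, is_flagged) in scores.items() if is_flagged}
    return sorted({name for name, rtype, value in records
                   if rtype == "NS" and value in flagged})


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    scores = score_name_servers(recs)
    for host, (n_ips, n_pfx, is_flagged) in sorted(scores.items()):
        verdict = "FAST-FLUX?" if is_flagged else "ok"
        print(f"{host:20} A records={n_ips:2} /16 blocks={n_pfx:2}  {verdict}")
    print("zones to review:", zones_on_flagged_servers(recs, scores))
```

A large CDN or anycast operator also answers with many addresses, so treat the flag as a reason to look closer (record TTLs, whether the addresses sit in residential ranges, whether they rotate between queries) rather than as a verdict on its own.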

Many of the domains supported by those name servers are, of course, sites which promote, sell, and distribute child pornography. Fortunately, as I write this, none of these sites are responding. (Good work on getting those shut down, whoever you are.)

A quick investigation of one of those sites leads to a payment processing site known as Avalonpay.com. A quick search on that domain turns up an interesting blog entry on matchent.com concerning a similar investigation. The registrant contact data for that domain includes the company name "Absolutee Corp. Ltd.", allegedly based in Hong Kong:

Note the company name used, ABSOLUTEE CORP. LTD.
Compare with an article in Wired News about the Russian Business Network from October 2007, http://www.wired.com/politics/security/news/2007/10/russian_network , which says:

"Jaret [note: speaking on behalf of RBN] also says there's no mystery about the company's ownership. According to Jaret, an offshore company called First Connect Telecom Limited Inc. owns RBN, though the company's principals remain anonymous. The registration information for the company's website lists a company called Absolutee Corp. LTD as the owner of the domain name."

The article also mentioned that the whois info for RBN was changed later. And it has now expired.


So:

- eNom Phishing sites (all featuring alexeyvas@safe-mail.net contact email in whois.)
- Rogue DNS servers (All featuring fake Chinese registrant information in whois.)
- Child porn sites (All featuring absolutee.com registrant information in whois.)
- Avalonpay.com (Payment processor for child porn sites, also featuring absolutee.com registrant information in whois.)

ALL hosted using botnet-supported fast-flux servers.

You would think that this guy's days in this industry were numbered, but sadly you'd be wrong, at least to gauge it from how long he's maintained these operations.

I would love it if anyone from Russian law enforcement would investigate this scumbag. I guess I would first have to figure out how much they charge to do that. (Pardon my cynicism.)

Stay far, far away from any email related to these eNom "security bulletin" emails.

SiL / IKS / concerned citizen

Thursday, October 23, 2008

Is UADreams the new VPXL?

UADreams (Formerly UALadys) is back to spamming everybody whether they want it or not with 100% bogus "Russian dating" messages. Here's a sampling from mere moments ago:

Subject: RE: Message 00

Im a charming blue-eyed blonde, who looks for a male pen friend, or just a man to talk with on Skype or in real life!

Don't loose time and come get registered FREE at: http://el1te-russ1an-g1rls.com/?idAff=5


Subject: RE: Message 61

I'm a beautiful girl, who looks for a male pen friend, or just a man to talk with on Skype or in real life!

I have registered my profile at: http://el1te-russ1an-g1rls.com/?idAff=5


Subject: RE: Message 11

I'm a beautiful girl, who looks for a male pen friend, or just a man to talk with on Skype or in real life!

My home page: http://el1te-russ1an-g1rls.com/?idAff=5


Subject: RE: Message 54

I'm a hot brunette girl, who looks for a male pen friend, or just a man to talk with on Skype or in real life!

My home page: http://el1te-russ1an-g1rls.com/?idAff=5


Subject: RE: Message 30

I am an atractive blonde, and I'm searching for a man to chat with by email or by Skype, or even meet in reality!

My home page: http://el1te-russ1an-g1rls.com/?idAff=5


Of course I never initiated any communication with anyone in Russia (so why would there be a "Re:" in the subject in the first place?). This same affiliate (idAff=5) is sending me, on average, five to ten of these per hour, and the wording makes it clear he has no idea whatsoever what he's doing. Nobody should be dumb enough to click on any of these messages, especially since they all arrived virtually simultaneously.
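Three of the signals above are mechanical enough to filter on: a subject that claims to be a reply with no In-Reply-To or References header behind it, the same affiliate-tagged URL across every message, and a burst of arrivals in a short window. The script below is an added example, not code from the original post: it clusters messages by the (host, idAff) pair in their links, counts fake replies per cluster, and computes the arrival rate. The message headers and timestamps are constructed; the bodies and URL are taken from the samples quoted above, and the cluster-size threshold is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Constructed sample: the five spam bodies quoted above with made-up headers,
# plus one genuine reply (carrying In-Reply-To) that should not be clustered.
SPAM_URL = "http://el1te-russ1an-g1rls.com/?idAff=5"
SAMPLE_MESSAGES = [
    {"subject": "RE: Message 00", "date": "2008-10-23T14:02:00", "in_reply_to": None,
     "body": "Im a charming blue-eyed blonde ... come get registered FREE at: " + SPAM_URL},
    {"subject": "RE: Message 61", "date": "2008-10-23T14:03:00", "in_reply_to": None,
     "body": "I'm a beautiful girl ... I have registered my profile at: " + SPAM_URL},
    {"subject": "RE: Message 11", "date": "2008-10-23T14:04:00", "in_reply_to": None,
     "body": "I'm a beautiful girl ... My home page: " + SPAM_URL},
    {"subject": "RE: Message 54", "date": "2008-10-23T14:05:00", "in_reply_to": None,
     "body": "I'm a hot brunette girl ... My home page: " + SPAM_URL},
    {"subject": "RE: Message 30", "date": "2008-10-23T14:06:00", "in_reply_to": None,
     "body": "I am an atractive blonde ... My home page: " + SPAM_URL},
    {"subject": "Re: lunch on Friday?", "date": "2008-10-23T14:07:00",
     "in_reply_to": "<constructed-id@example.com>",
     "body": "Sure, menu is at http://example.com/menu"},
]

URL_RE = re.compile(r"https?://[^\s<>)\]]+")


def fake_reply(msg):
    """True when the subject claims to be a reply but no threading header exists."""
    looks_like_reply = re.match(r"\s*re:", msg["subject"], re.IGNORECASE) is not None
    return looks_like_reply and not msg.get("in_reply_to")


def affiliate_key(msg):
    """(hostname, idAff) of the first body URL carrying an idAff parameter, else None."""
    for url in URL_RE.findall(msg["body"]):
        parsed = urlparse(url)
        aff = parse_qs(parsed.query).get("idAff")
        if aff:
            return (parsed.hostname, aff[0])
    return None


def cluster_by_affiliate(messages):
    """Group messages that advertise the same (host, idAff) pair."""
    clusters = defaultdict(list)
    for msg in messages:
        key = affiliate_key(msg)
        if key is not None:
            clusters[key].append(msg)
    return clusters


def rate_per_hour(messages):
    """Messages per hour over the span from first to last arrival (floored at one minute)."""
    times = sorted(datetime.fromisoformat(m["date"]) for m in messages)
    span_seconds = max((times[-1] - times[0]).total_seconds(), 60.0)
    return len(times) / (span_seconds / 3600.0)


def report(messages, min_cluster=3):
    """One finding per affiliate cluster of at least min_cluster messages (assumed threshold)."""
    findings = []
    for (host, aff), msgs in cluster_by_affiliate(messages).items():
        if len(msgs) < min_cluster:
            continue
        findings.append({
            "host": host,
            "idAff": aff,
            "count": len(msgs),
            "fake_replies": sum(1 for m in msgs if fake_reply(m)),
            "per_hour": round(rate_per_hour(msgs), 1),
        })
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_MESSAGES):
        print(finding)
```

Clustering on the affiliate id rather than the sender address is the point: the sending hosts rotate, but the idAff value is what the mailer gets paid on, so it stays constant across the whole run.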

Ignoring all of that: who describes themselves this way? There's just no basis in reality for any of these messages. Also: nobody is dumb enough to assume they are the sole object of this "woman's" affection. Literally everyone I discuss spam with has received these messages, and continues to do so.

This affiliate was previously sending me non-stop VPXL spam (prior to the shutdown of SanCash / AffKing, of course.) I can tell simply because he's applying the same template and frequency to this "UADreams" spam run. He also mails on behalf of GlavMed / Spamit and is among the mailers sending four times as much "Canadian Pharmacy" spam to everyone on the planet.

I've blogged about UALadys in the past. They clearly have no problem paying mailers to send millions of messages illegally to anybody. This idiot has no idea who's in his lists, and he doesn't care. I could be a 98 year old woman or a five year old boy. He will still assume I am interested in meeting a Russian woman to date and / or marry. This is the typical intellect of the average mailer. Not only do they not segment their lists or clean them, they just flat-out have no idea whatsoever of who is in their lists. Yet they believe it's up to us to take care of that by "just deleting" the millions -- or billions, as we've seen recently -- of messages they clog the Internet with on a daily basis.

Needless to say: you should never join ANY dating site which uses unsolicited email to promote itself.

SiL / IKS / concerned citizen

Tuesday, October 14, 2008

GenBucks + SanCash + AffKing + Tulip Lab + Shane and Lance Atkinson: BUH BYE!

A quick note today about some recent news which I think we've all been expecting for some time now.

Shane Atkinson, his brother Lance, and several others are currently the subject of intense legal action against the by-now well-known spam operation SanCash, aka GenBucks.

If you caught any of the news last year regarding this setup, you might remember the BBC4 report which connected several dots between Atkinson, GenBucks, a product called "Manster" and a company called Tulip Lab.

Well two very big announcements today confirm, and place in the public record, that this investigative work was definitely on the right track.

This story, posted mere minutes ago, outlines pending fines of $200,000 per person against Shane and Lance Atkinson (together the foundation of SanCash) and Roland Smits, and also confirms that they ran both GenBucks and SanCash to promote what are now confirmed to be bogus and / or dangerous products manufactured and distributed by Tulip Lab, most notably Express Herbal (sold under approximately a dozen names over the past two years).

It gets better: the US Federal Trade Commission has also taken action against the above-mentioned operators of GenBucks / SanCash, as well as Jody Smith, a resident of Texas, and four companies they operate. The FTC further mentions the widespread illegality of how they sent their messages (using an internationally-seeded botnet), and also mentions AffKing, which is what SanCash used to be called.

Assets for all of the above entities have been frozen, effectively cutting off the profit source for any mailers who still insist on promoting these bogus, dangerous products.

The FTC press release puts a very fine point on the rampant falsehoods perpetrated on a daily (hell: hourly) basis by these criminals:

One product called "VPXL" was touted as an herbal male-enhancement pill. Advertised as "100% herbal and safe," it supposedly caused a permanent increase in the size of a user's penis. The agency alleged that not only did the pills not work, but they were neither "100% herbal" nor "safe," because they contained sildenafil – the active ingredient in Viagra. At the FTC's request, the pills were tested by the FDA. According to medical experts, men taking nitrate-containing drugs – which are commonly prescribed to treat diabetes, high blood pressure, high cholesterol, or heart disease – can experience an unsafe drop in their blood pressure when they also take sildenafil.


And more:

The FTC also alleges that the defendants made false claims about the security of consumers' credit card information and the other data they were required to provide to buy goods. In operating the online pharmacy, which was called "Target Pharmacy" and later "Canadian Healthcare," the defendants' Web site assured potential consumers that "TARGET PHARMACY treats your personal information (including credit card data) with the highest level of security," according to papers filed with the court. The Web site went on to describe its encryption process, which supposedly involved "Secure Socket Layer (SSL) technology." FTC investigators, however, found no indication that the Web sites were encrypted using SSL technology.

The FTC also challenged claims made for a weight-loss supplement pill purportedly containing Hoodia gordonii, a cactus-like plant found in southern Africa that supposedly could cause users to lose up to six pounds a week. The FTC charged that the claims were false and violated federal law.


Really: just read the whole thing. It'll bring a huge smile to your face. If you have an email address, you've most likely (98% chance) received spam for these "products", and anybody with half a brain already knows most of what was just quoted above.

This is a good day, and makes this among the worst years ever for illegal spammers, as well as their sponsors and supply chain operators.

I fully expect to see lots of nonchalant postings on any of the remaining underground spam forums (whatever happened to Bulkerforum.biz anyway?). They can all claim that we should have all "just deleted" all of the billions of inbound messages that these scumbags continually pumped into everybody's inboxes with impunity. They're wrong. [How does one "just delete" 3000 of these per day without throwing the baby out with the bathwater? They've essentially ruined email as a usable form of communication.]

My congratulations and gratitude go out to members of New Zealand law enforcement who worked so diligently over the past 9 months to fully investigate these cretins. Also: kudos to the author of spaminmyinbox.com who did such great investigative work on his own, as well as Simon Cox from the BBC.

SiL / IKS / concerned citizen