Investigating these phishing attempts leads down a very dark hole indeed.
The eNom phishing sites are attempting to gather up domain information. For what purposes exactly is unsure, but I'm sure you could imagine: theft of a large number of domains, redirection of previously "good" domains to harmful content.
The contact information on these sites is all identical, and should be familiar to anyone who investigates this crap. Let's take one example domain, sys82.net:
Whois sys82.net
Domain Name: SYS82.NET
Registrar: ONLINENIC, INC.
Whois Server: whois.onlinenic.com
Referral URL: http://www.OnlineNIC.com
Name Server: NS1.KOLBERACN.COM
Name Server: NS2.KOLBERACN.COM
Name Server: NS3.KOLBERACN.COM
Name Server: NS4.KOLBERACN.COM
Name Server: NS5.KOLBERACN.COM
Status: ok
Updated Date: 25-oct-2008
Creation Date: 25-oct-2008
Expiration Date: 25-oct-2009
...
Domain servers in listed order:
ns1.kolberacn.com ns2.kolberacn.com
Administrator:
Name-- Shestakov Yuriy
EMail-: (alexeyvas@safe-mail.net)
tel --: +7.9218839910
org: Shestakov Yuriy
Lenina 21 16
Mirniy,MSK,RU 102422
Technical Contactor:
Name-- Shestakov Yuriy
EMail-: (alexeyvas@safe-mail.net)
tel --: +7.9218839910
org: Shestakov Yuriy
Lenina 21 16
Mirniy,MSK,RU 102422
Billing Contactor:
Name-- Shestakov Yuriy
EMail-: (alexeyvas@safe-mail.net)
tel --: +7.9218839910
org: Shestakov Yuriy
Lenina 21 16
Mirniy,MSK,RU 102422
Registration Service Provider:
name: Shestakov Yuriy
tel: +7.9218839910
fax: +7.9218839910
web:
Let's examine what else those dns servers are supporting:
ns1.kolberacn.com
lolita-bbs.name NS ns1.kolberacn.com
ns1.kolberacn.com A 68.48.197.101
ns1.kolberacn.com A 68.80.158.76
ns1.kolberacn.com A 72.2.13.24
ns1.kolberacn.com A 75.60.192.242
ns1.kolberacn.com A 75.187.202.144
ns1.kolberacn.com A 97.82.229.170
ns1.kolberacn.com A 98.229.69.62
ns1.kolberacn.com A 99.245.182.179
xlpreview.com NS ns1.kolberacn.com
sys82.net NS ns1.kolberacn.com
com94.net NS ns1.kolberacn.com
weblola.net NS ns1.kolberacn.com
littlelolita.net NS ns1.kolberacn.com
nude-kids.net NS ns1.kolberacn.com
xlsites.net NS ns1.kolberacn.com
The server state is: 201 Okay
ns2.kolberacn.com
lolita-bbs.name NS ns2.kolberacn.com
ns2.kolberacn.com A 65.182.248.145
ns2.kolberacn.com A 66.30.49.194
ns2.kolberacn.com A 68.48.197.101
ns2.kolberacn.com A 68.80.158.76
ns2.kolberacn.com A 69.208.85.23
ns2.kolberacn.com A 72.2.13.24
ns2.kolberacn.com A 75.60.192.242
ns2.kolberacn.com A 76.112.161.176
ns2.kolberacn.com A 99.245.182.179
ns2.kolberacn.com A 209.60.226.164
ns2.kolberacn.com A 209.252.169.130
xlpreview.com NS ns2.kolberacn.com
sys82.net NS ns2.kolberacn.com
com94.net NS ns2.kolberacn.com
weblola.net NS ns2.kolberacn.com
littlelolita.net NS ns2.kolberacn.com
nude-kids.net NS ns2.kolberacn.com
xlsites.net NS ns2.kolberacn.com
The server state is: 201 Okay
And the rest are supporting several other domains featuring the enom phishing setup.
Note the diversity of the ip addresses associated with those domains: every single one of these is being hosted via a botnet, assumedly home computers infected with the Asprox infection. I had been reading up on several investigations into that exploit, and now it appears it's directly a part of my own spam investigations.
Many of the domains supported by those name servers are, of course, sites which promote, sell, and distribute child pornography. Fortunately, as I write this, all of these sites are not responding. (Good work on getting those shut down, whoever you are.)
A quick investigation of one of those sites leads to a payment processing site known as Avalonpay.com. A quick search on that domain turns up an interesting blog entry on matchent.com concerning a similar investigation. The registrant contact data for that domain includes the company name "Absolutee Corp. Ltd.", allegedly based in Hong Kong:
Note the company name used, ABSOLUTEE CORP. LTD.
Compare with an article in Wired News, http://www.wired.com/politics/security/news/2007/10/russian_network , about the Russian Business Network from October 2007, quote:
"Jaret [note: speaking on behalf of RBN] also says there's no mystery about the company's ownership. According to Jaret, an offshore company called First Connect Telecom Limited Inc. owns RBN, though the company's principals remain anonymous. The registration information for the company's website lists a company called Absolutee Corp. LTD as the owner of the domain name. "
The article also mentioned that the whois info for RBN was changed later. And it has now expired.
So:
- eNom Phishing sites (all featuring alexeyvas@safe-mail.net contact email in whois.)
- Rogue DNS servers (All featuring fake Chinese registrant information in whois.)
- Child porn sites (All featuring absolutee.com registrant information in whois.)
- Avalonpay.com (Payment processor for child porn sites, also featuring absolutee.com registrant information in whois.)
ALL hosted using botnet-supported fast-flux servers.
You would think that this guy's days in this industry were numbered, but sadly you'd be wrong, at least to gauge it from how long he's maintained these operations.
I would love it if anyone from Russian law enforcement would investigate this scumbag. I guess I would first have to figure out how much they charge to do that. (Pardon my cynicism.)
Stay far, far away from any email related to these eNom "securiy bulletin" emails.
SiL / IKS / concerned citizen
5 comments:
Thank you for this site. I run a music business and I am sick and tired of friggin spammers. I really do want to kill spammers. LOL. I will keep reading this blog with hopes that I learn to better defend myself.
Thank you so much for your blog on glavmed. I have tried fo four months to have Caroline at ICANN take glavmed.com down due to fraudulent WHOIS, without any response from ICANN. Glavmed uses Regtime, a Russian regsitrar [beleive it or not an ICANN approved registrar!!]and provides contact deatils as follows:
Registrar: Regtime Ltd.
Creation date: 2009-01-15
Expiration date: 2013-03-14
Registrant:
PHARMOS LIMITED
Email: info@glavmed.com
Organization: PHARMOS LIMITED
Address: 177 WHALLEY RANGE
City: BLACKBURN
State: LANCS
ZIP: BB1 6NL
Country: GB
Phone: +1.8778062747
Fax: +1.8778062747
Administrative Contact:
PHARMOS LIMITED
Email: info@glavmed.com
Organization: PHARMOS LIMITED
Address: 177 WHALLEY RANGE
City: BLACKBURN
State: LANCS
ZIP: BB1 6NL
Country: GB
Phone: +1.8778062747
Fax: +1.8778062747
Technical Contact:
PHARMOS LIMITED
Email: info@glavmed.com
Organization: PHARMOS LIMITED
Address: 177 WHALLEY RANGE
City: BLACKBURN
State: LANCS
ZIP: BB1 6NL
Country: GB
Phone: +1.8778062747
Fax: +1.8778062747
Billing Contact:
PHARMOS LIMITED
Email: info@glavmed.com
Organization: PHARMOS LIMITED
Address: 177 WHALLEY RANGE
City: BLACKBURN
State: LANCS
ZIP: BB1 6NL
Country: GB
Phone: +1.8778062747
Fax: +1.8778062747
Pharmos LTD has no listed phone number in the UK, although one business blog site mentions the company's alleged assets. I sent a registered letter to Pharmos LTD, and it was returned as undeliverable, no usch addressee. I rang the Lancashire UK police who informed that the address is actually a truckstop-service station on a main highway. The email address never responds to my many complaints. The phone number is a blind answering device, I have left messages which never receive responses. The phone is provided by Kall8 out of Seattle, and that compnay refuses to shut the service down, saying that the customer pays his bills on time. I know tehse crims are mobile, they move from regstrar to phone compnat etc. But why cannot we at I Kill Spammers make a concerted effort to have Kall8 shut down glavmed's phone number by mentioning that they will be referred to law enforcement? and why cannot we make a similar focussed effort to have ICANN shut down the domain registration and place Regtime on notcie that any further spammer registrations will result in termination from ICANN? While we are at it, how can we locate the phone company that provides 888 numbers to that pryamid scammer/spammer with messages, "Hi Juliana here!" By ensuring that phone service providers know we are on the warpath against fradulent services, we have another prong of attack against spammers eh?
Here finally is the response from VISA USA regarding their policy to allow VISA's continued acquiesence in giving spammers access to VISA credit facilities. As they say, money is everything:
Thank you for your inquiry. Visa sets high standards for all its products and services; however, the fact that a merchant displays the Visa logo or uses it on a Visa sales draft, does not indicate that Visa endorses the merchant, nor does it guarantee the quality of goods or services purchased from the merchant.
To verify the legitimacy of a business, you may wish to contact local and regional organizations, such as the trade licensing bureaus, government regulatory and consumer protection agencies, to inquire.
In addition to the above, please notify the disputes area at the financial institution that services the card account of any merchant practices that you feel are inappropriate. The card issuing bank has access to the appropriate Visa rules and regulations as well as to the Notification of Customer Complaint forms which should be used by your bank to document and file merchant complaints. It is not necessary for your bank to be the offending merchant's financial institution in order to file a complaint for you.
We hope this information is useful.
Thanks for writing.
Visa Webmaster
The past week has notcied a drastic reduction in spam--no more Rabbit Vibrator; only one Canadian Pharmacy every second day; the occasional Jonathan Parr "gifting" phone call scam; NO phoney watches or software. Good on yas all for not deleting and for reporting it all to IP adminstrators, ICANN, IANA, the FBI, various state Attorneys General, and other agencies. Hopefully by the end of this year we will have spammers on the run or imprisoned.
To the anonymous commenter claiming to represent "avalonpayments.com":
a) You commented anonymously and provided no contact information. Therefore I'm not able to discuss your alleged issue.
b) When I google "Avalonpayments" as you suggested), this posting does not appear, at all.
c) You're commenting on a three-year-old article. Don't you have something better to argue about?
I left pretty specific instructions on my commenting form as to how to post a comment. Please follow them.
SiL
Post a Comment