Your future template-based wife is here, waiting not only for you but also for the hundreds of thousands of gullible, spammed future husbands.
Our "dear friends" at Confidential Connections are at it again - spamming out bogus dating profiles, introducing new domains and inevitably exposing the phony company's connections with managed spam services operated by money mules, and sharing DNS servers with more cybercrime-facilitating parties.
As in their previous campaigns, they're spamming from LRouen-152-82-6-202.w80-13.abo.wanadoo.fr [80.13.101.202], and here's the most recent portfolio of domains used in the spam campaigns parked at 62.90.136.207:
Let's connect the dots, shall we? Notice some of the registrants' emails, namely supportnewest@safe-mail.net and sup3portne3west@safe-mail.net. It gets even more interesting when you consider that the money laundering group's botnet command and control domain was registered to supp3ortnewest@safe-mail.net. Moreover, among the unique usernames used exclusively by this botnet was in fact the one used in Confidential Connections spam campaigns, confirming their connection.
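The registrant-email pivot made above, as an added example (not code from the original post): it groups domains whose registrant addresses differ only by digits inserted into the local part, as the three safe-mail.net addresses quoted above do. The domain names, the proxy-style addresses and the `MIN_LETTERS` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records: (domain, registrant email). The domains are
# placeholders; the three safe-mail.net addresses are the ones quoted in the post.
RECORDS = [
    ("dating-site-a.example", "supportnewest@safe-mail.net"),
    ("dating-site-b.example", "supportnewest@safe-mail.net"),
    ("dating-site-c.example", "sup3portne3west@safe-mail.net"),
    ("botnet-c2.example", "supp3ortnewest@safe-mail.net"),
    ("unrelated-a.example", "lo1111111111111@proxy.example"),
    ("unrelated-b.example", "lo2222222222222@proxy.example"),
    ("unrelated-c.example", "someone.else@mail.example"),
]

MIN_LETTERS = 6  # assumption: shorter skeletons are too generic to pivot on


def skeleton(email):
    """Return a comparison key with digits dropped from the local part,
    or None when too few characters remain to be meaningful."""
    local, _, host = email.strip().lower().rpartition("@")
    stripped = re.sub(r"\d", "", local)
    if not local or len(stripped) < MIN_LETTERS:
        return None
    return f"{stripped}@{host}"


def cluster_by_registrant(records):
    """Group domains whose registrant emails share a skeleton, keeping only
    clusters that span more than one distinct address spelling."""
    emails = defaultdict(set)
    domains = defaultdict(set)
    for domain, email in records:
        key = skeleton(email)
        if key is None:
            continue
        emails[key].add(email.lower())
        domains[key].add(domain.lower())
    return {
        key: {"emails": sorted(emails[key]), "domains": sorted(domains[key])}
        for key in emails
        if len(emails[key]) > 1
    }


if __name__ == "__main__":
    for key, hit in cluster_by_registrant(RECORDS).items():
        print(key, hit["emails"], hit["domains"], sep="\n  ")
```

Addresses that are mostly digits, like the proxy-style ones in the sample, are skipped on purpose: stripping their digits leaves a two-letter stub that would merge unrelated registrations.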
Naturally, Confidential Connections are also rubbing shoulders with more cybercrime-facilitating domains sharing the same DNS infrastructure (ns1.srv .com).
For instance, superfuturebiz .com/maingovermnfer5 .com, where Trojan-Spy.Win32.Zbot.uyn is hosted at maingovermnfer5 .com/anyfldr/demo.exe, which, once executed, attempts to download Zeus crimeware from maingovermnfer5 .com/anyfldr/cfg.bin.
Moreover, there is carder-shop .com, an ex-Atrivo darling; yourmagicpills .com, a typical pharmaceutical scam; zaikib .in, a malware command and control; and eefs .info, a phony "East Europe Financial System" that looks like a typical money mule recruitment operation.
Tuesday, June 02, 2009
Dating Spam Campaign Promotes Bogus Dating Agency - Part Two