With Microsoft's latest Security Intelligence Report indicating that scareware/fake security software continues growing, it's worth exposing some of the currently circulating rogue security software domains, their registrants, and the usual "Deja Vu" moment putting the spotlight on well-known RBN web properties, whose exposure demonstrates that some of the groups that I've been tracking are still alive and kicking, but this time are much more actively monetizing their cybercrime committing capabilities.
avs-online-scan .org (209.250.241.164) Oleg Bajenov Email: oleg.bajenov@gmail.com
av-lookup .org
am-scan .com
system-scan-1 .biz
sys-scanner-1 .biz
sys-scan-wiz .biz
scanner-wiz-1 .com
webwidesecurity .com (94.247.3.3) Rosalind Lewis Email: RosalindRLewis@text2re.com
webprotectionscan .com
greatvirusscan .com
beststabilityscans .com
todaybestscan .com (174.129.241.185; 174.129.244.106; 209.44.126.14) Elliott Cameron Email: support@zitoclick.com; Anatolij Andreev Email: yeep33@gmail.com
thebestsecurityspot .com
securitytopagent .com
inetsecuritycenter .com
fullandtotalsecurity .com
activesecurityshield .com
getpcguard .com
websecurityvoice .com
onlinescanservice .com
scanalertspage .com
scanbaseonline .com
bestsecurityupdate .com
getsecuritywall .com
bestfiresfull .com
initialsecurityscan .com
websecuritymaster .com
runpcscannow .com
thegreatsecurity .com
truescansecurity .com
checkonlinesecurity .com
spy-protector-pro .com
DNS servers of notice:
ns1.ahuliard .com
ns2.ahuliard .com
ns1.fuckmoneycash .com
ns2.fuckmoneycash .com
ns1.zitodns .com
ns2.zitodns .com
Now comes the deja vu moment. At 174.129.241.185 and 174.129.244.106 we also have parked ilovemyloves .com one of the domains used in the iFrame attack during the "Possibility Media's Malware Fiasco" back in 2007 which was then parked at the RBN's HostFresh ifrastructure (58.65.239.28). Behind the malware campaign back then was the New Media Malware Gang" (Part Three; Part Two and Part One) which was not only using RBN services, but was directly cooperating with the Storm Worm authors. Among their most recent campaigns was the groups direct involvement in the malware campaigns at the Azerbaijanian Embassies in Pakistan and Hungary.
It gets even more interesting to see what they're up to in 2009, considering the fact that they have also parked domains used (174.129.241.185 and 174.129.244.106) in currently ongoing Facebook phishing campaign, which is switching themes from Match.com to Classmates.com :
facebook.shared.id-pegxaaei62.emberuiweb .765access.com
facebook.shared.id-0izlud0w6j.launchpad .765access.com
facebook.shared.id-6oxyclcpus.initiated .765access.com
facebook.shared.id-6xcse5q79c.usermanage .765access.com
facebook.shared.id-9q0bfta8bf.login .765access.com
facebook.shared.id-l8rz3d87j7.processlogon .765access.com
facebook.shared.id-m071qcxkf3.version .765access.com
facebook.shared.id-ao7zx28bhw.identification .765access.com
facebook.shared.id-usxeye68vn.secureconnection .765access.com
facebook.shared.id-lc9i4p09yi.disbursements .765access.com
facebook.shared.id-6y8nzpemkx.securedocuments .765access.com
facebook.shared.id-0u1o0e9gyj.cebmainservlet .765access.com
facebook.shared.id-4b16kzpiuk.ceptservlet .765access.com
facebook.shared.id-xqa6odo94z.content .765access.com
facebook.shared.id-5u10q3vp8q.completeserv .765access.com
facebook.shared.id-ql2fzhydat.intvitation .9845account.com
facebook.shared.id-5ajv5861qd.securedocuments .9845account.com
facebook.shared.id-3dcznhmord.statement .9845account.com
facebook.shared.id-o6lo04atww.statement .9845account.com
The group has clearly diversified its activities, but continues relying on its well known portfolio of domains as a foundation.
Related posts:
A Diverse Portfolio of Fake Security Software - Part Seventeen
A Diverse Portfolio of Fake Security Software - Part Sixteen
A Diverse Portfolio of Fake Security Software - Part Fifteen
A Diverse Portfolio of Fake Security Software - Part Fourteen
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software
Independent Contractor. Bitcoin: 15Zvie1j8CjSR52doVSZSjctCDSx3pDjKZ Email: dancho.danchev@hush.com OMEMO: ddanchev@conversations.im | OTR: danchodanchev@xmpp.jp | TOX ID: 2E6FCA35A18AA76B2CCE33B55404A796F077CADA56F38922A1988AA381AE617A15D3D3E3E6F1
Wednesday, April 08, 2009
A Diverse Portfolio of Fake Security Software - Part Eighteen
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment