Friday, June 05, 2009

A Diverse Portfolio of Fake Security Software - Part Twenty One

The ongoing abuse of AS10929; NETELLIGENT Hosting Services Inc. for scareware distribution purposes is peaking once again, which combined with the well-proven traffic acquisition tactics the campaigners take advantage of, prompts me to proactively undermine the effectiveness of the campaigns by ruining the monetization factor.

Next to listing the scareware domains currently in circulation, part twenty one of the Diverse Portfolio of Fake Security Software series puts the spotlight on the so-called payment processors maintained by phony in-house operations.

The following scareware domains are parked exclusively within AS10929; NETELLIGENT Hosting Services Inc.'s network, on 209.44.126.102 in particular:

fanscan4 .com 209.44.126.102 Email: brmargul@gmail.com
rayscan4 .com Email: brmargul@gmail.com
scantop4 .com Email: ansouthe@gmail.com
scanlist6 .com Email: metamant@gmail.com
goscanfine .com Email: chirelqas@gmail.com
goscanone .com Email: canrcnad@gmail.com
scan4note .com Email: ansouthe@gmail.com
in4ck .com Email: taboussybr@gmail.com
goscanwork .com Email: govemati@gmail.com
in4tk .com Email: skeltonrw@gmail.com
goscanatom .com Email: gleyersth@gmail.com
top4scan .com Email: ansouthe@gmail.com
slot6scan .com Email: metamant@gmail.com
gometascan .com Email: ricboin@gmail.com
gopagescan .com Email: tanehen@gmail.com
gofinescan .com Email: alcnafuch@gmail.com
goelitescan .com Email: funully@gmail.com
gorankscan .com Email: canrcnad@gmail.com
goworkscan .com Email: govemati@gmail.com
gogoalscan .com Email: chinrfi@gmail.com
gogenscan .com Email: tanehen@gmail.com
goautoscan .com Email: tanehen@gmail.com
goflexscan .com Email: alcnafuch@gmail.com
goscanauto .com Email: canrcnad@gmail.com
scan6slot .com Email: telerdomb@gmail.com
in4st .com Email: skeltonrw@gmail.com
scan6list .com Email: telerdomb@gmail.com
goscanflex .com Email: chirelqas@gmail.com

goscankey .com Email: ricboin@gmail.com
scanmeta4 .info Email: sitintu@gmail.com
scannote4 .info Email: sitintu@gmail.com
metascan4 .info Email: finewnrk@gmail.com
zonescan4 .info Email: mexnacc@gmail.com
notescan4 .info Email: finewnrk@gmail.com
miniscan4 .info Email: finewnrk@gmail.com
rankscan4 .info Email: mexnacc@gmail.com
atomscan4 .info Email: finewnrk@gmail.com
fanscan4 .info Email: finewnrk@gmail.com
genscan4 .info Email: finewnrk@gmail.com
autoscan4 .info Email: sitintu@gmail.com
topscan4 .info Email: finewnrk@gmail.com
starscan4 .info Email: finewnrk@gmail.com
fixscan4 .info Email: sitintu@gmail.com
mixscan4 .info Email: finewnrk@gmail.com
luxscan4 .info Email: finewnrk@gmail.com
rayscan4 .info Email: finewnrk@gmail.com
keyscan4 .info Email: sitintu@gmail.com
scangen4 .info Email: sitintu@gmail.com
scanauto4 .info Email: mexnacc@gmail.com

scantop4 .info Email: finewnrk@gmail.com
scanflex4 .info Email: mexnacc@gmail.com
scan4meta .info Email: finewnrk@gmail.com
scan6meta .info Email: donboset@gmail.com
scan4fine .info Email: mexnacc@gmail.com
meta4scan .info Email: finewnrk@gmail.com
note4scan .info Email: finewnrk@gmail.com
gen4scan .info Email: finewnrk@gmail.com
flex4scan .info Email: mexnacc@gmail.com
fix4scan .info Email: sitintu@gmail.com
key4scan .info Email: mexnacc@gmail.com
meta6scan .info Email: donboset@gmail.com
note6scan .info Email: donboset@gmail.com
scan4gen .info Email: finewnrk@gmail.com
scan6gen .info Email: donboset@gmail.com
scan4auto .info Email: sitintu@gmail.com
scan4top .info Email: finewnrk@gmail.com
scan4fix .info Email: sitintu@gmail.com
scan4key .info Email: sitintu@gmail.com
fine4scan .info Email: beelriel@gmail.com
scanmega4 .info Email: bnntnkmn@gmail.com
way4scan .info Email: bnntnkmn@gmail.com
scan4fan .info Email: myscarbe@gmail.com

Exceptions outside AS10929; NETELLIGENT Hosting Services Inc.:

ia-pro .com - 194.165.4.41; 200.63.45.224; 209.44.126.104 Email: abuse@domaincp.net.cn
generalantivirus .com Email: compalso@gmail.com
genpayment .com Email: seeingrud@gmail.com
livestopbadware .com Email: producergrom@gmail.com
av-payment .com Email: abuse@domaincp.net.cn
antimalware-live-scanv3 .com - 38.99.170.9; 78.47.91.153; 83.133.115.9; 89.47.237.52; 91.212.65.125 Email: immigration.beijing@footer.cn
antivirus-scanner-v1 .com Email: tareen@yahoo.com
proantivirusscannerv2 .com Email: ecindia@hotmail.com
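The lists above follow one plain-text convention: a defanged domain (a space before the TLD), optionally one or more hosting IPs, and the registrant email. Pivoting on the repeated registrant emails and the shared IP is what ties the individual domains into a campaign. As an added example that is not part of the original post, the following Python parses lines in that convention, refangs the domains, groups them by registrant email and by IP, flags domains listed more than once, and emits a deduplicated blocklist. The sample input is a handful of entries copied from the lists above (including the post's "Emaik" slip, which the parser tolerates); the parsing rule that "the second token starts with a dot" marks a domain line is my assumption about the post's notation, not a documented format.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied from the lists above, in the post's own
# defanged notation (a space before the TLD) so they do not render as links.
SAMPLE_LINES = """\
fanscan4 .com 209.44.126.102 Email: brmargul@gmail.com
rayscan4 .com Email: brmargul@gmail.com
scantop4 .com Email: ansouthe@gmail.com
scan6slot .com  Emaik: telerdomb@gmail.com
zonescan4 .info Email: mexnacc@gmail.com
zonescan4 .info Email: mexnacc@gmail.com
ia-pro .com - 194.165.4.41; 200.63.45.224; 209.44.126.104; 200.63.45.224 Email: abuse@domaincp.net.cn
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Accept "Email:" and the post's "Emaik:" misspelling alike.
EMAIL_RE = re.compile(r"Emai[lk]:\s*(\S+@\S+)", re.IGNORECASE)


def parse_line(line):
    """Turn one defanged indicator line into a record, or None if the line
    is not a domain entry (headings, blank lines, prose)."""
    tokens = line.split()
    # Assumption: a domain line is "<label> .<tld> ...", i.e. the second
    # token is the TLD with its leading dot split off.
    if len(tokens) < 2 or not tokens[1].startswith("."):
        return None
    domain = (tokens[0] + tokens[1]).lower()  # refang: "fanscan4 .com" -> "fanscan4.com"
    ips = []
    for ip in IP_RE.findall(line):  # keep order, drop repeats within the line
        if ip not in ips:
            ips.append(ip)
    m = EMAIL_RE.search(line)
    email = m.group(1).lower() if m else None
    return {"domain": domain, "ips": ips, "email": email}


def parse_indicators(text):
    """Parse every domain line in a block of text; skip everything else."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def cluster_by_registrant(records):
    """Map registrant email -> sorted unique domains registered with it."""
    groups = defaultdict(set)
    for r in records:
        if r["email"]:
            groups[r["email"]].add(r["domain"])
    return {k: sorted(v) for k, v in groups.items()}


def cluster_by_ip(records):
    """Map hosting IP -> sorted unique domains the post lists on it.  Only
    IPs stated on the line itself count; no inheritance from prose."""
    groups = defaultdict(set)
    for r in records:
        for ip in r["ips"]:
            groups[ip].add(r["domain"])
    return {k: sorted(v) for k, v in groups.items()}


def find_duplicates(records):
    """Domains that appear more than once in the list (copy/paste repeats)."""
    counts = defaultdict(int)
    for r in records:
        counts[r["domain"]] += 1
    return sorted(d for d, n in counts.items() if n > 1)


def blocklist(records):
    """Sorted, deduplicated refanged domains, ready for a DNS or proxy deny list."""
    return sorted({r["domain"] for r in records})


if __name__ == "__main__":
    recs = parse_indicators(SAMPLE_LINES)
    print("registrant clusters:", cluster_by_registrant(recs))
    print("ip clusters:", cluster_by_ip(recs))
    print("duplicates:", find_duplicates(recs))
    print("blocklist:", blocklist(recs))
```

Feeding the full list from the post through `parse_indicators` gives a deny list without the defanging spaces, and the registrant clusters show which throwaway Gmail accounts tie together the .com and .info batches.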

Who's processing the payments made by the scammed customers? These are the major payment processors for scareware, which have been changing aliases for a while now, with Pandora Software being the most persistent one:

easybillhere .com - 200.63.45.221; Email: myerysin@gmail.com
secure.softwaresecuredbilling .com - 209.8.45.122; Viktor Temchenko Email: TemchenkoViktor@googlemail.com
secure.propayments .org - 78.46.152.8; Oleg Bajenov Email: oleg.bajenov@gmail.com
secure.soft-transaction .com - 77.91.228.155; Riabokon, Igor; Email: rw6rr69n7z2@networksolutionsprivateregistration.com
secure-plus-payments .com - 209.8.25.204; John Sparck; Email: sparck000@mail.com
secure.pnm-software .com - 209.8.45.124; Live Internet Marketing Limited; Email: pnm-software.com@liveinternetmarketingltd.com
secure.thepaymentonline .com - Sergey Ryabov; Email: director@climbing-games.com

What is Pandora Software, and who's behind it (pandora-software .com; pandora-software .info; pandoraxxl .com - 209.8.45.121; Live Internet Marketing Limited; Email: pandoraxxl.com@liveinternetmarketingltd.com)?

The payment processor describes itself as:

"PandoraXXL is a company which provides the best adult entertainment online and is the managing company of the adult websites of the group. The concept itself is the careful creation of websites which are different from the average vanilla adult production. We create them, we run them and we provide customer care to our customers! If You are a customer and would like to know more about our websites please click on Our Websites above. PandoraXXL.com and all sites which listed on PandoraXXL.com owned by Oleg Dvoretskiy Varzinerstr. 127, 44369 Dortmund, Germany"

Upon "doing business" with them, they include their very latest domain in the credit card statement:

"Your credit card statement may show any of the following names: WWW.PANDORAXXL.COM If so, then You have made a purchase on one of our websites! This form on the right will help You to locate these transactions! Absolutely sure You have never ever purchased anything with us? Contact us immediately then! Due to our knowledge we are one of a VERY few adult paysites companies out there providing INHOUSE live support along with telephone support. Please call only when You are sure that this site was not able to help You with Your transactions. You may call with technical questions as well but You must read all our site's FAQs first."

Going through the terms of service for several scareware domains, there's a contact support image saying "Copyright 2008 Oleg Dvorezky, Dortmund, Germany". Why an image and not text? Cybercriminals sometimes make sure that sensitive info which could undermine their OPSEC doesn't get crawled by public search engines. It gets even more interesting: Oleg Dvorezky, whose activities as a payment processor for scareware go beyond the support desk, has also included his address - Varzinerstr. 127, 44369 Dortmund, Germany - and a phone number, again as an image, +1(636)549-8103, followed by two more numbers, +18669997851 (USA) and +33179972633 (France), listed as contact details.

Moreover, since they have active affiliates distributing scareware and earning money in the process, next to managing the processing of payments, one should not exclude the possibility that they also handle customer relationship management for other scareware affiliate partners. For instance, the following support emails are all managed by them:

support@supportdeska.com
support@msantispyware2009.com
support@pandora-software.com
support@pandoraxl.com
support@data-saver.org
support@generalantivirus.com

For the time being, scareware remains the single most efficient, well-managed and highly liquid asset used for monetizing cybercrime campaigns.
