Dating Spam Campaign Promotes Bogus Dating Agency - Part Two

Your future template-based wife is here, waiting not only for you but also for the hundreds of thousands of spammed, gullible future husbands.

Our "dear friends" at Confidential Connections are at it again - spamming out bogus dating profiles, introducing new domains and inevitably exposing the phony company's connections with managed spam services operated by money mules, and sharing DNS servers with more cybercrime-facilitating parties.

As in their previous campaigns, they're spamming from [], and here's the most recent portfolio of domains used in the spam campaigns parked at


Let's connect the dots, shall we? Notice some of the registrant's emails, namely and It gets even more interesting taking into consideration the fact that the money laundering group's botnet command and control domain was registered to Moreover, among the unique usernames used exclusively by this botnet, was in fact the one used in Confidential Connections spam campaigns, confirming their connection.

Naturally, Confidential Connections are also rubbing shoulders with more cybercrime-facilitating domains sharing the same DNS infrastructure (ns1.srv .com).

For instance, there's superfuturebiz .com/maingovermnfer5 .com, where a Trojan-Spy.Win32.Zbot.uyn sample is hosted at maingovermnfer5 .com/anyfldr/demo.exe which, once executed, attempts to download Zeus crimeware from maingovermnfer5 .com/anyfldr/cfg.bin.

Moreover, the same DNS infrastructure serves carder-shop .com, an ex-Atrivo darling; yourmagicpills .com, a typical pharmaceutical scam; zaikib .in, a malware command and control; and eefs .info, a phony "East Europe Financial System" that looks like a typical money mule recruitment operation.
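
The dot-connecting above, first through shared registrant emails and then through shared DNS servers, amounts to transitive clustering of domains by registration attributes. The Python below is an added example, not code from the original post: every domain, email address and nameserver in it is a constructed placeholder, and the `COMMON` ignore list is a hypothetical allowlist.

```python
from collections import defaultdict

# Constructed registration records (placeholder values, not taken from the
# campaign): domain -> (registrant email, authoritative nameserver).
RECORDS = {
    "dating-a.example": ("reg1@mail.example", "ns1.dns-a.example"),
    "dating-b.example": ("reg1@mail.example", "ns1.dns-b.example"),
    "botnet-c2.example": ("reg2@mail.example", "ns1.dns-b.example"),
    "mule-jobs.example": ("reg2@mail.example", "ns1.dns-c.example"),
    "unrelated.example": ("reg9@mail.example", "ns1.dns-z.example"),
}

# Attributes too widely shared to count as evidence (hypothetical allowlist,
# e.g. WHOIS privacy proxies or a large hosting provider's nameservers).
COMMON = {"privacy@proxy.example", "ns1.bighost.example"}


def cluster(records, ignore=COMMON):
    """Group domains linked directly or transitively by a shared attribute."""
    parent = {d: d for d in records}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving keeps trees shallow
            d = parent[d]
        return d

    first_seen = {}  # (kind, value) -> first domain seen carrying it
    for domain, attrs in records.items():
        for kind, value in zip(("email", "ns"), attrs):
            key = (kind, value.strip().lower())
            if key[1] in ignore:
                continue  # a shared privacy proxy or mass host links nothing
            if key in first_seen:
                parent[find(domain)] = find(first_seen[key])
            else:
                first_seen[key] = domain

    groups = defaultdict(set)
    for d in records:
        groups[find(d)].add(d)
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)


if __name__ == "__main__":
    for group in cluster(RECORDS):
        print(len(group), group)
```

On the constructed data, the two dating domains end up in one cluster with the command and control and recruitment domains even though no single attribute is shared by all four, which is the kind of indirect link the post relies on.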

