Part twenty two of the diverse portfolio of fake security software series will summarize the typosquatted scareware serving domains currently in circulation, pushed through the usual distribution channels, but will also emphasize on the "money trail", namely the payment processing gateways used in the scareware campaigns.
In this particular case the scareware front-ends ultimately leading to ChronoPay, which Germany-based Pandora Software has been abusing since 2008 under its countless number of aliases such as Meyrocorp for instance.
The scareware domains are as follows:
atomscan6 .info - 38.105.19.27 - Email: donboset@gmail.com
listscan6 .com - Email: loiskiltz@gmail.com
goscanedge .com - Email: subtenda@gmail.com
goscanfine. com - Email: chirelqas@gmail.com
in6ch .com - Email: relgetn@gmail.com
goscanrich .com - Email: pathstals@gmail.com
goscanrank .com - Email: alcnafuch@gmail.com
ina6sk .com - Email: equatelepi@gmail.com
in6sk .com - Email: thomas.truby@gmail.com
goscanslim .com - Email: chinrfi@gmail.com
gowidescan .com - Email: alcnafuch@gmail.com
goedgescan .com - Email: subtenda@gmail.com
gofinescan .com - Email: alcnafuch@gmail.com
goelitescan .com - Email: funully@gmail.com
gorichscan .com - Email: pathstals@gmail.com
goslimscan .com - Email: chinrfi@gmail.com
gosoonscan .com - Email: aloxier@gmail.com
goironscan .com - Email: aloxier@gmail.com
goflexscan .com - Email: alcnafuch@gmail.com
gomanyscan .com - Email: alcnafuch@gmail.com
goscaniron .com - Email: aloxier@gmail.com
ina6co .com - Email: equatelepi@gmail.com
in6co .com - Email: thomas.truby@gmail.com
goscantop .com - Email: funully@gmail.com
ina6iq .com - Email: equatelepi@gmail.com
goscanstar .com - Email: stgeyman@gmail.com
goscanflex .com - Email: chirelqas@gmail.com
goscanmany .com - Email: chirelqas@gmail.com
scantrue6 .info - Email: jokinzer@gmail.com
scantool6 .info - Email: jokinzer@gmail.com
scanzoom6 .info - Email: jokinzer@gmail.com
litescan6 .info - Email: litescan6.info
truescan6 .info - Email: jokinzer@gmail.com
toolscan6 .info - Email: jokinzer@gmail.com
atomscan6 .info - Email: donboset@gmail.com
genscan6 .info - Email: imendegal@gmail.com
luxscan6 .info - Email: donboset@gmail.com
wayscan6 .info - Email: jokinzer@gmail.com
scanuser6 .info - Email: jokinzer@gmail.com
scanway6 .info - Email: jokinzer@gmail.com
scan6line .info - Email: jokinzer@gmail.com
scan6note .info - Email: jokinzer@gmail.com
scan6true .info - Email: jokinzer@gmail.com
scan6tool .info - Email: jokinzer@gmail.com
true6scan .info - Email: jokinzer@gmail.com
tool6scan .info - Email: jokinzer@gmail.com
top6scan .info - Email: jokinzer@gmail.com
user6scan .info - Email: jokinzer@gmail.com
list6scan .info - Email: jokinzer@gmail.com
way6scan .info - Email: jokinzer@gmail.com
scan6user .info - Email: jokinzer@gmail.com
scan6list .info - Email: jokinzer@gmail.com
scan6fix .info - Email: jokinzer@gmail.com
scan6way .info - Email: jokinzer@gmail.com
It's pretty obvious case demonstrating the dynamics of the underground ecosystem. A thousand bogus accounts purchased for $10 used in a bulk registration of scareware serving domains on a revenue sharing affiliate model ends up in a win-win-win situation for the cybercriminals involved in these processes. The practice is becoming rather popular not only due to their interest in less centralization of the domain control under a single email address -- cross checking reveals the entire portfolio managed under it -- but due to the availability of the service.
clean-pc-now .net - 94.75.233.162 - Email: robertsimonkroon@gmail.com
fast-spyware-cleaner .org - Email: robertsimonkroon@gmail.com
spyware-scaner .com - Email: robertsimonkroon@gmail.com
scan-pc-now .com - Email: robertsimonkroon@gmail.com
free-tube-porn .biz - Email: robertsimonkroon@gmail.com
spyware-killer .biz - Email: robertsimonkroon@gmail.com
softportal-extrafiles .com - 64.20.38.172
exe-profile .com - Email: kimwerner92@yahoo.com
extrafiles-softportal .com - Email: opipkl@googlemail.com
softportal-files .com - Email: kimwerner92@yahoo.com
softportal-extrafiles .com
load-exe-soft .com - Email: kimwerner92@yahoo.com
exe-box .com - Email: normtroup@yahoo.com
hot-exe-area .net - Email: josepetie@gmail.com
spywarecomputerscanv2 .com - 69.10.59.35 - Email: huang@bark.edu.hk
1live-antimalware-pro-scan .com - Email: hongkong@campusparis.org
1live-antimalware-scanner .com - Email: hongkong@campusparis.org
folderantispywarescanner .com - Email: xinhuawuhan@yahoo.com
antivirushelpscanner .com - Email: info@brandturkey.com
fastfolderscanner .com - Email: info@brandturkey.com
mycomputerscanner .com - Email: vanmullem@yahoo.com
restricteddomainhelp .com - 83.133.124.81 - Email: franklinnig@yahoo.com
msncoreupdate .com - Email: jen@parallelslive.cn
world-payment-system .com - Email: info@yashitaindian.com
liveinternetupdates .com - Email: kuzya77@freebbmail.com
onlineantivirusmarket .com Email: podbisb@hotmail.com
threats-scanner .com - 69.4.230.204 - Email: vanmullem@yahoo.com
securitypcscanner2 .com - Email: office@actionaidinusa.org
anti-virussecurity3 .com - Email: office@actionaidinusa.org
private-online-scan .com - Email: info@kianah.org
liveantivirusproscan .com - Email: second@freebbmail.com
no1virusscan .com - Email: info@kianah.org
my-private-protection .com - Email: info@kianah.org
scanmyfolders .com - Email: info@kianah.org
scanmycomputerforvirus .com - Email: vanmullem@yahoo.com
onlinescan-ultraantivirus2009 .com - 206.53.61.76
relevantwebsearches .com
virussweeper-scanvirus .com
guardincorp .info
mainsecsys .info - Email: andrew.fbecket@gmail.com
guardsecurity .info - Email: poljaykop@gmail.com
virusalarm-scanvirus .net
best-protect .info - 174.142.113.205 - Email: chainadmin@gmail.com
best-protect-av1 .info - Email: chainadmin@gmail.com
best-antivirus-pc .info - Email: chainadmin@gmail.com
best-av1-protect .info - Email: chainadmin@gmail.com
av1-protect .info - Email: chainadmin@gmail.com
av1-best-protect .info - Email: chainadmin@gmail.com
best-protect .info - Email: chainadmin@gmail.com
best-av .info - Email: chainadmin@gmail.com
pay-virusshield .cn - 64.213.140.70 - Email: unitedisystems@gmail.com
shieldinc .info
systemprotectinc .info
ironshield .info
myofficeguard .info
protectionurl .info
my-protection .info
antivirus09 .net
fast-antivirus.net
virusshieldpro .com - 64.86.16.127 - Email: unitedisystems@gmail.com
prestotuneup .com - Email: hycderxvur@whoisservices.cn
virussweeper-scanvirus .com
virusmelt .com - Email: nuhuarrczq@whoisservices.cn
systemsec .info
shieldinc .info
myofficeguard .info
protect-online .info
protectionlol .info
protectionurl .info
virussweeper-scan .net
advanced-virus-remover2009 .com - 92.241.176.188 - Email: masle@masle.kz
trucount3005 .com - Email: chen.poon1732646@yahoo.com
antivirus-scan-2009 .com - Email: cheng2009@yahoo.com
antivirusxppro-2009 .com - Email: u@sochi.ru
advanced-virusremover2009 .com - Email: giogr@ua.fm
bestscanpc .com
trucountme .com - Email: valentin@gergiea.kz
vs-codec-pro .com - Email: bhtjnjhggn@googlemail.com
vscodec-pro .com - Email: cyber38462@hotmail.com
antivirus-2009-ppro .com - Email: cheng2009@yahoo.com
onlinescanxppro .com - Email: chen.poon1732646@yahoo.com
downloadavr .com - Email: gorbun@ua.fm
bestscanpc .net
activation-antivirus-software .com - 208.43.124.83 - Email: matlee@fsuk.edu
fxantispy .com - Email: TycoonMichael@googlemail.com
my-protection .info - 64.213.140.70 - Email: hop.davis@gmail.com
protectonline .info - 64.86.17.47 - Email: hop.davis@gmail.com
safetywwwtools .com - 209.44.126.36 - Email: martin.s.johnson@spambob.com
defenderupdates2 .com - 89.248.168.46 - Email: china@seban.se
securitytoolsdirect .com - 209.44.126.22 - Email: RuthMMarcotte@text2re.com
best-antivirus-security .com - 84.16.237.52 - Email: valentinyermolaev@gmail.com
malwaresdestructor .com - 206.53.61.74
suprotect .com - 89.149.212.218 - uuuuu@ua.fm
threatpcscanner .com - 63.223.110.177 ; 78.47.132.216 ; 78.47.172.66 - Email: vanmullem@yahoo.com
antimalwareliveproscannerv3 .com - Email: vanmullem@yahoo.com
antivirus-online-pro-scan .com - Email: vanmullem@yahoo.com
avpro-labs .com - 213.182.197.229
avprotectionstat .com - 74.50.99.236
explorerfilescan .com - 63.223.110.178; 78.47.132.221; 78.47.172.68 Email: xinhuawuhan@yahoo.com
antivirushelpscanner .com A 83.133.125.116; 69.10.59.35; 83.133.125.116 - Email: info@brandturkey.com
fastfolderscanner .com - Email: info@brandturkey.com
mycomputerscanner .com - Email: info@brandturkey.com
mal-warexls .net - 72.9.108.26 - Email: joehugardo@ya.ru
internetware-safe .com - Email: candikeller@ya.ru
scanonlinesite .info - 66.148.74.126
scanonlineblog .info
scanonlineshop .info
scanonlinenow .info
youravprotection .com - 74.50.98.162 - Email: armandgregory3@gmail.com
registerantivirus .com Email: ed.areyra@gmail.com
avprotectionstat .com
avagent-pro .com - 83.133.126.46 - Email: dwrdcardenas95@gmail.com
downloads-123 .com - Email: dwrdcardenas95@gmail.com
soft-process .com - Email: dwrdcardenas95@gmail.com
download-123 .cn - Email: dwrdcardenas95@gmail.com
actupdate .net - Email: dwrdcardenas95@gmail.com
Now the emphasis on the payment gateways, currently active and processing the scareware transactions:
softwaresecuredbilling .com - 209.8.45.122 - TemchenkoViktor@googlemail.com
softsales-discount .com - Email: daunrwwciq@whoisservices.cn
best-internet-payments .com - 209.8.45.148 - Email: specsupport@gmail.com
adioro .com - 213.174.152.32 - Email: xyhsbjlrl@whoisprivacyprotect.com
secure-plus-payments .com - 209.8.25.204 - Email: sparck000@mail.com
secure.pnm-software .com - 209.8.45.124 - Email: pnm-software.com@liveinternetmarketingltd.com
soft-process .com - 83.133.126.46 - Email: XtPbtP@privacypost.com
privatesecuredpayments .com - 78.46.216.238 - Email: TemchenkoViktor@googlemail.com
These payment processing gateways are sometimes front-end to the original and often legitimate payment processors. In this particular case, the the legitimate processor is Netherlands-based ChronoPay, which is known to have been used in the past by affiliates in the scareware affiliate model in the past, with several complaints for repeated credit card billing, which in reality is included in the scareware's Terms of Service.
Upon a successful purchase - the customer is told that "This charge will appear on your card statement as CHRPay.com/ducforceide". Interestingly, Pandora Software has also been using the following ChronoPay accounts for over an year - Chrpay.com/meyrocorp; CHrpay.com/pnra using disconnected numbers, CallerID's of scareware operations, desperate attempts to contact the alias for the front-end payment processor, ultimately resulting in several hundred ChronoPay related complaints.
Next to scareware, ChronoPay (Pavel Vrublevsky acting as CEO) is also known to have been used in a mobile application scam dissected here, as well as being a victim of a DDoS attack in 2008, which is pretty logical since if ChronoPay is the payment processor of choice for the hundreds of thousands of scareware generated revenues on daily basis, the commissions ChronoPay takes from cybercriminals would be more than welcome in the competing payment processor's network.
Related posts:
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot
A Diverse Portfolio of Fake Security Software - Part Twenty One
A Diverse Portfolio of Fake Security Software - Part Twenty
A Diverse Portfolio of Fake Security Software - Part Nineteen
A Diverse Portfolio of Fake Security Software - Part Eighteen
A Diverse Portfolio of Fake Security Software - Part Seventeen
A Diverse Portfolio of Fake Security Software - Part Sixteen
A Diverse Portfolio of Fake Security Software - Part Fifteen
A Diverse Portfolio of Fake Security Software - Part Fourteen
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software
This post has been reproduced from Dancho Danchev's blog.
Independent Contractor. Bitcoin: 15Zvie1j8CjSR52doVSZSjctCDSx3pDjKZ Email: dancho.danchev@hush.com OMEMO: ddanchev@conversations.im | OTR: danchodanchev@xmpp.jp | TOX ID: 2E6FCA35A18AA76B2CCE33B55404A796F077CADA56F38922A1988AA381AE617A15D3D3E3E6F1
Friday, July 03, 2009
A Diverse Portfolio of Fake Security Software - Part Twenty Two
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment