Exposing a Portfolio of Pay Per Install Rogue and Fraudulent and Malicious Affiliate Network Domains - An OSINT Analysis

 

Dear blog readers,

I've decided to share with everyone an in-depth historical OSINT analysis on some of the primary pay per install rogue fraudulent and malicious affiliate network based rogue and fraudulent revenue sharing scheme operating malicious software gangs that are known to have been active back in 2008 with the idea to assist everyone in their cyber campaign attribution efforts.

Sample portfolio of pay per install rogue fraudulent and malicious affiliate network domains known to have been in operation in 2008 include:

vipsoftcash[.]com

iframevip[.]com

avicash[.]com

softmonsters[.]biz

cashboom[.]biz

loader[.]cc

luxecash[.]com

iframepartners[.]com

installsforyou[.]biz

topsale2[.]ru

cashcodec[.]com

go-go-cash[.]com

oxocash[.]com

3xl-cash2[.]com

3xlpartnership[.]com

installs4sale[.]com

profitclick[.]org

megatraffer[.]com

oemcash[.]com

goldencashworld[.]biz

topsale[.]us

installsmarket[.]com

profit-cash[.]biz

ADWSearch[.]com

ovocash[.]com

loadsprofit[.]com

exerevenue[.]com

adwaredollars[.]com

yabucks[.]com

installing[.]cc

installconverter[.]com

topsale[.]us

bakasoftware[.]com

goldencashworld[.]net

niftystats[.]com

niftystats[.]com

royal-cash[.]com

dogmasoftware[.]com

3xlsoftware[.]com

rashacash[.]com

3xltop[.]com

vipinstall[.]cn

installercash[.]com

spicycodec[.]com

softwareprofit[.]com

codecmoney[.]biz

trafcash[.]com

smilecash[.]biz

bucksloads[.]com

traffic-converter[.]biz

eupays[.]com

seocash[.]us

vipppc[.]ru

cashwrestler[.]com

VipSoftCash[.]com

vscstatistics[.]com

vipsoftcashstats[.]com

Spy-Partners[.]com

vippirog[.]com

cashbotnet[.]com

installsforyou[.]biz

profit-cash[.]biz

bestcash[.]biz

VisitPay[.]com

partnerka[.]com

spy-partners[.]com

download4money[.]com

luxecash[.]net

iframe911[.]com

LOADBUCKS[.]BIZ

Cashpanic[.]com

longbucks[.]com

drugrevenue[.]com

evapharmacy[.]ru

bucksloads[.]com

spydevastator[.]com

softcash[.]org

3xlsoftware[.]com

rashacash[.]com

3xlcash[.]com

spicycodec[.]com

buckster[.]ru

trafficconverter2[.]biz

bucksware[.]com

bucksware-admin[.]com

mac-codec[.]com

traffic-converter[.]biz

klikadult[.]com

goldencash[.]com

payperinstall[.]org

pay-per-install[.]com

pay-per-install[.]org

zangocash[.]com

iframebiz[.]com

webmaster-money[.]org

cash4toolbar[.]com

toolbar4cash[.]com

bluechillies[.]com

adwaredollars[.]com

iframestat[.]org

snapinstalls[.]com

installercash[.]com

installcash[.]org

earnperinstall[.]com

dollarsengine[.]com

installercash[.]com

vombacash[.]com

softahead[.]com

iframestat[.]org

antispy[.]ws

sexprofit[.]com

evapharmacy-login[.]biz

vipsoftcash[.]com

glavmed[.]com

Sample name servers known to have been used by the same rogue fraudulent and malicious pay per install affiliate network domains include:

ns1[.]cgymwmlcaa[.]com A 85[.]17[.]136[.]135

ns1[.]cdpvaqnlod[.]com A 85[.]17[.]136[.]135

ns1[.]ccytvpbsdg[.]com A 85[.]17[.]136[.]135

ns1[.]cbfkzhtyik[.]com A 85[.]17[.]136[.]135

ns1[.]cezqtessjo[.]com A 85[.]17[.]136[.]135

ns1[.]cfsiqejclo[.]com A 85[.]17[.]136[.]135

ns1[.]catjepzcft[.]com A 85[.]17[.]136[.]135

ns1[.]dhxkycjmrg[.]net A 85[.]17[.]136[.]135

ns1[.]dglcxlcfmk[.]net A 85[.]17[.]136[.]135

ns1[.]damqrgldev[.]net A 85[.]17[.]136[.]135

ns1[.]dfhatnjfjw[.]net A 85[.]17[.]136[.]135

ns1[.]ddzmuatncz[.]net A 85[.]17[.]136[.]135

ns1[.]cgymwmlcaa[.]com A 72[.]232[.]184[.]10

ns1[.]cdpvaqnlod[.]com A 72[.]232[.]184[.]10

ns1[.]ccytvpbsdg[.]com A 72[.]232[.]184[.]10

ns1[.]cbfkzhtyik[.]com A 72[.]232[.]184[.]10

ns1[.]cezqtessjo[.]com A 72[.]232[.]184[.]10

ns1[.]cfsiqejclo[.]com A 72[.]232[.]184[.]10

ns1[.]chyaicpvxo[.]com A 72[.]232[.]184[.]10

ns1[.]catjepzcft[.]com A 72[.]232[.]184[.]10

ns1[.]dhxkycjmrg[.]net A 72[.]232[.]184[.]10

ns1[.]dcorbtfyni[.]net A 72[.]232[.]184[.]10

ns1[.]dglcxlcfmk[.]net A 72[.]232[.]184[.]10

ns1[.]detjstniup[.]net A 72[.]232[.]184[.]10

ns1[.]damqrgldev[.]net A 72[.]232[.]184[.]10

ns1[.]dfhatnjfjw[.]net A 72[.]232[.]184[.]10

ns1[.]dbsjxuvijx[.]net A 72[.]232[.]184[.]10

ns1[.]ddzmuatncz[.]net A 72[.]232[.]184[.]10

cgymwmlcaa[.]com  A  195[.]2[.]253[.]247 

cezqtessjo[.]com  A  195[.]2[.]253[.]247 

cfsiqejclo[.]com  A  195[.]2[.]253[.]247 

chyaicpvxo[.]com  A  195[.]2[.]253[.]247 

cdpvaqnlod[.]com  A  195[.]2[.]253[.]246 

ccytvpbsdg[.]com  A  195[.]2[.]253[.]246 

cbfkzhtyik[.]com  A  195[.]2[.]253[.]246 

catjepzcft[.]com  A  195[.]2[.]253[.]246 

http://catjepzcft[.]com

http://catjepzcft[.]com

http://damqrgldev[.]net

http://catjepzcft[.]com 

http://damqrgldev[.]net

catjepzcft[.]com

damqrgldev[.]net  195[.]2[.]253[.]248  

dcorbtfyni[.]net A 195[.]2[.]253[.]248

damqrgldev[.]net A 195[.]2[.]253[.]248

dbsjxuvijx[.]net A 195[.]2[.]253[.]248

ddzmuatncz[.]net A 195[.]2[.]253[.]248

dhxkycjmrg[.]net A 195[.]2[.]253[.]249

dglcxlcfmk[.]net A 195[.]2[.]253[.]249

detjstniup[.]net A 195[.]2[.]253[.]249

dfhatnjfjw[.]net A 195[.]2[.]253[.]249

dhxkycjmrg[.]net NS ns1[.]dhxkycjmrg[.]net

ns1[.]dhxkycjmrg[.]net A 72[.]232[.]184[.]10

ns1[.]dhxkycjmrg[.]net A 85[.]17[.]136[.]135

dcorbtfyni[.]net NS ns1[.]dhxkycjmrg[.]net

dglcxlcfmk[.]net NS ns1[.]dhxkycjmrg[.]net

detjstniup[.]net NS ns1[.]dhxkycjmrg[.]net

damqrgldev[.]net NS ns1[.]dhxkycjmrg[.]net

dfhatnjfjw[.]net NS ns1[.]dhxkycjmrg[.]net

dbsjxuvijx[.]net NS ns1[.]dhxkycjmrg[.]net

ddzmuatncz[.]net NS ns1[.]dhxkycjmrg[.]net

Related pay per install rogue fraudulent and malicious domains known to have been used back in 2008 for various rogue fraudulent and malicious purposes include:

drawn-cash[.]com

vippay[.]com

bucksware-admin[.]com

www[.]system-protector[.]net

sys-scan-1[.]biz

sys-scan-wiz[.]biz

topsale2[.]ru

earning4u[.]com

flashdollars[.]com

installing[.]cc

siteload[.]cn A 94[.]247[.]2[.]54

hostnsload[.]cn

siteinstall[.]cn

hostnsinstall[.]cn

jjupsport[.]ru

installz[.]cn

adware-help[.]com

fliporn[.]com

dailybucks[.]org

installloader[.]com

installaga[.]cn

georgenatas[.]in

naemnitibo[.]in

tirosanare[.]in

mialo-goodle[.]info

nailcash[.]com

ultraantivirus2009[.]com

nailcash[.]com  A  64[.]86[.]17[.]9 

virusalarmpro[.]com  A  64[.]86[.]17[.]9 

vmfastscanner[.]com  A  64[.]86[.]17[.]9 

mysuperviser[.]com  A  64[.]86[.]17[.]9 

virusmelt[.]com  A  64[.]86[.]17[.]9 

payvirusmelt[.]com  A  64[.]86[.]17[.]9 

updvmfnow[.]cn  A  64[.]86[.]17[.]9 

mysupervisor[.]net  A  64[.]86[.]17[.]9

Related personal email accounts known to have been used for various related pay per install rogue fraudulent and malicious affiliate network domain registrations include:

pvc6168@sina[.]com

windinv@yahoo[.]com

new@loveplus[.]in

johnson8402@post[.]com

lmunozv1@live[.]com

ididid828@gmail[.]com

onlineprivacy@aol[.]com

alex@bnetworks[.]us

milen[.]radumilo@gmail[.]com

ztao72945@gmail[.]com

redsunray@hotmail[.]com

WINDINV@YAHOO[.]COM

tvmt2000@yahoo[.]com

325214476@qq[.]com

adxluxe@gmail[.]com

SexPicker@gmail[.]com

domainaccount@protonmail[.]com

ancientholdings@fastmail[.]fm

newseowork12@gmail[.]com

oem[.]myrian@gmail[.]com

229848501@qq[.]com

bdmailhere@gmail[.]com

danny9@gmail[.]com

phone49012@yahoo[.]com

miok2001@mail[.]ru

zuev@cmedia-online[.]ru

daniel[.]bastien@gmail[.]com

domainadmin1900@gmail[.]com

larsonown@gmail[.]com

ppcseo2@gmail[.]com

sima[.]jogminaite@inbox[.]lt

topsaleus@gmail[.]com

Stay tuned!

This presentation aims to detail Dancho Danchev's perspective into gathering threat intelligence processing it and enriching and disseminating it to users vendors and organizations globally heavily relying on a threat intelligence "rock star" model and methodology where the ultimate goal for this case study would be to take down Iran-based hackers and hacking groups and their entire online operations and attempt to shut them down and take them offline citing possible malicious use and actual abuse of international Internet laws and regulations and ultimatetely attempt to make an impact in terms of tracking them down and offering never-published and discussed personally identifiable information on their whereabouts and malicious online activities.

Exposing the Internet-Connected Infrastructure of the REvil Ransomware Gang - An In-Depth OSINT Analysis

Dear blog readers,

In this post I've decided to do an in-depth OSINT analysis on the recently busted REvil ransomware gang and decided to elaborate more and emphasize on the key fact in specific how come that a single ransomware group with several publicly accessible and easy to shut down C&C (command and control) server domains including several randomly generated Dark Web Onion URLs could easily result in millions of damage and who really remembers a situation when getting paid for getting hacked including the basic principle that you should never interact with cybercriminals but instead should passively and proactively monitor them could result in today's modern and unspoken ransomware growth epidemic and the rise of wrong buzz words as for instance ransomware-as-a-corporation where you basically have the bad guys obtain initial access to an organization's network and then hold its information encryption leading us to the logical conclusion who on Earth would pay millions of dollars to avoid possible bad reputation damage including to fuel growth into a rogue and fraudulent scheme as as for instance the encryption of sensitive company information and leaking it to the public in exchange for financial rewards.

Sample REvil ransomware gang publicly accessible C&C (command and control) servers include:

hxxp://decoder[.]re

hxxp://decryptor[.]cc - 136[.]243[.]214[.]30; 45[.]138[.]74[.]27

hxxp://decryptor[.]top

Related name servers known to have been used in the campaign include:

hxxp://1-you[.]njalla[.]no

hxxp://3-get[.]njalla[.]fo

hxxp://2-can[.]njalla[.]in

hxxp://1-you[.]njalla[.]no

Related responding IPs for hxxp://decryptor[.]cc:

2021/12/30 - 103[.]224[.]212[.]219

2021/10/23 - 198[.]58[.]118[.]167

2021/10/23 - 45[.]79[.]19[.]196

2021/10/23 - 45[.]56[.]79[.]23

2021/10/23 - 45[.]33[.]18[.]44

2021/10/23 - 72[.]14[.]178[.]174

2021/10/23 - 45[.]33[.]2[.]79

2021/10/23 - 45[.]33[.]30[.]197

2021/10/23 - 96[.]126[.]123[.]244

2021/10/23 - 45[.]33[.]23[.]183

2021/10/23 - 173[.]255[.]194[.]134

2021/10/23 - 45[.]33[.]20[.]235

2021/10/23 - 72[.]14[.]185[.]43

2021/10/08 - 78[.]41[.]204[.]37

2021/10/03 - 209[.]126[.]123[.]12

2021/09/24 - 78[.]41[.]204[.]28

2021/09/03 - 209[.]126[.]123[.]13

2021/08/19 - 78[.]41[.]204[.]38

2021/08/02 - 81[.]171[.]22[.]4

2021/07/27 - 81[.]171[.]22[.]6

2021/04/17 - 103[.]224[.]212[.]219

2020/11/10 - 45[.]138[.]74[.]27

2020/11/04 - 45[.]138[.]74[.]27

2020/09/14 - 136[.]243[.]214[.]30

2020/09/06 - 136[.]243[.]214[.]30

2020/08/30 - 212[.]22[.]78[.]23

2020/08/23 - 212[.]22[.]78[.]23

2020/07/30 - 212[.]22[.]78[.]23

2020/07/24 - 212[.]22[.]78[.]23

2020/07/07 - 212[.]22[.]78[.]23

2020/05/30 - 193[.]164[.]150[.]68

2020/05/20 - 193[.]164[.]150[.]68

2020/05/10 - 194[.]36[.]190[.]41

2020/05/08 - 194[.]36[.]190[.]41

2020/04/29 - 194[.]36[.]190[.]41

2020/04/06 - 194[.]36[.]190[.]41

2020/02/17 - 94[.]103[.]87[.]78

Related responding IPs for hxxp://decryptor[.]top (185[.]193[.]127[.]162; 192[.]124[.]249[.]13; 96[.]9[.]252[.]156):

2021/07/12 - 45[.]9[.]148[.]108

2020/09/18 - 185[.]193[.]127[.]162

2020/09/15 - 185[.]193[.]127[.]162

2020/08/07 - 185[.]193[.]127[.]162

2020/01/16 - 162[.]251[.]120[.]66

2019/12/23 - 45[.]138[.]96[.]206

2019/12/12 - 107[.]175[.]217[.]162

2019/10/07 - 96[.]9[.]252[.]156

2019/09/04 - 96[.]9[.]252[.]156

2019/07/15 - 91[.]214[.]71[.]139

Related MD5s known to have been involved in the campaign:

MD5: 57d4ea7d1a9f6b1ee6b22262c40c8ef6

MD5: fe682fad324bd55e3ea9999abc463d76

MD5: e87402a779262d1a90879f86dba9249acb3dce47

MD5: 4334009488b277d8ea378a2dba5ec609990f2338

MD5: 2dccf13e199b60dd2cd52000a26f8394dceccaa6

Stay tuned!

Inquire About One-on-One or One-to-Many Virtual OSINT Training Today!

Folks,

Who's been following my work on this blog since December, 2005? Are you interested in OSINT training? One-on-one or one-to-many sessions? Drop me a line today at dancho.danchev@hush.com on behalf of you or your organization or team and let's help you take your team and organization to the next level.

Sample portfolio of services which I'm currently offering can be also seen here - https://disruptive-individuals.com including a copy of my CV here including the following two sample of my work here and here.

Check out some sample chapters from a free book on cyber attribution that I'm currently working on to get a better idea of what I have in mind including my style and methodology:

Stay tuned!

My Participation in GCHQ's Top Secret "Lovely Horse" Program to Monitor Hackers Online - An Elaboration

Dear blog readers,

Did you know that you can actually find me in Snowden's archive by simply searching for my name where it will eventually lead you to a GCHQ Top Secret lawful surveillance program to monitor hackers online in specific their Twitter accounts?

Check out the following Medium article where I do my best to elaborate on my participation in the Top Secret GCHQ Program "Lovely Horse".

Stay tuned!

Profiling the Blood and Honor Online Hate Group - An OSINT Analysis

As it's been a while since I've last posted a quality update I wanted to take the time and effort and elaborate more on a current project of mine which is the "International OSINT Journal Compilation on Online Terrorism Hate and Militarized Social Movements" which aims to expose and offer a massive information on currently active online terrorism hate and militarized social movements including actionable information on their online infrastructure.

In this post I'll elaborate more and offer actionable intelligence on the online infrastructure of the Blood and Honor hate group with the idea to help you get a better perspective of their online infrastructure and possibly assist you in your cyber campaign attribution efforts.

Sample personal email address accounts belonging to Blood and Honor International Groups include:

bloodandhonouraustralis@hotmail[.]com 

 bloodhonournsw@hotmail[.]com 

 bloodhonoursa@hotmail[.]com 

 bloodhonourqld@hotmail[.]com 

 bloodhonourvic@hotmail[.]com 

 bloodhonourwa@hotmail[.]com 

 bhvlaanderen@hotmail[.]com 

 bh_wallonie@hotmail[.]com 

 bloodandhonour_bulgaria@abv[.]bg 

 bandhcanada@yahoo[.]co[.]uk 

 bhhexagone@hotmail[.]fr 

 bh_hellas@yahoo[.]gr 

 support_28_zh@hotmail[.]com 

 nederland@bloodhonournederland[.]com 

 bloodandhonourhungary28@gmail[.]com 

 isdm2010@gmail[.]com 

 vfs@libero[.]it 

 bhportugal28@yahoo[.]com 

 brotherhood28serbia@hotmail[.]com 

 28slov@gmail[.]com 

 bhe_bloodhonour@yahoo[.]es 

 28sweden@hotmail[.]se 

 ehukraine@bhukraine[.]org 

 RAGEN[.]FURY@VIRGIN[.]NET 

 axis@bloodandhonourworldwide[.]co[.]uk 

 southlands28@hotmail[.]com 

 westcountrybloodandhonour@yahoo[.]co[.]uk 

 wycombe828@yahoo[.]com 

 bandhcentral@bloodandhonourcentral[.]co[.]uk 

 westmidsbandh@yahoo[.]co[.]uk 

 bnsm@bnsm[.]co[.]uk 

 general@bloodandhonourworldwide[.]co[.]uk 

 webmaster@bloodandhonourworldwide[.]co[.]uk 

 s[.]london-bh@hotmail[.]co[.]uk 

 bloodandhonour[.]yorkshire@hotmail[.]co[.]uk 

 northeast1488@hotmail[.]co[.]uk 

 highlanderdivision28@hotmail[.]co[.]uk 

 highlander[.]eastcoast@hotmail[.]com ;

 bhamericandivision@yahoo[.]com 

 bhwales@googlemail[.]com 

 ulsterbg@hotmail[.]co[.]uk

Sample screenshots of logo of Blood and Honor Bulgaria include:

Stay tuned!

An Update on My Disappearance and Kidnapping Attempt Courtesy of Bulgarian Law Enforcement Officers from the City of Troyan Bulgaria Circa 2010 - An Analysis

Folks,

Check this out! An image is worth a thousand words.

Related Facebook profile IDs known to have been involved in the case:

https://www.facebook.com/profile.php?id=100005932519460 - Birthdate - 1976 - July 12

https://www.facebook.com/profile.php?id=100030506870037 - Birthdate - 1964 - August 21

Related posts:

What You Get From "Peasant-aria Land" - A New Cyber Security Center - Behold Yourself To the Almighty Savior! - An Analysis

Dancho Danchev's Disappearance - An Elaboration - Part Two
Dancho Danchev's Disappearance 2010 - Official Complaint Against Republic of Bulgaria
Dancho Danchev's Disappearance - 2010 - Official Complaint Against Republic of Bulgaria - Part Three
Dancho Danchev's Disappearance - 2010 - Official Complaint Against Republic of Bulgaria - Part Two
Deep from the Trenches in Bulgaria - Part Three
Deep from the Trenches in Bulgaria - Part Two
How I Got Robbed and Beaten and Illegally Arrested by a Local Troyan Gang in Bulgaria
A Profile of a Bulgarian Kidnapper – Pavlin Georgiev (Павлин Георгиев/Васил Моев Гачевски/Явор Колев) – An Elaboration on Dancho Danchev’s Disappearance circa 2010 – An Analysis

Sample Portfolio of Dancho Danchev's Personal and Conference Event Photos - A Compilation - Part Two

 

Exposing the Pay Per Install (PPI) Underground Market Fraudulent and Rogue Business Model - A Photos Compilation

Dear blog readers,

I've decided to share with everyone a photos compilation which I obtained and actually collected back in 2008 using Technical Collection for the purtpose of demonstrating the basics of the pay per install fraudulent anda rogue underground market business model with the idea to improve's situational awareness in the field of researching the pay per install underground business model.

Sample Pay Per Install Rogue and Fraudulent Underground Market Business Model Photos Compilation Photos:

Stay tuned!