Today I decided to choose one of the more prevalent spam campaigns and see what was behind it. For some time now we've been seeing a spam campaign that has random words forming the Subject line, one of which will be "debt" or "credit", such as:
reducing debt
science of debt elimination
secured debt consolidation
south carolina debt consolidation
student debt consolidation
student loan debt
student loan debt consolidation
tax debt
tenant debt consolidation
the best way to get out of debt
third world debt
tips on how to get out of debt
tips to get out of debt
to get out of debt
There are three main variations of this spam currently. The first has messages that look like this, and point to a real domain name:
Its time to completely eradicate your debts!
ELIMINATE your carddebts and ALL other unsecured debts
Visit www.kneeddawpresent.com
* NO more payments to creditors
* YOUR long term credit will NOT be affected.
* NO confrontation's
Visit www.kneeddawpresent.com
* 10K minimum combined debts required for eligibility.
* US residents only.
This family, which I call the "Visit group", is currently spamming these websites, some of which have to be typed, because the criminal has placed [DOT] in the website name, such as www.bdstfirstcredit[DOT]com.
www.bastfirstcredit.com - 220.248.185.10 - ONLINENIC
www.bbstfirstcredit.com - 220.248.185.10 - ONLINENIC
www.bcstfirstcredit.com - 220.248.185.10 - ONLINENIC
www.bdstfirstcredit.com - 220.248.185.10 - ONLINENIC
www.bfstfirstcredit.com - 220.248.185.10 - ONLINENIC
www.expatpenpresent.com - 200.63.43.3 - XIN NET
www.gustyekeliving.com - 200.63.43.3 - 35 Technology Co., Ltd
www.kneeddawpresent.com - 200.63.43.3 - HICHINA ZHICHENG TECHNOLOGY
www.scotsoffserious.com - 200.63.43.3 - HICHINA ZHICHENG TECHNOLOGY
www.smokyoleclean.com - 200.63.43.3 - XIN NET
www.stonezitequal.com - 200.63.43.3 - XIN NET
www.tonesprogreat.com - 200.63.43.3 - HICHINA ZHICHENG TECHNOLOGY
www.vineswarloose.com - 220.248.185.10 - XIN NET
www.wipedeonearly.com - 200.63.43.3 - XIN NET
www.zestfirstcredit.com - 220.248.185.10 - ONLINENIC
So, this group of domains, all linked by common spam bodies, uses four different ICANN Registrars, but only one DNS server pair (NS1.WELDNS.COM / NS2.WELDNS.COM) and only two hosting IP addresses. 200.63.43.3 is hosted on Panamaserver.com and 220.248.185.10 is hosted in China on a network that is listed as "Changde-cdcnczxjdia".
Those registered on ONLINENIC and hosting in Changde, Hunan province of China, are registered to the name Shestakov Yuriy, who uses the email address alexvasiliev1987@cocainmail.com and the phone number +7.9218839910
Those registered on XIN NET and hosting on Panamaserver.com were registered by FANJIE in fujiansheng, china with an email of li_xiang253@tom.com.
Those registered on HICHINA and hosting on Panamaserver were registered by HANXIAOWEN with the email 2514862@qq.com - but they still use the DNS "NS1.WELDNS.COM" which is also used by the XIN NET and the ONLINENIC domain names!
That's the "Visit Group".
The second group is the "LiveFileStore.com" group. These emails all contain a spam body that looks like this:
Clear all your Debt. Save $1000s.Free Debt Analysis. No obligation.
http://tfe7ta.bay.livefilestore.com/y1pFg8blopfnoudOpHPXbKKZztaQP5QODFIxxBDAuUB0xO_hdJoJ33CGzn6hEFg8itiAyBpm7oDoSs
With many different "line one" texts, such as:
Prompt Debt Collection Services We are professional, Contract Now!
Get debt relief & start fresh!Helped thousands of clients
Get rid of credit card debtStop garnishments and calls
We sell debt portfolios and workwith new buyers daily
Eliminate Your Debt!Credit Cards, Medical Bills, Loans.
etc. etc.
The URLs point to a page on LiveFileStore.com which does an "autoforward" to another domain. All of them I reviewed today forwarded to this location:
http://platydeyember.com/
So, let's see what that domain is all about:
Registered on XIN NET TECHNOLOGY, this domain was registered to WANGQIHOW using the email "limian_changshi@sina.cn". Its hosted on the IP address 200.63.43.3, Panamaserver.com.
We're actually receiving many "non-debt" spams that use the LiveFileStore.com auto-forwarding trick. Some other examples would be,
Online Casinos, such as pages forwarding to:
http://zombileimound.com/
which was registered on XIN NET TECHNOLOGY and is hosted on PanamaServer.com on the IP address 200.63.43.3, and was registered by limian_changshi@sina.cn.
King Replica watch spam, such as pages forwarding to:
http://lookmyal.com/
which is unrelated to the others, and uses javascript obfuscation to hide its redirection point.
The third group of "debt spam" are the ones using advertisements on "live.com". This group uses spam that points to a "spaces.live.com" url, which contains an advertisement such as this one:
Clicking on these visual ads takes us to domains such as "windstensafe.com", which was registered on XIN NET TECHNOLOGY, is hosted on 200.63.43.3 on PanamaServer.com, and is regsitered to "li_xiang253@tom.com", using the DNS servers NS1.WELDNS.COM and NS2.WELDNS.COM.
Research into PanamaServer.com shows that they are hosting a wide assortment of criminal domains. Qualified researchers are welcome to request a list of more than 2700 domain names hosted there, including many domains registered by Russian named individuals, and using Nameservers ending in ".ru".
I'll let you know if PanamaServer gives me any answer to my queries about these domains:
abuse@panamaserver.com
El cangrejo, 49
Panama
+507 263.3723
0 comments:
Post a Comment