Saturday, 4 July 2009

Piradius.net / Yohost.org - black hat hosting?

Piradius.net is a web host in Malaysia that has cropped up a few times as hosts for this long-running scam.

It seems that this isn't an isolated case. Looking at just one server gives us a number of other fraudulent domains:

  • bestcrisisprices.com - fake ecommerce site registered to Michell.Gregory2009@yahoo.com that has been used for this fraud, this fraud and many others.
  • blizzard-battle.net - fake "World of Warcraft" login page, presumably designed to harvest usernames and passwords.
  • europemedicalnet.com - claims to be a German medical company, in reality it isn't. Purpose unclear, probably run by Manuel Fichter.
  • everyhit.info - front-end for the registry-cleaner-comparisons.com fraudware site.
  • evilcheats.org - registered to kingstonsmith@hushmail.com who is connected with many fraudulent and/or suspect sites.
  • excelcapitals.com - smart looking but suspect "get rich quick" site, apparently based in Panama.
  • flyappraisals.com - fake domain appraisals.
  • flyrating.com - fake domain appraisals.
  • germanymedicalnet.com - currently displaying text from the Pozde.com domain scam.
  • gooogled.com - appears to sell knock-off designer goods.
  • hellas-warez.com - "Warez" as in illegal software downloads.
  • hygetropin-hgh.com - Claims to export prescription drugs from China.
  • indigo-net.org - another "Kingston Smith" domain.
  • jessicassoftware.com - suspiciously cheap software.
  • maximizedlivingscam.com - another "Kingston Smith" domain.
  • nameorange.com - fake domain appraisals.
  • nextdayrelief.com - unconvincing "pharmacy" that claims to be in the US, but is hosted in Malaysia.
  • pedma.com - fake domain appraisals.
  • podzz.com - fake domain appraisals.
  • poker-bonus-codes.de - Kingston Smith again.
  • pozde.com - fake domain appraisals.
  • r4ishop.com - with prices in pounds sterling, it appears to be passing itself off as a UK-based electronics retailer. In reality, everything is anonymised and it could be based anywhere.
  • rc-chem.net - claims to be a Canadian supplier of steroids, a Google search on the domain is enlightening.
  • replica-prestigious-watches.com - fake designer watches.
  • tropicalnames.com - fake domain appraisals.
  • yohost.org - anonymous hosting.
In fact, it's the last domain "yohost.org" which gives a clue as to what is really going on. Yohost.org looks like a reseller of Piradius.net's hosting and it advertises itself as "100% anonymous hosting and anonymous DNS and domain name services" which is "beyond the reach of virtually any government or law enforcement agency."

If you Google for "anonymous hosting" then Yohost.org comes up as #4. So you can see where their customers are coming from.

Yohost.org also rents other servers from Piradius.net, and they show a mix of sites that appear to be very dodgy indeed, through to sites that appear legitimate.

They appear to run the following IPs and probably others too:

124.217.231.173
124.217.231.209
124.217.250.102
124.217.250.106

Hosting rubbish like this does not enhance Piradius.net's reputation; they would really be better off booting Yohost.org in order to clean up their IP range.


Thursday, 2 July 2009

Domain scam: ntwifinetwork.com / js-wifi.cn

The old Chinese domain scam has been around for years, but these guys are getting lazy because they haven't changed their domains for months; this is essentially unchanged from April.

Subject: Domain Dispute and Registration
From: "Sunny"
Date: Thu, July 2, 2009 4:07 am

To whom it may concern: 2009-7-2

We are a domain name registration service company in Asia,

Last week we received a formal application submitted by Justin Lin who wanted to use the keyword "REDACTED" to register the Internet Brand and with suffix such as .cn /.com.cn /.net.cn/.hk/ .asia/ domain names.

After our initial examination, we found that these domain names to be applied for registration are the same as your domain name and trademark. We aren't sure whether you have any relation with him. Because these domain names would produce possible dispute, now we have hold down his registration, but if we do not get your company's reply in the next 5 working days, we will approve his company's application

In order to handle this issue better, Please contact us by Fax ,Telephone or Email as soon as possible.



Yours sincerely

Sunny

Checking Department

Tel: 86 513 8532 1087
Fax: 86 513 8532 2065
Email: Sunny@ntwifinetwork.com
Website: www.js-wifi.cn

Our File No.:2272363

Originating IP is 122.193.216.10.

As ever, legitimate domain registrars do not send out this type of email because they are NOT responsible for this activity. Sometimes the Chinese domains get registered, sometimes they are ALREADY registered, and often they never get registered. But before you panic and pay money to these scammers, consider this: there are hundreds of top-level domains in the world. Do you really want to buy your domain for all of them? The answer is probably "no".

The best advice is to ignore this email completely.


Tuesday, 30 June 2009

%SI_subj: miserable spam failure

Possibly one of the most miserable spam failures I have ever seen - the idiot spammer somehow forgot to populate the % fields with actual data. It just goes to reinforce that spammers are stupid.

Subject: %SI_subj
From: "Lily Lovett"
Date: Tue, June 30, 2009 2:47 pm

You don’t need to %SI3_rnd10
rod’s %SI3_rnd11 and %SI3_rnd12 %SI3_rnd13’ jokes!

This is a %SI3_rnd14 for
%SI3_rnd15 your
%SI3_rnd16! It will
%SI3_rnd17 in seconds after she %SI3_rnd18 and %SI3_rnd19 as good as if it was
a %SI3_rnd20 rod!

No more jokes – you will always get %SI3_rnd21 and moans! The huge pack
costs less than 30 %SI3_rnd22!

%SI3_rnd23 can be a %SI3_rnd24! No one will know about your %SI3_rnd25!

%SI3_rnd26 now and save more than $10 regardless of
your order’s size!

The hypertext link goes to %SI_link3 rather than a valid address.

Presumably this is a penile enhancement product. By the looks of it, the spammer could do with an intelligence enhancement product.


Password masking facepalm

A bizarre shot in the security vs usability argument, as reported by El Reg: Masked passwords must go which reports on research saying that masked passwords are more trouble than they are worth.

A key bit of the argument? "Shoulder surfing is largely a phantom problem".. umm yeah, because people's passwords usually just show as blobs or stars so there's no point. If your damned password comes up as plaintext then you can betcha that it WILL be a problem.

Facepalm


Saturday, 27 June 2009

flyrating.com scam

Flyrating.com is a re-run of the flyappraisals.com scam - a fake domain name evaluation service that is spamvertised through a bogus offer to buy a domain.


Although the servers are hosted in Malaysia, there is strong evidence linking these to a person of German origin living in Canada. More information here.


Saturday, 20 June 2009

Mystery mibug-credit.com / wiremouse.com spam

This is one of those "WTF" spams.

Subject: Refund of Duplicate Payment
From: "Customer Care Center" <2712@mibug-credit.com>
Date: Sat, June 20, 2009 8:12 pm

Dear Business Partner!

Enclosed is our e-check in the amount of EURO 1,750.00 which represents a refund for your inadvertent duplicate
remittance for payment of transaction no. 267.

We are pleased that our bookkeeping department discovered this overpayment so quickly.

Thank you.

Instant Number Accounts
Credit Cards Bulk and Wholesale
http://mibug-credit.com

Yes, you'd think that there's a malware payload or something, but there isn't. Let's check out the domain registration details - hosted at 213.208.134.154 in Austria:

owner-contact: P-GFB634
owner-organization: MIBUG CREDIT UG
owner-fname: Georg
owner-lname: BENDL
owner-street: Menzingerstrasse 130
owner-city: MUENCHEN
owner-zip: D80997
owner-country: DE
owner-phone: +49.180523363313143
owner-email: wmt18703@kunde.webmachine.eu

This is meant to be some sort of financial services site, but it was only registered on 8th June 2009.


The site does very little: you can try to open an account (which requires you to hand over a bunch of personal information), but there's no way of getting this "refund". There are a few links to wiremouse.com on the site, something that's hosted on the same server, so let's have a look at what else is on 213.208.134.154:

  • Afrohair.at
  • Altkatholiken.net
  • Bankparadies.com
  • Bmc-london.co.uk
  • Bmc-shop.co.uk
  • Cocodonia.com
  • Firmenparadies.com
  • Jr-austria.com
  • Mibug-credit.com
  • Quotum.at
  • Schmeissfliegen.com
  • Server1.biz
  • Sofortbetrieb.com
  • Tiefpreiszentrum.com
  • Turi-landhaus.com
  • Wiremouse.com
The server identifies itself as Server1.biz, also registered to Georg Bendl, but this time in Austria:

Registrant ID: C6565959-B-CO
Registrant Name: Georg BENDL
Registrant Address1: Bacherstrasse 7
Registrant City: GRIES
Registrant Postal Code: A5662
Registrant Country: Austria
Registrant Country Code: AT
Registrant Phone Number: +43.66492436352
Registrant Email: WMT5549@kunde.wmtech.net

Hmmm.. OK, well what about wiremouse.com?

owner-contact: P-NVM192
owner-organization: Managed Offshore Payment Services Limited
owner-fname: Nikolas
owner-lname: MAKIN
owner-street: Cariocca Business Park 2 Sawley Road
owner-city: MANCHESTER
owner-zip: GM40 8BB
owner-country: GB
owner-phone: +44.7031887152
owner-email: wmt8464@kunde.webmachine.eu

So, it's based in the UK? Well, the postcode is incorrect.. but in fact, Companies House does have a firm of the name Managed Offshore Payment Services Limited registered. But its accounts are overdue and there is a proposal to "strike off" the firm:

Let's look at bmc-london.co.uk on the same server:

Domain name:
bmc-london.co.uk

Registrant:
Bendl Georg

Registrant type:
Unknown

Registrant's address:
38 Homer Street
LONDON
GW1H 4NH
GB

Registrar:
Key-Systems GmbH [Tag = KEY-SYSTEMS-DE]
URL: http://www.Key-Systems.net

Relevant dates:
Registered on: 04-Sep-2008
Renewal date: 04-Sep-2010

Registration status:
Registered until renewal date.

Name servers:
ns1.webmachine.at
ns2.webmachine.at

This Georg Bendl chap moves around a lot. The address is valid although it's hard to verify if there's a real company operating from that address.

In fact, most domains seem to be registered to "Georg Bendl", but the address is different in almost every case (although Salzburg features more than once).

It's hard to fathom what this spam is about, although these sites do consistently link back to wiremouse.com. Some sort of SEO? A Joe Job? A phish? Email marketing gone horribly wrong? I don't know.

The final clue is that the sending IP address is 62.47.184.176, which is an ADSL subscriber in Austria. Draw your own conclusions, but I would be tempted to give all of these domains a wide berth.


Friday, 19 June 2009

FAIL: "Microsoft has released an update for Microsoft Outlook"

This email looks like it's from Microsoft, but it is really intended to load a trojan onto your PC:

From: Microsoft Customer Support [mailto:no-reply@microsoft.com]
Sent: 18 June 2009 22:47
Subject: Microsoft has released an update for Microsoft Outlook

Critical Update

Update for Microsoft Outlook / Outlook Express (KB910721)
Brief Description
Microsoft has released an update for Microsoft Outlook / Outlook Express. This update is critical and provides you with the latest version of the Microsoft Outlook / Outlook Express and offers the highest levels of stability and security.
Instructions
• To install Update for Microsoft Outlook / Outlook Express (KB910721) please visit Microsoft Update Center:
http://update.microsoft.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
Quick Details
• File Name: officexp-KB910721-FullFile-ENU.exe
• Version: 1.4
• Date Published: Thu, 18 Jun 2009 16:46:55 -0500
• Language: English
• File Size: 81 KB
System Requirements
• Supported Operating Systems: Windows 2000; Windows 98; Windows ME; Windows NT; Windows Server 2003; Windows XP; Windows Vista
• This update applies to the following product: Microsoft Outlook / Outlook Express
Contact Us
© 2009 Microsoft Corporation. All rights reserved. Contact Us |Terms of Use |Trademarks |Privacy Statement


Although the link appears to be for the Microsoft web site, underneath is a hidden URL which is quite different. From samples I have plus some scraped from teh interwebs, I came up with the following samples:

hxxp:||update.microsoft.com.ijlijji.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.ijj1hjf.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.ijlijjh.net/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.ijlijj1.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.ijlijji.net/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.il1if1.com.mx/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]

The reason why this is a FAIL? None of the domains are registered apart from the .com.mx one, so clicking the links will do precisely nothing. il1if1.com.mx is hosted on a botnet with presumably fake registration details, but it seems to be quite unreliable.

Even though this attack doesn't work, it might be a good idea to keep an eye out for it and advise any end users you have. Also checking your proxy logs for update.microsoft.com.i may well be useful.
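The proxy-log check suggested above, written out as an added example (not part of the original post): it parses Squid-style access-log lines, pulls the hostname out of each URL, and flags hostnames that embed "microsoft.com" as an inner label (such as update.microsoft.com.ijlijji.com) while the genuine update.microsoft.com is left alone. The log lines are constructed for the example and the "id=XXXX" value stands in for the redacted parameter.

```python
from urllib.parse import urlsplit

# Constructed sample proxy log lines in Squid native format
# (time elapsed client code/status bytes method URL user hierarchy type).
SAMPLE_LOG = """\
1245369600.123 120 10.0.0.15 TCP_MISS/200 4523 GET http://update.microsoft.com/microsoftupdate/v6/default.aspx - DIRECT/65.55.12.1 text/html
1245369601.456 95 10.0.0.22 TCP_MISS/200 81920 GET http://update.microsoft.com.il1if1.com.mx/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=XXXX - DIRECT/192.0.2.10 application/octet-stream
1245369602.789 200 10.0.0.22 TCP_MISS/404 512 GET http://update.microsoft.com.ijlijji.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us - NONE/- text/html
1245369603.001 50 10.0.0.30 TCP_HIT/200 2048 GET http://www.example.com/index.html - NONE/- text/html
"""

# Brands whose names are being borrowed; the hostname is genuine only if it
# IS this suffix or ENDS with "." + suffix.
TRUSTED_SUFFIXES = ("microsoft.com",)


def is_lookalike(host: str) -> bool:
    """True when a trusted domain appears as an inner label of a longer name."""
    host = host.lower().rstrip(".")
    for suffix in TRUSTED_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return False  # really under the trusted domain
        # Prepending "." makes the match respect label boundaries, so
        # "notmicrosoft.com.example" is not flagged but
        # "update.microsoft.com.example" is.
        if "." + suffix + "." in "." + host:
            return True
    return False


def find_lookalikes(log_text: str):
    """Return (client_ip, hostname) for every log line with a lookalike host."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or CONNECT-only line, nothing to inspect
        client, url = fields[2], fields[6]
        if not url.startswith(("http://", "https://")):
            continue
        host = urlsplit(url).hostname
        if host and is_lookalike(host):
            hits.append((client, host))
    return hits


if __name__ == "__main__":
    for client, host in find_lookalikes(SAMPLE_LOG):
        print(f"{client} -> {host}")
```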


Tuesday, 16 June 2009

WebTrends just doesn't get it

WebTrends is a service I used to run a few years ago for web analytics, until the hundreds of dollars per month it was charging for analytics that I could get cheaper elsewhere (or now even free) became ridiculous.

So, I stopped using the service and opted out of all email communications as I was no longer interested. So, this bizarre email from WebTrends plops into my mailbox today:

Thank you for taking a moment to look at this email. We know you've unsubscribed from Marketing Communications from us and respect your request, but wanted to let you know that we're making some much-needed changes to our email programming. Our new approach lets you tell us what messages you want. Tell us which of these topics are most valuable to you and we'll limit what we send to what you're interested in. Simply click on the link below to personalise your email subscription. Still not interested? Ignore this message, it'll be the last email you receive from us.

Let's read that again.. "We know you've unsubscribed from Marketing Communications from us and respect your request".. well, clearly you bloody aren't respecting my request, are you?

WebTrends is not the worst offender - some companies simply do not understand the meaning of the word "unsubscribe". Doesn't it mean "don't send me anything unless I change my mind"? It seems it now means "don't send me anything unless you really want to" instead.
