A Diverse Portfolio of Fake Security Software - Part Twenty Two


3 July 2009 | 19:34

Part twenty two of the diverse portfolio of fake security software series summarizes the typosquatted scareware-serving domains currently in circulation, pushed through the usual distribution channels, and also emphasizes the "money trail", namely the payment processing gateways used in the scareware campaigns.



In this particular case, the scareware front-ends ultimately lead to ChronoPay, which Germany-based Pandora Software has been abusing since 2008 under its countless aliases, Meyrocorp for instance.



The scareware domains are as follows:




It's a pretty obvious case demonstrating the dynamics of the underground ecosystem. A thousand bogus accounts purchased for $10 and used in a bulk registration of scareware-serving domains on a revenue-sharing affiliate model end up in a win-win-win situation for the cybercriminals involved in these processes. The practice is becoming rather popular not only due to their interest in less centralization of the domain control under a single email address -- cross checking reveals the entire portfolio managed under it -- but also due to the availability of the service.
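The cross-checking mentioned above, generalized to pivot on shared hosting IPs as well as registrant emails, as an added example that is not from the original post. The records are constructed with documentation-reserved domains and addresses, and `cluster_portfolios` is a hypothetical helper name.

```python
from collections import defaultdict

# Constructed WHOIS/DNS records (documentation-reserved names and addresses).
RECORDS = [
    {"domain": "scan-a.example", "email": "reg1@example.org", "ip": "192.0.2.10"},
    {"domain": "scan-b.example", "email": "reg1@example.org", "ip": None},
    {"domain": "scan-c.example", "email": "reg2@example.org", "ip": "192.0.2.10"},
    {"domain": "scan-d.example", "email": "reg2@example.org", "ip": None},
    {"domain": "pay-a.example",  "email": "reg3@example.org", "ip": "198.51.100.7"},
    {"domain": "shop.example",   "email": None,               "ip": "203.0.113.5"},
]

def cluster_portfolios(records):
    """Union domains that share a registrant email or a hosting IP."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for r in records:
        dom = ("domain", r["domain"].strip().lower())
        find(dom)  # register domains that have no pivot at all
        for key in ("email", "ip"):
            if r.get(key):
                union(dom, (key, r[key].strip().lower()))

    groups = defaultdict(lambda: {"domains": set(), "pivots": set()})
    for node in list(parent):
        kind, value = node
        g = groups[find(node)]
        (g["domains"] if kind == "domain" else g["pivots"]).add(value)
    # Largest portfolios first, ties broken by domain name for stable output.
    return sorted(groups.values(),
                  key=lambda g: (-len(g["domains"]), sorted(g["domains"])))

if __name__ == "__main__":
    for c in cluster_portfolios(RECORDS):
        print(sorted(c["domains"]), "<-", sorted(c["pivots"]))
```

Two throwaway registrant addresses still collapse into one portfolio here because one domain from each resolves to the same IP, which is why spreading registrations across bulk-purchased accounts only helps while the hosting stays separate too.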






Now the emphasis on the payment gateways, currently active and processing the scareware transactions:




These payment processing gateways are sometimes front-ends to the original and often legitimate payment processors. In this particular case, the legitimate processor is Netherlands-based ChronoPay, which is known to have been used in the past by affiliates in the scareware affiliate model, with several complaints about repeated credit card billing, which in reality is included in the scareware's Terms of Service.



Upon a successful purchase, the customer is told that "This charge will appear on your card statement as CHRPay.com/ducforceide". Interestingly, Pandora Software has also been using the following ChronoPay accounts for over a year - Chrpay.com/meyrocorp; CHrpay.com/pnra using disconnected numbers, CallerIDs of scareware operations, desperate attempts to contact the alias for the front-end payment processor, ultimately resulting in several hundred ChronoPay related complaints.



Next to scareware, ChronoPay (Pavel Vrublevsky acting as CEO) is also known to have been used in a mobile application scam dissected here, as well as being a victim of a DDoS attack in 2008, which is pretty logical since, if ChronoPay is the payment processor of choice for the hundreds of thousands of scareware-generated revenues on a daily basis, the commissions ChronoPay takes from cybercriminals would be more than welcome in the competing payment processor's network.



Related posts:

Dissecting a Swine Flu Black SEO Campaign

Massive Blackhat SEO Campaign Serving Scareware

From Ukrainian Blackhat SEO Gang With Love

From Ukrainian Blackhat SEO Gang With Love - Part Two

From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms

Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot



A Diverse Portfolio of Fake Security Software - Part Twenty One

A Diverse Portfolio of Fake Security Software - Part Twenty

A Diverse Portfolio of Fake Security Software - Part Nineteen

A Diverse Portfolio of Fake Security Software - Part Eighteen

A Diverse Portfolio of Fake Security Software - Part Seventeen

A Diverse Portfolio of Fake Security Software - Part Sixteen

A Diverse Portfolio of Fake Security Software - Part Fifteen

A Diverse Portfolio of Fake Security Software - Part Fourteen

A Diverse Portfolio of Fake Security Software - Part Thirteen

A Diverse Portfolio of Fake Security Software - Part Twelve

A Diverse Portfolio of Fake Security Software - Part Eleven

A Diverse Portfolio of Fake Security Software - Part Ten

A Diverse Portfolio of Fake Security Software - Part Nine

A Diverse Portfolio of Fake Security Software - Part Eight

A Diverse Portfolio of Fake Security Software - Part Seven

A Diverse Portfolio of Fake Security Software - Part Six

A Diverse Portfolio of Fake Security Software - Part Five

A Diverse Portfolio of Fake Security Software - Part Four

A Diverse Portfolio of Fake Security Software - Part Three

A Diverse Portfolio of Fake Security Software - Part Two

Diverse Portfolio of Fake Security Software



This post has been reproduced from Dancho Danchev's blog.



Source: Dancho Danchev
