Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday 19 January 2010

Yet another phishing campaign: ukbusinessforums.co.uk + Netelligent + touchcampaign.com + v2mailservice.com

I received a rather surprising e-mail earlier. Surprising because it was sent to an e-mail address I used specifically for registering on the ukbusinessforums.co.uk website a few years ago, and not an address I'd published anywhere (and nope, I'd not given them permission to give it to anyone else).

This particular e-mail is shown to the left, but in short, advertises pdf-adobe.org, which leads to pdfnewdownload.com and secure.signup-way.com (SSL certificate for signup-way.com is provided by GoDaddy). These sites are all not surprisingly, involved in fraud.


The people and sites responsible for this are;

touchcampaign.com (lives at 118.69.203.7, AS18403
FPT-AS-AP FPT Telecom Company 66-68 Vo Van Tan Ho Chi Minh City Vietnam)
v2mailservice.com (lives at 77.68.54.173, FastHosts)

Domain name: TOUCHCAMPAIGN.COM
Name Server: dns15.fpt.vn
Name Server: dns16.fpt.vn
Creation Date: 2010.01.17
Updated Date: 2010.01.17
Expiration Date: 2011.01.17

Status: DELEGATED

Registrant ID: RNCV48A-RU
Registrant Name: Kevin Stubbs
Registrant Organization: Kevin Stubbs
Registrant Street1: 23 Bringston Rd
Registrant City: Lancers
Registrant State: Cheshire
Registrant Postal Code: SM2 7LS
Registrant Country: GB

Administrative, Technical Contact
Contact ID: RNCV48A-RU
Contact Name: Kevin Stubbs
Contact Organization: Kevin Stubbs
Contact Street1: 23 Bringston Rd
Contact City: Lancers
Contact State: Cheshire
Contact Postal Code: SM2 7LS
Contact Country: GB
Contact Phone: +44 645 8393820
Contact E-mail: kevinstub1231@yahoo.co.uk

Registrar: ANO Regional Network Information Center dba RU-CENTER


Oh and yes, the WhoIs details are fake (for starters, 0645 isn't a valid UK dialing code, it was changed to 0845 years ago)

Domain name: V2MAILSERVICE.COM
Name Server: ns1.v2mailservice.com 77.68.54.173
Name Server: ns2.v2mailservice.com 77.68.54.172
Creation Date: 2010.01.03
Updated Date: 2010.01.04
Expiration Date: 2011.01.03

Status: DELEGATED

Registrant ID: LXHHBQO-RU
Registrant Name: Laurie Harford
Registrant Organization: Laurie Harford
Registrant Street1: 72 Sunshine Rd
Registrant City: Torquay
Registrant Postal Code: TQ2 6AM
Registrant Country: GB

Administrative, Technical Contact
Contact ID: LXHHBQO-RU
Contact Name: Laurie Harford
Contact Organization: Laurie Harford
Contact Street1: 72 Sunshine Rd
Contact City: Torquay
Contact Postal Code: TQ2 6AM
Contact Country: GB
Contact Phone: +44 7976776382
Contact E-mail: laurieharford@yahoo.co.uk

Registrar: ANO Regional Network Information Center dba RU-CENTER


The phone number listed here is valid, and belongs to an Orange Telecom customer (I'd have called it if it weren't 04:00).

A lovely little list of domains they are also the owners of are;

5-startv.com
antivirus-new-downloads.com
antivirusofficialdownload.com
ares-ultradownloads.com
ares-ultrapro.com
aresultra-pro.com
best-chef-recipes.com
bestmovies-net.com
browserdownloadsnow.com
browsernewdownload.com
build-army-of-followers.com
burnerdownloads.com
buy-all-wholesale.com
cddvd-burner-pro.com
completeantivirusprotection.com
download-gamespro.com
download-mediahome.com
download-musicpro.com
downloadantiviruspro.com
downloadfor-all.com
downloadfree-movies.com
downloadmusicnew.com
emp3now.com
fast-free-movies.com
fast-movies-download.com
fast-movies-downloads.com
fastmovie-download.com
fastmovie-downloads.com
fasttv-downloads.com
find-keywords-guide.com
find-niche-guide.com
fivestar-tv.com
foreclosure-guide-site.com
free-movienow.com
full-tvdownloading.com
full-tvdownloads.com
fullmedia-access.com
game-mediacenter.com
games-download-network.com
getall-togo.com
getalltogonow.com
getfollowersblog.com
hot-mp3-downloads.com
hot-mp3download.com
hypnosis-guide-pro.com
internet-televisiononline.com
internet-tv-networks.com
isoftwaretvdownloads.com
isoftwaretvstations.com
latestmobiledownloads.com
live-boxingchannel.com
live-cricketchannel.com
live-soccerchannel.com
live-tennischannel.com
live-tv-channels-online.com
livebaseball-channel.com
livecyclingchannel.com
livefootball-channel.com
livegolf-channel.com
medianewdownload.com
mobiledownloads-pro.com
movie-downloadsnow.com
moviedownloads-pro.com
mp3-download-network.com
mp3-downloadingnet.com
mp3download-net.com
mp3downloading-net.com
mp3sectionentitled.com
music-moviesnetwork.com
musicdownload-site.com
musictoyourplayer.com
mydownloadings.com
net-gamedownloading.com
net-moviedownloads.net
net-movies-download.com
netdownloadsnow.com
netmovies-download.com
new-gamingexperience.com
new-internettelevision.com
new-satellite-tv-for-pc.com
newantivirusdownload.com
newplayer-downloads.com
newsatellite-tv-forpc.com
officesuite-download.com
onlinebasketballchannel.com
onlinefightingchannel.com
onlinehockeychannel.com
onlineracingchannel.com
onlinerugbychannel.com
onlinestream-movies.com
onlinewatersportschannel.com
overload-yourconsole.com
pdf-pro2009.com
pdfnewdownload.com
pdfprodownload.com
premium-tattoo-design.com
profit-foreclosure-guide.com
profit-forex-market.com
quick-free-movie.com
quickfree-movie.com
recession-guide-pro.com
sattv-downloads.com
searchdestroypro.com
securityantivirussite.com
stream-and-watch.com
streamcinemas.com
the-best-download-place.com
the-movie-download.com
the-moviecenter.com
the-movies-downloading.com
the-moviesdownload.com
thebest-mediaonline.com
themovie-downloading.com
total-acne-treatments.com
ultimateofficesuites.com
ultra-games-downloads.com
ultra-gamesdownload.com
ultragames-download.com
unlimited-download-center.com
unlimited-mediaaccess.com
unlimitedconsole-games.com


These are all hosted at 67.212.90.67. And who owns this IP? Why, our old friends Netelligent of course.

Other connected domains include;

64.40.114.87 (AS14280 NETNATION Communications Inc.)

termsandprivacy.com
faqandtestimonials.com
online-disclaimer.com

67.205.108.166 (AS32613
IWEB-AS iWeb Technologies Inc.)


signup-way.com

77.68.54.172 (AS15418
FASTHOSTS-INTERNET Fasthosts Internet Ltd. Gloucester, UK.)


adobe-pdf-new-download.com
pdf-reader-writer.com

What's funny of course, is Netelligent recently wanted to convince us they were simply victims, and they'd killed off the criminals on their network. Wonder how they're going to explain this one huh? Especially given the history of the particular /24 in question (previously used by US based XLMarketing, who weren't exactly known for legit marketing methods)

/update 14:28 20-01-2010

I called the mobile number for v2mailservice.com, and not surprisingly, the number no longer exists.

4 comments:

Conrad Longmore said...

Sounds familiar. Did you notice the "Affiliate" link at the bottom takes you to marketbay.com, the page at marketbay.com/merchants.aspx lists these so-called merhants.

Now, marketbay.com was originally yourclick.com (Google it) owned by "Three W Networks Ltd" (Google *that*) who appears to be registered in the Bahamas (although that's probably just a nameplate).

MysteryFCM said...

I'd missed the marketbay.com link. Cheers for the heads up :o)

Unknown said...

I had the adobe email today, but not with any fancy graphics. Header said it had come from touchcampaign.org, similar whois
IP: 118.69.203.14
email to kevinstub1231@yahoo.co.uk
bounced.

Unknown said...

There's now a fraud with a very similar web layout, but updated software "versions" in an e-mail from (ostensibly) "newsletter@adobe-pdf-solutions.com" linking to www.adobe-pdf-solutions.com. The domain contact is a Tommy Anderson at 273 Parkway, Miami, FL. This address is on a large fenced off vacant block without road access. It links through for payment for the "free" upgrade to https://signupway.ru.