Blog for hpHosts, and whatever else I feel like writing about ....

Thursday, 1 July 2010

Scam Alert: theconsumerherald.com

Following in the footsteps of the lot I previously mentioned, we have theconsumerherald.com, which lives at;

IP: 173.204.4.210
IP PTR: yellowhammermg.com
ASN: 26228 173.204.0.0/17 SERVEPATH - ServePath, LLC.

This lovely little fellow was found whilst checking up on darkprofits.com. Loading the site, I was pleasantly surprised to find it was now parked - but as with most parking servers, there was a nasty little catch waiting, and this was one of them (the other was a popup ad for popularscreensavers.com, but we're used to seeing them).



Clicking on this advert, we're taken to;

hxxp://www.theconsumerherald.com/uk_mens_health_choyung/?weather=0&sub=cpx_uk

Which gives us this;



You'll notice it's exactly the same kind of fake news site as before. So where are we led to this time? Well, if you click "Cho Yung Tea", you're taken to (note: both links take you through x.azjmp.com);

hxxp://www.choyung.com/index.php?ep=1&subID=41735

IP: 94.236.59.237
IP PTR: Resolution failed
ASN: 15395 94.236.0.0/17 UK Rackspace

And if you click "Pure Cleanse", you're taken to;

hxxp://www.procleansegold.com/?epic=1&f=1&subID=41735

IP: 94.236.32.57
IP PTR: Resolution failed
ASN: 15395 94.236.0.0/17 UK Rackspace

Both are in sub-ranges owned by "Cho Yung";

inetnum: 94.236.59.232 - 94.236.59.239
netname: RSPC-UK-CHO-YUNG
descr: CHO YUNG IP SPACE
country: GB
admin-c: IA247-RIPE
tech-c: IA247-RIPE
status: ASSIGNED PA
mnt-by: RSPC-MNT
source: RIPE # Filtered

inetnum: 94.236.32.56 - 94.236.32.63
netname: RSPC-UK-CHO-YUNG
descr: CHO YUNG IP SPACE
country: GB
admin-c: IA247-RIPE
tech-c: IA247-RIPE
status: ASSIGNED PA
mnt-by: RSPC-MNT
source: RIPE # Filtered

Cho Yung (UK) Ltd
136-140 old Shoreham Road
Hove, East Sussex BN3 7BD
United Kingdom

I've not done much digging, but other sites known to be owned/run by "Cho Yung" (aka "Cho Yung Ltd") include;

acaiberry-plus.com
choyung.com
cho-yung.com
cho-yungdirect.com
choyungaffiliates.com
choyungtea.net
choyungtea.com
choyungteareview.co.uk
choyungteareviews.co.uk
choyungteareviews.com
mysisters-dietsecret.com
mysistersdietsecret.com
procleansegold.com
procleansegoldformen.com
slimmingsolutionreviews.co.uk
visionmarktech.com

You'll no doubt not be surprised to hear that, aside from their testimonials of being "recommended by doctors" (pretty sure every single one of them will warn you off things such as this, at least, honest doctors concerned about your health anyway) and requiring you to ensure you're eligible (FYI: doesn't matter what you enter, they always tell you you're the "perfect candidate", irrespective of whether you're 8 or 80, 6 pounds or 600), Cho Yung are also taking money from people's accounts, apparently on the pretence of their not receiving all of the samples back (obviously I cannot verify whether the complainant's actual complaint is valid or not, as I'm neither a lawyer, mind reader, etc etc, but given other similar scams, it certainly wouldn't surprise me).

http://forums.moneysavingexpert.com/showthread.php?t=2360045
http://forums.moneysavingexpert.com/showthread.php?t=1832601

There was also a thread on it at consumeractiongroup.co.uk, but that's now returning an invalid URL error.

To make matters worse, however, not content with a phishing scam, there's also another domain on the same IP as theconsumerherald.com that auto-redirects you straight to SmileyCentral;

autoquoteamerica.com

This domain, when first loaded, helpfully displays;



But alas, all it does is redirect you to;

hxxp://smiley.smileycentral.com/download/index.jhtml?partner=ZNxuk101&spu=true&sub_id=41735&click_hash=12tFdON&nsrc=az2

GET / HTTP/1.1
Accept: */*
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.5; OfficeLivePatch.1.3; .NET4.0C)
Connection: Keep-Alive
Host: autoquoteamerica.com

HTTP/1.1 200 OK
Date: Fri, 02 Jul 2010 04:28:41 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.4
Content-Length: 4174
Connection: close
Content-Type: text/html; charset=UTF-8

------------------------------------------------------------------
GET /javascripts/sifr/css/sifr.css HTTP/1.1
Accept: */*
Referer: http://autoquoteamerica.com/
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.5; OfficeLivePatch.1.3; .NET4.0C)
Host: autoquoteamerica.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Fri, 02 Jul 2010 04:28:43 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Tue, 19 Jan 2010 22:48:08 GMT
ETag: "21be2a-7ef-47d8c437cfa00"
Accept-Ranges: bytes
Content-Length: 2031
Connection: close
Content-Type: text/css

------------------------------------------------------------------
GET /stylesheets/main.css HTTP/1.1
Accept: */*
Referer: http://autoquoteamerica.com/
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.5; OfficeLivePatch.1.3; .NET4.0C)
Host: autoquoteamerica.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Fri, 02 Jul 2010 04:28:43 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Tue, 19 Jan 2010 22:48:14 GMT
ETag: "21be31-538-47d8c43d88780"
Accept-Ranges: bytes
Content-Length: 1336
Connection: close
Content-Type: text/css

------------------------------------------------------------------
GET /javascripts/sifr/js/sifr.js HTTP/1.1
Accept: */*
Referer: http://autoquoteamerica.com/
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.5; OfficeLivePatch.1.3; .NET4.0C)
Host: autoquoteamerica.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Fri, 02 Jul 2010 04:28:43 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Tue, 19 Jan 2010 22:48:13 GMT
ETag: "21be2f-72b2-47d8c43c94540"
Accept-Ranges: bytes
Content-Length: 29362
Connection: close
Content-Type: application/x-javascript

------------------------------------------------------------------
GET /javascripts/sifr/js/sifr-config.js HTTP/1.1
Accept: */*
Referer: http://autoquoteamerica.com/
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.5; OfficeLivePatch.1.3; .NET4.0C)
Host: autoquoteamerica.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Fri, 02 Jul 2010 04:28:44 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Tue, 19 Jan 2010 22:48:12 GMT
ETag: "21be2e-a73-47d8c43ba0300"
Accept-Ranges: bytes
Content-Length: 2675
Connection: close
Content-Type: application/x-javascript

------------------------------------------------------------------
GET /images/body-bg.jpg HTTP/1.1
Accept: */*
Referer: http://autoquoteamerica.com/
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.5; OfficeLivePatch.1.3; .NET4.0C)
Host: autoquoteamerica.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Fri, 02 Jul 2010 04:28:48 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Tue, 19 Jan 2010 22:48:04 GMT
ETag: "21be24-37b-47d8c433ff100"
Accept-Ranges: bytes
Content-Length: 891
Connection: close
Content-Type: image/jpeg

------------------------------------------------------------------
GET /images/super-bg.jpg HTTP/1.1
Accept: */*
Referer: http://autoquoteamerica.com/
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.5; OfficeLivePatch.1.3; .NET4.0C)
Host: autoquoteamerica.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Fri, 02 Jul 2010 04:28:48 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Tue, 19 Jan 2010 22:48:06 GMT
ETag: "21be26-e00c-47d8c435e7580"
Accept-Ranges: bytes
Content-Length: 57356
Connection: close
Content-Type: image/jpeg
X-Pad: avoid browser bug

------------------------------------------------------------------
GET /images/progress.gif HTTP/1.1
Accept: */*
Referer: http://autoquoteamerica.com/
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.5; OfficeLivePatch.1.3; .NET4.0C)
Host: autoquoteamerica.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Fri, 02 Jul 2010 04:28:48 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Tue, 19 Jan 2010 22:48:05 GMT
ETag: "21be25-3a7a-47d8c434f3340"
Accept-Ranges: bytes
Content-Length: 14970
Connection: close
Content-Type: image/gif
X-Pad: avoid browser bug

------------------------------------------------------------------
GET /4DNZP?azauxurl=60903&sub=_age=_state= HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.5; OfficeLivePatch.1.3; .NET4.0C)
Connection: Keep-Alive
Host: x.azjmp.com
Cookie: OAID=AF88667BE7FA446BE950919971F7553D; 7953_long_tracker=12-0-cNvIlIYYK0wOE9aAkyHbmJDdvFTmg4%2FQX7JEfNcUQw2YEvZft09dFPhTNSVApcVlQoGtei9SqhZ7Co%2BMYg4JeUQnErLvzaNd%2BPP%2FJWEZz9JaRG5yLuhK7iR8cQFmOXUv3S%2FtMfc4Aw7adlQ3lytgDIIY5MGXJKCx4Bn8Mg8pjGCopoCfN5qeBxDrVzwf9qiRzalhdLZSsmsyE6A%3D; 7953_41735_short_tracker=12-438313903-cpx_uk; 9247_long_tracker=12-0-cNvIlIYYK0wOE9aAkyHbmJDdvFTmg4%2FQX7FEfNcaSAycEvZft09dFPhTNSVApcVlQoGtei9SqhZ7Co%2BMYg4JeUQnErLvzaNd%2BPP%2FJWEZz9JaRG5yLuhK7iR8cQFmOXUv3S%2FtMfc4Aw7adlQ3lytgDIIY5MGXJKCx4Bn8Mg8pjGCopoCfN5qeBxDrVzwf9qiRzalhdLZSsmsyEKY%3D; 9247_41735_short_tracker=12-438313935-cpx_uk; 9248_long_tracker=12-0-cNvIlIYYK0wOE9aAkyHbmJDdvFTmg4%2FQX7BEfNcaSAyTEvZft09dFPhTNSVApcVlQoGtei9SqhZ7Co%2BMYg4JeUQnErLvzaNd%2BPP%2FJWEZz9JaRG5yLuhK7iR8cQFmOXUv3S%2FtMfc4Aw7adlQ3lytgDIIY5MGXJKCx4Bn8Mg8pjGCopoCfN5qeBxDrVzwf9qiRzalhdLZSsmsyFac%3D; 9248_41735_short_tracker=12-438313964-cpx_uk; 9249_long_tracker=12-0-cNvIlIYYK0wOE9aAkyHbmJDdvFTmg4%2FQX7dEfNcaSAySEvZft09dFPhTNSVApcVlQoGtei9SqhZ7Co%2BMYg4JeUQnErLvzaNd%2BPP%2FJWEZz9JaRG5yLuhK7iR8cQFmOXUv3S%2FtMfc4Aw7adlQ3lytgDIIY5MGXJKCx4Bn8Mg8pjGCopoCfN5qeBxDrVzwf9qiRzalhdLZSsmsyG6o%3D; 9249_41735_short_tracker=12-438313989-cpx_uk; imp_12_1885_0_3_1=961969287_22; 9981_long_tracker=12-0-cNvIlIYYK0wOE9aAkyHbmJDdvFTmg4nWWrZEfNcaQwCaEvZft09dFPhTNSVApcVlQoGtei9SqhZ7Co%2BMYg4JeUQnErLvzaNd%2BPP%2FJWEZz9JaRG5yLuhK7iR8cQFmOXUv3S%2FtMfc4Aw7adlQ3lytgDIIY5MGXJKCx4Bn8Mg8pjGCopoCfN5qeBxDrVzwf9qiRzalhdLZSsm07EaM%3D; 9981_41735_short_tracker=12-438315020-cpx_uk; imp_16015_9980_0_13_1=1433826473_12; imp_16015_9981_0_13_1=1433826519_12; PHPSESSID=uansp1qevailvq0cbio4kui925; PHPSESSID=uansp1qevailvq0cbio4kui925

HTTP/1.1 302 Found
Server: nginx
Date: Fri, 02 Jul 2010 04:26:05 GMT
Transfer-Encoding: chunked
Connection: close
Location: http://www.smileycentral.com/?partner=ZNxuk101&spu=true&sub_id=41735&click_hash=12tFdON&nsrc=az2
Set-Cookie: OAID=AF88667BE7FA446BE950919971F7553D; Expires=Sat, 02 Jul 2011 04:26:05 GMT; Max-Age=31536000; Domain=azjmp.com; Path=/
Set-Cookie: 919_long_tracker=12-0-cNvIlIYYK0wyAsm6w3m5t96Y%2B1W%2Bk4yjT%2FRfIsxWRwqdB7MO9x0IWb0aNnc8tMYUVIbNbjFBuVYgV9%2FQNE5NJw%3D%3D; Expires=Sun, 01 Aug 2010 04:26:05 GMT; Max-Age=2592000; Domain=azjmp.com; Path=/
Set-Cookie: 919_41735_short_tracker=12-438338313-_age=_state=; Expires=Sat, 03 Jul 2010 04:26:05 GMT; Max-Age=86400; Domain=azjmp.com; Path=/
P3P: policyref="http://azjmp.com/w3c/policy.xml", CP="ALL BUS LEG DSP COR ADM CUR DEV PSA OUR NAV INT"

------------------------------------------------------------------
GET /?partner=ZNxuk101&spu=true&sub_id=41735&click_hash=12tFdON&nsrc=az2 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.5; OfficeLivePatch.1.3; .NET4.0C)
Connection: Keep-Alive
Cookie: __utmc=152833723
Host: www.smileycentral.com

HTTP/1.1 200 OK
Date: Fri, 02 Jul 2010 04:26:07 GMT
Server: Apache/1.3.27 (Unix) Resin/2.0.5
Pragma: no-cache
Cache-control: max-age=0, must-revalidate
Expires: Sat 02 Apr 1977 17:15:00 GMT
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

------------------------------------------------------------------
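As an added example (not the blog's own code), here is a small Python parser for captures like the one above, run over a constructed excerpt of it: it pairs each request with its response, follows the 302 Location hops to recover the redirect chain, and pulls the affiliate sub-account id (the sub_id / subID query key) out of each landing URL. It goes a step beyond the capture itself by checking whether several landing pages carry the same id, which is how the choyung.com, procleansegold.com and SmileyCentral URLs quoted on this page can be tied to one affiliate account.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed excerpt of the capture above (request line, Host, status and Location only).
CAPTURE = """\
GET / HTTP/1.1
Host: autoquoteamerica.com

HTTP/1.1 200 OK

GET /4DNZP?azauxurl=60903&sub=_age=_state= HTTP/1.1
Host: x.azjmp.com

HTTP/1.1 302 Found
Location: http://www.smileycentral.com/?partner=ZNxuk101&spu=true&sub_id=41735&click_hash=12tFdON&nsrc=az2

GET /?partner=ZNxuk101&spu=true&sub_id=41735&click_hash=12tFdON&nsrc=az2 HTTP/1.1
Host: www.smileycentral.com

HTTP/1.1 200 OK
"""
AFFILIATE_KEYS = ("sub_id", "subID")  # query keys carrying the affiliate/sub-account id
def parse_exchanges(capture):
    """Pair each request block with the response block that follows it."""
    blocks = re.split(r"\n\s*\n", capture.strip())
    out = []
    for req, resp in zip(blocks[0::2], blocks[1::2]):
        host = re.search(r"^Host: (\S+)", req, re.M).group(1)
        loc = re.search(r"^Location: (\S+)", resp, re.M)
        out.append({"url": "http://" + host + req.split(" ")[1],
                    "status": int(resp.split(" ")[1]),
                    "location": loc.group(1) if loc else None})
    return out
def redirect_chain(capture):
    """Hostnames in the order the browser was bounced through them."""
    hops = []
    for ex in parse_exchanges(capture):
        nxt = ex["location"] if 300 <= ex["status"] < 400 else None
        for host in (urlsplit(u).hostname for u in (ex["url"], nxt) if u):
            if not hops or hops[-1] != host:
                hops.append(host)
    return hops
def affiliate_ids(url):  # e.g. {'subID': '41735'}
    q = parse_qs(urlsplit(url).query)
    return {k: q[k][0] for k in AFFILIATE_KEYS if k in q}
def shared_affiliate_id(urls):
    """The one affiliate id every URL carries (ties the landing pages together), else None."""
    common = set.intersection(*(set(affiliate_ids(u).values()) for u in urls))
    return common.pop() if len(common) == 1 else None
```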
