Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday, 2 February 2011

Soviet Union, fakes, phishing and spam

If x = b, what do we need numbers for?

Last time I checked, the Soviet Union didn't exist anymore, yet as we all know, the .su TLDs live on.

Random musings are great, aren't they? Well, not in this case. I've yet to see a .su domain that's actually legit, and this one is no different. The domain in this case is officialversion.su (also known as officialversion.ru), a domain we're all familiar with.

This particular one was arrived at courtesy of an e-mail a friend received and forwarded to me. You'll like this, but you won't be surprised. The e-mail contained;

From: reply@inbox-mediaone.com
To: [REMOVED]
Subject: Avast, AVG and Avira Users - Your Alternative is Here
Date: Wed, 2 Feb 2011 03:00:00 -0500


The New AVG 2011 AntiVirus Alternative <http://list.traclickmedia.com/t/115971/2214149/756/0/>
Complete Antivirus Protection Solution<http://i27.tinypic.com/2928g37.jpg> Complete Antivirus Protection Solution
Dear valued customers,

We are pleased to announce the newest version of Antivirus 2011 for Windows which will provide you with total security against the latest spyware, malware, viruses, trojans and any other online threats.

Simply visit the link below and enter your Antivirus code:

Antivirus Code: 5014
Scan Your Computer Now! <http://list.traclickmedia.com/t/115971/2214149/755/0/>

See why more & more businesses and families trust their security to AV AntiVirus.

Thank you for choosing us, the worldwide leader Antivirus solutions.

Mike Robertson
Internet Security Specialist


Latest Threat Level Warning
Latest Threat Levels<http://i32.tinypic.com/34s2bl0.jpg>
Signs Your PC is Infected
Signs your PC is Infected<http://i30.tinypic.com/bg21zo.jpg> Opening files takes forever
Signs your PC is Infected<http://i30.tinypic.com/bg21zo.jpg> Pop-ups while browsing
Signs your PC is Infected<http://i30.tinypic.com/bg21zo.jpg> Frequent System Warnings
Signs your PC is Infected<http://i30.tinypic.com/bg21zo.jpg> Constant Program errors
Signs your PC is Infected<http://i30.tinypic.com/bg21zo.jpg> Computer is running slow
Signs your PC is Infected<http://i30.tinypic.com/bg21zo.jpg> Browser freezes Online
Signs your PC is Infected<http://i30.tinypic.com/bg21zo.jpg> Right click menu is slow
Signs your PC is Infected<http://i30.tinypic.com/bg21zo.jpg> Changed homepage Online

Awarded the Best Antivirus<http://i27.tinypic.com/2hegjdd.jpg>

<http://list.traclickmedia.com/db/115971/2214149/1.gif>
You are enrolled to dailynews_mar09 as tictestbox@hotmail.com
Safely take me off <http://list.traclickmedia.com/u?id=2214149.7e18cbbc99c77d1101b922bc434401cd&n=T&l=dailynews_mar09&o=115971> from dailynews_mar09 at any time.

MEGUIDE LTD, No. 14 Robinson Road, #13-00, Far East Finance Building, Singapore 048545


Headers:

X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtTQ0w9Ng==
X-Message-Status: n
X-SID-PRA: dailynews_mar09@m0.bm02.net
X-SID-Result: Pass
X-AUTH-Result: PASS
X-Message-Info: 3c21WZ1hAltI9DuizMAEE0xwpqlHpZwfVbqMPT3BfX6RZ3W8ifONCn+eEK3mNQiHfRMXG+0h5ILm2+lZ0q/H7BUjNRw9chHPe5XUkZgAKAA=
Received: from m0.bm02.net ([209.123.39.23]) by bay0-mc1-f47.Bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); Wed, 2 Feb 2011 01:23:49 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; q=dns/txt; l=9156;
d=m0.bm02.net;s=2010;
h=from;
bh=HeXqN8zEUr9+/9Ny9x4Hrxf1DPuA1M2Ey1ouZmRrR7A=;
b=nobK4cMg+6LsDosZC3cf/42+ogXEtmGu0Bz2UwEyAru+OExkjFNcPMv9+bOWz4MPfqMPcLsNvNtRogFzjuifSYs92xG1I6HVsrG/pOXI/FqoGOxXscD2XOjNBFU/wq1ISSfnS9wmRQw3DGgVmogLVO5fw/zO9JBepDFjpr/WMxc=;
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=2010; d=m0.bm02.net;
h=sender;
b=RLEQSfBQ/GoXrTXT+j6k79stZSyVCctOhkXupTAHU9w+r60pfF5qMTj95cQi0EfQ3wITsPkKAWLh4tQ9fZF44xHLOcVk3SsHQ4KA62WoR/28gnMLISeYeBcpm1hyPaPMD/g87dZQQHBb3EY7UVrzBxPk97XS25gDzM519tPUJ4w=
Sender: dailynews_mar09@m0.bm02.net
From: Antivirus for Windows <reply@inbox-mediaone.com>
To: [REMOVED]
Subject: Avast, AVG and Avira Users - Your Alternative is Here
Date: Wed, 02 Feb 2011 03:00:00 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="MIMEBoundarya987aea7ba47630da82c5ba8fd5d8a31"
List-Unsubscribe: <mailto:leave-115971-2214149.7e18cbbc99c77d1101b922bc434401cd@m0.bm02.net>
Reply-To: reply@inbox-mediaone.com
Message-ID: <LYRIS-2214149-115971-2011.02.02-03.00.08--[REMOVED]@m0.bm02.net>
X-time: 2214149
X-member: [REMOVED]
X-unsub: leave-115971-2214149.7e18cbbc99c77d1101b922bc434401cd@m0.bm02.net
Return-Path: bounce-115971-2214149@m0.bm02.net
X-OriginalArrivalTime: 02 Feb 2011 09:23:49.0627 (UTC)
FILETIME=[E6742CB0:01CBC2BA]
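An added example, not part of the original post: a DKIM alignment check run over the headers above. The sample is a constructed copy of the relevant fields, with the signature values replaced by placeholders. It shows that the DKIM d= domain is the mailer's (m0.bm02.net) rather than the From: domain (inbox-mediaone.com), and that only the From: field is covered by the signature (h=from), so the "Pass" results say nothing about who the sender claims to be.

```python
import re

# Constructed sample: the fields that matter from the headers quoted above
# (bh= and b= values replaced by placeholders; the rest is as shown).
SAMPLE_HEADERS = """\
X-SID-PRA: dailynews_mar09@m0.bm02.net
X-SID-Result: Pass
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; q=dns/txt; l=9156;
 d=m0.bm02.net;s=2010;
 h=from;
 bh=[REMOVED];
 b=[REMOVED];
Sender: dailynews_mar09@m0.bm02.net
From: Antivirus for Windows <reply@inbox-mediaone.com>
Reply-To: reply@inbox-mediaone.com
Return-Path: bounce-115971-2214149@m0.bm02.net
"""

def unfold_headers(raw):
    """Join RFC 5322 folded continuation lines; return {lowercase name: value}."""
    headers, name = {}, None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and name:          # continuation of previous header
            headers[name] += " " + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            name = name.strip().lower()
            headers.setdefault(name, value.strip())    # first occurrence wins
    return headers

def addr_domain(value):
    """Domain of the first address in a header value, e.g. 'Name <a@b.c>' -> 'b.c'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", value)
    return m.group(1).lower() if m else None

def dkim_tags(sig):
    """Parse the 'tag=value; tag=value' list of a DKIM-Signature header."""
    return {k.strip(): v.strip()
            for k, _, v in (t.partition("=") for t in sig.split(";") if "=" in t)}

def check_alignment(raw):
    """Compare the DKIM signing domain with the From: domain (DMARC strict alignment)."""
    h = unfold_headers(raw)
    tags = dkim_tags(h.get("dkim-signature", ""))
    from_dom = addr_domain(h.get("from", ""))
    sig_dom = tags.get("d", "").lower() or None
    return {
        "from_domain": from_dom,
        "dkim_domain": sig_dom,
        "dkim_aligned": sig_dom is not None and sig_dom == from_dom,
        "signed_fields": tags.get("h", "").lower().split(":"),  # headers the signature covers
        "envelope_domain": addr_domain(h.get("return-path", "")),
    }
```

A passing DKIM result only proves that the signing domain (here the bulk mailer) vouched for the message; only alignment with the From: domain, as DMARC requires, ties the signature to the address the recipient actually sees. Relaxed alignment (comparing organizational domains) would fail here too.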


Both traclickmedia.com and secure-signupway.com are registered through GoDaddy and should be down shortly. They're housed at;

Current IP: 209.123.39.20
IP PTR: m0.bm02.net
ASN: 8001 209.123.0.0/16 NET-ACCESS-CORP - Net Access Corporation

Current IP: 216.18.20.224
IP PTR: kenya.lexiearzabalanix.net
ASN: 6539 216.18.0.0/19 GT-BELL - Bell Canada

And officialversion.su;

Current IP: 66.197.222.182
IP PTR: reverse.sysnoc.com
ASN: 21788 66.197.128.0/17 NOC - Network Operations Center Inc.

With the exception of officialversion.su, the domains are hidden behind a privacy service. The WHOIS for officialversion.su doesn't show much either;

domain: OFFICIALVERSION.SU
nserver: ns10.dnsmadeeasy.com
nserver: ns11.dnsmadeeasy.com
nserver: ns12.dnsmadeeasy.com
nserver: ns13.dnsmadeeasy.com
nserver: ns14.dnsmadeeasy.com
nserver: ns15.dnsmadeeasy.com
state: REGISTERED, DELEGATED
phone: +1 242 502 8715
e-mail: markpetersemail@gmail.com
org: Media I Consultants
registrar: RUCENTER-REG-FID
created: 2009.08.16
paid-till: 2011.08.16
source: RU-CENTER


Surprised there's no details? Nope, me neither.

Needless to say, ANYTHING you receive via e-mail that wants to sell you something, or that has arrived without you asking for it, should be consigned straight to the junk folder. That also goes for anything arriving via e-mail offering so-called security software or the like (legit vendors do not spam).

1 comment:

Kas said...

Not just that, but nowhere at all in the pic or the email do they actually say what the name of their Anti-Virus is!