What do you do when you need lots of IPs to house your fake meds and other criminal sites? Use botnets? Compromised sites/servers? That's certainly what the bad guys involved in exploits, malware and other badness like to do.
Of course, another favourite of the bad guys is to set up their own ASNs, complete with batches of IPs and IP ranges, to house their criminal activities. This is exactly what AS56860 has done. They've gotten themselves (so far) two /24s that are housing badness including fake meds sites, fake watches sites and the like. The /24s?
Just looking at 18.104.22.168/24 alone shows a plethora of fake meds sites, a lot of which are being found in spam e-mails (and a huge thank you to the friend who's sending me these, as the spammers don't seem to be sending me these particular ones).
One particular site on the range (customers-zone.com), set up just a couple of months ago, comprises a single login page and, given its name, appears to be the members area for victims that purchase from them. WhoIs records show rather blatantly fake details (again begging the question of why registrars are still not doing basic checks on registrant details! But that's for another time);
The sites found to be living on this /24 recently include (and you'll not be surprised to find the usual Russian, Ukrainian and Chinese registrars involved);
The upstream for AS56860 is showing as AS49130 ARNET-AS SC ArNet Connection SRL, and their records show they're also the upstream for the rather well known AS42741 ALEXANDRU-NET-TM-AS S.C. ALEXANDRU NET TM S.R.L. and fake AV/malware central, AS48020 RADIOTEL-ISP-AS SC Radiotel S.A.
I'm suddenly in the mood for a little depeering... watch this space, folks!
Processing has finished, and these have moved elsewhere;
These are still on this /24;
And these are no longer resolving;
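The three buckets above (moved elsewhere, still on the /24, no longer resolving) are exactly what you get by re-resolving the domain list and checking each answer against the suspect prefix. The script below is an added example and not the post's own tooling; it takes the /24 quoted in the post, accepts a list of prefixes so the second /24 can be added once known, and uses an injectable resolver so it runs offline against a constructed answer table (the domain names and IPs in that table are made up for illustration, not taken from the post). With the default resolver it does live A-record lookups.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# Prefix quoted in the post. strict=False normalises the host bits away (-> 18.104.22.0/24).
SUSPECT_PREFIXES = ["18.104.22.168/24"]

Resolver = Callable[[str], List[str]]


def resolve_a(hostname: str) -> List[str]:
    """Live A-record lookup via the system resolver; empty list when the name does not resolve."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def classify(domains: Iterable[str], prefixes: Iterable[str],
             resolver: Resolver = resolve_a) -> Dict[str, List[str]]:
    """Sort domains into the three buckets used in the post.

    A domain counts as "still_on_range" if *any* of its A records falls inside *any*
    suspect prefix (round-robin answers that mix the bad range with a fresh IP are still
    hosted there). Names with no A records are "not_resolving"; everything else has moved.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    buckets: Dict[str, List[str]] = {
        "still_on_range": [], "moved_elsewhere": [], "not_resolving": []
    }
    for name in domains:
        addrs = resolver(name)
        if not addrs:
            buckets["not_resolving"].append(name)
            continue
        on_range = any(ipaddress.ip_address(a) in net for a in addrs for net in nets)
        buckets["still_on_range" if on_range else "moved_elsewhere"].append(name)
    return buckets


# Constructed answer table standing in for DNS (RFC 2606 .example names, TEST-NET IPs).
# 18.104.22.x sits inside the post's /24; 203.0.113.x does not.
CONSTRUCTED_ANSWERS: Dict[str, List[str]] = {
    "fakemeds.example":     ["18.104.22.17"],                  # still on the /24
    "mixed.example":        ["18.104.22.40", "203.0.113.5"],   # partly on the /24 -> still on range
    "fakewatches.example":  ["203.0.113.9"],                   # moved to another host
    "gone.example":         [],                                # NXDOMAIN / no A record
}


def demo() -> Dict[str, List[str]]:
    """Run the classification offline against the constructed table."""
    return classify(CONSTRUCTED_ANSWERS, SUSPECT_PREFIXES,
                    resolver=lambda n: CONSTRUCTED_ANSWERS.get(n, []))


def report(buckets: Dict[str, List[str]]) -> str:
    """Render the buckets in the same order the post uses."""
    lines = []
    for title, key in (("Processing has finished, and these have moved elsewhere;", "moved_elsewhere"),
                       ("These are still on this /24;", "still_on_range"),
                       ("And these are no longer resolving;", "not_resolving")):
        lines.append(title)
        lines.extend(f"  {d}" for d in buckets[key])
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(demo()))
```

Re-run it a day or two after a depeering or abuse report and the movement between buckets is the evidence that the hosting actually changed. One caveat: a domain fronted by a CDN or reverse proxy will show the front-end's address rather than the /24, so "moved elsewhere" can hide a site that is still served from the bad range behind a proxy.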