Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday 30 September 2009

Fake registry cleaner using same tactics as fake antimalware

I was sent this one a few moments ago and was expecting it to be a fake AV (à la Total Protection etc.), but no, to my surprise it was in fact for Registry Repair 2008 (a bogus registry cleaner).

The site in question is securonline.net (IP: 72.44.94.153 - ns2.2amnetwork.com, AS32748)



Which then displays:



Following through, we're taken to:

cart.secureorderstore.com/secureorder/securorder.php
IP: 66.98.218.29 (mail3.smscentar.com, AS21844)



However, contrary to what the address bar shows, the page loads the actual order form from a different host via an iframe:

usd.swreg.org/cgi-bin/s.cgi?s=43835&p=43835-regrep&v=0&d=0&q=1&c=USD&bb=1
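As an added example that is not part of the original post: a small Python check that parses a page and lists every iframe whose origin differs from the origin shown in the address bar, which is exactly the mismatch seen above. The sample HTML is constructed for this example (the real markup of the order page is not reproduced here); it embeds the two URLs named in the post, plus a same-origin frame and a plain-http variant to show what is and is not flagged.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a page served from the address-bar origin that pulls
# its order form from another host via an iframe. The two hostnames are the
# ones named in the post; the markup around them is invented for this example.
SAMPLE_PAGE_URL = "https://cart.secureorderstore.com/secureorder/securorder.php"
SAMPLE_HTML = """
<html><body>
<h1>Secure order</h1>
<iframe src="/secureorder/header.php" width="600"></iframe>
<iframe src="https://usd.swreg.org/cgi-bin/s.cgi?s=43835&amp;p=43835-regrep&amp;v=0&amp;d=0&amp;q=1&amp;c=USD&amp;bb=1"
        width="600" height="800"></iframe>
<iframe src="http://usd.swreg.org/cgi-bin/s.cgi?s=43835"></iframe>
<iframe srcdoc="<p>inline</p>"></iframe>
</body></html>
"""


def origin(url):
    """Return (scheme, host, port): the browser's notion of an origin."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme.lower())
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> and <frame> in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame"):
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def third_party_frames(page_url, html):
    """Return absolute frame URLs whose origin differs from the page's origin.

    Relative srcs are resolved against page_url. A frame on the same host but
    over plain http is still reported, because the padlock in the address bar
    says nothing about it.
    """
    parser = IframeCollector()
    parser.feed(html)
    page_origin = origin(page_url)
    findings = []
    for src in parser.srcs:
        absolute = urljoin(page_url, src)
        if origin(absolute) != page_origin:
            findings.append(absolute)
    return findings


if __name__ == "__main__":
    for url in third_party_frames(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("frame loaded from another origin:", url)
```

Run against the constructed page it reports the two swreg.org frames and ignores the same-origin and srcdoc ones; pointed at live HTML (fetched separately, e.g. with curl) it gives a quick answer to "who really serves the form I am about to type a card number into".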



The certificate issued to secureorderstore.com is courtesy of GoDaddy, so the padlock in the address bar vouches only for the outer page; the order form actually sitting inside the iframe comes from swreg.org:

1 comment:

Anonymous said...

Concerning securonline.net, the IP has switched from 72.44.94.153 to 127.0.0.1 (localhost) in DNS.

Also, for reference, there is a similar topic discussed on the WOT Forum.