I received an e-mail earlier, pointing to an Angelfire hosted site;
Expecting malware or fake meds, I decided to take a look to see which of the two it was. Surprisingly I was wrong - it was neither. The site leads to mobilnaked.com, a site completely in Russian (and annoyingly, given most of the text is actually image based, untranslatable with Google). Remembering a previous episode and something my friend Dmitry at Kaspersky advised me, I took a closer look.
mobilnaked.com claims to offer a program for your mobile phone, that will allow you to see through everyones clothes (errr, yeah, you can see where this is going). Indeed, shown on the site is a woman dancing, and someone holding a phone in front of her, showing her clothing magically removed whilst she's dancing, and all via the program offered by the site.
However, to get this miracle program, you've got to send them an SMS at a charge of approx £0.14GBP. The real cost however, is likely MUCH higher (indeed, the one Dmitry looked at for me, actually cost you closer to £5, though that one was claiming to be a rogue!!, ah the joys).
The short codes (numbers) you are told to send the SMS to (for those in the UK) are 79067 or 69067. There is of course, a list of others (/download.php), that appear to be used for other countries;
NB: The numbers encased in , match up with the short code, cost, country etc
The scam is run, from what I can find, by Sergey S Pirozhnikov (email@example.com), owner of smsdostup.ru and sms911.ru (and several others apparently, still looking into that), registered in 2007 and 2008 via RegTime (surprise surprise) and NAUNET (associated with spam, Zeus and other criminal activities), and hosted at 184.108.40.206 and 220.127.116.11 respectively.
You'll also have noticed the link to ephelp.ru, which as you've guessed, is also involved. ephelp.ru was also registered in 2008 (again via NAUNET) by someone that apparently doesn't want to be known. It's hosted at 18.104.22.168.
Getting back to mobilnaked.com et al. They do of course, provide a "rules" page, which when translated reads (I've formatted it for readability);
As you've no doubt noticed, this miracle application doesn't exist at all. You've been scammed, and will continue to be, given it's not a single SMS you've got to send. It's apparently a "joke gaming service" (some joke huh?), that provides you with some "java application" once you've been gullible enough to pay them via SMS.
There is of course, as there always is with this type of thing, a long list of other domains involved, and for your viewing pleasure, here they are.
A few of these are no longer alive (failing to resolve). You'll find the validation results (domains were verified as of a few seconds ago) at;
I'm in no doubt that there's alot more I've not yet identified.
So who is providing the upstream connectivity for Seva-Host, and why are they allowing this? Well, the connectivity is provided courtesy of AS47143 TDHN Transit Data Hyper Network, an ISP with ties to other well known criminal organizations, such as root eSolutions, Kabelfoon, WEDARE We Dare BV, amongst many others (it's worth noting aswell, TDHN also have ties to a plethora of LEGIT companies aswell).
A tracert result is also showing Seva-host have connections to UK based firm, c4l.co.uk. Their offices are apparently closed now (ISP's really should learn to run 24/7, abuse and technical issues aren't time specific .....), but I'll be looking into that too.
In the meantime, I'd strongly urge everyone blackhole Seva-Host Ltd's entire range. There's not a single legit domain present, so you're not going to miss anything.