A while ago now, I was asked to test AnchorFree's "Hotspot Shield", to determine whether or not it did what it claimed. I've had no contact with their software or website ever since, and as such was rather shocked this morning when an e-mail came through to an e-mail address I'd only ever used for them (it was a tracked e-mail address), pointing me to a fake Adobe site.
This e-mail came from click-synergy.com, and I've checked the headers - it wasn't spoofed. There's even a lovely little tracking image at the bottom of the e-mail's source code;
hxxp://ct.mail.click-synergy.com/rd/hos?d=[REMOVED]-1-1-1-1-98
The e-mail itself, in its original HTML form, looks like this;
Because the e-mail address it was sent to was only ever used for the anchorfree.com website, this leaves one of three possibilities;
1. They're now selling the e-mail addresses
2. They've had their database compromised
3. They've permitted click-synergy.com to send out phishing scams to e-mail addresses this so-called "security provider" has been entrusted with
Although not outside the realms of possibility, given companies seem to focus more on cash than on their reputation, I'd be surprised if click-synergy.com were stupid enough to do this on their own, as AnchorFree would instantly have a green light to sue them - but I've sent AnchorFree an e-mail asking them to explain themselves, so we'll see which is indeed the case here.
In case you're wondering, the sites involved in the phishing scam itself are;
-> official-adobe-software.com
109.70.27.4 uf1.nic.ru AS48287 109.70.24.0/21 RU-SERVICE-AS RU-SERVICE Ltd
--> secureonline.ru
84.22.98.29 29.98.22.84.in-addr.arpa AS34109 84.22.96.0/19 CB3ROB
Interesting tidbit - guess who AS34109's upstream is (and, according to CIDR-Report, their ONLY upstream)... Ecatel, of course!!
---> official-pdf-pro.com
208.82.121.140 ADVANCE-2 AS19122 208.82.120.0/22 19THFLOORNET-HOSTING-SERVICES - 19thfloor.net
Interesting tidbit - guess who AS19122's upstream is (again, according to CIDR-Report, their ONLY upstream) - Netelligent. Both Ecatel and Netelligent, of course, are familiar faces in the cybercrime world.
secureonline.ru's SSL provider is Starfield Technology Inc. The domain is owned by "Media E Guide", using the e-mail address stevenbates11@gmail.com.
official-adobe-software.com was registered through "REGIONAL NETWORK INFORMATION CENTER, JSC DBA RU-CENTER"; however, its WHOIS server is currently telling me there's no record of this domain (checked via InterNIC, which refers me to whois.nic.ru, which simply points me back to the registrar).
official-pdf-pro.com was registered through "Wild West Domains", and has its WHOIS hidden.
/update 20:24 GMT London
I've still not had a response from AnchorFree, but in the meantime, my friend Derek pointed me to a blog he did on this issue last month;
http://hijack-this.co.uk/2010/09/adobe-reader-update-scam/
Certainly makes us wonder where they're getting the addresses from, especially in my case, given it was a tracked address (the only place the scammer could've gotten the address from was AnchorFree).
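The two things this post leans on are a registry of tracked (per-service) e-mail aliases, so that a phishing mail arriving at an alias can be attributed to the one service that was ever given it, and a header check that the sending domain matches the first external hop in the Received chain. The following is an added Python example, not the author's code: the alias registry, the sample message (with a documentation-range IP and a placeholder tracking id) and the example.com addresses are all constructed for illustration; the click-synergy.com and official-adobe-software.com names are the ones from the post.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr

# Constructed registry: each alias was handed to exactly one service, so a
# message delivered to an alias points at the service that leaked or sold it.
TRACKED_ALIASES = {
    "me+anchorfree@example.com": "anchorfree.com",
    "me+bank@example.com": "bank.example",
}

# Constructed sample message modelled on the mail described in the post.
# Received headers are listed newest-first, so the last one is the first hop.
SAMPLE_EMAIL = """\
Received: from mx.example.com by imap.example.com with LMTP; Wed, 27 Oct 2010 09:00:01 +0000
Received: from mail.click-synergy.com ([192.0.2.10]) by mx.example.com with ESMTP; Wed, 27 Oct 2010 09:00:00 +0000
From: "Adobe Updates" <updates@click-synergy.com>
To: me+anchorfree@example.com
Subject: Adobe Reader update required
Content-Type: text/html

<html><body>
<p>Your Adobe Reader is out of date. <a href="http://official-adobe-software.com/">Update now</a></p>
<img src="http://ct.mail.click-synergy.com/rd/hos?d=CONSTRUCTED-TRACKING-ID" width="1" height="1">
</body></html>
"""

IMG_RE = re.compile(r"<img\b[^>]*>", re.I)
SRC_RE = re.compile(r'src="([^"]+)"', re.I)
HREF_RE = re.compile(r'href="([^"]+)"', re.I)


def attribute_leak(msg, registry=TRACKED_ALIASES):
    """Return (alias, service) pairs for every tracked alias among the recipients."""
    headers = []
    for name in ("To", "Cc", "Delivered-To"):
        headers.extend(msg.get_all(name, []))
    hits = []
    for _, addr in getaddresses(headers):
        addr = addr.lower()
        if addr in registry:
            hits.append((addr, registry[addr]))
    return hits


def sender_consistency(msg):
    """Compare the From: domain with the host named in the earliest Received: hop.

    The post's "I've checked the headers - it wasn't spoofed" is this check: the
    mail really entered our MX from a click-synergy.com host.
    """
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    received = msg.get_all("Received", [])
    if not received:
        return {"from_domain": from_domain, "first_hop": None, "consistent": None}
    m = re.match(r"\s*from\s+(\S+)", received[-1], re.I)
    first_hop = m.group(1).lower() if m else None
    consistent = bool(first_hop) and (
        first_hop == from_domain or first_hop.endswith("." + from_domain)
    )
    return {"from_domain": from_domain, "first_hop": first_hop, "consistent": consistent}


def extract_tracking_pixels(html):
    """Return src URLs of 1x1 images or images whose URL carries a query string."""
    pixels = []
    for tag in IMG_RE.findall(html):
        src = SRC_RE.search(tag)
        if not src:
            continue
        tiny = re.search(r'width="1"', tag, re.I) and re.search(r'height="1"', tag, re.I)
        if tiny or "?" in src.group(1):
            pixels.append(src.group(1))
    return pixels


def analyze(raw):
    """Parse a raw message and collect attribution, header and content indicators."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {
        "attribution": attribute_leak(msg),
        "sender": sender_consistency(msg),
        "tracking_pixels": extract_tracking_pixels(html),
        "links": HREF_RE.findall(html),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The registry is the whole trick: the alias only proves anything if it was never used anywhere else, which is why the post can name AnchorFree as the only possible source. The Received check is a consistency test, not proof of origin; the hop list is only trustworthy from your own MX inwards, so the example reads the earliest hop that your own server recorded.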
Wednesday, 27 October 2010
1 comment:
I'm inquiring about 19th floor, which you have listed in this post. I'm really not computer savvy, at all, so I'm really not sure what this company does. I'm under the impression they are a hosting company. Is this correct? My problem stems from publicyellowpages.com. When I search them I am led to 19th floor. Are you able to tell me if they are more connected to this yellow page site than just a host? This yellow page site is run by criminals and they are acting in a seriously illegal manner. I have reported them, however I really want to know who these people are. The website also seems to go through GoDaddy and their proxy server, making it hard for me to find out anything. Heck, I don't even know the definitions of half the computer terminology I am running into. Any information you can find on 19th floor and how they are connected to publicyellowpages.com would be greatly appreciated. I'm under the impression they share the same IP, which I'm not 100% certain what that even means. Any info on publicyellowpages would be even better. Hope to hear from you, thanks