A while ago now, I was asked to test AnchorFree's "Hotspot Shield", to determine whether or not it did what it claimed. I've had no contact with their software or website ever since, and as such, was rather shocked this morning when an e-mail came through to an e-mail address I'd only ever used for them (was a tracked e-mail address), pointing me to a fake Adobe site.
This e-mail came from click-synergy.com, and I've checked the headers - it wasn't spoofed. There's even a lovely little tracking image at the bottom of the e-mail's source code;
The e-mail itself, in its original HTML form, looks like this;
Because the e-mail address it was sent to was only ever used for the anchorfree.com website, this means one of three possibilities;
1. They're now selling the e-mail addresses
2. They've had their database compromised
3. They've permitted click-synergy.com to send out phishing scams to e-mail addresses this so-called "security provider" has been entrusted with
Although not out of the realms of possibility, given companies seem to focus more on cash rather than their reputation, I'd be surprised if click-synergy.com were stupid enough to do this on their own, as AnchorFree would have a green light instantly, to sue them - but I've sent AnchorFree an e-mail asking them to explain themselves, so we'll see which is indeed the case here.
In case you're wondering, the sites involved in the phishing scam itself are;
18.104.22.168 uf1.nic.ru AS48287 22.214.171.124/21 RU-SERVICE-AS RU-SERVICE Ltd
126.96.36.199 188.8.131.52.in-addr.arpa AS34109 184.108.40.206/19 CB3ROB
Interesting tidbit - guess who AS34109's upstream is (and according to CIDR-Report, their ONLY upstream) ............. Ecatel of course!!
220.127.116.11 ADVANCE-2 AS19122 18.104.22.168/22 19THFLOORNET-HOSTING-SERVICES - 19thfloor.net
Interesting tidbit - guess who AS19122's upstream is - again, according to CIDR-Report, their ONLY upstream - Netelligent (both Ecatel and Netelligent of course, are familiar faces in the cybercrime world)
secureonline.ru's SSL provider is Starfield Technology Inc. The domain is owned by "Media E Guide", using the e-mail address firstname.lastname@example.org.
official-adobe-software.com was registered through "REGIONAL NETWORK INFORMATION CENTER, JSC DBA RU-CENTER", however, their Whois server is currently trying to tell me there's no record of this domain (checked via internic, which refers me to whois.nic.ru, which simply points me back to the registrar).
official-pdf-pro.com was registered through "Wild West Domains", and has its WhoIs hidden.
/update 20:24 GMT London
I've still not had a response from AnchorFree, but in the meantime, my friend Derek pointed me to a blog he did on this issue last month;
Certainly makes us wonder where they're getting the addresses from, especially in my case, given it was a tracked address (only place the scammer could've gotten the address from was AnchorFree).
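The attribution above rests on a tracked address: one handed to a single service, so that mail from anyone else to that address shows where it leaked from. One way to set that up, as an added example rather than the author's actual setup; the secret, the example.org catch-all domain and the function names are assumptions:

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: a private key only you hold
DOMAIN = "example.org"            # assumption: a catch-all domain you control


def _tag(label: str) -> str:
    # Keyed tag: a sender cannot forge a valid address for another service,
    # and the tag cannot be stripped the way a "+suffix" can.
    mac = hmac.new(SECRET, label.encode(), hashlib.sha256).hexdigest()
    return mac[:8]


def tracked_address(service: str) -> str:
    """Address to give to exactly one service at sign-up."""
    label = service.lower()
    return f"{label}.{_tag(label)}@{DOMAIN}"


def attribute(recipient: str, sender_domain: str) -> str:
    """Decide whether mail to a tracked address came from its one holder."""
    local, _, domain = recipient.lower().partition("@")
    label, _, tag = local.rpartition(".")
    valid = (
        domain == DOMAIN
        and bool(label)
        and hmac.compare_digest(tag.encode(), _tag(label).encode())
    )
    if not valid:
        return "unknown: not a tracked address issued by us"
    sender = sender_domain.lower()
    if sender == label or sender.endswith("." + label):
        return f"ok: {label} mailing its own address"
    return f"leak: address given only to {label} was used by {sender}"


if __name__ == "__main__":
    addr = tracked_address("anchorfree.com")
    print(addr)
    print(attribute(addr, "anchorfree.com"))
    print(attribute(addr, "click-synergy.com"))
```

A "leak" result says only that the address left the one service it was given to; it does not distinguish between a sale, a compromise or a permitted third-party mailing.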