Domain Name: AUSTDEC.CC
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: NS1.AUSTDEC.CC
Name Server: NS2.AUSTDEC.CC
Name Server: NS3.AUSTDEC.CC
Status: CLIENT-XFER-PROHIBITED
Updated Date: 11-jan-2011
Creation Date: 11-jan-2011
Expiration Date: 11-jan-2012
Registrant Contact: Aleksandr Barhatov Aleksandr Barhatov () Fax: 1-ij Mikrorayon d.23 kv.177 Kurgan, Kurganskaya oblast 640024 RU
Administrative Contact: Aleksandr Barhatov Aleksandr Barhatov (bold@yourisp.ru) +7.3522462300 Fax: +7.3522462300 1-ij Mikrorayon d.23 kv.177 Kurgan, Kurganskaya oblast 640024 RU
So... it's owned by another Russian by the name of Aleksandr Barhatov, or is it? Google Maps can't say for sure whether his address is real, as it just couldn't find it. When I did a Google search of his address, though, it did have plenty of phishing, malware, and fake pharmacy activity. That shows he's definitely into illegal activity; now all we have to prove to any decent registrar is that the whois information has been falsified. First off, let's Google his phone number (+7.3522462300). The first site that comes to attention is as follows -
DOMAIN: MYSALES24.NET
RSP: Internet 7 Ltd.
owner-contact: P-AXB1501
owner-fname: Alexander
owner-lname: Barkhatov
owner-street: Perviy Mikrorajon dom 23 kv.177
owner-city: Kurgan
owner-state: Kurganskaya oblast
owner-zip: 640024
owner-country: RU
owner-phone: 7.3522462300
owner-fax: 7.3522462300
owner-email: cr@8081.ru
Updated Date: 05-jun-2010
Creation Date: 04-jun-2009
Expiration Date: 04-jun-2011
Source: centralops.net & http://whois.domaintools.com/mysales24.net
Notice the slight change in street address? He also uses the same slight name change here for a domain spreading malware. The street address further changes to "Perviy Mkr." in another domain dishing out more malware -
I'm starting to wonder how many email addresses Mr. Barhatov keeps! Again, his street address during these time periods seems to keep changing -
Registrant: Aleksandr Barhatov
chute@infotorrent.ru (email address helped spread the Conficker virus - see: Dancho Danchev)
+7.3522462300
Aleksandr Barhatov
Perviy Mkr. d.23 kv.177
Kurgan, Kurganskaya oblast, RUSSIAN FEDERATION 640024
Domain Name: kasonkertub.com
Record last updated at 2009-08-27 06:36:59
Record created on 2009/8/21
Record expired on 2010/8/21
Source: here
Domain: healthpillstablets.com
owner: Alexander Barhatov
email: thug@ml3.ru
Adresse: Perviy Mikrorayin d.23 kv.177
Stadt: Kurgan
Staat: --
postal-code: 640024
Land: RU
Telefon: +7.3522462300
admin-c: CCOM-1504106 thug@ml3.ru
tech-c: CCOM-1504106 thug@ml3.ru
billing-c: CCOM-1483242 info@gtec.ru
nserver: ns1.yourstorehealth.net
nserver: ns2.goodhealthoutlet.com
status: lock
Erstellt: 2009-11-18 12:00:03 UTC
modified: 2009-11-24 14:34:05 UTC
Gültig: 2010-11-18 12:00:03 UTC
Source: http://whois.gwebtools.de/healthpillstablets.com
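The records quoted above use three different label conventions (Registrant/owner-*/German field names) and four spellings of the same street, which is exactly what makes this kind of cross-registrar correlation tedious by hand. The Python script below is an added example, not code from the original post: it maps each registrar's labels onto canonical fields, normalizes phone numbers to digits, derives a spelling-tolerant address key (postal code, city and the standalone house/flat numbers, dropping ordinal prefixes like "1-ij"), and then clusters domains that share any indicator. The records, domains, numbers and addresses inside it are constructed placeholders, and LABEL_MAP, parse_record, address_key and correlate are my own names, not any registry's API.

```python
"""Correlate WHOIS records across registrars by phone, e-mail and address key."""
import re
from collections import defaultdict

# Constructed sample records with placeholder domains, numbers and addresses
# (not from any real registry); each uses a different registrar label style.
SAMPLE_RECORDS = [
    """Domain Name: EXAMPLE-ONE.TEST
Registrant Email: one@example.invalid
Registrant Phone: +7.1000000000
Registrant Street: 1-ij Mikrorayon d.23 kv.177
Registrant City: Exampletown
Registrant Postal Code: 000001""",
    """DOMAIN: EXAMPLE-TWO.TEST
owner-street: Perviy Mikrorajon dom 23 kv.177
owner-city: Exampletown
owner-zip: 000001
owner-phone: 7.1000000000
owner-email: two@example.invalid""",
    """Domain: example-three.test
email: three@example.invalid
Adresse: Perviy Mkr. d.23 kv.177
Stadt: Exampletown
postal-code: 000001
Telefon: +7.1000000000""",
    """Domain Name: UNRELATED.TEST
Registrant Email: someone@else.invalid
Registrant Phone: +1.5550000000
Registrant Street: 10 Main Street
Registrant City: Othertown
Registrant Postal Code: 999999""",
]

# Registrar-specific label (lowercased) -> canonical field name.
LABEL_MAP = {
    "domain name": "domain", "domain": "domain",
    "registrant email": "email", "owner-email": "email", "email": "email",
    "registrant phone": "phone", "owner-phone": "phone", "telefon": "phone",
    "registrant street": "street", "owner-street": "street", "adresse": "street",
    "registrant city": "city", "owner-city": "city", "stadt": "city",
    "registrant postal code": "zip", "owner-zip": "zip", "postal-code": "zip",
}

def parse_record(text):
    """Turn 'label: value' lines into canonical fields; first occurrence wins."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        canon = LABEL_MAP.get(key.strip().lower()) if sep else None
        if canon and canon not in fields:
            fields[canon] = value.strip()
    return fields

def normalize_phone(phone):
    """Digits only, so '+7.1000000000' and '7.1000000000' compare equal."""
    return re.sub(r"\D", "", phone)

def address_key(fields):
    """Postal code, city and standalone digit runs (house/flat numbers); ordinal
    prefixes such as '1-ij' are attached to a hyphen or letters and are dropped."""
    numbers = tuple(re.findall(r"(?<![\w-])\d+(?![\w-])", fields.get("street", "")))
    return (fields.get("zip", ""), fields.get("city", "").lower(), numbers)

def correlate(records):
    """Return (clusters, shared): sorted domain groups linked by a common
    indicator, and a map of each (kind, value) seen on 2+ domains to them."""
    parsed = [parse_record(r) for r in records]
    parent = {f["domain"].lower(): f["domain"].lower() for f in parsed}

    def find(x):  # union-find root lookup with path compression
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    index = defaultdict(list)  # (kind, normalized value) -> [domain, ...]
    for f in parsed:
        domain = f["domain"].lower()
        if f.get("phone"):
            index[("phone", normalize_phone(f["phone"]))].append(domain)
        if f.get("email"):
            index[("email", f["email"].lower())].append(domain)
        if f.get("street"):
            index[("address", address_key(f))].append(domain)
    shared = {}
    for key, domains in index.items():
        if len(domains) > 1:
            shared[key] = sorted(domains)
            for other in domains[1:]:  # link every domain sharing this indicator
                parent[find(other)] = find(domains[0])
    groups = defaultdict(list)
    for domain in parent:
        groups[find(domain)].append(domain)
    clusters = sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])
    return clusters, shared

if __name__ == "__main__":
    for group in correlate(SAMPLE_RECORDS)[0]:
        print("cluster:", ", ".join(group))
```

On the constructed input the three placeholder domains land in one cluster through the shared phone number and the shared address key, while their distinct e-mail addresses do not link anything, mirroring the pattern in the post where the phone stays fixed and the e-mail and street spelling rotate. The address key is a heuristic: it is chosen to be indifferent to transliteration (Mikrorayon / Mikrorajon / Mkr.) but it will also collide on unrelated addresses that happen to share a postal code, city and house numbers, so a match is an investigative lead to verify against abuse reports, not proof on its own.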
Mr. Barhatov seems to "get around the block" when it comes to street addresses. Did anyone catch the email he used to register that last domain (thug@ml3.ru)? I guess his fake pharmacy site there makes him a thug! So I think from here we've shown enough registrant information discrepancies in conjunction with cyber criminal activity. Let's move on to AUSTDEC.CC and examine its more dubious cyber activity via Google -
Malware:
http://support.clean-mx.de/clean-mx/viruses.php?domain=drysdale-group-inc.cc&sort=first%20desc
http://support.clean-mx.de/clean-mx/viruses.php?virusname=mdl_money%20mule%20recruitment%20/%20scam&sort=first%20desc *lots of hits here*
Fraud:
http://scamfraudalert.wordpress.com/2011/01/31/money-visual-llc-money-visualuk-cc/
http://ddanchev.blogspot.com/2011/03/keeping-money-mule-recruiters-on-short.html
http://forum.autosec4u.info/showthread.php?tid=3690&pid=16199#pid16199 (German!)
Results are a bit short, but there's enough googling in here to show that Aleksandr Barhatov's sites and name servers are involved in plenty of cyber criminal activity. They have been for years. This is not the kind of guy you want registering a site with you, if you're a registrar. The information is falsified/highly obfuscated, and all for the purposes of illegal activity. As we can see, his nameserver AUSTDEC.CC was registered by Enom. Now, in 2009 Enom was mentioned by KnujOn here as being one of the top 10 registrars not taking action against cyber criminals. Hopefully their attitude has changed since then, as yet again we are dealing with another Russian Business Network (RBN - the multifaceted and well known Russian cyber crime hoster) name server here. Again, the name server AUSTDEC.CC was picked up on the Emerging Threats RBN monitoring network (link here).
Enom abuse staff, if you're reading this you can be sure the whois registrant information has been falsified for cyber criminal activity. This is just how the RBN operates, no name and no face to the digital crime.