Wednesday, April 6, 2011

FOLOWDNS.CC

Time for another analysis of some of the Russian Business Network's (RBN) nameservers I talked about in my first blog post. Today we will be looking at the domain FOLOWDNS.CC, a confirmed RBN name server according to Emerging Threats' RBN IP List update on 2-6-2011. A quick Google search on FOLOWDNS.CC does show multiple hits for malware dispersal and fraud, but then again, why should we be shocked? The RBN promotes this stuff; it's their job (of sorts) to do this. Diving right in, let's take a look at the whois registrant details for FOLOWDNS.CC -
Domain Name: FOLOWDNS.CC
Registrar: BIZCN.COM, INC.
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Name Server: NS1.FOLOWDNS.CC
Name Server: NS2.FOLOWDNS.CC
Name Server: NS3.FOLOWDNS.CC
Status: CLIENT-XFER-PROHIBITED
Status: CLIENT-DELETE-PROHIBITED
Updated Date: 11-jan-2011
Creation Date: 11-jan-2011
Expiration Date: 11-jan-2012
Registrant Contact:
Nikolaj Stolbikov
Nikolaj Stolbikov dyed@bz3.ru
+78123274547 fax: +78123274547
ul. Marshala Kazakova d.1 k.2 kv.360
Sankt-Peterburg Sankt-Peterburg 198302
RU
Source: centralops.ne
Nikolaj Stolbikov, huh? Great! Another Russian name, let's just call him Nick. Googling Nick's street address shows plenty of hits for fraud, malware, fake pharmacy websites, and some phishing. Shocking! Among those results, we find something interesting: Nick seems to have changed his name to Sergey for a fake pharmacy website -
DOMAIN: PHARMACYPILLSSITE.NET
RSP: DNReg Limited
owner-contact: P-SKK1691
owner-fname: Sergey
owner-lname: Kulakov
owner-street: ul.Marshala Kazakova d.1 k.2 kv.308
owner-city: Sankt-Peterburg
owner-state: Sankt-Peterburg
owner-zip: 198302
owner-country: RU
owner-phone: 7.8121023240
owner-fax: 7.8121023240
owner-email: gouge@maillife.ru
Source: http://whois.domaintools.com/pharmacypillssite.net
This would suggest that the whois registrant information for FOLOWDNS.CC has been willfully falsified when it comes to the name of the true owner. Then again, the whole thing is falsified, as this is the RBN, a group of cyber criminals whose bread and butter lies in staying off the radar when it comes to personal information. Also of consequence, Google Maps can't seem to find the address at all, which would suggest a falsified address. Still, translating the address into Russian, we do find a street with a similar name on Google Maps here, showing that at least the k. 2 kv. 308 part was not needed to locate it. We also find that this is a shopping center, not someone's personal place of residence. At this location, we find the following business -
Mail of Russia, [UFPS] of Saint Petersburg and Leningrad region,
Kirov inter-district post office, the department of postal communication No. 198302

Address (Russian):
1, ул. Маршала Казакова, к. 1, г. Санкт-Петербург, Saint Petersburg, Russia
198302

Address (English):
1, ul. of Marshal Kazakov, k. 1,
Saint Petersburg, Russia 198302

FOLOWDNS.CC Registrant Address:
ul. Marshala Kazakova d.1 k.2 kv.360
Sankt-Peterburg Sankt-Peterburg 198302
So we can say this for sure: the registrant address for FOLOWDNS.CC is incorrect in format and locale, proving that the address is non-existent. Why should we believe it to be true anyway? This is a site registered to act as a name server for criminals. Their intention is to falsify whois registrant information while they commit their crimes. Hence the shoddy registrant names and addresses.

Now if you've read my previous posts, you'll notice I Google the registrant's phone number. We've sufficiently proven that the whois registrant information for FOLOWDNS.CC has been falsified in registrant name and address, but let's put some more stones through this glass house. The first result that comes up after Googling +78123274547 -
Domain name: capsuletabletsdrugstore.com
Registrant Contact: Olga Veresova
Olga Veresova khaki@bigmailbox.ru
+78123274547 fax: +78123274547
ul.Komsomola d.13 kv.26
Sankt-Peterburg Sankt-Peterburg 195009 RU
Source: http://capsuletabletsdrugstore.com.w3spy.net/
Look at that: a totally new address and name used to register a fake pharmacy, yet the phone number used (+78123274547) is the same as the one used to register FOLOWDNS.CC. In fact, you find more glaring examples of falsified whois registrant details used for criminal intent here, here (another new name and address for a fake pharmacy), and here.
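The pivoting done by hand above (same phone number across different registrant names, same building across different apartment numbers) is easy to automate once the whois fields are normalized. The following is an added example, not code from the original post or from any whois tool: the records are constructed from the excerpts quoted in this post plus one unrelated control record, the field names are my own simplification rather than any registrar's schema, and the matching rules (digits-only phone, street with the kv. apartment part dropped) are assumptions chosen to reproduce the links the post draws.

```python
import re
from collections import defaultdict

# Constructed sample records modelled on the whois excerpts quoted in the post.
# Field names are a simplification of whois output, not any registrar's schema.
RECORDS = [
    {"domain": "FOLOWDNS.CC", "name": "Nikolaj Stolbikov", "email": "dyed@bz3.ru",
     "phone": "+78123274547", "street": "ul. Marshala Kazakova d.1 k.2 kv.360", "zip": "198302"},
    {"domain": "PHARMACYPILLSSITE.NET", "name": "Sergey Kulakov", "email": "gouge@maillife.ru",
     "phone": "7.8121023240", "street": "ul.Marshala Kazakova d.1 k.2 kv.308", "zip": "198302"},
    {"domain": "capsuletabletsdrugstore.com", "name": "Olga Veresova", "email": "khaki@bigmailbox.ru",
     "phone": "+78123274547", "street": "ul.Komsomola d.13 kv.26", "zip": "195009"},
    # Constructed control record sharing nothing with the others; it must not be linked.
    {"domain": "example-control.test", "name": "Jane Doe", "email": "jane@example.test",
     "phone": "+1 555 010 0000", "street": "1 Example Street", "zip": "00000"},
]


def normalize_phone(raw):
    """Keep digits only, so '+78123274547' and '7.8123274547' compare equal."""
    return re.sub(r"\D", "", raw)


def normalize_street(raw):
    """Lowercase, drop the apartment ('kv.NNN') component and all spacing/dots,
    so two registrations in the same building match even when the flat differs."""
    s = raw.lower()
    s = re.sub(r"\bkv\.?\s*\d+", "", s)
    return re.sub(r"[\s.]", "", s)


def pivot_keys(rec):
    """Attributes worth pivoting on: phone, e-mail, and street+postcode."""
    yield ("phone", normalize_phone(rec["phone"]))
    yield ("email", rec["email"].lower())
    yield ("street", normalize_street(rec["street"]) + "|" + rec["zip"])


def build_index(records):
    """Map each (kind, normalized value) to the set of domains registered with it."""
    index = defaultdict(set)
    for rec in records:
        for key in pivot_keys(rec):
            index[key].add(rec["domain"])
    return index


def shared_attributes(records):
    """Return {(kind, value): sorted domains} for every attribute used by 2+ domains."""
    return {k: sorted(v) for k, v in build_index(records).items() if len(v) > 1}


def linked_domains(records, domain):
    """Domains sharing at least one pivot attribute with `domain`, keyed by how they link."""
    by_domain = {r["domain"]: r for r in records}
    index = build_index(records)
    links = defaultdict(set)
    for key in pivot_keys(by_domain[domain]):
        for other in index[key] - {domain}:
            links[other].add(key[0])
    return {d: sorted(kinds) for d, kinds in links.items()}


if __name__ == "__main__":
    for (kind, value), domains in shared_attributes(RECORDS).items():
        print(f"{kind} {value!r} shared by: {', '.join(domains)}")
    print("linked to FOLOWDNS.CC:", linked_domains(RECORDS, "FOLOWDNS.CC"))
```

Running it reports the two links the post establishes by hand: FOLOWDNS.CC is tied to capsuletabletsdrugstore.com through the phone number and to PHARMACYPILLSSITE.NET through the building address, while the control record stays unlinked. Dropping the apartment component is deliberate: registrants recycling an address tend to vary exactly the low-value fields such as flat number and name, so matching on the building rather than the full string is what surfaces the reuse.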

I could go on proving that the whois registrant details for FOLOWDNS.CC have been falsified with criminal intent, but let's show how the RBN is using FOLOWDNS.CC as a name server. A Google search on it shows some rather heavy usage in the cyber criminal arena -

Fraud:
http://scamfraudalert.wordpress.com/2011/01/31/money-visual-llc-money-visualuk-cc/
http://scamfraudalert.wordpress.com/category/employment-alerts/scam-job-alert/page/3/
http://www.fraudwatchers.org/forums/showthread.php?p=126019
http://ddanchev.blogspot.com/2011/01/keeping-money-mule-recruiters-on-short.html
http://db.aa419.org/fakebanksview.php?key=56024

Malware:
http://forum.autosec4u.info/showthread.php?tid=3708&pid=16494#pid16494 (German)
http://amada.abuse.ch/?search=fintec-ltd.cc
http://amada.abuse.ch/?search=lilac-groupllc.cc
http://support.clean-mx.de/clean-mx/viruses.php?domain=throne-groupllc.cc&sort=first%20desc

BIZCN.COM, this is strike number two for you, as I already showed you registering another RBN domain being used as a name server here (whois info was falsified on that one as well). How FOLOWDNS.CC got past any of BizCN's checks for falsified whois registrant information, given all of the cyber criminal activity this domain takes part in by acting as a name server for the RBN, is beyond me. Trust me when I say this, BizCN: you don't even want your name associated with this lot.
