Larisa Kornyakova: a quick Google search on his/her registrant street address returns nothing but fake pharmacy/software sites and malware hits. How much would you bet the registrant address is falsified? To prove it, let's google Larisa's phone number (+7.4957284001 OR +74957284001). Sifting through the results, this was easy enough -
Domain Name: OLIVAU.CC
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: NS1.OLIVAU.CC
Name Server: NS2.OLIVAU.CC
Name Server: NS3.OLIVAU.CC
Status: CLIENT-XFER-PROHIBITED
Updated Date: 20-feb-2011
Creation Date: 17-dec-2010
Expiration Date: 17-dec-2011
Registrant Contact:
Larisa Kornyakova
Larisa Kornyakova ()
Fax:
pr-kt Kosmonavtov d.1B kv.80
Korolev, Moskovskaya oblast 141075
RU
Administrative Contact:
Larisa Kornyakova
Larisa Kornyakova (bop@cheapbox.ru)
+7.4957284001 Fax: +7.4957284001
pr-kt Kosmonavtov d.1B kv.80
Korolev, Moskovskaya oblast 141075
RU
Source: centralops.net
Domain name: pillsmedspharmacypractitioners.com
We have a fake pharmacy site, created in December of 2010 (just like OLIVAU.CC), using the same registrant phone number as OLIVAU.CC. Notice that it has a totally different registrant name and address from OLIVAU.CC, though! This is, hands down, intentionally falsified whois registrant information for criminal purposes (why else would the RBN do this if not for criminal reasons?). Vladimir is also found here registering another site (coo0lnet.net) in September of 2010 (i.e. 2 months before OLIVAU.CC was registered) with the same registrant details he used on pillsmedspharmacypractitioners.com. Funny thing about coo0lnet.net: it's listed by McAfee SiteAdvisor as a website used to distribute malware. In fact, you can see more of Vladimir using the same phone number OLIVAU.CC used in its registrant details here, here, here, here, and here, for other domains used in fraud or to spread malware.
Registrant Contact: Vladimir Dudnik
Vladimir Dudnik belch@ca4.ru
+74957284001 fax: +74957284001
ul.Lenina d.99a kv.45
Kolomna Moskovskaya obl 140411 RU
Created: 2010-12-14 Expires: 2011-12-14
Source: http://pillsmedspharmacypractitioners.com.w3spy.net/
Still think this doesn't prove falsified whois registrant information on OLIVAU.CC? Well, we aim to please, serve, and prove here. Moving on to sample #2 -
Domain Name: JAPANHOMESTORE.COM
Look at that! It's the same phone number used to register OLIVAU.CC (by Larisa Kornyakova) and all of Vladimir Dudnik's domains... and they were all registered during 2010! That timeline makes it hard to believe the registrant information is legitimate, as we now have 3 different names and 3 different addresses for one phone number! So what was the domain JAPANHOMESTORE.COM? It's just a website used to spam and scam. Looks like Alexander Zolotov isn't anyone you would want to do business with. In fact, you can see some of Alex's other sites' whois details here (fake pharmacy), here (fake pharmacy), here (scam), and here (another fake pharmacy).
Registrant:
Alexander Zolotov
Alexander Zolotov (ft@bigmailbox.ru)
ul. Akademika Anohina d.13 kv.244
Moskva
Moskva,119571
RU
Tel. +7.4957284001
Fax. +7.4957284001
Creation Date: 10-Feb-2010
Expiration Date: 10-Feb-2011
Source: http://www.who.is/whois/japanhomestore.com/
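The pivot used across the three samples above (one phone number, three registrant names) is easy to automate when triaging a batch of WHOIS records. The following is an added example, not from the original post: it normalizes the two phone formats seen on this page (+7.4957284001 and +74957284001), groups domains by normalized phone, and flags phones reused under several distinct registrant names. The record list is constructed from the three records quoted above; the field names are my own.

```python
import re
from collections import defaultdict

# Constructed from the three WHOIS records quoted in this post
# (domain, registrant name, phone as the registrar displayed it, creation date).
WHOIS_RECORDS = [
    {"domain": "OLIVAU.CC", "registrant": "Larisa Kornyakova",
     "phone": "+7.4957284001", "created": "2010-12-17"},
    {"domain": "pillsmedspharmacypractitioners.com", "registrant": "Vladimir Dudnik",
     "phone": "+74957284001", "created": "2010-12-14"},
    {"domain": "JAPANHOMESTORE.COM", "registrant": "Alexander Zolotov",
     "phone": "+7.4957284001", "created": "2010-02-10"},
]

# Matches phone numbers as they appear in raw WHOIS text, e.g. "+7.4957284001",
# "Tel. +7.4957284001" or "+74957284001 fax: +74957284001".
PHONE_RE = re.compile(r"\+\d[\d.\-]{7,}")


def normalize_phone(raw: str) -> str:
    """Reduce registrar-specific phone formats to '+' plus digits only,
    so '+7.4957284001' and '+74957284001' compare equal."""
    return "+" + re.sub(r"\D", "", raw)


def extract_phones(whois_text: str) -> set:
    """Pull every phone number out of a raw WHOIS dump, normalized."""
    return {normalize_phone(m) for m in PHONE_RE.findall(whois_text)}


def pivot_on_phone(records):
    """Group domains by normalized phone, then by lower-cased registrant name.
    Returns {phone: {registrant: [domains]}}."""
    by_phone = defaultdict(lambda: defaultdict(list))
    for rec in records:
        phone = normalize_phone(rec["phone"])
        name = rec["registrant"].strip().lower()
        by_phone[phone][name].append(rec["domain"].lower())
    return by_phone


def flag_inconsistent(records, min_names=2):
    """Return only phones reused under at least min_names distinct registrant
    names: the pattern that marks falsified registrant data in this post."""
    flagged = {}
    for phone, names in pivot_on_phone(records).items():
        if len(names) >= min_names:
            flagged[phone] = {n: sorted(d) for n, d in sorted(names.items())}
    return flagged
```

With the three records above, the single phone +74957284001 comes back with three names under it; a real batch of records from a registrar export would be loaded into WHOIS_RECORDS the same way.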
With all of the above, it has been shown that the whois registrant details on OLIVAU.CC have been falsified intentionally and with criminal intent. So let's show how the domain OLIVAU.CC is being used as a name server for more cyber crime, with a quick Google search -
Fraud:
http://scamfraudalert.wordpress.com/2011/01/31/money-visual-llc-money-visualuk-cc/
http://scamfraudalert.wordpress.com/2011/01/14/high-tech-world-ltd/
http://scamfraudalert.wordpress.com/2011/01/12/avon-products-plc-journey-financial-cc/
http://ddanchev.blogspot.com/2011/01/keeping-money-mule-recruiters-on-short.html
http://www.delphifaq.com/faq/scams/f1057.shtml?p=68
Malware:
Web Cache link (from clean-mx.de)
http://amada.abuse.ch/?search=duncroft-group-inc.cc
http://amada.abuse.ch/?search=gogo-group-inc.cc
Web Cache link (from clean-mx.de)
There were plenty of other hits on Google for the cyber crime OLIVAU.CC is helping to promote as a domain/name server for the Russian Business Network. No need to list them all, but for the last little bit I will talk about this: Enom, being the registrar of this site, did a major "fail" here when it comes to checking whois registrant information. It always amazes me how activity on a domain like OLIVAU.CC can go on for so long without anyone in the registrar industry even hearing about it.
Enom, that's strike two for you on my blog. The first strike was AUSTDEC.CC; you can read more about it here. In fact, you may want to read my first blog post and take note of the name server section I mentioned at the very bottom of that post. I'll be going through each domain I mentioned as acting as a name server in that post. Save your abuse staff the time and see if any more of those domains I listed are a part of your registry. You may even think about deleting the same Larisa Kornyakova/Vladimir Dudnik/Alexander Zolotov entries I mentioned in this post from your registry entirely. It would save you one big headache.