Let's start by diving right into the whois registrant details of dnsukrect.com -
Upon googling Mr. Boiko's street address, you will find links noting sites that have been set up for malware dispersal. No shock there; we're talking about the RBN. Googling his whole address, it won't pull up on Google Maps, so I highly doubt the street even exists in Stroitel, Russia, meaning the whois registrant information has been falsified for illegal and fraudulent purposes. (On its own, absence from a map is circumstantial; the phone number, which is the same on every record below, is the pivot that is hard to explain away.) On that note, what happens when you google Boiko's phone number? Aside from being greeted by quite a few reports of fake pharmacies and malware dispersal sites, there were some more things to suggest falsified whois registrant information for criminal activity.

Domain Name: DNSUKRECT.COM
Registrar: NICS TELEKOMUNIKASYON TICARET LTD.STI.
Whois Server: whois.nicproxy.com
Referral URL: http://www.nicproxy.com
Name Server: NS1.DNSUKRECT.COM
Name Server: NS2.DNSUKRECT.COM
Name Server: NS3.DNSUKRECT.COM
Status: ok
Updated Date: 27-jan-2011
Creation Date: 27-jan-2011
Expiration Date: 27-jan-2012

DOMAIN: DNSUKRECT.COM
owner-contact: CID-129136DNS
owner-organization: Oksana Boiko
owner-name: Oksana
owner-lname: Boiko
owner-street: ul.Pobedy d.3 kv.81
owner-city: Stroitel
owner-state: Belgorodskaya oblast
owner-zip: 309070
owner-country: RU
owner-phone: +7.4722311731
owner-fax: +7.4722311731
owner-email: code@yourisp.ru
Source: centralops.net
Domain Name: DISCOUNTPHARMACYPILLS.COM
Registrant: Nataliya Guzik
Nataliya Guzik (tw@free-id.ru)
ul.Pochtovaya d.76 kv.28
Belgorod Belgorodskaya oblast, 308013
RU Tel. +7.4722311731 Fax. +7.4722311731
Creation Date : 11/3/2010 7:04:54 PM
Expiration Date : 11/3/2011 7:04:54 PM
Source: http://discountpharmacypills.com.w3spy.net/

Notice two things here. Mr. Boiko is now named Nataliya Guzik (sexy name, Boiko), and his place of residence has changed drastically, all within a year. He (she?) also has quite a few email addresses; this one was used to register a fake pharmacy (it looks like Natalia started another one here too). The one thing that never changes is the phone and fax number, +7.4722311731. This, hands down, proves falsified whois registrant information. We're not done here though. Let's look at another site "Nataliya" registered for malware dispersal about a month after Mr. Boiko registered dnsukrect.com (created 28 Feb 2011 versus 27 Jan 2011):

Registrant: Nataliya Guzik
above@yourisp.ru
+7.4722311731
Nataliya Guzik
ul.Pochtovaya d.76 kv.28
Belgorod, Belgorodskaya oblast, RU 308013
Domain Name: quvujykolenuja.com
Record last updated at
Record created on 2011/2/28
Record expired on 2012/2/28
Source: link here (too long)

Totally different address, totally different name, all registered within the same time period, and all for the purposes of cyber criminal activity. This is, hands down, falsified whois registrant information submitted for illegal purposes.
So, we've already shown that the whois registrant information has been falsified for the name server dnsukrect.com. Let's show what kind of illegal activity takes place on this name server -
Phishing:
http://www.siteadvisor.com/sites/dnsukrect.com/postid?p=7305091
Fraud:
http://scamfraudalert.wordpress.com/2011/02/03/
http://scamfraudalert.wordpress.com/2011/02/21/lilac-llc-company/
http://scamfraudalert.wordpress.com/2011/02/03/gogo-group-inc-cc-gogo-teamant-com/
http://ddanchev.blogspot.com/2011/03/keeping-money-mule-recruiters-on-short.html
Malware:
http://rss.uribl.com/ns/dnsukrect_com.html
link here (too long!)
http://amada.abuse.ch/?search=renaissance-llc.cc
http://support.clean-mx.de/clean-mx/viruses?id=761523
There were plenty of other Google hits for this kind of activity; I'm pretty sure if you made it this far down the post you know how to google for it. That said, again we see a registrar failure: whois registrant information has been falsified while the slime of the internet's charred underbelly runs rampant, dispersing malware and other forms of fraud. NICS TELEKOM, it's time to see if you want your name associated with this lot.
Coming soon to a blog post near you: a short story about a name server/domain named uknamo.com.