A quick search on Anisimov's street address shows plenty of cyber crime ranging from fake pharmacy/fraud domains to sites used to spread malware. Evidently, Anisimov is no stranger to cyber crime. So what does a quick Google search on Ilya's phone number show (+7.8152628111 OR +78152628111)? Nothing much; we see the whois registrant details staying very consistent. Even searching Ilya's email address (freer@free-id.ru) doesn't return anything. It looks like we're going to have to analyze the whois registrant details the hard way: address analysis.

Domain Name: PAGEREDNS.CC
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: NS1.PAGEREDNS.CC
Name Server: NS2.PAGEREDNS.CC
Name Server: NS3.PAGEREDNS.CC
Status: CLIENT-XFER-PROHIBITED
Updated Date: 11-jan-2011
Creation Date: 11-jan-2011
Expiration Date: 11-jan-2012

Registrant Contact: Ilya Anisimov Ilya Anisimov () Fax: ul.Pronina d.26 kv.20 Kandalaksha, Murmanskaya obl 184040 RU
Administrative Contact: Ilya Anisimov Ilya Anisimov (freer@free-id.ru) +7.8152628111 Fax: +7.8152628111 ul.Pronina d.26 kv.20 Kandalaksha, Murmanskaya obl 184040 RU

Source: centralops.net
Let's hop over to Google Maps and see what we can find. Our first hint comes from Google Maps here. The street name Pronina (Russian: Пронина, roughly rendered in English as Pronin to be accurate) does exist. So the street address in Russian would be as follows:

26, ул. Пронина, пом. 20,
Кандалакша, Мурманская обл.,
Russia, 184040

Here's the problem: Google Maps can't find that address even if I remove the apartment number (пом. 20). This suggests the address is non-existent. Taking this even further to show that 26 ulitsa (Russian for street) Pronina doesn't exist, I googled it. Nothing, nada, not a single hit found. Taking this one step further, let's see if we can find a street map or address finder for the city of Kandalaksha. What is funny is MapQuest seems to work for Russia, and it can't find this address either. It would be nice to have a GIS (geographic information system) of Russia's streets publicly available, but for now Google Maps will have to do here. Needless to say, this address has trouble claiming existence anywhere other than the whois registrant details on sites set up to serve malware and commit acts of fraud.
Not entirely shocking, as this is the RBN and that is their bread and butter. They will falsify whois details and be involved in domains/name servers that are involved in cyber crime. The fact that pageredns.cc is acting as a name server for the RBN and that its whois registrant details are (at best) intentionally shady is just part of the game. So let's see how the RBN is using pageredns.cc as a domain/name server with a quick Google search:
Fraud:
http://db.aa419.org/fakebanksview.php?key=56024
Link here (too long)
http://forum.419eater.com/forum/viewtopic.php?p=1665521
http://www.delphifaq.com/faq/scams/f1057.shtml?p=70
http://www.fraudwatchers.org/forums/showthread.php?p=127376
Malware:
http://amada.abuse.ch/?search=lilac-groupllc.cc
http://support.clean-mx.de/clean-mx/viruses.php?domain=throne-groupllc.cc&sort=first%20desc
http://forum.autosec4u.info/showthread.php?tid=3708 (German: possible ZeuS trojan activity)
There were plenty of other abuse links found, but case in point: pageredns.cc is using intentionally falsified whois registrant information for criminal purposes. Granted, it's not easy to spot... but given the level of criminal activity on the domain/name server pageredns.cc, it merits investigation. Given the fact that it ties in with further abuse here and here (tied in with AUSTDEC.CC & OLIVAU.CC), we can safely assume that not only has Enom received falsified whois registrant information but that pageredns.cc is tied in to the same money mule recruitment gang I mentioned in my first blog post.
Enom, do yourself a favor and get rid of any domain using the same whois information used to register pageredns.cc. It will save you a lot of time and headaches.
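The pivots this post works through by hand (the phone number in both spellings, the email address, the street address) and the closing suggestion to find every domain registered with the same details, as an added Python example that is not part of the original post: it parses the flattened whois contact text quoted above into normalized pivot keys and reports which other records share one. The two .example domains are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Whois text for PAGEREDNS.CC is the record quoted in the post; the two
# ".example" entries are constructed solely to show how the grouping works.
RECORDS = {
    "PAGEREDNS.CC": (
        "Registrant Contact: Ilya Anisimov Ilya Anisimov () Fax: ul.Pronina d.26 "
        "kv.20 Kandalaksha, Murmanskaya obl 184040 RU Administrative Contact: "
        "Ilya Anisimov Ilya Anisimov (freer@free-id.ru) +7.8152628111 Fax: "
        "+7.8152628111 ul.Pronina d.26 kv.20 Kandalaksha, Murmanskaya obl 184040 RU"
    ),
    "CONSTRUCTED-ONE.EXAMPLE": (
        "Administrative Contact: J Doe J Doe (other@example.test) +78152628111 "
        "Fax: +78152628111 Somewhere 1 Elsewhere 000000 RU"
    ),
    "CONSTRUCTED-TWO.EXAMPLE": (
        "Administrative Contact: A Other A Other (nobody@example.test) +1.5550100 "
        "Fax: +1.5550100 Nowhere Lane 5 Anytown 00000 US"
    ),
}

EMAIL_RE = re.compile(r"\(([^()@\s]+@[^()\s]+)\)")          # "(user@host)"
PHONE_RE = re.compile(r"\+\d[\d.\-]+")                       # "+7.815..." / "+7815..."
ADDR_RE = re.compile(r"Fax:\s*(?:\+[\d.\-]+\s*)?(.+?\b\d{5,6}\s+[A-Z]{2})\b")


def pivots(record):
    """Normalized pivot keys (email, phone, postal address) found in one whois record."""
    keys = set()
    for email in EMAIL_RE.findall(record):
        keys.add("email:" + email.lower())
    for phone in PHONE_RE.findall(record):
        # Digits only, so the +7.8152628111 and +78152628111 spellings collide.
        keys.add("phone:" + re.sub(r"\D", "", phone))
    for addr in ADDR_RE.findall(record):
        keys.add("addr:" + " ".join(addr.lower().split()))
    return keys


def linked_domains(seed, records):
    """Other domains sharing at least one pivot key with `seed`, and which keys."""
    index = defaultdict(set)
    for domain, text in records.items():
        for key in pivots(text):
            index[key].add(domain)
    linked = defaultdict(list)
    for key in sorted(pivots(records[seed])):
        for domain in index[key] - {seed}:
            linked[domain].append(key)
    return dict(linked)
```

Running `linked_domains("PAGEREDNS.CC", RECORDS)` returns the constructed first domain, linked through the shared phone number only, while the unrelated second record is not reported.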