Sunday, April 10, 2011

zonensuk.cc

Time for my last post regarding the list of nameservers I gave in my first blog post. Today we look at zonensuk.cc, another Russian Business Network (RBN) domain being used as a name server to perpetrate acts of fraud and malware dispersal. Our confirmation that this is an RBN domain/name server comes from Emerging Threats' RBN IP list. A quick Google search on zonensuk.cc shows plenty of malware and fraud activity, so let's dive right in -
Domain Name: ZONENSUK.CC
Registrar: BIZCN.COM, INC.
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Name Server: NS1.ZONENSUK.CC
Name Server: NS2.ZONENSUK.CC
Name Server: NS3.ZONENSUK.CC
Status: CLIENT-XFER-PROHIBITED
Status: CLIENT-DELETE-PROHIBITED
Updated Date: 08-dec-2010
Creation Date: 08-dec-2010
Expiration Date: 08-dec-2011
Registrant Contact:
   Olga Veresova
   Olga Veresova rooms@ppmail.ru
   +78123274547 fax: +78123274547
   ul.Komsomola d.13 kv.26
   Sankt-Peterburg Sankt-Peterburg 195009
   RU
Source: centralops.net
What a surprise: googling Olga's street address I see plenty of hits for fake pharmacy and software websites... but the shocker is that Google leads me right back to my very own blog here, to the post about FOLOWDNS.CC (another domain with falsified whois information being used by the RBN for their cyber crime). Boom! This proves in one blow that zonensuk.cc has intentionally falsified registrant information for criminal intent. Let's throw some more stones through this glass house though -
Domain name: trvlftnow.com
Registrant Contact:
   Vladimir Silyanov
   Vladimir Silyanov epic@ca4.ru
   +78123274547 fax: +78123274547
   ul.Rudneva d.3 k.2 kv.119
   Sankt-Peterburg Sankt-Peterburg 194291
   RU
Created: 2011-03-15
Expires: 2012-03-15
Same phone number as zonensuk.cc, but a completely different registrant name and address. This proves falsified whois registrant information. We see the same thing here for a fake pharmacy... again the same phone number but an entirely different whois registrant name and address. So, with intentionally falsified whois registrant information for zonensuk.cc shown above, let's show what zonensuk.cc is being used for as a name server with a quick Google search -

Fraud:
Link here (too long)
Link here (too long)
http://scamfraudalert.wordpress.com/2011/01/12/avon-products-plc-journey-financial-cc/
http://ddanchev.blogspot.com/2011/01/keeping-money-mule-recruiters-on-short.html
http://www.fraudwatchers.org/forums/showthread.php?p=127376

Malware:
http://support.clean-mx.de/clean-mx/viruses.php?domain=online-solutionsllc.cc&sort=first%20desc
http://support.clean-mx.de/clean-mx/viruses.php?domain=pegasltdunion.cc&sort=email%20desc

Again, there were plenty of other hits for malware and fraud activity on zonensuk.cc, a domain being used as a name server to spread malware and fraud. BizCN, again: just delete the registrants I've been mentioning in my blog posts entirely from your registry. These customers will only bring a business like yours problems in the long run with the amount of falsified whois registrations they shell out for criminal intent.
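The registrant pivot this post relies on (one phone number shared across domains whose registrant names and addresses differ) can be automated so the same check runs over a whole batch of whois lookups. The script below is an added example, not code from the original post: it parses whois excerpts in the layout quoted above, normalises the phone field to digits, and reports any phone number tied to more than one registrant identity. The embedded input holds the two records quoted in this post plus one constructed control record (EXAMPLE.INVALID) that is made up for the example so there is a non-flagged case.

```python
import re
from collections import defaultdict

# Whois excerpts in the layout quoted in the post. The first two are the
# zonensuk.cc and trvlftnow.com records from the post; the third
# (EXAMPLE.INVALID) is a constructed control record with an unrelated phone
# number, made up for this example so the script has a non-flagged case.
WHOIS_RECORDS = """\
Domain Name: ZONENSUK.CC
Registrar: BIZCN.COM, INC.
Name Server: NS1.ZONENSUK.CC
Registrant Contact:
   Olga Veresova
   Olga Veresova rooms@ppmail.ru
   +78123274547 fax: +78123274547
   ul.Komsomola d.13 kv.26
   Sankt-Peterburg Sankt-Peterburg 195009
   RU

Domain name: trvlftnow.com
Registrant Contact:
   Vladimir Silyanov
   Vladimir Silyanov epic@ca4.ru
   +78123274547 fax: +78123274547
   ul.Rudneva d.3 k.2 kv.119
   Sankt-Peterburg Sankt-Peterburg 194291
   RU

Domain Name: EXAMPLE.INVALID
Registrant Contact:
   Jane Doe
   Jane Doe jane@example.invalid
   +10000000000 fax: +10000000000
   1 Example Street
   Exampletown Exampletown 00000
   US
"""

# Loose phone matcher: optional '+', 7-15 digits (E.164 length limits).
PHONE_RE = re.compile(r"^\+?\d{7,15}$")


def parse_records(text):
    """Split a blob of whois excerpts (blank-line separated) into dicts with
    domain, registrant name, email, normalised phone and address lines."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {"domain": None, "name": None, "email": None, "phone": None, "address": []}
        in_contact = False
        for line in chunk.splitlines():
            if not in_contact:
                m = re.match(r"^Domain Name:\s*(\S+)", line, re.IGNORECASE)
                if m:
                    rec["domain"] = m.group(1).lower()
                elif line.startswith("Registrant Contact:"):
                    in_contact = True
                continue
            field = line.strip()
            if not field:
                continue
            tokens = field.split()
            if rec["name"] is None:
                rec["name"] = field                 # first contact line is the name
            elif rec["email"] is None and "@" in tokens[-1]:
                rec["email"] = tokens[-1].lower()   # "Name email@host" line
            elif rec["phone"] is None and PHONE_RE.match(tokens[0]):
                rec["phone"] = re.sub(r"\D", "", tokens[0])  # keep digits only
            else:
                rec["address"].append(field)        # street, city/postcode, country
        if rec["domain"]:
            records.append(rec)
    return records


def pivot_on_phone(records):
    """Return {phone: [domains]} for every phone number that appears with more
    than one registrant identity (name + address). A phone reused across
    different identities is the inconsistency the post treats as evidence of
    falsified whois data."""
    by_phone = defaultdict(list)
    for rec in records:
        if rec["phone"]:
            by_phone[rec["phone"]].append(rec)
    findings = {}
    for phone, recs in by_phone.items():
        identities = {(r["name"], " / ".join(r["address"])) for r in recs}
        if len(identities) > 1:
            findings[phone] = sorted(r["domain"] for r in recs)
    return findings


if __name__ == "__main__":
    recs = parse_records(WHOIS_RECORDS)
    for phone, domains in pivot_on_phone(recs).items():
        print(f"phone +{phone} is shared by {len(domains)} domains with differing "
              f"registrant identities: {', '.join(domains)}")
```

The same grouping works for any other field that should be unique to one registrant (email, street address), and feeding it the output of bulk whois lookups on a registrar's name-server client list gives a cheap first-pass screen for the kind of registrations this post describes.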
