ALERT: Please treat content from the following domains with extreme caution

Thanks to Matt for the heads-up that the following domains are implicated in the facilitation of malvertising and other nefarious behavior...

Matt warns us about...

paymentforad.com - IP 58.65.237.115
Registrar: TLDS, LLC DBA SRSPLUS
Registrant: Serj Moondy (moon.serg@gmail.com) <-- a name we recognize, yes?
Administrative, technical, billing contact: Alex Ferguson (moon.serg@gmail.com)
Domain created: 3 July 2008

extrabigad.com - was 58.65.237.114, now 69.50.131.86
Registrar: TLDS, LLC DBA SRSPLUS
Registrant: Serj Moondy (moon.serg@gmail.com)
Administrative, technical, billing contact: Alex Ferguson (moon.serg@gmail.com)
Domain created: 3 July 2008

extrafreead.com - IP 58.65.237.113
Registrar: TLDS, LLC DBA SRSPLUS
Registrant: Serj Moondy (moon.serg@gmail.com)
Administrative, technical, billing contact: Alex Ferguson (moon.serg@gmail.com)
Domain created: 3 July 2008

ads4flower.com - IP: 58.65.237.116
Registrar: TLDS, LLC DBA SRSPLUS
Registrant: Serj Moondy (moon.serg@gmail.com) <-- a name we recognize, yes?
Administrative, technical, billing contact: Alex Ferguson (moon.serg@gmail.com)
Domain created: 3 July 2008

advertpanda.com - IP: 58.65.237.117
Registrar: TLDS, LLC DBA SRSPLUS
Registrant: Serj Moondy (moon.serg@gmail.com)
Administrative, technical, billing contact: Alex Ferguson (moon.serg@gmail.com)
Domain created: 3 July 2008

If I dig a little deeper, I also find...

whoisadvert.com - IP 58.65.237.217
Registrar: TLDS, LLC DBA SRSPLUS
Registrant: Serj Moondy (moon.serg@gmail.com) <-- a name we recognize, yes?
Administrative, technical, billing contact: Alex Ferguson (moon.serg@gmail.com)
Domain created: 3 July 2008

At time of writing, moon.serg@gmail.com was associated with 111 different domains.  I'm very tempted to dig up and publicize every single one of them.

Ok, so let's see what other domains we can find in that IP range that have an advertiser-ish feel to them or which are similar to past fraudware domains (as I keep saying, the bad guys are lazy - they keep using the same registrars, they put too many eggs into one basket, and they sometimes feel the need to hide behind 'bulletproof' hosting):

traffomer.com - IP 58.65.237.49
Registrar: Estdomains, Inc
Creation date: 9 July 2008

BZZZZZ.ORG - IP 58.65.237.49
Registrar: Estdomains, Inc
Creation date: 18 August 2008

adminkos.net - IP: 58.65.237.49
Registrar: Estdomains, Inc
Creation date: 17 July 2008

BTW, another name that keeps on cropping up in association with "bad actor" domains is the unattractively named "fuckdns.com".

fuckdns.com - IP: 58.65.237.49
Registrar: Estdomains, Inc
Creation date: 9 July 2008

Also be careful here...

upkteam.com - IP 58.65.237.121 <--- DON'T GO THERE, there's a script in the source code of the page:
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Creation date: 11 October 2007

That will do for now - the more we dig, the more we find.  HostFresh in Hong Kong (58.65.237.*) has a (deservedly) bad reputation.
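The "dig a little deeper" pivot above, done in code. This is an added example and not part of the original post: it takes the domain, IP, registrar and registrant details exactly as listed here, clusters the domains by shared registrant e-mail and by shared /24 hosting network, performs a one-hop pivot from any seed domain, and exposes a check that a defender can run a hostname and its resolved IP against. The records are transcribed from this post rather than fetched live from WHOIS or DNS, and the function names are my own.

```python
"""Cluster suspect domains by shared WHOIS registrant and hosting network.

Illustrative example added to the post. RECORDS is transcribed from the
listing above (domain, current IP, registrar, registrant e-mail or None where
the post gives none); refresh it from live WHOIS/DNS before relying on it.
"""
import ipaddress
from collections import defaultdict

RECORDS = [
    ("paymentforad.com", "58.65.237.115", "TLDS, LLC DBA SRSPLUS", "moon.serg@gmail.com"),
    ("extrabigad.com",   "69.50.131.86",  "TLDS, LLC DBA SRSPLUS", "moon.serg@gmail.com"),
    ("extrafreead.com",  "58.65.237.113", "TLDS, LLC DBA SRSPLUS", "moon.serg@gmail.com"),
    ("ads4flower.com",   "58.65.237.116", "TLDS, LLC DBA SRSPLUS", "moon.serg@gmail.com"),
    ("advertpanda.com",  "58.65.237.117", "TLDS, LLC DBA SRSPLUS", "moon.serg@gmail.com"),
    ("whoisadvert.com",  "58.65.237.217", "TLDS, LLC DBA SRSPLUS", "moon.serg@gmail.com"),
    ("traffomer.com",    "58.65.237.49",  "Estdomains, Inc", None),
    ("bzzzzz.org",       "58.65.237.49",  "Estdomains, Inc", None),
    ("adminkos.net",     "58.65.237.49",  "Estdomains, Inc", None),
    ("fuckdns.com",      "58.65.237.49",  "Estdomains, Inc", None),
    ("upkteam.com",      "58.65.237.121",
     "DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM", None),
]

# The hosting range the post calls out (HostFresh, 58.65.237.*).
FLAGGED_NETWORK = ipaddress.ip_network("58.65.237.0/24")
LISTED_DOMAINS = frozenset(r[0] for r in RECORDS)


def cluster_by_registrant(records=RECORDS):
    """Group domains by registrant e-mail; domains with no e-mail are skipped."""
    clusters = defaultdict(list)
    for domain, _ip, _registrar, email in records:
        if email:
            clusters[email].append(domain)
    return {email: sorted(domains) for email, domains in clusters.items()}


def cluster_by_network(records=RECORDS, prefixlen=24):
    """Group domains by the /prefixlen network their current IP sits in."""
    clusters = defaultdict(list)
    for domain, ip, _registrar, _email in records:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        clusters[net].append(domain)
    return {net: sorted(domains) for net, domains in clusters.items()}


def pivot_from(seed, records=RECORDS):
    """One-hop pivot: every other listed domain that shares the seed's
    registrant e-mail or its /24 hosting network."""
    seed_rec = next((r for r in records if r[0] == seed), None)
    if seed_rec is None:
        raise KeyError(f"{seed} is not in the record set")
    _, seed_ip, _, seed_email = seed_rec
    seed_net = ipaddress.ip_network(f"{seed_ip}/24", strict=False)
    related = set()
    for domain, ip, _registrar, email in records:
        if domain == seed:
            continue
        # A missing e-mail must never match another missing e-mail.
        same_registrant = seed_email is not None and email == seed_email
        same_network = ipaddress.ip_address(ip) in seed_net
        if same_registrant or same_network:
            related.add(domain)
    return related


def is_flagged(hostname, resolved_ip=None):
    """True if the hostname is a listed domain (or a subdomain of one), or if
    the IP it resolved to lies inside the flagged hosting range."""
    host = hostname.lower().rstrip(".")
    if host in LISTED_DOMAINS or any(host.endswith("." + d) for d in LISTED_DOMAINS):
        return True
    if resolved_ip is not None and ipaddress.ip_address(resolved_ip) in FLAGGED_NETWORK:
        return True
    return False


if __name__ == "__main__":
    for email, domains in cluster_by_registrant().items():
        print(f"registrant {email}: {', '.join(domains)}")
    for net, domains in cluster_by_network().items():
        print(f"network {net}: {', '.join(domains)}")
    print("pivot from traffomer.com:", sorted(pivot_from("traffomer.com")))
```

The two clustering views answer different questions: the registrant cluster is what ties extrabigad.com to the rest even after it moved off 58.65.237.0/24, while the network cluster is what links the Estdomains batch to the SRSPLUS batch despite different registrars and no shared e-mail. `is_flagged` matches subdomains as well as the bare names, since a proxy or DNS log will usually show a host rather than the registered domain.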

http://ddanchev.blogspot.com/2008_06_01_archive.html
http://ddanchev.blogspot.com/2008/02/geolocating-malicious-isps.html

Comments

# re: ALERT: Please treat content from the following domains with extreme caution

Wednesday, September 17, 2008 3:15 PM by Greg

I received a whole bunch of requests from http://www.refereesource.com for information (phone number, address, etc).  I went to Whois and discovered that the name of the registrar is the same as all the ones that are marked "ALERT: Please treat content from the following domains with extreme caution".

Thanks for the information, just thought I would let you know there was another site with their name on it.