safepaymentsonline.com - down the rabbit hole we go...
I have been taking a look at the site safepaymentsonline.com because a report of naughtiness was received. Here is what I found:
ICANN Registrar: TLDS, LLC DBA SRSPLUS
Domain created: 8 April 2008
NS1, 2, 3, 4.SAFEPAYMENTSONLINE.COM
IP: 220.127.116.11 (Oregon - Portland - Aps Telecom)
Registrant: Markus Simpson (further details hidden behind SRSPlus Private Registration)
Sharing IP with 29 domains: 1softwarespot.com, Adult-billing.com, Bestsoftclub.com, Billhlp.com, Billingcenteronline.com, Billinghost.net, Billingintegrator.com, Billingmill.com, Billingserviceonline.com, Billingsquad.net, Billinternet.com, Billsvc.com, Customerhlp.com, Dopaymentsonline.com, Ebillingcenter.com, Fantazybill.com, Interbills.com, Justnetbilling.net, Legalbillingsystems.com, Mainbillingcenter.com, Megafixer.com, Orderhlp.com, Paymentbit.com, Paymentbit.net, Paymentforge.com, Safepaymentsonline.com, Softwbill.com, Spankyhosting.com, Support-wizard.com, Truebillingservices.com.
Following the white rabbit...
Once again, I will take the opportunity to show my gentle readers how we can uncover the ties that bind when investigating non-reputable domains. It is becoming more and more important that we become proficient in undertaking such checks now that the bad guys are trying harder to hide who they are, what they are doing, and any history of misbehavior.
In this case, we start with the name "Markus Simpson", which is already familiar to me. We can tie "Markus Simpson" to our favorite monitored pseudonym, "Serg Moon", when we note that the WHOIS information for truebillingservices.com was changed from "Serj Moondy" to "Markus Simpson" back in October of this year.
I have also come across the safepaymentsonline domain before in association with malvertizing:
We can tie some of the domains above that share IP with safepaymentsonline.com, being truebillingservices.com, softwbill.com, spankyhosting.com and others, to ultimatepayment.com (via shared IP address). This in turn leads us to bucksbill.com (which also used to share IP address). Bucksbill was notorious for charging twice as much to credit cards for fraudware/fake security software as was authorized:
Overcharging of credit cards - check out the comments:
Historical WHOIS information for safepaymentsonline.com reveals even more ties that bind. Back when the domain was first registered, the Registrant was listed as a "Kira Nigel", with an email address of firstname.lastname@example.org.
"deryderuki" is familiar to me too - sure enough, it appears in the internal research about Innovative Marketing as released by Sunbelt Software. Innovative Marketing are, of course, the subject of a lawsuit recently announced by the FTC.
"deryderuki" appears three times in the Sunbelt documentation:
bestpaymentsolution.net (Kira Nigel, email@example.com)
direct-billing.com (Jim Havbeck, firstname.lastname@example.org)
securefileshredder.com (Jim Havbeck, email@example.com)
"Jim Havbeck" draws our attention to even more names and email addresses: firstname.lastname@example.org, "Sagent Group" (email@example.com) and "Sam Akshay" (firstname.lastname@example.org).
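The pivoting used above (shared hosting IP, a registrant name that changes over time, and a recurring email address) can be mechanised. This is an added example, not code from the original post: it takes WHOIS-style records that carry current and historical values, links domains through any shared registrant, email, IP or nameserver, and lists the values two domains have in common. All domains, names and addresses in the sample are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class WhoisRecord:
    """One domain with its current plus historical WHOIS values."""
    domain: str
    registrants: set       # registrant names seen over time
    emails: set            # contact addresses seen over time
    ips: set               # hosting IPs seen over time
    nameservers: set = field(default_factory=set)

def _pivot_keys(rec):
    # Type each value so an IP and a name can never collide as a pivot key
    for attr in ("registrants", "emails", "ips", "nameservers"):
        for value in getattr(rec, attr):
            yield (attr, value.lower())

def cluster_domains(records):
    """Group domains that are linked, transitively, through any shared pivot (union-find)."""
    parent = {r.domain: r.domain for r in records}
    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]   # path halving
            d = parent[d]
        return d
    first_owner = {}   # pivot key -> first domain that carried it
    for rec in records:
        for key in _pivot_keys(rec):
            if key in first_owner:
                parent[find(rec.domain)] = find(first_owner[key])
            else:
                first_owner[key] = rec.domain
    groups = defaultdict(set)
    for d in parent:
        groups[find(d)].add(d)
    return sorted(groups.values(), key=lambda s: (-len(s), sorted(s)))

def shared_pivots(a, b):
    """The 'ties that bind' two records: every typed value they have in common."""
    return sorted(set(_pivot_keys(a)) & set(_pivot_keys(b)))

# Constructed sample: pay-a was renamed from "Registrant One" to "Registrant Two",
# bill-b shares that later name and the hosting IP, shop-c only shares bill-b's email.
SAMPLE = [
    WhoisRecord("pay-a.example", {"Registrant One", "Registrant Two"}, {"r1@example.net"}, {"203.0.113.10"}),
    WhoisRecord("bill-b.example", {"Registrant Two"}, {"r2@example.net"}, {"203.0.113.10"}),
    WhoisRecord("shop-c.example", {"Registrant Three"}, {"r2@example.net"}, {"198.51.100.7"}),
    WhoisRecord("unrelated.example", {"Someone Else"}, {"x@example.org"}, {"192.0.2.5"}),
]

if __name__ == "__main__":
    for group in cluster_domains(SAMPLE):
        print(sorted(group))
    print(shared_pivots(SAMPLE[0], SAMPLE[1]))
```

Shared-IP links are the weakest pivot (shared hosting puts unrelated sites on one address), so treat an IP-only cluster as a lead to verify against registrant or email ties rather than as a conclusion.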
Malvertizements and fraudware/fake security software incidents implicating Sagent Group:
A Sagent Group was forced to hand over ownership of the domain "hillenbrandindustries.com" after failing to reply to Complainant's contentions:
"Sagent Hostmaster" implicated in malvertizement hijack leading to a pornographic web site, complete with streaming media on the opening page.
Back in December 2007 I wrote about a malvertizement that was appearing on mlb.com which was different to the norm because it did not redirect victims to a fraudware/fake security software site. Instead, it redirected victims to a pornographic web site, complete with streaming media. The incident is recorded here (and I still have a copy of the advertisement in question, and a video recording of the hijack incident, in my archives):
I still use the mlb.com incident when giving presentations about malvertizements - the risk environment that a business is exposed to changes for the worse when employees are exposed to pornography (especially pornography with sound and motion).
The pornographic domain was h q tube.com (white spaces interspersed in domain name). The WHOIS for that domain is:
ICANN Registrar: TLDS, LLC DBA SRSPLUS
Domain created: 14 August 2006
NS1, 2, 3, 4.SERVERFIELD.COM (hosting 20 domains)
IP: 18.104.22.168 - Utrecht, Webazilla
Registrant: Sagent Hostmaster (email@example.com)
Now we have yet another email address, firstname.lastname@example.org. A Clusty search for that email address reveals some interesting information, including an ICQ number and allegations of what looks like small time investment fraud: