A stolen identity from the real Waller
Truck Co is just the latest in a long line of criminal fraud
aliases from the same money laundering mule/phishing criminals, who are
also using a
website
stolen from the genuine American Waller Truck Company. Basically all
the
criminal has done is take the stolen Waller Truck Company site, alter
some text, (e.g. the location), and insert a money mule fraud job.
The genuine Waller Truck Company have
nothing whatsoever to do with this
fraud. Their genuine
website is here
and
the criminal's bogus website is currently here. The genuine
Waller Truck Company have posted a warning of this criminal's
activities on their contact
details page.
The
bogus Waller Truck Co. website
is generally zombie botnet hosted and the spam is zombie botnet
distributed. Some
of the criminal's current domain registrations are provided by the
internet domain registrar Nic.ac of Christchurch, Dorset, UK
who
has failed to respond to a single abuse report concerning these
criminals even though their activities are clearly precluded in the
Nic.ac 'Domain
Rules'.
This registrar also registered fraud domains for the Cronos Investment
fraudster and the Draper Investment fraudster before them and also
ignored abuse reports relating to those criminals. They are fully aware
of this criminality but, as they put it, "do not get involved".
Current
Zombie Botnet Host(s)
The
ethical majority of service providers, (all credit to them), act within
1-24 hours of being informed of the
criminal abuse of their system, (the
best in less than 1 hour), but there are unfortunately a
few that do not, for one reason or another.
Waller Truck Co :
Evidence
of Criminal Fraud
i) The Waller Truck Co.
criminal fraudsters
have stolen the website of the genuineWaller
Truck Company
as detailed above - this fraud is exactly the same as his original
Harvey Investment, Draper Investment, Cronos Investment frauds
etc with a new company as the victim.
ii)The genuine Waller Truck
Company have posted a warning of this criminal's activities on their contact details
page.
iii) The bogus Waller
Truck Co. website is zombie botnet hosted as demonstrated by the DNS
data below.
iv) The genuine
Waller Truck Co. location is in Excelsior Springs, MO, USA. The
criminals have a bogus address in Canberra Australia on their stolen
website. This address does not appear in a Google search.
v) The
criminal's site is spamvertising the following 'Regional
Sales Manager' money mule job under the Company - Job
Opportunities menu tab which does not appear on the genuine site: 1. Regional
Sales Manager
Status:
Part-time Job description:
Work
as a member of a group, helping to enlarge a base of customers in
countries all over the world and liaise with head office on a daily
basis;
Deliver high standards of
customer service ensuring high delivery speed and quality of orders;
Manage
a part of a sales cycle – ensure fast remittance of payments
through your bank account and then - through world wide Western Union
system and calculate fees at each step;
Create and maintain
positive relationships with
existing clients that result in new customers, lead to and maximise
opportunities for expansions and renewals to enhance revenue stream. Employees should be able to perform:
Excellent spoken English
& communication skills (oral and written).
Professional approach on
the phone conversations
PC literate: Microsoft
Outlook and Word as a minimum
Proven ability to
communicate effectively at all levels in a relaxed confident manner.
Extroverted and outgoing,
with a positive outlook.
Significant attention to
detail.
Excellent organisational
skills.
Customer focused.
Focused on own personal
goals, integrating the achievement of company objectives.
Ability to
work unsupervised No previous sale or accounting experience is
necessary, though it will be valued. Your Personal
situation must allow you to travel around your place 1-2
hours a day on company assignments( that would be particularly trips to
the bank and Western Union branches)
vi) If you
click on "Apply for this position" on the above page you eventually get
to an application
form page
which has a fake .gif Verisign certificate, ('Verify' doesn't work - it
just takes you to the Verisign non-SSL info. page). The application
form requests all your bank details.
vii) The Waller Truck Co. criminal
uses lots of recently registered domains, with newly
registered
ones appearing all the time as the spamvertized ones are suspended by
responsible registrars.
viii) All
domains have
totally different bogus whois data although they are used for
the same fraud website.
ix) The Waller
Truck Co. spam contains forged header information and the
usual bayesian
filter avoidance code that irrefutably link it to the Cronos
Investment, Draper
Investment, Harvey
Investment, Adamant Global, Sydney Car Centre and all this criminal's
many other aliases along with the 'rockphish' phishing criminals.
x) The
criminals prolific spam is zombie botnet distributed as is easily
demonstrated by the source IPs.
xi) The
criminal's spams are all signed by different random names - they appear
to have an infinite number of fake 'employees'.
The above
evidence clearly demonstrates beyond any doubt that this
stolen Waller Truck Co. website has been set up by money laundering
and phishing
criminals purely for
the
purpose of spamvertising an illegal money laundering 'mule' job and is
undoubtedly just a stolen copy of the genuine Waller Truck Co. site and is directly related
to Cronos Investment, Draper Investment, Harvey Investment, Adamant
Global, Sydney Car
Centre and the rest of the money
laundering/phishing criminal fraudsters' aliases
documented here. If you are an abuse team that has received an abuse
report regarding these fraudsters, please
consider immediate
termination of their services in view of the absolutely undeniable
evidence of
site theft, copyright offences, criminal money laundering activity
and
spamming -
please don't delay - these criminals will not
respond to any communication from you, (all their whois data is false),
but will simply take advantage of any attempt
at communication as a delaying tactic to allow them time to carry on
their criminal activity and prepare
their
next network.
Do
not
be misled -
these are professional criminals
with a long history
of fraud as detailed on the General Information page and are the same
criminals as the 'rockphish' phishing fraudsters, so if a host or
registrar shelters these crooks then they are also sheltering them and
aiding and abetting their criminal 'phishing' fraud activities.
Waller Truck
Co. Fraudsters -
current hosting details.
Current Main Domains, Hosts
and Registrars
Domain
watrco.ac
Registrar
Nic.ac
Host IP Network /Botnet Nameserver Host
Host
IP/Botnet Nameserver
IP
See table below for the full
list of known active & suspended main domains used by
this
criminal.
Current Zombie Botnet Nameserver
Domains
and
Registrars
regtoo.com
- REGISTER.COM,
INC. iprintworld.com - IA
Registry/Spiritdomains
Parked Parked Parked DNS Error Domain Unavailable DNS Looped Parked DNS Error Active DNS Error Parked Parked DNS Error DNS Error Suspended Suspended Suspended Suspended Suspended Suspended Suspended DNS Error DNS Looped DNS Error Suspended Suspended Suspended Suspended DNS Error Suspended Suspended Suspended Suspended Suspended Suspended Suspended DNS Error Suspended DNS Error DNS Error DNS Error Suspended Suspended Suspended Suspended DNS Error DNS Error Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Unhosted Unhosted Unhosted Suspended Suspended Suspended Unhosted Unhosted Unhosted Suspended Parked Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Active Active
Parked Parked Active Parked Active Suspended Suspended Active Active Active Active
Registrar
REGISTER.COM, INC.
REGISTER.COM, INC.
Nic.ac
Nic.ac
Nic.ac
REGISTER.COM,
INC.
Nic.ac
Nic.ac
Nic.ac
Nic.ac
Nic.ac
REGISTER.COM, INC.
Nic.ac
Nic.ac
Nic.nu
Nic.nu
Nic.nu www.la www.la domains.ph
domains.ph
domain.kg domain.kg domain.kg www.la
www.la domains.ph domains.ph domain.kg www.la www.la www.la
domains.ph
IA Registry/Spiritdomains
www.la IA Registry/Spiritdomains domain.kg
domains.ph domain.kg domain.kg domain.kg
IA Registry/Spiritdomains Nic.gs Nic.gs Nic.gs domains.ph domains.ph www.la www.la www.la www.la www.la www.la www.la domains.ph domains.ph IA Registry/Spiritdomains IA Registry/Spiritdomains domains.ph
Nic.tl Nic.tl domain.kg domain.kg domain.kg IA Registry/Spiritdomains COMPUTER SERVICES LANGENBACH
GMBH (JOKER.COM)
IA Registry/Spiritdomains IA Registry/Spiritdomains IA Registry/Spiritdomains IA Registry/Spiritdomains IA Registry/Spiritdomains
Nic.tl Nic.tl IA Registry/Spiritdomains IA Registry/Spiritdomains IA Registry/Spiritdomains IA Registry/Spiritdomains IA Registry/Spiritdomains IA Registry/Spiritdomains
REGISTER.COM,
INC.
IA
Registry/Spiritdomains
TODAYNIC.COM, INC
REGISTER.COM, INC.
IA
Registry/Spiritdomains
IA Registry/Spiritdomains
Estdomains
REGISTER.COM, INC.
REGISTER.COM, INC.
REGISTER.COM, INC.
IA Registry/Spiritdomains
Please notify me of any errors or domains not listed here.
Notes
for Registrars
i) The Waller Truck Co. criminal uses his own nameserver
domains
to control his zombie botnets or provide his DNS. By definition there
can be no legitimate
domains using his dedicated botnet nameservers & his
conventional nameserver domains are always very recently registered.
This
provides an ideal database search option for you to identify and delete
all of this criminal's fraud domains without
any risk of hurting an innocent domain. Current criminal's botnet
nameservers - ns1.regtoo.com
and ns1.iprintworld.com
ii) All of the criminal's domains have different false
whois registration data.
iii) The criminal will not respond to your challenge but will use the
notice to prepare a new network -
immediate suspension is preferred, please.The
Spam Headers
Return-Path: <ndvlwgdq@norika-fujiwara.com>
Received: from mwinf3106.me.freeserve.com (mwinf3106.me.freeserve.com)
by mwinb3406 (SMTP Server) with LMTP;
Tue, 27 Nov 2007 11:56:35 +0100
X-Sieve: Server Sieve 2.2
Envelope-to: xxxxxxx@xxxxxxxxx
Received: from me-wanadoo.net (localhost [127.0.0.1])
by mwinf3106.me.freeserve.com (SMTP
Server) with ESMTP id xxxxxxxxxxxxx
for <xxxxxxx@xxxxxxxxx>;
Tue, 27 Nov 2007 11:56:35 +0100 (CET) Received:
from e181068023.adsl.alicedsl.de (e181068023.adsl.alicedsl.de
[85.181.68.23])
by mwinf3106.me.freeserve.com (SMTP Server) with SMTP id xxxxxxxxxxxxx
for <xxxxxxx@xxxxxxxxx>; Tue, 27 Nov 2007 11:56:34 +0100
(CET) X-ME-UUID:
xxxxxxxxx@xxxxxxxxxxxxxxx Received:
from buydomains.com (EHLO pimpedhost.com.danga.com [108.45.115.102])
by logansvideos.com with SMTP id 9OICZN9FWY
for <xxxxxxx@xxxxxxxxx>; Tue, 27 Nov 2007 02:56:42 -0800 Received:
from purinmail.com [12.165.104.127]
by d21c.com with SMTP id A9W5DELW09
for <xxxxxxx@xxxxxxxxx>; Tue, 27 Nov 2007 13:47:42 +0300
From: "Waller Truck Co" <ndvlwgdq@norika-fujiwara.com>
To: "Bob" <xxxxxxx@xxxxxxxxx>
X-MSMail-Priority: 3 (Normal)
Subject: vacant position in the waller Truck Co.
User-Agent: MIME-tools 5.503 (Entity 5.501)
X-Mailer: MIME-tools 5.503 (Entity 5.501)
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--8JDQ.BSQ_AJ8WZ"
Message-Id: <xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 27 Nov 2007 11:56:34 +0100 (CET)
Recipient
& message id munged.
The
first thing to notice is the spam source IP. Reading
from the bottom upwards, (following the routing as is the norm when
parsing headers), the
first two of the received
lines (red)
can be rejected as unsafe, almost certainly forged. The
actual trusted source IP that cannot be forged is the one
received by the recipients email provider (Freeserve) and that is in
this line (green):
Received:
from e181068023.adsl.alicedsl.de (e181068023.adsl.alicedsl.de
[85.181.68.23])
In
this received line the source IP address is 85.181.68.23 the reverse
DNS (RDNS) for which correctly indicates e181068023.adsl.alicedsl.de which confirms that the source
address is genuine.
In
the above RDNS sender identity note the letters adsl. These stand
for Asymmetric
Digital Subscriber Line
and tell you for sure that the spam has come from an end user's
computer on an ADSL network in Germany, (from the whois data for the IP
address). "Well", you say, "there's your criminal". Unfortunately not -
he or she may be guilty of criminal stupidity by not having a firewall
or clicking on the latest nude pictures of Britney Spears, but
unfortunately probably not criminal fraud - he/she is just one of tens
of thousands of 'zombies' - computers that have been infected with a
zombie virus or worm. What it does tell you for certain is that the
Waller Truck Co. spammer uses a zombie botnet to distribute his spam in
exactly the same way as Sydney Car Centre, Harvey Invest, Draper
Invest, Cronos Invest, Adamant Global and all the rest of these
criminals.
Lastly,
ndvlwgdq@norika-fujiwara.com is
not "Waller Truck Co."
& the spam has not come from that address -
this is just another forged email
address.
Incidentally, never 'bounce' spam back to the 'sender' as it only
bounces back to a forged address which, if real, will only belong to an
innocent third party who will understandably be a little peeved with
you and if you do it a lot you could get your ISP's SMTP IP range
blacklisted and they will be even more upset with you & could
justifiably close your account. The
Spam Content
The Waller
Truck Co. spam headers contain many
different forged/bogus 'From' &
'Return Path' addresses & various forged 'Receive' lines. The
subject lines vary & all indicate that there is a job
opportunity to be had. There is - an illegal job as a money laundering
'mule' or transfer fraud victim, i.e. accepting stolen or counterfeit
proceeds into your account and forwarding it on via Western Union or
Moneygram for a percentage cut. Needless to say it is these mules that
will probably feel the full weight of the law while the remote money
launderers are safe. The bogus or stolen funds in the mules account may
well also be recovered, leaving them with large losses.
This is the content of an actual Waller Truck Co.
scam spam:
Since its establishment in
1959, Waller Truck Co., Inc. has centered its family-owned trucking
business on : QUALITY, FAIRNESS, HONESTY and UNCOMPROMISING CUSTOMER
SERVICE.
Waller
Truck Co. is the largest provider of outsourced workplaces for
individuals all over the world. The company provides more than 100,000
clients with flexible and cost-effective range of goods and services
using help of regional associates at prestigious locations in business
hubs and capital cities around the globe.
The only
way that we can ensure our customers receive the highest standard of
quality and service is to hire individuals who share our vision,
dedication and entrepreneurial spirit. Due to our rapid expansion, we
are seeking Regional Sales Managers in the UK.
If you love hard work but hate routine, if you are adventurous but
responsible, if you have great communications skills, are interested in
international sales and like a challenge, this job is for you.
Vacancy
offered is a part-time or second employment. You'll be supposed to work
from home, but at the same time Your Personal situation must allow you
to travel around your place 1-2 hours a day on company assignments
(that would be particularly trips to the bank and Western Union
branches).
While implementing Company's assignments You shall be working as a
member of a group, helping to enlarge a base of our customers in
countries all over the world and liaise with head office on a daily
basis. You'll be responsible for delivering high standards of customer
service ensuring high delivery speed and quality of orders. That would
particularly be done through managing a part of a sales cycle -
ensuring fast remittance of payments through your bank account and then
- through world wide Western Union system and calculating fees at each
step.
To sum up - Your mission in the company would be to create and maintain
positive relationships with existing clients that result in new
customers, lead to and maximize opportunities for expansions and
renewals to enhance revenue stream.
To become
a Regional Sales Manager You should be able to perform: excellent
spoken English & communication skills, significant attention to
detail, excellent organizational skills and ability to work
unsupervised. You shall be extroverted and outgoing, with a positive
outlook, customer focused and focused on own personal goals,
integrating the achievement of company objectives.
Having joined in our team, You'll enjoy a wide range of benefits we can
offer! For example, a base salary with generous commissions (10% out of
each payment you've dealt with) and expenses, as well as flexible
timetable, that will allow you to chose the most suitable time to deal
with company assignments.
If You are interested in a position offered and for the rewards you
want, when you want them visit
our website to apply.
We are
waiting you hearing from you asap.
Any questions are welcome.
Yours sincerely, Susanne Park
Note
the usual Bayesian filter
avoidance 'code', commonly used by these criminals and the 'rockphish'
scammers alike.
The Zombie Botnet
How I am searching:
Searching for wtrc.cc A record at h.root-servers.net [128.63.2.53]: Got
referral to c3.nstld.com. (zone: cc.)
Searching for wtrc.cc A record at c3.nstld.com. [192.26.92.32]: Got
referral to NS2.BOX-PR.COM. (zone: wtrc.cc.)
Searching for wtrc.cc A record at NS2.BOX-PR.COM. [24.55.193.11]: Timed
out. Trying again.
Searching for wtrc.cc A record at NS1.BOX-PR.COM. [72.36.142.251]:
Reports wtrc.cc. Response:
The data shows a standard zombie botnet where the
nameserver ns1.box-pr.com hosted by Layered Technologies,
Inc., on
IP 72.36.142.251 is acting as a zombie botnet controller
'herding'
the rotating zombies, (as determined by RDNS), in the 'A' records list
which are hosting the fraud site (as determined by TRACERT). These
criminals are
experienced liars, thieves and professional confidence
tricksters. Do not be
fooled - do
not believe them. The evidence of criminal fraud is undeniable.
I'd
like to thank the many honest & ethical hosts who have
disconnected
these fraudsters within an hour of receiving an abuse report, (several
in c. 20 minutes). However, the zombie botnet controlling nameservers
seem to be occasionally hosted by Colocation/VPS service providers who
do not respond to criminal fraud abuse reports. The honest &
ethical SPs will respond with an immediate, (preferably not 24 hours or
48 hours & certainly not never...), disconnection on receipt of
a
criminal abuse
report,
having considered the evidence below & investigated, but more
and
more
frequently service providers stall or simply ignore abuse reports.
This latter minority of uncaring & unethical hosts are aiding
and
abetting criminal fraud
and
the victims suffer because of it. Blocking
The spam
I
have had quite a few queries about how to block the criminal's spam in
Outlook Express. Fortunately they are easily detected using the OE
'Mail Rules' (Tools - Message Rules - Mail).
Rules based on the
From, To etc addresses will never work as the header data is all
forged. The message body remains constant, however & that can
be
used to detect them.
Use the rule "Where the message body
contains specific words" and use "Waller Truck Co."
as
the search item then choose 'delete' (or whatever action you prefer) as
the action then that will definitely detect every single one of these
spams.
If
you find this site helpful then please feel free to link to it on your
website by inserting the following HTML code, (opens site in new
window): <a
href="http://www.bobbear.co.uk" target="_blank">Money
Laundering Fraud Websites</a>Fraud
BlogInitial
entry 27th. November 2007
Domains wtrc.cc and watrc.cc received in spams. Later
-
Domains wtrc.cc and watrc.cc
&
box-pr.com all parked by Register.com so unless the criminal has other
domains that I'm not aware of, he is off-line. Please let me
know
if you know of any
resolving domains for this criminal. Unfortunately the quick suspension
of the Register.com domains prevented Layeredtech seeing the zombie
botnet, but they'll be back.... 28th.
November 2007 ...and so they are -
three new domains received in spam
this morning - both on the Layeredtech hosted zombie botnet using a new
nameserver domain, (newlookgame.com - IA
Registry/Spiritdomains):
The data shows a standard zombie botnet where the
nameserver ns1.newlookgame.com hosted by Layered Technologies, Inc., on
IP 72.36.142.251 is acting as a zombie botnet controller
'herding'
the rotating zombies, (as determined by RDNS), in the 'A' records list
which are hosting the fraud site (as determined by TRACERT).
The latest domains are registered with the registrar Nic.ac which has a
history of registering domains for the Draper Investment fraudster, the
Cronos Investment fraudster criminals and ignoring every single abuse
report.
Later
-
Layeredtech have disconnected the criminals nameserver
ns1.newlookgame.com [72.36.142.251] and the criminal has now set up a
new
botnet hosted by a UK company called No Wires Ltd of Nether Poppleton,
YORK on IP 193.33.179.162:
The data shows a standard zombie botnet where the
nameserver ns1.newlookgame.com hosted by No Wires Ltd of Nether Poppleton,
YORK, UK, on
IP 193.33.179.162 is acting as a zombie botnet controller 'herding'
the rotating zombies, (as evidenced by RDNS data), in the 'A' records
list
which are hosting the fraud site (as evidenced by TRACERT data), using
the listed domains. 29th. November 2007
New domain reported
by site contact - wallc.ac once again on the No Wires Ltd zombie botnet.
Later - new domain reported (trwa.ac)
on new network:
Looking up at the 2 trwa.ac. parent servers:
Server
Response
ns1.nsters.com
[200.72.139.67]
81.1.255.134
ns3.nsters.com
[202.74.32.13]
Timeout
The host on this one
is :
netname:
ZSTTK-NET
descr:
JSC "Zap-Sib TransTeleCom" Once again
this site thief, criminal fraudster and spammer
is registering his criminal domains with the Registrar Nic.ac, (aka nic.io, nic.sh,
nic.tm, UWhois.com, the Internet Computer Bureau and 'InOne' , a
'one-stop' networking business. Unfortunately
this company has failed to respond to any abuse
reports submitted.30th. November 2007
Another new domain received in this morning's spam - watrco.ac once
again registered with the criminal registrar Nic.ac on another 'new'
network:
Looking up at the 2 trwa.ac.
parent servers:
Server
Response
ns1.nsters.com
[200.72.139.67]
81.10.22.174
ns3.nsters.com
[202.74.32.13]
Timeout
The
host on this one is :
IP:
81.10.22.174
netname:
TEData-ADSL-Pool
descr: TE
Data ADSL Pool
RDNS: host-81.10.22.174.tedata.net
Which
is quite interesting - that data (ADSL) tells
me that the crook is now using individual zombied machines (81.10.22.174) as his site
host and the real villain in the piece is the zombie controller ns1.nsters.com
[200.72.139.67] which by definition is using a criminal registered
nameserver domain, (nsters.com - Todaynic), hosted
by:
The data shows a standard zombie botnet where the
nameserver ns1.newlookgame.com hosted by INTERNETONDEMAND-LTD,
on
IP 83.142.48.60 is acting as a zombie botnet controller 'herding'
the rotating zombies, (as evidenced by RDNS data), in the 'A' records
list
which are hosting the fraud site (as evidenced by TRACERT data), using
the listed domains.
Later
- New domains received in spam - watrco.ac
& waecom.ac,
trwa.ac and new domain wlertr.ac
notified to me by site contact.
Looking up at the 2 watrco.ac. parent servers:
Server
Response
ns1.nsters.com
[200.72.139.67]
81.3.139.250
ns3.nsters.com
[202.74.32.13]
Timeout
The host on this one (IP: 81.3.139.250) is :
org:
ORG-ZP1-RIPE 81.3.139.250
netname:
RU-PETERSTAR-20020419
descr:
ZAO PeterStar
Later - new domain notified by site
contact - wallt.ac on the INTERNETONDEMAND-LTD zombie botnet. Later
- New domain noticed in the wild - wallco.ccon the INTERNETONDEMAND-LTD zombie botnet. 1st. December 2007
Another month and the registrar Nic.ac is still making money from
spammers and criminal fraudsters - new .ac domain received in spam this
morning - waecom.ac on the ZAO PeterStar network above.
The criminal has ten known active domains at the moment, nine of them
registered with nic.ac - he simply doesn't need another registrar when
he's found one that appears to be quite happy to aid and abet his
criminal activities by ignoring all abuse reports. 4th. December
2007 The criminal has a new
nameserver domain, but the same host in INTERNETONDEMAND-LTD
Looking up at the 2 walltr.ac, walltrco.ac, walltco.ac, wallt.ac , & wallc.ac parent servers:
The data shows a standard zombie botnet where the
nameserver ns1.vip73.com hosted by
INTERNETONDEMAND-LTD of Unit 18 Liversedge West
Yorkshire, on
IP 83.142.48.60 is acting as a zombie botnet controller 'herding'
the rotating zombies, (as evidenced by RDNS data), in the 'A' records
list
which are hosting the fraud site (as evidenced by TRACERT data), using
the listed domains. 6th. December
2007 Another .ac domain received in
spam - wtrco.ac.
I'm not going to waste my time reporting it - the owner of Nic.ac, Paul M Kane,
is apparently happy to continue to make money out of criminal
fraudsters and spammers with seemingly no regard for the victims of
this criminal fraudster.
The IP
81.16.94.132 belongs
to Novgorod ADSL Network so it looks like another single zombie as it
has an RDNS of xdsl-94-ppp132.tts.nov.ru. It's being controlled by the
controller ns1.nsters.com on 200.72.139.67 which is an ENTEL CHILE S.A.
IP who ignore abuse reports so it's a complete waste of time
reporting to them. The same seems to be true for INTERNETONDEMAND-LTD
of Unit 18 Liversedge West Yorkshire who have also ignored
all abuse
reports so far. The criminal has chosen his suppliers wisely,
especially
with the UK registrar Nic.ac who has a full house of the criminals
active domains, (the first time I've known that happen - a shameful
record, I think).
I am ashamed to say that it is both a UK registrar
and a UK ISP that are the main sponsors of these criminals at the
moment and I apologise to their victims. 8th. December 2007
The zombie botnet host IP 83.142.48.60 appears to be dead this morning,
so perhaps someone finally got through
to INTERNETONDEMAND-LTD. Needless
to say, all of the criminal's .ac domain registrations are still active. 9th. December 2007
It looks as though INTERNETONDEMAND-LTD.are
still hosting this criminal fraudster - it's just the nameserver domain
vip73.com
that has been parked by Register.com. Thanks guys for being one of the
few ethical bright spots in the current list of this criminal's
suppliers. The criminal's zombie botnet
is now back up using the newly registered nameserver domain imaxq.com
(Spiritdomains - 03-dec-2007).
The data shows a standard zombie botnet where the
nameserver ns1.imaxq.com hosted by
INTERNETONDEMAND-LTD of Unit 18 Liversedge West
Yorkshire, on
IP 83.142.48.60 is acting as a zombie botnet controller 'herding'
the rotating zombies, (as evidenced by IP RDNS data), in the 'A'
records list
which are hosting the fraud site (as evidenced by domain TRACERT data),
using the listed domains.
The domains wtrco.ac,
watrco.ac,
waecom.ac, trwa.ac & wlertr.ac are all timing out ATM which
is a little odd as the ENTEL CHILE S.A./Novgorod ADSL network appears to be intact
from the DNS inf.
Spam received using domain walltrco.ac - he's got plenty of
choice from his .ac domains... 11th. December
2007 The criminal's .ac domains are
all still all resolving despite numerous notifications
of the abuse to Nic.ac. It has been determined by a
challenge-response method that Nic.ac undoubtedly do receive the
communications addressed to them so there is no doubt that they are
fully aware of these criminals and their activity but continue to
provide them with .ac domains as they previously did for the Cronos
Investment and Draper Investment money laundering & phishing
criminals before them and continue to ignore all requests for
suspension. It should be borne in mind that the evidence from the
zombie botnet distributed spam suggests that these criminals are also
the 'rockphish' phishing criminals.
The zombie botnet
controller ns1.imaxq.com [83.142.48.60] is still operating courtesy of
INTERNETONDEMAND-LTD
and no response has been received from the company, but hopefully there
should be some response soon as some very welcome help has been kindly
offered from the side of UK law enforcement to
resolve this issue.
Confirmation
of Nic.ac's position on abuse has been received from them by a friend.
To sum up they have no enforced Acceptable Use Policy or Abuse Policy
of their own - to use their own words: "we do not get involved at all".
Their abuse policy is administered solely by WIPO, and appears to be
limited to intellectual property issues only, and in any event a
complaint to WIPO under the procedure regarding a .ac domain has to be
accompanied by a $500 initial fee, which is obviously effectively going
to prohibit the normal reporting of fraud, spam etc domains.
12th. December
2007
The INTERNETONDEMAND-LTD
IP has now been shut down and the criminal has moved his botnet to 66.79.171.146
Searching for walltr.ac A record at m.root-servers.net [202.12.27.33]:
Got referral to NS3.ICB.CO.UK. (zone: ac.)
Searching for walltr.ac A record at NS3.ICB.CO.UK.
[217.199.188.61]: Got referral to NS1.IMAXQ.COM. (zone: walltr.ac.)
Searching for walltr.ac A record at NS1.IMAXQ.COM. [66.79.171.146]:
Reports walltr.ac. Response:
Domain
Type
Class
TTL
Answer
walltr.ac.
A
IN
1800
89.34.222.4
walltr.ac.
A
IN
1800
89.136.176.120
walltr.ac.
A
IN
1800
75.181.12.180
walltr.ac.
A
IN
1800
86.105.153.174
walltr.ac.
A
IN
1800
86.107.101.225
walltr.ac.
NS
IN
1800
ns2.imaxq.com.
walltr.ac.
NS
IN
1800
ns1.imaxq.com.
ns1.imaxq.com.
A
IN
1800
66.79.171.146
ns2.imaxq.com.
A
IN
1800
20.31.85.15
Looking up at the 2 walltr.ac. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A'
Records (Zombie Site Host IPs)
The IP belongs to Managed
Solutions Group, Inc. of Fremont CA
The data
shows a standard zombie botnet where the
nameserver ns1.imaxq.com hosted byManaged Solutions Group,
Inc. of Fremont CA on
IP
66.79.171.146 is acting as a zombie botnet
controller 'herding'
the rotating zombies, (as evidenced by IP RDNS data), in the 'A'
records list
which are hosting the fraud site (as evidenced by domain TRACERT data),
using the listed domains. The nameserver domain imaxq.com has been registered
by the criminals with SPIRITDOMAINS/IAREGISTRY13th. December
2007 The above
Managed
Solutions Group, Inc. zombie botnet is still functional,
hosting domains walltr.ac, walltrco.ac, walltco.ac &wallc.ac For some reason he's split off
domain wallt.ac
on to its own network, although it's showing a Nownet login/parking
page at the moment:
Looking up at the 2 wallt.ac
parent servers:
Server
Response
ns7.01isp.com
[218.16.121.3]
61.238.149.50
ns8.01isp.net
[203.169.164.16]
61.238.149.50
The IP 61.238.149.50 belongs to City Telecom (H.K.) Ltd. The five
domains wtrco.ac,waecom.ac, trwa.ac & wlertr.ac are
now on a new network as follows:
Looking up at the 2 wlertr.ac. parent servers:
Server
Response
ns1.yesnsok.com [200.72.139.67]
202.103.49.198
ns5.yesnsok.com [0.0.0.0]
Timeout
The
IP 202.103.49.198 belongs to The Dongpu Information
Technology
Company, in ShiYan city Hubei Province. The nameserver IP 200.72.139.67
is the usual ENTEL CHILE S.A. IP - they have not responded to abuse
reports. 15th. December
2007
New domains reported to me by site contact: waco.nu and waltr.nu Looks
like the criminal is branching out to Niue domains. For these
two
domains he's using his old Cronos botnet, albeit on a new IP:
Searching for waco.nu A record at c.root-servers.net [192.33.4.12]: Got
referral to NS0.TELIA.NIC.nu. (zone: nu.)
Searching for waco.nu A record at NS0.TELIA.NIC.nu. [212.181.91.4]:
Got referral to ns1.thelastwall.com. (zone: waco.nu.)
Searching for waco.nu A record at ns1.thelastwall.com. [65.38.67.41]:
Reports waco.nu. Response:
Domain
Type
Class
TTL
Answer
waco.nu.
A
IN
1800
78.88.96.150
waco.nu.
A
IN
1800
78.96.20.179
waco.nu.
A
IN
1800
79.176.233.30
waco.nu.
A
IN
1800
85.204.210.35
waco.nu.
A
IN
1800
89.137.159.82
waco.nu.
NS
IN
1800
ns2.thelastwall.com.
waco.nu.
NS
IN
1800
ns1.thelastwall.com.
ns1.thelastwall.com.
A
IN
1800
65.38.67.41
ns2.thelastwall.com.
A
IN
1800
67.82.17.59
Looking up at the 2 waco.nu. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A'
Records (Zombie Site Host IPs)
The data shows a standard zombie botnet where the nameserver
ns1.thelastwall.com hosted by Globale
Internet InfoAccess of Mont-Royal, Canada, on IP 65.38.67.41
is acting as a zombie botnet controller 'herding' the rotating zombies,
(as evidenced by IP RDNS data), in the 'A' records list which are
hosting the fraud site (as evidenced by domain TRACERT data), using the
listed domains. The five
domains wtrco.ac, watrco.ac,
waecom.ac, trwa.ac & wlertr.ac are
now on a new network as follows:
Looking up at the 2 wlertr.ac. parent servers:
Server
Response
ns1.yesnsok.com
[200.72.139.67]
81.16.94.132
ns5.yesnsok.com
[85.11.183.83]
[Reports no A record
(NXDOMAIN)]
The
IP 81.16.94.132 belongs to The Novgorod ADSL Network. The nameserver IP
200.72.139.67
is the usual ENTEL CHILE S.A. IP - they have not responded to abuse
reports. 16th. December
2007
Two new domains notified to me by a site contact - walc.nu and wal.la,
(both on the Globale
Internet InfoAccess zombie
botnet),
so the criminal is branching out to .la domains. At $200 a punt, he's
not ordering these for the beauty of the city... Still, when you're
using stolen funds to buy them, the cost doesn't matter, I guess... 17th. December
2007
New .la domain notified to me by site contact - wtr.la Globale
Internet InfoAccess must have taken action asthere is a new botnet host -
(74.62.155.11). Network details:
DNS Data for wal.ph,
wa.kg,
wal.kg,
wtrc.la,
walc.la
How I am searching:
Searching for wa.kg A record at l.root-servers.net [199.7.83.42]: Got
referral to ns.kg. (zone: kg.)
Searching for wa.kg A record at ns.kg. [195.38.160.36]: Got referral to
NS2.THELASTWALL.COM. (zone: wa.kg.)
Searching for wa.kg A record at NS2.THELASTWALL.COM. [67.82.17.59]:
Timed out. Trying again.
Searching for wa.kg A record at NS1.THELASTWALL.COM. [74.62.155.11]:
Reports wa.kg. Response:
Domain
Type
Class
TTL
Answer
wa.kg.
A
IN
1800
77.81.74.80
wa.kg.
A
IN
1800
80.98.118.108
wa.kg.
A
IN
1800
80.98.250.13
wa.kg.
A
IN
1800
82.30.9.238
wa.kg.
A
IN
1800
82.36.215.196
wa.kg.
A
IN
1800
85.66.49.199
wa.kg.
A
IN
1800
85.66.183.180
wa.kg.
NS
IN
1800
ns2.thelastwall.com.
wa.kg.
NS
IN
1800
ns1.thelastwall.com.
ns1.thelastwall.com.
A
IN
1800
74.62.155.11
ns2.thelastwall.com.
A
IN
1800
67.82.17.59
Looking up at the 2 wa.kg. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A'
Records (Zombie Site Host IPs)
The data
shows a standard zombie botnet where the nameserver ns1.thelastwall.com
hosted by Road Runner
HoldCo LLC,
on IP 74.62.155.11
is acting as a zombie botnet controller 'herding' the rotating zombies,
(as evidenced by IP RDNS data), in the 'A' records list which are
hosting the fraud site (as evidenced by domain TRACERT data), using the
listed domains.
The new host for
nameserver ns1.thelastwall.com
[74.62.155.11] is Road
Runner who unfortunately never understand the problem -
this is the same zombie botnet host IP used for this criminal's Cronos
scam.
The Domain watrco.ac
is now on the following network: Looking up at the 2 watrco.ac. parent
servers:
Server
Response
ns1.nsters.com [200.72.139.67]
202.103.49.198
ns3.nsters.com [200.111.60.84]
[Reports no A
record (NXDOMAIN)]
The IP 202.103.49.198 belongs to The Dongpu Information
Technology Company in ShiYan city Hubei Province. The
nameserver
IP 200.72.139.67
is the usual ENTEL CHILE S.A. IP - they have not responded to abuse
reports.
Nic.ac are still knowingly sheltering all of this criminal fraudters
.ac domains.
17th. December
2007
All of the criminal's .nu and .la domains have been
suspended thanks to ethical action by www.la and nic.nu. Unfortunately, Nic.ac are
still knowingly sheltering all of this criminal fraudsters .ac domains.
The Domain watrco.ac
is now on the following network: Looking up at the 2 watrco.ac. parent
servers:
Server
Response
ns1.nsters.com
[200.72.139.67]
60.209.122.34
ns3.nsters.com
[200.111.60.84]
60.209.122.34
The IP 60.209.122.34
belongs to CNCGROUP Shandong province network
The nameserver
IP 200.72.139.67
is the usual ENTEL CHILE S.A. IP - they have not responded to abuse
reports.
Unfortunately,
Nic.ac are still knowingly sheltering all of this criminal fraudsters
.ac domains except wallt.ac which has a peculiar "awaiting payment
authorisation" in the whois data - hopefully the registrar Nic.ac has
had a chargeback due to the the crook using stolen funds.
No
response from Managed Solutions Group, Inc. of Fremont CA regarding the
zombie botnet they are hosting on 66.79.171.146. I hope we haven't
another unethical host here.
Roadrunner
haven't actually done anything to take their botnet down on 74.62.155.11, the
registrars have just suspended the domains using it - it will
undoubtedly be back up shortly with new domains.....19th. December
2007
...and here they are - new domains reported by site contacts - wallertruckco.ph
hosted on the Managed Solutions Group, Inc.
zombie botnet) and wal.ph wa.kg wal.kg wtrc.la walc.la
all hosted on the RoadRunner
zombie botnet. DNS data for both botnets shown above. 22nd. December
2007
The domains wtrc.la
and walc.la
have both been disabled by LA
Names Corporation - well done to them for a fast
and ethical response, (also thanks to Nic.nu). If Nic.ac
was as honest
& ethical then all the criminal's .ac domains would
not still be active.
While
we are talking about unethical and/or dishonest service providers it's
worth noting that the criminal's two zombie botnets are both still
operational despite many acknowledged abuse reports. The fact that the RoadRunner
botnet is still operational is probably more down to ignorance and
incompetence rather than outright criminality, but the end result is
the same, i.e. these criminals and their zombie botnet continue to get
hosted by RoadRunner.
It was first reported to them by me on 17th. December and
after a few exchanges with the RoadRunner
abuse team it quickly became evident that the above botnet DNS data might as
well have been tabulated in Klingon for all they understood it.
The 'Managed
Solutions Group, Inc.' botnet is perhaps a different
kettle of rather smelly fish.
Although Managed
Solutions Group, Inc.
of Fremont CA appear in the IP whois data as the organisation
responsible for the IP, several abuse reports on this botnet to the
whois listed address
abuse@managedsg-inc.com produced no response. Only after copying the
abuse report to the assessed major upstream network provider,
Cogentco.com, was a reply received from coreisp.nl who informed me that: "DedicatedBox.net on the network
of CoreISP.nl Corporation is actually responsible for hosting this
server", so it would appear that the whois data for the
IP 66.79.171.146 is rather misleading
to say the least. In fact 'Managed
Solutions Group, Inc.' appears to be simply a
'shield' company - note that 'Managed
Solutions Group, Inc.'
does not have a website that I can find and Google searches
on their domain(s) and company name produce a whole shed-load of scam
& spam abuse. However, it
would appear that for Managed
Solutions Group, Inc.
read DedicatedBox.net/coreisp.nl, especially as on that website
the listed datacenter location and office locations respectively for DedicatedBox.net are San
Jose, California, US. and Fremont, California, US and where does the
whois data say Managed
Solutions Group, Inc.
live? You guessed it - Fremont,
California, US. Anyway, all that aside, correspondence with coreisp.nl, (abuse@coreisp.nl), has
sadly proved fruitless and the Walla Truck zombie botnet controlled by ns1.imaxq.com
remains active on IP address 66.79.171.146 although coreisp.nl are fully
aware of the criminality that they are hosting which is not surprising
as the domains coreisp.nl
andDedicatedBox.net are
registered to the same person.
So,
if you are receiving the Walla Truck criminal fraud spam involving any
of the domains
wallertruckco.ph, wallc.ac,
walltrco.ac, walltr.ac, walltco.ac
and/or
nameserver ns1.imaxq.com on IP 66.79.171.146 you need to report the abuse
to abuse[at]coreisp.nland
copy the report to abuse[at]cogentco.com. The same goes
for any abuse involving a 'Managed
Solutions Group, Inc.' listed IP address.
If, however, you are
receiving the Walla Truck criminal fraud spam involving any of the
domains
wal.ph,
wa.kg,
wal.kg
and/or nameserver ns1.thelastwall.com on IP 74.62.155.11 then
you need to report the abuse to abuse[at]rr.com and
copy the report to abuse[at]level3.com who might hopefully
take it upon themselves to knock some sense into RoadRunner. 24th. December
2007 The criminal's two zombie
botnets are still active, knowingly hosted by RoadRunner and coreisp.nl. All the
criminal's long-term .ac domains are still active, courtesy of Nic.ac
and the criminals .ph and .kg domains are also still active. The
criminal has chosen his accessories wisely for a Happy and profitable
Christmas of fraud. Thanks are due to LA Names Corporation
and Nic.nu
for being an oasis of decency and honesty by suspending the criminal's
.la and .nu domains. 26th. December
2007
The criminal had
brought his domains trwa.ac,
waecom.ac and wtrco.ac back into service on a new network
using
nameservers ns1.seensonline.com and ns2.seensonline.com. Unfortunately
for them, Estdomains have almost immediately suspended the criminal's
domain seensonline.com
- well done, guys. Not surprising really, as it's been used for a whole
nest of this criminal's other phishing sites by the look of it. 28th. December
2007
The Domain watrco.ac
is currently on the following network: Looking
up at the 2 watrco.ac. parent servers:
Server
Response
ns3.nsters.com [200.111.60.84]
81.16.94.132
ns1.nsters.com [200.72.139.67]
81.16.94.132
The
IP 81.16.94.132 belongs to the Novgorod ADSL Network once again
&
looks to me like a criminal owned end user machine or zombie. The
nameserver
IPs 200.72.139.67 and 200.111.60.84 are the usual ENTEL CHILE
S.A.
IPs - they have not responded to abuse
reports.
Coreisp.nl and Roadrunner are still hosting this
criminal spammer's two zombie botnets and Nic.ac
are still the willing main provider of this criminal's fraud domains.
All the service providers are fully aware of the criminality they are
facilitating, yet choose to carry on providing the criminal with the
means to perpetrate his criminal fraud.
Later -
Now the domain watrco.ac is on the following network:
Looking
up at the 2 watrco.ac. parent servers:
Server
Response
ns1.nsters.com
[200.72.139.67]
85.105.182.6
ns3.nsters.com
[200.111.60.84]
85.105.182.6
The IP 85.105.182.6 is a
Turktelecom ADSL IP, i.e. another end user/zombie without doubt, (RDNS=
dsl.static.85-105-46598.ttnet.net.tr).
Note the RDNS & dsl info. which betrays the end user status, (Digital Subscriber Line).
It
is self-evident that the criminal is just plugging single zombies into
a 'botnet' controlled by ns1.nsters.com
and ns3.nsters.com
- whether these end user machines are criminally owned machines or
simply
hijacked PCs is unknown.
The
nameserver
IPs 200.72.139.67 and 200.111.60.84 are the usual ENTEL CHILE S.A.
nameserver IPs - they have not responded to abuse
reports. The nameserver domain nsters.com, (registered with TODAYNIC.COM, INC), is also undoubtedly
criminally
owned
as it is used in
association with hosting zombies and has been recorded as having been
used for 'phishing' domains, apart from also having been used for the
Cronos Investment fraudster's networks.
New domain received in spam - wlt.ph (Hosted on the RoadRunner
zombie botnet). 29th. December
2007
New domain received in spam - walc.ph - (Hosted on the DedicatedBox.net/coreisp.nl
hosted zombie botnet).
New domain reported by site contact - wll.kg (Hosted on the RoadRunner hosted
zombie botnet).
New domain reported
by site contact - wc.la
-
(Hosted on the DedicatedBox.net/coreisp.nl
hosted zombie botnet). 1st. January 2008
Well, another year and this criminal's accomplices, i.e. Nic.ac, RoadRunner, CoreIsp.nl
and others are still knowingly & willingly providing the
services
that allow him to continue spamming and perpetrating his criminal
fraud. No new years resolutions of honesty and decency for them, I
guess. The one beacon of honesty is www.la who don't aid and abet
criminality - thanks from me and the victims of this money laundering
criminal.
New domain notifed by site contact - watr.la (Hosted on the CoreIsp
zombie botnet). 5th. January 2008
New domain notified to me by site contact - wll.la(Hosted
on the RoadRunner zombie botnet). 6th. January 2008
Both the criminal's zombie botnets are still intact (Roadrunner and CoreIsp.nl).
The owner of Coreisp.nl is aware of the problem but has taken no
action. Roadrunner have also been informed of the problem &
also
seem happy to continue to host this criminal fraudster, so if you are
receiving spam from these crooks or have lost money to them then at
least you know who is knowingly providing the criminals with the means
to commit their fraud. 8th. January 2008
It looks as though the Managed Solutions Group/DedicatedBox.net/coreisp.nl
zombie botnet has finally been disconnected - it shouldn't have taken
this long. Domains.ph and www.la have been doing a superb job of
suspending this criminal's .ph and .la registrations, (especially
www.la) so full marks and many thanks to the both of them for acting so
responsibly. Nic.ac
have not
responded to any request for suspension, (either direct or to WIPO),
but some of the .ac domains are parked, ostensibly for re-sale, so I
would guess, (& it is just a guess - I'm open to
correction...),
that Nic.ac
have had payment
problems, (i.e. perhaps some of the criminal's stolen cheques have
bounced).
They've certainly been aware of the criminal activity from the word go
and haven't acted on reports of that & many .ac domains still
have
active registrations. The Roadrunner
zombie botnet is still intact, (the RoadRunner
abuse team just responds to requests for disconnection with silly
requests for irrelevant information - the problem is obviously not in
their script), but the only known working domain on it at the moment is
wll.kg. The only
other known working domain for this criminal is
watrco.ac which is still active on the Turktelecom IP 85.105.182.6. Let me know of any other
working domains for this crook.
I
think the criminal may be losing interest in this scam. He's had a
pretty easy ride on this one so far, largely due to the unethical
behaviour of some of the service providers as previously occasionally
mentioned.....
Later:
Perhaps the crook hasn't lost his interest in this scam after
all
- he's already set up a new botnet to replace the CoreIsp.nl one:
How I am searching:
Searching for wtr.kg A record at d.root-servers.net [128.8.10.90]: Got
referral to NS-KG.RIPE.NET. (zone: kg.)
Searching for wtr.kg A record at NS-KG.RIPE.NET. [193.0.12.119]: Got
referral to NS2.IMAXQ.COM. (zone: wtr.kg.)
Searching for wtr.kg A record at NS2.IMAXQ.COM. [20.31.85.15]: Timed
out..
Searching for wtr.kg A record at NS1.IMAXQ.COM. [206.71.145.95]:
Reports wtr.kg. Response:
The data
shows a standard zombie botnet where the nameserver ns1.imaxq.com
hosted by Convergent Network Services of Hicksville NY on IP
206.71.145.95 is acting as a zombie botnet controller 'herding' the
rotating zombies, (as evidenced by IP RDNS data), in the 'A' records
list which are hosting the criminal's fraud website (as evidenced by
domain TRACERT data), using the domainswtr.kg.&
walltr.ac. The nameserver domain imaxq.com has been registered
by the criminals with SPIRITDOMAINS/IAREGISTRY
Later - He's back alright -
spamming me using both the Ironcolo.com/Convergent Network Services
and RoadRunner
botnets as defined above to host domains wa.kg and walltr.ac 10th. January 2008 IARegistry/Spiritdomains
have suspended the crooks nameserver domain thelastwall.com so
he's now slotted in a new one, (tthroot.com - a
previously refunded domain now registered with Register.com on 13-Dec-2007), to the RoadRunner hosted
zombie botnet. Details:
DNS Data for wa.kg,
wll.kg
, wac.ph,
wcc.ph,
wlt.kg
How I am searching:
Searching for wll.kg A record at i.root-servers.net [192.36.148.17]:
Got referral to NS.kg. (zone: kg.)
Searching for wll.kg A record at NS.kg. [195.38.160.36]: Got referral
to NS2.TTHROOT.COM. (zone: wll.kg.)
Searching for wll.kg A record at NS2.TTHROOT.COM. [24.80.95.10]: Timed
out. Trying again.
Searching for wll.kg A record at NS1.TTHROOT.COM. [74.62.155.11]:
Reports wll.kg. Response:
Domain
Type
Class
TTL
Answer
wll.kg.
A
IN
1800
80.133.65.233
wll.kg.
A
IN
1800
84.108.54.36
wll.kg.
A
IN
1800
84.109.154.72
wll.kg.
A
IN
1800
86.122.254.124
wll.kg.
A
IN
1800
89.139.178.198
wll.kg.
A
IN
1800
71.228.246.37
wll.kg.
A
IN
1800
78.96.168.64
wll.kg.
NS
IN
1800
ns1.tthroot.com.
wll.kg.
NS
IN
1800
ns2.tthroot.com.
ns1.tthroot.com.
A
IN
1800
74.62.155.11
ns2.tthroot.com.
A
IN
1800
24.80.95.10
Looking up at the 2 wll.kg. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A'
Records (Zombie Site Host IPs)
The data shows a
standard zombie botnet where the nameserver ns1.tthroot.com
[74.62.155.11]
hosted by Road Runner
HoldCo LLC, on IP 74.62.155.11
is acting as a zombie botnet controller 'herding' the rotating zombies,
(as evidenced by IP RDNS data), in the 'A' records list which are
hosting the fraud site (as evidenced by domain TRACERT data), using the
listed domains.
The host for nameserver ns1.tthroot.com
[74.62.155.11] is Road Runner
who unfortunately never understand the problem & just respond
to
abuse reports with silly requests for irrelevant data - this situation
is apparently not in their script.
As
expected, there has been no response to an abuse complaint to
Convergent Network Services regarding the hosting of the zombie botnet
on 206.71.145.95. 11th. January 2008
Ironcolo.com/Convergent Network
Services are once again ignoring all abuse reports
regarding their criminal clients, (as they did when they hosted
botnets for the Aegis Capital Group
fraud, the Sydney Car Centre fraud and
the Harvey Investment fraudsters). They also have no abuse
reporting address of abuse@convergentns.net,
(as they
are required to do by RFC's). That address bounces with a 'user unknown' error
and the whois data listed contact address of non@convergentns.net also
bounces with this uninformative message: 550 5.1.1
/var/cnsnoc: line 3: mstroh... User unknown. 12th. January 2008 Two new domains received in Walla Truck spams - wtrk.org,
(IA Registry/Spiritdomains),
and wltc.la (www.la). Both of them are
hosted on the IronColo.com/Convergent Network Services zombie botnet,
(DNS data above). ***Latest News*** 13th. January 2008 New domains seen in the wild - wtrco.com
(IA Registry/Spiritdomains) - on the IronColo.com/Convergent
Network Services zombie botnet and wlt.kg (domain.kg) - on the
RoadRunner zombie botnet, (DNS data above for both).
The IP 81.16.131.40 belongs to the 'Complex
Telmatic Systems' Siberia network - a Russian internet
service provider.
The
nameserver IPs 200.72.139.67 and 200.111.60.84 are the usual ENTEL
CHILE S.A. nameserver IPs - they have not responded to abuse reports.
The nameserver domain nsters.com, (registered with TODAYNIC.COM, INC),
is also undoubtedly criminally owned as it is used in association with
hosting zombies and has been recorded as having been used for hundreds
of
'rockphish' phishing domains, apart from also having been used
for
the Cronos Investment fraudster's networks. The nameserver
ns1.nsters.com proves these crooks and the 'rockphish' scammers are one
and the same so any crooked service provider who supports this criminal
is also supporting the rockphish criminals. 14th. January 2008
No information or response has been received from IronColo.com/Convergent
Network Services, but for whatever reason the criminal's botnet that
has been hosted by them since Jan. 8th. has now been moved to a
Cogentco.com IP - 38.101.159.50 as per the following DNS details:
Searching for wtr.kg A record at f.root-servers.net [192.5.5.241]: Got
referral to NS-KG.RIPE.NET. (zone: kg.)
Searching for wtr.kg A record at NS-KG.RIPE.NET. [193.0.12.119]: Got
referral to NS2.IMAXQ.COM. (zone: wtr.kg.)
Searching for wtr.kg A record at NS2.IMAXQ.COM. [20.31.85.15]: Timed
out. Trying again.
Searching for wtr.kg A record at NS1.IMAXQ.COM. [38.101.159.50]:
Reports wtr.kg. Response:
The data
shows a standard zombie botnet where the nameserver ns1.imaxq.com
hosted by bigvps.com, (a
brand of colo4jax, LLC), as a reseller of Cogentco.com (Performance
Systems International Inc.) on IP 38.101.159.50 is
acting as a zombie botnet controller 'herding' the
rotating zombies, (as evidenced by IP RDNS data), in the 'A' records
list which are hosting the criminal's phishing and fraud website, (as
evidenced by
domain TRACERT data), using the domainswtr.kg, wtrk.org,
wtrco.com &walltr.ac. The nameserver domain imaxq.com has been
registered by the criminals with SPIRITDOMAINS/IAREGISTRY. 15th. January 2008
The above botnet has been shut down by Cogentco.com and the criminal is
in the process of setting up on the new IP 194.150.121.96 as
follows:
Searching for wtr.kg A record at l.root-servers.net [199.7.83.42]: Got
referral to ns.kg. (zone: kg.)
Searching for wtr.kg A record at ns.kg. [195.38.160.36]: Got referral
to NS1.IMAXQ.COM. (zone: wtr.kg.)
Searching for wtr.kg A record at NS1.IMAXQ.COM. [194.150.121.96]:
Reports wtr.kg. Response:
The data
shows a standard zombie botnet where the nameserver ns1.imaxq.com
hosted by Othello
Technology Systems Ltd, (ip96-vps2.tidyhosts.com),
on IP 194.150.121.96
is acting as a zombie botnet controller 'herding' the
rotating zombies, (as evidenced by IP RDNS data), in the 'A' records
list which are hosting the criminal's phishing and fraud website, (as
evidenced by
domain TRACERT data), using the domains wtr.kg, wtrk.org, wtrco.com & walltr.ac . The nameserver domain imaxq.com has been registered by the
criminals with SPIRITDOMAINS/IAREGISTRY. ***Latest News*** 16th. January 2008
The above botnet has been shut down by Othello Technology Systems Ltd,
(TidyHosts.com) and the criminal has set up on the new IP 193.33.179.165 as
follows:
Searching for wtr.kg A record at c.root-servers.net [192.33.4.12]: Got
referral to NS.kg. (zone: kg.)
Searching for wtr.kg A record at NS.kg. [195.38.160.36]: Got referral
to NS1.IMAXQ.COM. (zone: wtr.kg.)
Searching for wtr.kg A record at NS1.IMAXQ.COM. [193.33.179.165]:
Reports wtr.kg. Response:
The data
shows a standard zombie botnet where the nameserver ns1.imaxq.com
hosted by No Wires
Ltd/Crystal VPS,
on IP 193.33.179.165
is acting as a zombie botnet controller 'herding' the
rotating zombies, (as evidenced by IP RDNS data), in the 'A' records
list which are hosting the criminal's phishing and fraud website, (as
evidenced by
domain TRACERT data), using the domains wtr.kg, wtrk.org, wtrco.com & walltr.ac . The nameserver domain imaxq.com has been registered by the
criminals with SPIRITDOMAINS/IAREGISTRY. ***Latest News*** 17th. January 2008
New domain received in spam - wcc.ph
hosted on the RoadRunner botnet. The above No Wires Ltd/Crystal VPS
botnet appears to have been shutdown and the criminal has now moved
his botnet to 216.194.127.239,
details follow:
How I am searching:
Searching for wtr.kg A record at a.root-servers.net [198.41.0.4]: Got
referral to NS-KG.RIPE.NET. (zone: kg.)
Searching for wtr.kg A record at NS-KG.RIPE.NET. [193.0.12.119]: Got
referral to NS2.IMAXQ.COM. (zone: wtr.kg.)
Searching for wtr.kg A record at NS2.IMAXQ.COM.Timed out. Trying again.
Searching for wtr.kg A record at NS1.IMAXQ.COM. [216.194.127.239]:
Reports wtr.kg.
Response:
Domain
Type
Class
TTL
Answer
wtr.kg.
A
IN
1800
89.40.5.124
wtr.kg.
A
IN
1800
71.228.246.37
wtr.kg.
A
IN
1800
79.112.30.66
wtr.kg.
A
IN
1800
85.66.49.199
wtr.kg.
A
IN
1800
85.120.187.168
wtr.kg.
A
IN
1800
86.120.138.161
wtr.kg.
A
IN
1800
89.32.140.225
wtr.kg.
NS
IN
1800
ns1.imaxq.com.
wtr.kg.
NS
IN
1800
ns2.imaxq.com.
ns1.imaxq.com.
A
IN
1800
216.194.127.239
ns2.imaxq.com.
A
IN
1800
20.31.85.15
Looking up at the 2 wtr.kg. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A'
Records (Zombie Site Host IPs)
The data
shows a standard zombie botnet where the nameserver ns1.imaxq.com
hosted by Tier Four of
Orem, Utah,
on IP 216.194.127.239
is acting as a zombie botnet controller 'herding' the
rotating zombies, (as evidenced by IP RDNS data), in the 'A' records
list which are hosting the criminal's phishing and fraud website, (as
evidenced by
domain TRACERT data), using the domains wtr.kg, wtrk.org, wtrco.com & walltr.ac . The nameserver domain imaxq.com has been registered by the
criminals with SPIRITDOMAINS/IAREGISTRY.
The botnet host IP 216.194.127.239
belongs to a company called Tier
Four of Orem, Utah who are unknown to me. ***Latest News*** 18th. January 2008
Once again their botnet has been closed down by Tier Four and
they've moved to yet another supplier, Globale Internet InfoAccess:
How I am searching:
Searching for wtr.kg A record at c.root-servers.net [192.33.4.12]: Got
referral to NS-KG.RIPE.NET. (zone: kg.)
Searching for wtr.kg A record at NS-KG.RIPE.NET. [193.0.12.119]: Got
referral to NS2.IMAXQ.COM. (zone: wtr.kg.)
Searching for wtr.kg A record at NS2.IMAXQ.COM. [20.31.85.15]: Timed
out. Trying again.
Searching for wtr.kg A record at NS1.IMAXQ.COM. [65.38.67.31]: Reports
wtr.kg. Response:
Domain
Type
Class
TTL
Answer
wtr.kg.
A
IN
1800
84.108.220.134
wtr.kg.
A
IN
1800
85.121.0.102
wtr.kg.
A
IN
1800
86.120.138.161
wtr.kg.
A
IN
1800
86.126.13.71
wtr.kg.
A
IN
1800
89.32.51.227
wtr.kg.
A
IN
1800
89.40.108.53
wtr.kg.
A
IN
1800
83.103.171.12
wtr.kg.
NS
IN
1800
ns1.imaxq.com.
wtr.kg.
NS
IN
1800
ns2.imaxq.com.
ns1.imaxq.com.
A
IN
1800
65.38.67.31
ns2.imaxq.com.
A
IN
1800
20.31.85.15
Looking up at the 2 wtr.kg. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A'
Records (Zombie Site Host IPs)
The data
shows a standard zombie botnet where the nameserver ns1.imaxq.com
hosted by Globale
Internet InfoAccess,
on IP 65.38.67.31
is acting as a zombie botnet controller 'herding' the
rotating zombies, (as evidenced by IP RDNS data), in the 'A' records
list which are hosting the criminal's phishing and fraud website, (as
evidenced by
domain TRACERT data), using the domains wtr.kg, wtrk.org, wtrco.com & walltr.ac . The nameserver domain
imaxq.com has been registered by the criminals with SPIRITDOMAINS/IAREGISTRY. ***Latest News*** 19th. January 2008
Both of the criminal's botnets are down this morning. The light finally
appears to have dawned on Roadrunner,
but it shouldn't have taken since December 17th. for it to do so. If
ever an abuse team needed more training & better procedures
it's
that one - if you do a site search for Roadrunner
you will see that they also hosted the Cronos Investment fraudsters and
DeMarck Pharmaceuticals and, sadly for the victims, were equally
clueless on those occasions too....
The only network now still open is the one hosting the Nic.ac domain watrco.ac as follows:
The IP 81.16.131.40 belongs to the 'Complex
Telmatic Systems' Siberia network - a Russian internet
service provider.
The
nameserver IPs 200.72.139.67 and 200.111.60.84 are the usual ENTEL
CHILE S.A. nameserver IPs - they have not responded to abuse reports.
The nameserver domain nsters.com, (registered with TODAYNIC.COM, INC),
is also undoubtedly criminally owned as it is used in association with
hosting zombies and has been recorded as having been used for hundreds
of
'rockphish' phishing domains, apart from also having been used
for
the Cronos Investment fraudster's networks. The nameserver
ns1.nsters.com proves these crooks and the 'rockphish' scammers are one
and the same so any crooked service provider who supports this criminal
is also supporting the rockphish criminals. Nic.ac do not respond to
abuse reports re. any of the .ac domains.
Later
- The criminal has moved his Roadrunner
zombie botnet onto the Globale Internet InfoAccess IP 65.38.67.31 as
follows: DNS Data for wa.kg, wll.kg & wlt.kg
How I am searching:
Searching for wlt.kg A record at a.root-servers.net [198.41.0.4]: Got
referral to NS.kg. (zone: kg.)
Searching for wlt.kg A record at NS.kg. [195.38.160.36]: Got referral
to NS1.TTHROOT.COM. (zone: wlt.kg.)
Searching for wlt.kg A record at NS1.TTHROOT.COM. [65.38.67.31]:
Reports wlt.kg.
Response:
Domain
Type
Class
TTL
Answer
wlt.kg.
A
IN
1800
195.64.185.239
wlt.kg.
A
IN
1800
210.6.255.41
wlt.kg.
A
IN
1800
77.81.227.89
wlt.kg.
A
IN
1800
79.114.80.214
wlt.kg.
A
IN
1800
85.186.115.206
wlt.kg.
A
IN
1800
89.18.18.9
wlt.kg.
A
IN
1800
89.40.108.53
wlt.kg.
NS
IN
1800
ns1.tthroot.com.
wlt.kg.
NS
IN
1800
ns2.tthroot.com.
ns1.tthroot.com.
A
IN
1800
65.38.67.31
ns2.tthroot.com.
A
IN
1800
24.80.95.10
Looking up at the 2 wlt.kg. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A'
Records (Zombie Site Host IPs)
The data
shows a standard zombie botnet where the nameserver ns1.tthroot.com [65.38.67.31] hosted
by Globale Internet InfoAccess, on IP 65.38.67.31
is acting as a zombie botnet controller 'herding' the rotating zombies,
(as evidenced by IP RDNS data), in the 'A' records list which are
hosting the fraud site (as evidenced by domain TRACERT data), using the
listed domains. ***Latest News*** 21st. January 2008 The
Waller truck fraudster has apparently lost control of his imaxq.com
nameservers
and the DNS data is invalid so he has started up a second zombie botnet
on the Globale Internet InfoAccess IP 65.38.67.31 in addition to the
existing one using domains wlk.kg, wtc.kg and possibly
others, (please let me know of any):
Searching for wlk.kg A record at l.root-servers.net [199.7.83.42]: Got
referral to ns.kg. (zone: kg.)
Searching for wlk.kg A record at ns.kg. [195.38.160.36]: Got referral
to NS2.GLORIALE.COM. (zone: wlk.kg.)
Searching for wlk.kg A record at NS2.GLORIALE.COM. [67.14.18.25]: Timed
out. Trying again.
Searching for wlk.kg A record at NS1.GLORIALE.COM. [65.38.67.31]:
Reports wlk.kg.Response:
Domain
Type
Class
TTL
Answer
wlk.kg.
A
IN
1800
89.39.109.72
wlk.kg.
A
IN
1800
89.42.124.117
wlk.kg.
A
IN
1800
86.125.248.54
wlk.kg.
A
IN
1800
86.127.213.218
wlk.kg.
A
IN
1800
87.206.162.115
wlk.kg.
A
IN
1800
89.35.77.104
wlk.kg.
A
IN
1800
89.38.13.104
wlk.kg.
NS
IN
1800
ns2.gloriale.com.
wlk.kg.
NS
IN
1800
ns1.gloriale.com.
ns1.gloriale.com.
A
IN
1800
65.38.67.31
ns2.gloriale.com.
A
IN
1800
67.14.18.25
Looking up at the
2 wlk.kg, wtc.kg. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A'
Records (Zombie Site Host IPs)
The data
shows a standard zombie botnet where the nameserver ns1.gloriale.com [65.38.67.31] hosted
by Globale Internet InfoAccess, on IP 65.38.67.31
is acting as a zombie botnet controller 'herding' the rotating zombies,
(as evidenced by IP RDNS data), in the 'A' records list which are
hosting the fraud site (as evidenced by domain TRACERT data), using the
listed domains. ***Latest News*** 26th. January 2008 New
domain received in spam - wco.kg hosted on a new botnet on IP
38.106.98.194 hosted by Performance
Systems International. DNS data follows:
Searching for wco.kg A record at d.root-servers.net [128.8.10.90]: Got
referral to NS.kg. (zone: kg.)
Searching for wco.kg A record at NS.kg. [195.38.160.36]: Timed out.
Trying again.
Searching for wco.kg A record at NS-KG.RIPE.NET. [193.0.12.119]: Got
referral to NS2.GLORIALE.COM. (zone: wco.kg.)
Searching for wco.kg A record at NS2.GLORIALE.COM. [67.14.18.25]: Timed
out. Trying again.
Searching for wco.kg A record at NS1.GLORIALE.COM. [38.106.98.194]:
Reports wco.kg. Response:
Domain
Type
Class
TTL
Answer
wco.kg.
A
IN
1800
86.121.1.98
wco.kg.
A
IN
1800
86.122.171.65
wco.kg.
A
IN
1800
86.124.85.192
wco.kg.
A
IN
1800
89.137.200.165
wco.kg.
A
IN
1800
89.178.41.237
wco.kg.
A
IN
1800
84.108.78.24
wco.kg.
A
IN
1800
86.105.14.118
wco.kg.
NS
IN
1800
ns1.gloriale.com.
wco.kg.
NS
IN
1800
ns2.gloriale.com.
ns1.gloriale.com.
A
IN
1800
38.106.98.194
ns2.gloriale.com.
A
IN
1800
67.14.18.25
Looking up at the 2 wco.kg. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A'
Records (Zombie Site Host IPs)
The data
shows a standard zombie botnet where the nameserver ns1.gloriale.com
[38.106.98.194] hosted by Performance Systems International
(CogentCo), on IP 38.106.98.194
is acting as a zombie botnet controller 'herding' the rotating zombies,
(as evidenced by IP RDNS data), in the 'A' records list which are
hosting the fraud site (as evidenced by domain TRACERT data), using the
listed domains.
The Globale Internet InfoAccessbotnet
on IP 65.38.67.31
finally seems to have been disconnected. Despite being reported to
Nic.ac many times, the last known hosted domain of theirs, (watrco.ac), remains in use. ***Latest News*** 27th. January 2008
The criminal has now moved his SECOND botnet onto another Performance Systems International
(CogentCo) zombie botnet as per the DNS details below:
Searching for wa.kg A record at d.root-servers.net [128.8.10.90]: Got
referral to NS.kg. (zone: kg.)
Searching for wa.kg A record at NS.kg. [195.38.160.36]: Got referral to
NS1.TTHROOT.COM. (zone: wa.kg.)
Searching for wa.kg A record at NS1.TTHROOT.COM. [38.106.98.194]:
Reports wa.kg. Response:
Domain
Type
Class
TTL
Answer
wa.kg.
A
IN
1800
79.112.200.191
wa.kg.
A
IN
1800
82.79.233.43
wa.kg.
A
IN
1800
84.94.12.39
wa.kg.
A
IN
1800
86.123.50.10
wa.kg.
A
IN
1800
89.33.220.138
wa.kg.
A
IN
1800
89.136.62.4
wa.kg.
A
IN
1800
79.112.93.121
wa.kg.
NS
IN
1800
ns2.tthroot.com.
wa.kg.
NS
IN
1800
ns1.tthroot.com.
ns1.tthroot.com.
A
IN
1800
38.106.98.194
ns2.tthroot.com.
A
IN
1800
24.80.95.10
Looking up at the 2 wa.kg. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A'
Records (Zombie Site Host IPs)
The data shows a standard zombie botnet where the nameserver
ns1.tthroot.com [38.106.98.194] hosted by Performance Systems International
(CogentCo), on IP 38.106.98.194
is acting as a zombie botnet controller 'herding' the rotating zombies,
(as evidenced by IP RDNS data), in the 'A' records list which are
hosting the fraud site (as evidenced by domain TRACERT data), using the
listed domains.
This
makes two botnets that the criminal is currently operating on this
Cogentco IP. No response to my abuse report sent yesterday. ***Latest News*** 28th. January 2008 New
domain notified to me by site visitor - waltrc.com (IA
Registry/Spiritdomains). Both Cogentco.com zombie botnets are still in
use. All abuse reports to Cogentco have been ignored as have the
reports to domain.kg. ***Latest News*** 29th. January 2008 The
CogentCo botnets appear to have been shut down at last - a rather slow
action and no response, unfortunately. The criminal has now moved both
botnets to a Net Access Corporation IP, (64.21.48.162). DNS details
follow:
DNS Data for wco.kg,
wlk.kg, wtc.kg
How I am searching:
Searching for wco.kg A record at b.root-servers.net [192.228.79.201]:
Got referral to NS.kg. (zone: kg.)
Searching for wco.kg A record at NS.kg. [195.38.160.36]: Got referral
to NS1.GLORIALE.COM. (zone: wco.kg.)
Searching for wco.kg A record at NS1.GLORIALE.COM. [64.21.48.162]:
Reports wco.kg. Response:
Domain
Type
Class
TTL
Answer
wco.kg.
A
IN
1800
77.41.50.204
wco.kg.
A
IN
1800
77.125.14.230
wco.kg.
A
IN
1800
84.109.89.72
wco.kg.
A
IN
1800
86.124.85.192
wco.kg.
A
IN
1800
89.40.110.152
wco.kg.
A
IN
1800
89.137.85.163
wco.kg.
A
IN
1800
89.178.45.86
wco.kg.
NS
IN
1800
ns1.gloriale.com.
wco.kg.
NS
IN
1800
ns2.gloriale.com.
ns1.gloriale.com.
A
IN
1800
64.21.48.162
ns2.gloriale.com.
A
IN
1800
67.14.18.25
Looking up at the 2 wco.kg. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A'
Records (Zombie Site Host IPs)
The data shows a standard zombie botnet where the
nameserver ns1.gloriale.com [64.21.48.162] hosted by Net
Access
Corporation on IP 64.21.48.162 is acting as a zombie botnet controller
'herding' the rotating zombies, (as evidenced by IP RDNS data), in the
'A' records list which are hosting the fraud site (as evidenced by
domain TRACERT data), using the listed domains. DNS Data for: waltrc.com,
wlt.kg,
wll.kg,
wa.kg
How I am searching:
Searching for waltrc.com A record at c.root-servers.net
[192.33.4.12]: Got referral to H.GTLD-SERVERS.NET. (zone: com.)
Searching for waltrc.com A record at H.GTLD-SERVERS.NET.
[192.54.112.30]: Got referral to ns2.tthroot.com. (zone: waltrc.com.)
Searching for waltrc.com A record at ns2.tthroot.com. [24.80.95.10]:
Timed out. Trying again.
Searching for waltrc.com A record at ns1.tthroot.com. [64.21.48.162]:
Reports waltrc.com. Response:
Domain
Type
Class
TTL
Answer
waltrc.com.
A
IN
1800
77.125.14.230
waltrc.com.
A
IN
1800
84.109.89.72
waltrc.com.
A
IN
1800
86.124.85.192
waltrc.com.
A
IN
1800
89.40.110.152
waltrc.com.
A
IN
1800
89.137.85.163
waltrc.com.
A
IN
1800
89.178.45.86
waltrc.com.
A
IN
1800
77.41.50.204
waltrc.com.
NS
IN
1800
ns1.tthroot.com.
waltrc.com.
NS
IN
1800
ns2.tthroot.com.
ns1.tthroot.com.
A
IN
1800
64.21.48.162
ns2.tthroot.com.
A
IN
1800
24.80.95.10
Looking up at the 2 waltrc.com. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A'
Records (Zombie Site Host IPs)
The data shows a standard zombie botnet where the
nameserver ns1.tthroot.com [64.21.48.162] hosted by Net Access
Corporation, on IP 64.21.48.162 is acting as a zombie botnet
controller 'herding' the rotating zombies, (as evidenced by IP RDNS
data), in the 'A' records list which are hosting the fraud site (as
evidenced by domain TRACERT data), using the listed domains. ***Latest News*** 30th. January 2008
Looks
like Net Access Corporation have taken action as both botnet
nameservers are now timing out and the crooks domains are all timing
out except watrco.ac which is resolving courtesy
of NIC.AC
and SOFTBANK TELECOM
Corp. of Japan on IP 211.3.9.123.
The only network now still open is the one hosting the Nic.ac domain watrco.ac as follows:
Looking up at the 2 watrco.ac. parent servers:
Server
Response
ns1.nsters.com
[200.72.139.67]
211.3.9.123
ns3.nsters.com
[200.111.60.84]
Timeout
The IP 211.3.9.123 belongs to SOFTBANK TELECOM Corp. of Japan.
The
nameserver IPs 200.72.139.67 and 200.111.60.84 are the usual ENTEL
CHILE S.A. nameserver IPs - they have not responded to abuse reports.
The nameserver domain nsters.com, (registered with TODAYNIC.COM, INC),
is also undoubtedly criminally owned as it is used in association with
hosting zombies and has been recorded as having been used for hundreds
of
'rockphish' phishing domains, apart from also having been used
for
the Cronos Investment fraudster's networks. The nameserver
ns1.nsters.com proves these crooks and the 'rockphish' scammers are one
and the same so any service provider who supports this criminal
is also supporting the rockphish phishing criminals. That
includes the registrar NIC.AC,
(Dorset, UK), who still ignores all abuse reports
concerning their criminal clients as they have done all along and as
they also did for the
Cronos Investment
fraudster and the Draper Investment fraudsters. ***Latest News*** 31st. January 2008
New domain notified by site contact - wt.gs
It looks like the crook is transferring his criminal
intentions
to the South Georgia & South Sandwich Islands domains. Oddly
enough
it's still on the Net Access Corporation hosted zombie botnet, still
using nameserver ns1.gloriale.com [64.21.48.162]. Here's the network
details:
Searching for wt.gs A record at k.root-servers.net [193.0.14.129]: Got
referral to ns-gs.ripe.net. (zone: gs.)
Searching for wt.gs A record at ns-gs.ripe.net. [193.0.12.206]: Got
referral to ns2.gloriale.com. (zone: wt.gs.)
Searching for wt.gs A record at ns2.gloriale.com. [67.14.18.25]: Timed
out. Trying again.
Searching for wt.gs A record at ns1.gloriale.com. [64.21.48.162]:
Reports wt.gs. Response:
Domain
Type
Class
TTL
Answer
wt.gs.
A
IN
1800
82.79.134.15
wt.gs.
A
IN
1800
84.236.72.143
wt.gs.
A
IN
1800
86.123.50.10
wt.gs.
A
IN
1800
87.70.96.202
wt.gs.
A
IN
1800
89.35.210.32
wt.gs.
A
IN
1800
89.43.236.175
wt.gs.
A
IN
1800
79.112.208.235
wt.gs.
NS
IN
1800
ns1.gloriale.com.
wt.gs.
NS
IN
1800
ns2.gloriale.com.
ns1.gloriale.com.
A
IN
1800
64.21.48.162
ns2.gloriale.com.
A
IN
1800
67.14.18.25
Looking up at the 2 wt.gs. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A'
Records (Zombie Site Host IPs)
The data shows a standard zombie botnet where the
nameserver ns1.gloriale.com [64.21.48.162] hosted by Net Access
Corporation on IP 64.21.48.162 is acting as a zombie botnet controller
'herding' the rotating zombies, (as evidenced by IP RDNS data), in the
'A' records list which are hosting the fraud site (as evidenced by
domain TRACERT data), using the listed domains.
No doubt there are other .gs domains. Tip
for registrar - any domain that uses the
nameserver ns1.gloriale.com or ns1.tthroot.com is one
of this
criminal's domains.
Later: and here we are:
Reported to me by a site contact. He's reinstated his other Net Access
Corporation botnet to host them:
DNS Data for: wlt.gs
and wc.gs
How I am searching:
Searching for wlt.gs A record at e.root-servers.net
[192.203.230.10]: Got referral to NS.ANYCAST.NIC.gs. (zone: gs.)
Searching for wlt.gs A record at NS.ANYCAST.NIC.gs.
[204.61.216.21]: Got referral to ns1.tthroot.com. (zone: wlt.gs.)
Searching for wlt.gs A record at ns1.tthroot.com. [64.21.48.162]:
Reports wlt.gs. Response:
Domain
Type
Class
TTL
Answer
wlt.gs.
A
IN
1800
87.70.96.202
wlt.gs.
A
IN
1800
88.110.27.98
wlt.gs.
A
IN
1800
89.137.215.171
wlt.gs.
A
IN
1800
190.161.81.11
wlt.gs.
A
IN
1800
84.95.115.19
wlt.gs.
A
IN
1800
85.178.33.201
wlt.gs.
A
IN
1800
86.124.85.192
wlt.gs.
NS
IN
1800
ns1.tthroot.com.
wlt.gs.
NS
IN
1800
ns2.tthroot.com.
ns1.tthroot.com.
A
IN
1800
64.21.48.162
ns2.tthroot.com.
A
IN
1800
24.80.95.10
Looking up at the 2 wlt.gs. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A'
Records (Zombie Site Host IPs)
The data shows a standard zombie botnet where the
nameserver ns1.tthroot.com [64.21.48.162] hosted by Net Access
Corporation, on IP 64.21.48.162 is acting as a zombie botnet
controller 'herding' the rotating zombies, (as evidenced by IP RDNS
data), in the 'A' records list which are hosting the fraud site (as
evidenced by domain TRACERT data), using the listed domains. ***Latest News*** 1st. February 2008 Another
month and the registrar NIC.AC is still ignoring any direct approach
regarding the criminal's domain watrco.ac. Fortunately,
other registrars do not tolerate
criminal activity - the domains wt.gs, wlt.gs and wc.gs have been suspended by their
registrar, in fact none of the criminals domains are functional
save watrco.ac, (first
reported to NIC.AC on 30-Nov-2007), which explains why the spam I am
currently receiving uses that domain... Later - new criminal fraud domain
received in spam - wtru.la hosted on the above ns1.gloriale.com
hosted zombie botnet - unlike the domain watrco.ac,
I
do not expect wtru.la to last very
long. ***Latest News*** 2nd. February 2008 As
predicted, the ethical registrar www.la has suspended the domain wtru.la, whereas the NIC.AC
domain
watrco.ac
is still active despite the fact that NIC.AC are aware
of the criminality. ***Latest News*** 3rd. February 2008
Spam received using
domains wltk.la
and wcc.la,
both hosted on the zombie botnet controlled by ns1.tthroot.com
[64.21.48.162].
Still no response from Net Access Corporation to their continued
hosting of these criminals on their IP 64.21.48.162 Later
- New fraud domain notified by site contact - wlrt.ph, hosted on the
ns1.gloriale.com [64.21.48.162] zombie botnet. Later
- The above two botnets on 64.21.48.162 have been disabled. Later
- The crook's botnet(s) are back up on another Cogentco.com IP
- 38.100.214.33
DNS Data:
How I am searching:
Searching for wlrt.ph A record at k.root-servers.net [193.0.14.129]:
Got referral to auth50.ns.uu.net. (zone: ph.)
Searching for wlrt.ph A record at auth50.ns.uu.net. [198.6.1.161]:
Got referral to ns1.gloriale.com. (zone: wlrt.ph.)
Searching for wlrt.ph A record at ns1.gloriale.com. [38.100.214.33]:
Reports wlrt.ph. Response:
Domain
Type
Class
TTL
Answer
wlrt.ph.
A
IN
1800
87.68.48.66
wlrt.ph.
A
IN
1800
79.112.211.67
wlrt.ph.
A
IN
1800
79.114.95.196
wlrt.ph.
A
IN
1800
79.114.243.182
wlrt.ph.
A
IN
1800
79.115.65.120
wlrt.ph.
A
IN
1800
79.177.166.197
wlrt.ph.
A
IN
1800
85.182.40.21
wlrt.ph.
NS
IN
1800
ns1.gloriale.com.
wlrt.ph.
NS
IN
1800
ns2.gloriale.com.
ns1.gloriale.com.
A
IN
1800
38.100.214.33
ns2.gloriale.com.
A
IN
1800
67.14.18.25
Looking up at the 2 wlrt.ph parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A'
Records (Zombie Site Host IPs)
The data shows a standard zombie botnet where the
nameserver ns1.gloriale.com [38.100.214.33] hosted by Cogentco.com on
IP 38.100.214.33 is acting as a zombie botnet controller
'herding' the rotating zombies, (as evidenced by IP RDNS data), in the
'A' records list which are hosting the fraud site (as evidenced by
domain TRACERT data), using the listed domains. ***Latest News*** 4th. February 2008 New domains notified
by site contact - waltru.com, watrk.com both on the ns1.gloriale.com zombie botnet
The
criminal is also reinstating his second botnet on the Cogentco.com IP
38.100.214.30 but the domains are not yet known - please let me know of
any active domains I don't currently list in the domain tables.
Tracerts on the two
nameservers ns1.gloriale.com
and ns1.tthroot.com show the destination domain as
arrowsolutionsllc3.com. This domain was only registered with Joker on
25-sep-2007 & appears to be linked to a large number of
US media
marketing sites....
Wherever I look for this criminal, (&
remember he's undoubtedly linked to the 'Rockphish' group), I always
see & hear about US connections, e.g. an abuse team told me the
other day "They
are possibly in the US"....
They have bought their servers using Paypal and have used the Paypal
email address kelleykeelef@uk2.net to do so.
Later
- new domain received in spam - wtru.ph Later -
new domain notified by site contact - wt.tl DNS data for wt.tl,
wlt.tl:
How I am searching:
Searching for wt.tl A record at b.root-servers.net
[192.228.79.201]: Got referral to PHLOEM.UOREGON.EDU. (zone: tl.)
Searching for wt.tl A record at PHLOEM.UOREGON.EDU.
[128.223.32.35]: Got referral to ns2.tthroot.com. (zone: wt.tl.)
Searching for wt.tl A record at ns2.tthroot.com. [24.80.95.10]: Timed
out. Trying again.
Searching for wt.tl A record at ns1.tthroot.com. [38.100.214.33]:
Reports wt.tl. Response:
Domain
Type
Class
TTL
Answer
wt.tl.
A
IN
1800
89.33.220.138
wt.tl.
A
IN
1800
78.55.64.128
wt.tl.
A
IN
1800
82.79.239.184
wt.tl.
A
IN
1800
82.131.230.67
wt.tl.
A
IN
1800
86.121.71.100
wt.tl.
A
IN
1800
86.124.85.192
wt.tl.
A
IN
1800
87.70.42.202
wt.tl.
NS
IN
1800
ns2.tthroot.com.
wt.tl.
NS
IN
1800
ns1.tthroot.com.
ns1.tthroot.com.
A
IN
1800
38.100.214.33
ns2.tthroot.com.
A
IN
1800
24.80.95.10
Looking up at the 2 wt.tl. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A'
Records (Zombie Site Host IPs)
Later
- new domain reported by site contact - wlt.tl hosted on the
ns1.tthroot.com botnet. Later
- CogentCo appear to have taken action against the two botnets above as
the nameservers are timing out, in fact the criminal has already moved
his ns1.gloriale.com botnet to a fairly frequent supplier -
SoftLayer Technologies Inc. of Dallas on IP 75.126.241.172
(server4sale.com from a Tracert).
Searching for watrk.com A record at l.root-servers.net
[199.7.83.42]: Got referral to d.gtld-servers.net. (zone: com.)
Searching for watrk.com A record at d.gtld-servers.net.
[192.31.80.30]: Got referral to ns2.gloriale.com. (zone: watrk.com.)
Searching for watrk.com A record at ns2.gloriale.com. [67.14.18.25]:
Timed out. Trying again.
Searching for watrk.com A record at ns1.gloriale.com. [75.126.241.172]:
Reports watrk.com. Response:
Domain
Type
Class
TTL
Answer
watrk.com.
A
IN
1800
84.108.78.24
watrk.com.
A
IN
1800
89.35.210.32
watrk.com.
A
IN
1800
89.136.146.112
watrk.com.
A
IN
1800
79.112.199.120
watrk.com.
A
IN
1800
79.115.30.2
watrk.com.
A
IN
1800
79.119.157.98
watrk.com.
A
IN
1800
83.138.225.37
watrk.com.
NS
IN
1800
ns2.gloriale.com.
watrk.com.
NS
IN
1800
ns1.gloriale.com.
ns1.gloriale.com.
A
IN
1800
75.126.241.172
ns2.gloriale.com.
A
IN
1800
67.14.18.25
Looking up at the 2 watrk.com. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A'
Records (Zombie Site Host IPs)
The data shows a standard zombie botnet where the
nameserver ns1.gloriale.com [75.126.241.172] hosted by
SoftLayer
Technologies Inc. of Dallas on IP 75.126.241.172
(server4sale.com
from a Tracert), is acting as a zombie botnet controller
'herding' the rotating zombies, (as evidenced by IP RDNS data), in the
'A' records list which are hosting the fraud site (as evidenced by
domain TRACERT data), using the listed domains.
The criminal has now moved his other zombie botnet over to
Softlayer/Server4sale as well:
Searching for wt.tl A record at l.root-servers.net [199.7.83.42]: Got
referral to sec3.apnic.net. (zone: tl.)
Searching for wt.tl A record at sec3.apnic.net. [202.12.28.140]: Got
referral to ns2.tthroot.com. (zone: wt.tl.)
Searching for wt.tl A record at ns2.tthroot.com. [24.80.95.10]: Timed
out. Trying again.
Searching for wt.tl A record at ns1.tthroot.com. [75.126.241.172]:
Reports wt.tl. Response:
Domain
Type
Class
TTL
Answer
wt.tl.
A
IN
1800
85.178.30.231
wt.tl.
A
IN
1800
86.120.36.112
wt.tl.
A
IN
1800
89.32.171.33
wt.tl.
A
IN
1800
217.233.112.144
wt.tl.
A
IN
1800
24.93.117.56
wt.tl.
A
IN
1800
79.114.93.225
wt.tl.
A
IN
1800
84.109.89.72
wt.tl.
NS
IN
1800
ns2.tthroot.com.
wt.tl.
NS
IN
1800
ns1.tthroot.com.
ns1.tthroot.com.
A
IN
1800
75.126.241.172
ns2.tthroot.com.
A
IN
1800
24.80.95.10
Looking up at the 2 wt.tl. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A'
Records (Zombie Site Host IPs)
The data shows a standard zombie botnet where the
nameserver ns1.tthroot.com [75.126.241.172] hosted by
SoftLayer
Technologies Inc. of Dallas on IP 75.126.241.172,
(server4sale.com
from a Tracert), is acting as a zombie botnet
controller 'herding' the rotating zombies, (as evidenced by IP RDNS
data), in the 'A' records list which are hosting the fraud site (as
evidenced by domain TRACERT data), using the listed domains. ***Latest News*** 5th. February 2008 Later
- new domain received in spam - wtru.kg***Latest News*** 6th. February 2008 Both
Softlayer hosted botnets are still alive this morning. Softlayer have
been made aware of this criminal activity that they are hosting on
their IP
75.126.241.172 but have so far not responded to abuse reports, neither
have
server4sale.com. Later
- two new domains reported by site contact - wlrt.kg
and wcc.kg Later
- The Softlayer/Server4sale botnets are finally timing out but it
should not have taken so long to action and Softlayer have still not
responded to my abuse reports. Later
- I don't know if Softlayer have done anything, as they haven't
responded, but the two zombie
botnets are back on line with the nameservers/controllers on the same
IP 75.126.241.172. ***Latest News*** 7th. February 2008
Both
Softlayer/server4sale.com hosted botnets are still
alive this morning. Softlayer & server4sale.com still have not responded to
any abuse reports, (first submitted 4th. February). Later -
The criminals have moved both their botnets onto another vps provider
under the Softlayer umbrella - vpswelcome.com (IP 74.86.253.99).
DNS data: waltru.com, watrk.com, wtru.kg,
wlrt.kg
How I am searching:
Searching for watrk.com A record at l.root-servers.net
[199.7.83.42]: Got referral to d.gtld-servers.net. (zone: com.)
Searching for watrk.com A record at d.gtld-servers.net.
[192.31.80.30]: Got referral to ns2.gloriale.com. (zone: watrk.com.)
Searching for watrk.com A record at ns2.gloriale.com. [67.14.18.25]:
Timed out. Trying again.
Searching for watrk.com A record at ns1.gloriale.com. [74.86.253.99]:
Reports watrk.com. Response:
Domain
Type
Class
TTL
Answer
watrk.com.
A
IN
1800
79.113.35.218
watrk.com.
A
IN
1800
79.113.224.203
watrk.com.
A
IN
1800
82.78.57.110
watrk.com.
A
IN
1800
83.138.225.37
watrk.com.
A
IN
1800
85.186.115.206
watrk.com.
A
IN
1800
86.126.23.69
watrk.com.
A
IN
1800
89.45.15.181
watrk.com.
NS
IN
1800
ns2.gloriale.com.
watrk.com.
NS
IN
1800
ns1.gloriale.com.
ns1.gloriale.com.
A
IN
1800
74.86.253.99
ns2.gloriale.com.
A
IN
1800
67.14.18.25
Looking up at the 2 watrk.com. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A'
Records (Zombie Site Host IPs)
The data shows a standard zombie botnet where the
nameserver ns1.gloriale.com [74.86.253.99] hosted by SoftLayer
Technologies Inc. of Dallas on IP 74.86.253.99 (vpswelcome.com
from a tracert to ns1.gloriale.com), is acting as a zombie botnet
controller
'herding' the rotating zombies, (as evidenced by IP RDNS data), in the
'A' records list which are hosting the fraud site (as evidenced by
domain TRACERT data), using the listed domains.
Searching for wt.tl A record at l.root-servers.net [199.7.83.42]: Got
referral to sec3.apnic.net. (zone: tl.)
Searching for wt.tl A record at sec3.apnic.net. [202.12.28.140]: Got
referral to ns2.tthroot.com. (zone: wt.tl.)
Searching for wt.tl A record at ns2.tthroot.com. [24.80.95.10]: Timed
out. Trying again.
Searching for wt.tl A record at ns1.tthroot.com. [74.86.253.99]:
Reports wt.tl. Response:
Domain
Type
Class
TTL
Answer
wt.tl.
A
IN
1800
79.112.196.9
wt.tl.
A
IN
1800
79.113.35.218
wt.tl.
A
IN
1800
83.138.225.37
wt.tl.
A
IN
1800
84.108.78.24
wt.tl.
A
IN
1800
86.55.168.15
wt.tl.
A
IN
1800
86.126.23.69
wt.tl.
A
IN
1800
89.45.15.181
wt.tl.
NS
IN
1800
ns2.tthroot.com.
wt.tl.
NS
IN
1800
ns1.tthroot.com.
ns1.tthroot.com.
A
IN
1800
74.86.253.99
ns2.tthroot.com.
A
IN
1800
24.80.95.10
Looking up at the 2 wt.tl. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A'
Records (Zombie Site Host IPs)
The data shows a standard zombie botnet where the
nameserver ns1.tthroot.com [74.86.253.99] hosted by
SoftLayer
Technologies Inc. of Dallas on IP 74.86.253.99,
(vpswelcome.com
from a tracert to ns1.tthroot.com), is acting as a zombie
botnet
controller 'herding' the rotating zombies, (as evidenced by IP RDNS
data), in the 'A' records list which are hosting the fraud site (as
evidenced by domain TRACERT data), using the listed domains. Later
- Having been notified of the activity, Prontohost/Vpswelcome have
acted very promptly
to remove this fraudster from their network which is very much to their
credit. If only all service providers were as responsible and ethical. ***Latest News*** 8th. February 2008
The criminal has once again moved his zombie botnets onto Net
Access Corporation/VPSville.ca.
Searching for wcc.kg A record at c.root-servers.net [192.33.4.12]: Got
referral to NS.kg. (zone: kg.)
Searching for wcc.kg A record at NS.kg. [195.38.160.36]: Got referral
to NS2.TTHROOT.COM. (zone: wcc.kg.)
Searching for wcc.kg A record at NS2.TTHROOT.COM. [24.80.95.10]: Timed
out. Trying again.
Searching for wcc.kg A record at NS1.TTHROOT.COM. [64.21.48.156]:
Reports wcc.kg. Response:
Domain
Type
Class
TTL
Answer
wcc.kg.
A
IN
1800
76.254.2.122
wcc.kg.
A
IN
1800
77.81.232.76
wcc.kg.
A
IN
1800
89.32.107.123
wcc.kg.
A
IN
1800
89.32.140.225
wcc.kg.
A
IN
1800
89.37.99.88
wcc.kg.
A
IN
1800
90.134.119.118
wcc.kg.
A
IN
1800
68.44.61.216
wcc.kg.
NS
IN
1800
ns1.tthroot.com.
wcc.kg.
NS
IN
1800
ns2.tthroot.com.
ns1.tthroot.com.
A
IN
1800
64.21.48.156
ns2.tthroot.com.
A
IN
1800
24.80.95.10
Looking up at the 2 wcc.kg. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A'
Records (Zombie Site Host IPs)
The data shows a standard zombie botnet where the
nameserver ns1.tthroot.com [64.21.48.156] hosted by Net Access
Corporation/VPSville.ca on IP 64.21.48.156, is acting
as a
zombie botnet
controller 'herding' the rotating zombies, (as evidenced by IP RDNS
data), in the 'A' records list which are hosting the fraud site (as
evidenced by domain TRACERT data), using the listed domains.
Searching for watrk.com A record at i.root-servers.net
[192.36.148.17]: Got referral to E.GTLD-SERVERS.NET. (zone: com.)
Searching for watrk.com A record at E.GTLD-SERVERS.NET.
[192.12.94.30]: Got referral to ns2.gloriale.com. (zone: watrk.com.)
Searching for watrk.com A record at ns2.gloriale.com. [67.14.18.25]:
Timed out. Trying again.
Searching for watrk.com A record at ns1.gloriale.com. [64.21.48.156]:
Reports watrk.com. Response:
Domain
Type
Class
TTL
Answer
watrk.com.
A
IN
1800
76.254.2.122
watrk.com.
A
IN
1800
77.81.232.76
watrk.com.
A
IN
1800
84.108.41.110
watrk.com.
A
IN
1800
89.41.168.145
watrk.com.
A
IN
1800
24.93.117.56
watrk.com.
A
IN
1800
60.33.190.124
watrk.com.
A
IN
1800
68.44.61.216
watrk.com.
NS
IN
1800
ns2.gloriale.com.
watrk.com.
NS
IN
1800
ns1.gloriale.com.
ns1.gloriale.com.
A
IN
1800
64.21.48.156
ns2.gloriale.com.
A
IN
1800
67.14.18.25
Looking up at the 2 watrk.com. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A'
Records (Zombie Site Host IPs)
The data
shows a standard zombie botnet where the
nameserver ns1.gloriale.com [64.21.48.156] hosted by Net Access
Corporation/VPSville.ca on IP 64.21.48.156 is acting as a
zombie
botnet controller 'herding' the rotating zombies, (as evidenced by IP
RDNS data), in the 'A' records list which are hosting the fraud site
(as evidenced by domain TRACERT data), using the listed domains. Later -
and once again vpsville.ca have taken prompt and ethical action against
these fraudsters.
The nic.ac domain watrco.ac is now hosted on bora.net as
below: Looking up at the 2 watrco.ac. parent
servers:
Server
Response
ns1.nsters.com
[200.72.139.67]
211.60.129.140
ns3.nsters.com
[200.111.60.84]
Timeout
The
nameserver IPs 200.72.139.67 and 200.111.60.84 are the usual ENTEL
CHILE S.A. nameserver IPs - they have not responded to abuse reports.
The nameserver domain nsters.com,
(registered with TODAYNIC.COM, INC),
is also undoubtedly criminally owned as it is used in association with
hosting zombies and has been recorded as having been used for hundreds
of
'rockphish' phishing domains, apart from also having been used
for
the Cronos Investment fraudster's networks. The nameserver
ns1.nsters.com proves these crooks and the 'rockphish' scammers are one
and the same so any service provider who supports this criminal
is also supporting the rockphish phishing criminals. That
includes the registrar NIC.AC,
(Dorset, UK), who still ignores all abuse reports
concerning their criminal client watrco.ac as they have done all along
for all .ac domains and as
they also did for the
Cronos Investment
fraudster and the Draper Investment fraudsters.
Later
- new domain notified by site contact - wtruk.org
The criminal has set up a new botnet:
Searching for wtruk.org A record at l.root-servers.net
[199.7.83.42]: Got referral to d0.org.afilias-nst.org. (zone: org.)
Searching for wtruk.org A record at d0.org.afilias-nst.org.
[199.19.57.1]: Got referral to ns2.regtoo.com. (zone: wtruk.org.)
Searching for wtruk.org A record at ns2.regtoo.com. [68.74.57.31]:
Timed out. Trying again.
Searching for wtruk.org A record at ns1.regtoo.com. [64.86.17.185]:
Reports wtruk.org. Response:
Domain
Type
Class
TTL
Answer
wtruk.org.
A
IN
1800
89.40.5.124
wtruk.org.
A
IN
1800
207.47.242.10
wtruk.org.
A
IN
1800
24.93.117.56
wtruk.org.
A
IN
1800
79.119.175.27
wtruk.org.
A
IN
1800
84.108.41.110
wtruk.org.
A
IN
1800
86.122.168.181
wtruk.org.
A
IN
1800
89.33.45.164
wtruk.org.
NS
IN
1800
ns2.regtoo.com.
wtruk.org.
NS
IN
1800
ns1.regtoo.com.
ns1.regtoo.com.
A
IN
1800
64.86.17.185
ns2.regtoo.com.
A
IN
1800
68.74.57.31
Looking up at the 2 wtruk.org. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A'
Records (Zombie Site Host IPs)
The data
shows a standard zombie botnet where the
nameserver ns1.regtoo.com [64.86.17.185] hosted by Velcom of Brampton
Ontario on IP 64.86.17.185 is acting as a zombie
botnet controller 'herding' the rotating zombies, (as evidenced by IP
RDNS data), in the 'A' records list which are hosting the fraud site
(as evidenced by domain TRACERT data), using the listed domains.
The
nameserver domain regtoo.com
was registered by the criminal on
07-feb-2008 with Register.com
Inc. to control his botnet as ns1.regtoo.com [64.86.17.185]
Later
- The crook is trying his luck with the Yahoo small business network
with a new domain waller-truck.com. DNS data:
waller-truck.com,
How I am searching:
Searching for waller-truck.com A record at b.root-servers.net
[192.228.79.201]: Got referral to A.GTLD-SERVERS.NET. (zone: com.)
Searching for waller-truck.com A record at A.GTLD-SERVERS.NET.
[192.5.6.30]: Got referral to yns2.yahoo.com. (zone: waller-truck.com.)
Searching for waller-truck.com A record at yns2.yahoo.com.
[216.109.116.20]: Reports waller-truck.com. Response:
Domain
Type
Class
TTL
Answer
waller-truck.com.
A
IN
1200
216.39.58.208
waller-truck.com.
A
IN
1200
216.39.58.209
waller-truck.com.
A
IN
1200
216.39.58.235
waller-truck.com.
A
IN
1200
216.39.58.236
waller-truck.com.
A
IN
1200
216.39.58.237
waller-truck.com.
A
IN
1200
216.39.58.192
waller-truck.com.
NS
IN
86400
ns9.san.yahoo.com.
waller-truck.com.
NS
IN
86400
yns2.yahoo.com.
waller-truck.com.
NS
IN
86400
yns1.yahoo.com.
waller-truck.com.
NS
IN
86400
ns8.san.yahoo.com.
yns1.yahoo.com.
A
IN
1800
66.218.71.205
yns2.yahoo.com.
A
IN
1800
216.109.116.20
ns8.san.yahoo.com.
A
IN
1800
66.218.71.205
ns9.san.yahoo.com.
A
IN
1800
216.109.116.20
Looking up at the 2 waller-truck.com. parent servers:
***Latest News*** 9th. February 2008 New
domain received from site contact - wl-tr.net
hosted on Velcom botnet ns1.regtoo.com New domain received
from site contact - wl-tr.com
hosted on Velcom botnet ns1.regtoo.com New domain received
from site contact - wtcom.net
hosted on Velcom botnet ns1.iprintworld.com New domain received
from site contact - wllcm.com
hosted on Velcom botnet ns1.iprintworld.com New domain received
from site contact - wltc.biz
hosted on Velcom botnet ns1.regtoo.com
The criminal has set
up a second botnet on the Velcom IP 64.86.17.185 using nameserver
ns1.iprintworld.com
DNS Data: (wtcom.net,
wllcm.com)
How I am searching:
Searching for wtcom.net A record at g.root-servers.net
[192.112.36.4]: Got referral to D.GTLD-SERVERS.net. (zone: net.)
Searching for wtcom.net A record at D.GTLD-SERVERS.net.
[192.31.80.30]: Got referral to ns2.iprintworld.com. (zone: wtcom.net.)
Searching for wtcom.net A record at ns2.iprintworld.com. [24.81.52.10]:
Timed out. Trying again.
Searching for wtcom.net A record at ns1.iprintworld.com.
[64.86.17.185]: Reports wtcom.net. Response:
Domain
Type
Class
TTL
Answer
wtcom.net.
A
IN
1800
207.47.242.10
wtcom.net.
A
IN
1800
59.9.230.28
wtcom.net.
A
IN
1800
86.120.93.92
wtcom.net.
A
IN
1800
87.207.56.7
wtcom.net.
A
IN
1800
89.40.5.124
wtcom.net.
A
IN
1800
89.136.196.38
wtcom.net.
A
IN
1800
89.179.69.16
wtcom.net.
NS
IN
1800
ns1.iprintworld.com.
wtcom.net.
NS
IN
1800
ns2.iprintworld.com.
ns1.iprintworld.com.
A
IN
1800
64.86.17.185
ns2.iprintworld.com.
A
IN
1800
24.81.52.10
Looking up at the 2 wtcom.net. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A'
Records (Zombie Site Host IPs)
The data
shows a standard zombie botnet where the
nameserver ns1.iprintworld.com
[64.86.17.185] hosted by Velcom of Brampton,
Ontario on IP 64.86.17.185 is acting as a zombie
botnet controller 'herding' the rotating zombies, (as evidenced by IP
RDNS data), in the 'A' records list which are hosting the fraud site
(as evidenced by domain TRACERT data), using the listed domains.
The
nameserver domain iprintworld.com
was registered by the criminal on
07-feb-2008
with IA
Registry/Spiritdomains to control his botnet
as ns1.iprintworld.com
[64.86.17.185] ***Latest News*** 10th. February 2008 The criminal has moved his zombie botnet nameserver ns1.regtoo.com [38.100.214.58] to one of his frequent suppliers - CogentCo aka Performance Systems International. He also appears to have 'hardened' his system by using a second botnet nameserver ns2.regtoo.com [68.74.57.31] on an AT&T Internet Services IP, although I am not entirely convinced that this data is all that it seems.
The data shows a standard site hosting zombie botnet setup where the nameserver ns1.regtoo.com [38.100.214.58] hosted by CogentCo, (Performance Syatems International) and nameserver ns2.regtoo.com [68.74.57.31],
hosted by AT&T Internet Services, are acting as zombie botnet
controllers, 'herding' the rotating zombies, (as evidenced by IP RDNS
data), in the 'A' records list which are hosting the fraud site (as
evidenced by domain TRACERT data), using the listed domains.
The criminal has also moved his other botnet onto the same CogentCo IP [38.100.214.58]
The data shows a standard site hosting zombie
botnet setup where the nameserver ns1.iprintworld.com
[38.100.214.58] hosted by CogentCo, (Performance Systems International)
is acting as zombie botnet controller, 'herding' the rotating zombies,
(as evidenced by IP RDNS data), in the 'A' records list which are
hosting the fraud site (as evidenced by domain TRACERT data), using the
listed domains. ***Latest News*** 11th. February 2008 New domains spotted in the wild - walr.tl & waltr.biz - both hosted on the ns1.iprintworld.com [38.100.214.58] botnet nameserver. Both CogentCo/Performance Systems International zombie botnest are still functional - no response to abuse reports as per usual. The domain waller-truck.com is still active on the Yahoo small business network with
the DNS intact despite Yahoo's assurances that action has been taken - reminder sent. ***Latest News*** 14th. February 2008 New domain received in spam - wwtrk.net
on the above ns1.iprintworld.com controlled zombie botnet. No action at
all taken against the two botnets they are hosting by CogentCo/Performance Systems International who are completely unresponsive to abuse reports and continue to aid and abet these fraudsters. The AT&T Internet Services IP ns2.regtoo.com [68.74.57.31] now appears to have been blocked, so the DNS data was apparently genuine and they have taken action. Nic.ac continue to deny all responsibilty for their criminal client watrco.ac
who is now hosted on an IP (202.103.49.198) belonging to The Dongpu
Information Technology Company, in ShiYan city Hubei Province. DNS data:
The nameserver IP 200.72.139.67 is the usual ENTEL CHILE S.A. nameserver IP - they have not responded to abuse reports. The nameserver domain nsters.com, (registered with TODAYNIC.COM, INC),
is also undoubtedly criminally owned as it is used in association with
hosting zombies and has been recorded as having been used for hundreds
of 'rockphish' phishing domains, apart from also having been used for
the Cronos Investment
fraudster's networks. The nameserver ns1.nsters.com proves these crooks
and the 'rockphish' scammers are one and the same so any service
provider who supports this criminal is also supporting the rockphish
phishing criminals. That includes the registrar NIC.AC, (Dorset, UK), who still ignores all abuse reports concerning their criminal client watrco.ac as they have done all along for all .ac domains and as they also did for the Cronos Investment fraudster and the Draper Investment fraudsters. Unfortunately, in CogentCo/Performance Systems International, Entel Chile S.A. and Nic.ac
we appear to have service suppliers that do not respond to abuse reports and continue to
host these criminals despite having been notified of their activities. Later
- CogentCo seem to have finally taken action - the criminal has now
moved his two botnets to 64.191.89.200 (Network Operations Center Inc.
of Scranton PA).
[Error: Port Unreachable] - Fake nameserver, (never resolves).
The data shows a standard site hosting zombie botnet setup where the nameserver ns1.regtoo.com [64.191.89.200]hosted by Network Operations Center Inc. of Scranton PA, (BurstNET Technologies, Inc.™) is acting as zombie botnet
controller, 'herding' the rotating zombies, (as evidenced by IP RDNS
data), in the 'A' records list which are hosting the fraud site (as
evidenced by domain TRACERT data), using the listed domains.
The data
shows a standard site hosting zombie
botnet setup where the nameserver ns1.iprintworld.com [64.191.89.200]
hosted by Network Operations Center Inc. of Scranton PA, (BurstNET
Technologies, Inc.™)
is acting as zombie botnet controller, 'herding' the rotating zombies,
(as evidenced by IP RDNS data), in the 'A' records list which are
hosting the fraud site (as evidenced by domain TRACERT data), using the
listed domains. ***Latest News*** 16th. February 2008 No
action by HostNoc (BurstNET Technologies, Inc.™). Both of the
criminal's above botnets are still active on IP address 64.191.89.200 ***Latest News*** 17th. February 2008 No
action by HostNoc (BurstNET Technologies, Inc.™). Both of the
criminal's above botnets are still active on IP address 64.191.89.200
Abuse report and reminder have received no response other than an
auto-ack. ***Latest News*** 18th. February 2008 No
action by HostNoc (BurstNET Technologies, Inc.™). Both of the
criminal's above botnets are still active on IP address 64.191.89.200
Abuse report and reminder have received no response other than an
auto-ack. It would appear that HostNoc
(BurstNET Technologies, Inc.™) of Scranton, P.A. are not concerned that
they are hosting criminals and fraudsters on zombie botnets. ***Latest News*** 20th. February 2008 Action finally taken by Burst.net and the hosting of both botnets has been ceased. ***Latest News*** 21st. February 2008 To
add to the criminal's woes, all of his Spiritdomains website domains
have been suspended, but not apparently his nameserver domains.
The only resolving domain I know of now is the Nic.ac domain watrco.ac which is hosted on the IP 212.0.90.42 which is listed as belonging to JSC Electrosvyaz of Buryatia Republic.
Looking up at the 2 watrco.ac. parent servers:
Server
Response
ns1.nsters.com [200.72.139.67]
212.0.90.42
ns3.nsters.com [200.111.60.84]
Timeout
It's a waste of time reporting watrco.ac to Nic.ac, of course as, (to quote them), they "do not get involved",
i.e. they are simply not prepared to take any action if it is reported
to them that their clients are using their domains for criminal
purposes. If you've got $500 to spare, you could try reporting it
through the Nic.ac WIPO 'procedure'.... Personally I would have
absolutely nothing to do with any company adopting that unethical and
indefensible attitude, and that includes the related companies Internet Computer Bureau plc of
Christchurch, Dorset, UK, nic.io, nic.sh,
nic.tm, UWhois.com, and 'InOne' , a
'one-stop' networking business. ***Latest News*** 22nd. February 2008 The criminal's domain watrco.ac is now on a new host:
Looking up at the 2 watrco.ac. parent servers:
Server
Response
ns1.nsters.com [200.72.139.67]
85.105.182.6
ns3.nsters.com [200.111.60.84]
Timeout
It's on Turktelecom IP 85.105.182.6 which has an RDNS of dsl.static.85-105-46598.ttnet.net.tr
- looks like a zombie on a Turktelecom ADSL network. It seems like the
crook is just moving from one zombie to another with his 'bombproof'
domain watrco.ac ***Latest News*** 26th. February 2008 Information from site contact - two previously unknown domains found - wwtrc.com and wwtrc.net.
Hosted on the ns1.regtoo.com botnet but not resolving at the moment as
the DNS data for both domains on ns1.regtoo.com loops back to the root
servers. The domain watrco.ac is not resolving at the moment, (no thanks to Nic.ac), but the criminal has brought his domain waller-truck.com back into service as Joker have ignored all abuse reports.
DNS Data:
How I am searching:
Searching for waller-truck.com A record at g.root-servers.net
[192.112.36.4]: Got referral to K.GTLD-SERVERS.NET. (zone: com.) Searching for waller-truck.com A record at K.GTLD-SERVERS.NET. [192.52.178.30]: Timed out. Trying again.
Searching for waller-truck.com A record at F.GTLD-SERVERS.NET.
[192.35.51.30]: Got referral to ns44.domaincontrol.com. (zone:
waller-truck.com.) Searching for waller-truck.com A record at ns44.domaincontrol.com. [208.109.255.22]: Reports waller-truck.com. Response:
Domain
Type
Class
TTL
Answer
waller-truck.com.
A
IN
3600
208.109.181.92
waller-truck.com.
NS
IN
3600
ns43.domaincontrol.com.
waller-truck.com.
NS
IN
3600
ns44.domaincontrol.com.
Looking up at the 2 waller-truck.com. parent servers:
Server
Response
ns44.domaincontrol.com [208.109.255.22]
208.109.181.92
ns43.domaincontrol.com [208.109.78.180]
208.109.181.92
Rather oddly this seems to be hosted on GoDaddy's own servers at the moment (208.109.181.92). ***Latest News*** 28th. February 2008 The
domain waller-truck.com seems to have finally been suspended as there
appears to be no 'A' record at the above GoDaddy/Wild West Domains
nameservers, although the Joker whois data shows no indication of
suspension and as per usual no-one bothers to respond to queries so
your guess is as good as mine...... The watrco.ac
domain is still operational, (courtesy of Nic.ac's blackhat policies),
not to mention Todaynic's ignoring of abuse reports relating to
the domain nsters.com and it's still hosted on the TurkTelecom phishing
IP 85.105.182.6 (See Spamhaus reports). Not a pretty nest of thieves and accomplices.... ***Latest News*** 4th. March 2008 I think the fraudster's given up on this scam now and is concentrating his efforts on the replacement Newman, Esmond & Eisenberg fraud. The last known active domain, watrco.ac, is still an active registration, but the hosting seems to have died a death, so hopefully that will be the end of this fraud.
