Sunday, July 20, 2014

Suspect Website: rubmaps.com

Site Data:
Host IP Address: 104.28.2.38
Country: United States
Host IP Reputation: n/a
DNS: ivan.ns.cloudflare.com & dora.ns.cloudflare.com
DNS Root Reputation: spamhaus.org/sbl/listings/cloudflare.com
Registrant: Domains By Proxy, LLC
Additional Sites Registered: unknown
Registrar: GoDaddy.com, LLC
Registrar Reputation: n/a
Payment Processor(s): unknown
Custodian of Records U.S.C. 2257: n/a
Redirect(s): internal

External Links: 
missingkids.com/home
polarisproject.org/index.php?option=com_content&task=view&id=90&Itemid=95
google.com
aff.camplace.com/delivery/?w=12&b=Webcams&t=2&c=Rubmaps

GET Requests:
maps.google.com
cdn.rubmaps.com
maps.gstatic.com
google-analytics.com
maps.googleapis.com

Google Analytics Data:
ID: UA-20449051-1
Sites Associated to Google Analytics ID:
ampguide.net 
rubads.com 
rubmap.com 
rubmaps.ca 
rubmaps.com 

Site Geo-Location(s): 
United States

Suspect Association Data:
Suspect Association: aff.camplace.com
Host IP Address (Root Domain): 198.41.208.17
Country: United States
Host IP Reputation: n/a
DNS: JACK.NS.CLOUDFLARE.COM & LILY.NS.CLOUDFLARE.COM
DNS Root Reputation: n/a
Registrant: Praestone Services/Sergey Babayan
Registrant Email Addresses: hupower1588@hushmail.com & jk@nextdating.com

Additional Sites Registered:

Site Geo-Location(s): 
Czech Republic, Germany, Slovakia, United States

Associated Criminal/Suspicious Activity:
prostitution
potential human trafficking
rogue pharmacies
fraudulent credit card activity (see krebsonsecurity.com/tag/sergey-babayan/)

Researched URLs:
http://urlquery.net/report.php?id=1405608593152
http://www.webconfs.com/search-engine-spider-simulator.php  (rubmaps.com)
https://www.google.com/search?q=UA-20449051-1&oq=UA-20449051-1&aqs=chrome..69i57.800j0j8&sourceid=chrome&es_sm=93&ie=UTF-8#q=%22UA-20449051-1%22
https://tools.digitalpoint.com/cookie-search?domain=rubmaps.com
https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=site%3Adomaintools.com%20%22praestone%20services%22
http://whois.domaintools.com/praestone.com
http://whois.domaintools.com/freecamplace.com
https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=site%3Adomaintools.com%20%22sergey%20babayan%22

Monday, July 14, 2014

A Deeper Dive: Cynk Technology/introbiz.com

Please note: The analysis below does not claim to reveal who may be involved in the activity described by Yahoo. It is merely an analysis of the entity's online infrastructure and associations.

A recent article on Yahoo Finance exploring a mystery social networking service whose stock price had suddenly exploded caught my attention. From 7/8 to 7/9 Cynk Technology had seen its Over The Counter (OTC) stock balloon from a quiet $.10 per share to a modest $14.71 per share, an increase of nearly 25000%, despite all indications that Cynk is little more than a shell organization with a nondescript website.

The privately registered website introbiz.com, to which users are redirected upon visiting cynktechnologycorp.com, had its DNS entry deleted in May of 2009 before being renewed one month later. The domain subsequently had its zone entry moved to hostingactive.com name servers in June of this year. As of this writing, the DNS entries have been moved to ns1.hostbaytwo.com and ns2.hostbaytwo.com and the web page for the domain is parked at 67.222.152.162.

Curiously, an HTTP dump of the introbiz.com site reveals a JavaScript-encoded counter set to Romanian time.

Privately registered on 7/11/2014, the name servers' root domain serves no active web content. However, the WHOIS data for hostingactive.com, a domain for which no website is available, yields the following public registrant information:

Registrant Name: Matt Smith
Registrant Organization:
Registrant Street: 1111 skyline dr
Registrant City: Johnson City
Registrant State/Province: Tennessee
Registrant Postal Code: 37604
Registrant Country: United States
Registrant Phone: 3109036747

This includes a registrant email of kc@superkc.com. The website of the email domain bills itself as a marketing and promotions consulting website while the email address itself is associated with the following domains:


Additional sites parked at 67.222.152.162 include:


The 67.222.152.162 - 67.222.152.169 IP range has been assigned to COLO4/Tierpoint's AS30496 network and is being leased by Etrinix Corp., a hosting company whose California business address resolves to a private mailing service and whose website is currently listed as "down for maintenance."

The link trail below suggests Etrinix has Pakistani roots:

http://www.thewhir.com/web-hosting-news/etrinix-launches-web-hosting-automation-application
http://www.zoominfo.com/s/#!search/profile/person?personId=900305678&targetid=profile
https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=%22inspedium.com%22

A brief timeline of the relationship between Matt Smith and Etrinix is as follows:

  • The introbiz.com domain was privately renewed in 2009 and the website is currently hosted by Etrinix.
  • The hostingactive.com domain was publicly registered by Matt Smith in 2013 with no hosted page.
  • The cynktechnologycorp.com domain was privately registered in 2014 and the website is currently hosted by Etrinix.
  • The introbiz.com DNS records were moved to Matt Smith's ns1/ns2.hostingactive.com name servers in 2014. Those name servers are currently on the Etrinix network.

Revisiting the sites registered by Matt Smith, specifically karaplacecharity.com: a dump of ns1.rdserver1.com, the primary name server for its NS records (whose root domain also ties back to Smith), reveals additional charity-based websites as well as defunct BEEZID penny-auction websites. Automated HTTP queries of a sample of those sites are listed below:
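The pivots the timeline above relies on (a shared hosting IP, name servers, a registrant email) can be treated as edges in a link graph. The following added example, not code from the original post, does that over records constructed from the post's facts and also shows why a privacy-proxy registrant must be excluded as a pivot. The flat record layout, the NOISE set, the stand-in proxy registrant on introbiz.com and the unrelated.invalid control domain are this example's own assumptions.

```python
from collections import deque

# Constructed from the post's facts; introbiz.com's proxy registrant is a stand-in.
RECORDS = [
    {"domain": "cynktechnologycorp.com", "ip": "67.222.152.162",
     "redirect": "introbiz.com"},
    {"domain": "introbiz.com", "ip": "67.222.152.162",
     "ns": "hostingactive.com", "registrant": "Domains By Proxy, LLC"},
    {"domain": "hostingactive.com", "registrant": "Matt Smith",
     "email": "kc@superkc.com"},
    {"domain": "karaplacecharity.com", "email": "kc@superkc.com",
     "ns": "rdserver1.com"},
    {"domain": "easy-website-creator.com", "email": "kc@superkc.com",
     "ip": "67.222.152.162"},
    # Constructed control: shares nothing but a privacy-proxy registrant.
    {"domain": "unrelated.invalid", "registrant": "Domains By Proxy, LLC",
     "ip": "203.0.113.9"},
]
# Values shared by unrelated parties (privacy proxies, CDN name servers)
# attribute nothing, so by default they are not allowed to bridge clusters.
NOISE = {"registrant:Domains By Proxy, LLC"}
DOMAIN_VALUED = ("ns", "redirect")  # these values are domains: link directly
PIVOT_KEYS = ("ip", "email", "registrant")  # become "key:value" nodes

def build_graph(records, ignore_noise=True):
    """Undirected graph linking each domain to its attributes and ns/redirect."""
    adj = {}
    def link(a, b):
        adj.setdefault(a, []).append(b)
        adj.setdefault(b, []).append(a)
    for rec in records:
        dom = rec["domain"]
        for key in DOMAIN_VALUED:
            if key in rec:
                link(dom, rec[key])
        for key in PIVOT_KEYS:
            node = f"{key}:{rec[key]}" if key in rec else None
            if node and not (ignore_noise and node in NOISE):
                link(dom, node)
    return adj

def pivot_path(adj, start, goal):
    """Shortest chain of domains and attributes from start to goal, or None."""
    prev, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:  # walk the predecessor chain back to start
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in adj.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None

def cluster(adj, seed):
    return {n for n in adj if ":" not in n and pivot_path(adj, seed, n)}  # domains only
```

Running cluster() with ignore_noise=False pulls unrelated.invalid into the Cynk cluster purely through the shared privacy proxy, which is the false link the filter exists to prevent.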

http://urlquery.net/report.php?id=1405174474176
http://urlquery.net/report.php?id=1405174184555
http://urlquery.net/report.php?id=1405174268724
http://urlquery.net/report.php?id=1405174428292
http://urlquery.net/report.php?id=1405174626880
http://urlquery.net/report.php?id=1405176580781
http://urlquery.net/report.php?id=1405176909826
http://urlquery.net/report.php?id=1405176902156

Based on a cached eBook describing the services Kara Place Charity offers, the organization's revenue structure appears to be based on a multi-level marketing model:

There’s an unlimited potential to earn. I don’t want to give too much away (that’s what the content areas are for), but I want to show you a chart of your earning potential. This is hypothetical, but it shows the power of recruiting people into your cause. Let’s say you recruit five people. If five people recruit five people that’s 25 people and if each one pays five dollars that’s 125 bucks. But what if 25 people recruit five people and all of those people recruit five people? That’s 625 people in the bottom level of your downline. When they subscribe to the content areas on our site, you and the people in your downline will earn a portion of their payments.

As of the time of this writing, the websites associated with two additional domains listed in separate SEC filings for Cynk Technology and its d/b/a Introbuzz (introbizz.com and introbuzz.com, respectively) are link farms with private registrations.

Friday, July 4, 2014

Consolidated Threats 1.2.141.81 - 98.139.211.245

IP Address Country Classification Activity Detected Spamvertised URL Drop Email Address