Wednesday, August 26, 2009

New Rash of Fraud Sites Touting Cheap Software

eSoft is researching a widespread and dangerous ring of fraudulent "OEM Software" distribution sites. These sites offer popular software from Microsoft, Adobe, and many other vendors at a greatly reduced price. Not only do they not deliver installable software, they collect sensitive information from individuals, including credit card numbers.

eSoft has identified over 11,000 of these web pages so far.

While these sites may look real, touting Microsoft and Verisign certifications, they are far from legitimate. Many of these sites come back as top results in Google and Yahoo searches. Alarmingly, many URL filters are NOT able to detect and block these sites.

Here is just one example of the many sites currently up and running. 

The company name given on many of these fraudulent sites is "OEM Downloads Inc", “Authorized Software Reseller” or “Download Software”. You can check for this at the bottom of the page where there is often a copyright notice. Throughout the sites there are tell-tale signs that this is a shady website that should not be trusted.

Straight from their FAQ: "you will not receive any printed documentation (licensing or instructions) - just files and instructions in .txt format, and will not be able to register this software online." This was the company's explanation for the low prices they are able to offer. If you cannot register the product, either it is not a real copy or you won’t be getting it in the first place.

Another sign is that they are offering Adobe Creative Suite software on the site. Adobe does not distribute or allow OEM distribution of their software. In fact, OEM software is rarely sold outside of a hardware bundle, like a new computer system.
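The tell-tale signs described above can be checked mechanically when triaging a suspect page. The following is an added example, not eSoft's code or detection logic: the indicator labels, the 80 and 120 character windows and both sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Indicators taken from the post's description of these sites.
FOOTER_NAMES = ("oem downloads inc", "authorized software reseller", "download software")
COPYRIGHT_RE = re.compile(r"(?:©|\(c\)|copyright)(.{0,120})")
FAQ_RE = re.compile(r"not be able to register this software online")
ADOBE_OEM_RE = re.compile(r"\boem\b.{0,80}adobe creative suite|adobe creative suite.{0,80}\boem\b")

class _Text(HTMLParser):
    """Collects visible text, skipping <script> and <style> bodies."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.skip:
            self.skip -= 1
    def handle_data(self, data):
        if not self.skip:
            self.parts.append(data)

def visible_text(html):
    parser = _Text()
    parser.feed(html)
    parser.close()
    # Lowercase and collapse whitespace so inline tags cannot split a phrase.
    return re.sub(r"\s+", " ", " ".join(parser.parts).lower())

def fraud_indicators(html):
    """Return the names of the post's tell-tale signs found in one page."""
    text, hits = visible_text(html), set()
    # Company names only count when they appear inside a copyright notice.
    if any(n in m.group(1) for m in COPYRIGHT_RE.finditer(text) for n in FOOTER_NAMES):
        hits.add("footer_company")
    if FAQ_RE.search(text):
        hits.add("faq_no_registration")
    if ADOBE_OEM_RE.search(text):
        hits.add("adobe_oem")
    return hits

# Constructed sample pages (not captured from any real site).
FRAUD = ("<html><body><h1>OEM software: Adobe Creative Suite 4, 90% off</h1>"
         "<script>var x = 'copyright';</script><p>FAQ: you will not receive any printed "
         "documentation and will <b>not be able</b> to register this software online.</p>"
         "<div>Copyright &copy; 2009 OEM Downloads Inc</div></body></html>")
BENIGN = ("<html><body><p>Download software updates for Adobe Creative Suite "
          "from the vendor.</p><div>&copy; 2009 Example Corp</div></body></html>")
print(sorted(fraud_indicators(FRAUD)), sorted(fraud_indicators(BENIGN)))
```

A generic phrase such as "Download Software" is matched only inside a copyright notice, which keeps ordinary download pages like the benign sample from being flagged.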

Unsurprisingly, the whois information shows Russian ownership for most of these domains. For example:



   Registrar: ONLINENIC, INC.
   Whois Server:
   Referral URL:
   Name Server: NS1.ENCATGPC.COM
   Name Server: NS2.ENCATGPC.COM
   Status: ok
   Updated Date: 20-jul-2009
   Creation Date: 06-jan-2009
   Expiration Date: 06-jan-2010

         Valery Rigalo +7.4999384712
         Novomariinskaya str., 11/1, apt. 38
         Moscow,N/A,RU 193901

Record last updated at 2009-01-06 12:08:08
Record created on 2009/1/6
Record expired on 2010/1/6

Domain servers in listed order:


The Threat Prevention Team has also noticed that many compromised sites, including some government and educational sites, are linking back to these domains. This further substantiates the criminal intentions of these fraudsters. eSoft is flagging these URLs as “Phishing & Fraud.”

1 comment:

even steven said...

Good information--yes, I noticed that Russians were behind a lot of these sites. Buyers beware of Russians and Eastern Europeans as well as Asia sites. Another tell-tale sign of this fraud is the poor use of the English language. They often make simple grammatical errors.