Friday, August 28, 2009

Chinese Scams Resurface with New Branding

The Threat Prevention Team has found thousands of URLs and over 200 new domains registered to a group of Chinese scammers. The new sites are the same as the old, but with new branding and promotional products, such as "Acai Power Slim" "Pure Magnum Pro" and "Colo Cleanse Plus". This scam is perpetrated by sending spam messages advertising a "free trial" of the products. In the end, the criminals have made off with personal information, a credit card number and a recurring monthly charge.

Here is an example of an “Acai Power Slim” site. The pages are filled with bogus testimonials, citations from CBS and ABC News and clinical research. Also note the pressure to sign up for the "risk free trial."

As you dig through the site, you'll notice any meaningful way to contact the site owners has been removed. An email form is present which presumably will never be answered. All of the domains found match the previous pattern and have been registered to Chinese ownership.

DomainName :

Creation Date ..................2009-08-19
Last Update Date ...............2009-08-24

Registrant Name .................FANG JUN
Registrant Organization .........FANG JUN
Registrant Address ..............JIANGYANGBERILI13
Registrant City..................YY
Registrant Province/State .......HN
Registrant Country Code .........CN
Registrant Postal Code ..........414039
Registrant Phone Number .........+86.073051421473
Registrant Fax ..................+86.073051421473
Registrant Email

Expect to see an increase in spam associated with these domains over the next several weeks as the scammers attempt to lure people to these sites. eSoft is detecting these sites as "Phishing & Fraud."

Here is a sample list of the recently registered domains:
More information on this scam is available on Wikipedia

Wednesday, August 26, 2009

New Rash of Fraud Sites Touting Cheap Software

eSoft is researching a widespread and dangerous ring of fraudulent "OEM Software" distribution sites. These sites offer popular software from Microsoft, Adobe, and many other vendors at a greatly reduced price. Not only do they not deliver installable software, they collect sensitive information from individuals, including credit card numbers.

eSoft has identified over 11,000 of these web pages so far.

While these sites may look real, touting Microsoft and Verisign certifications, they are far from legitimate. Many of these sites come back as top results in Google and Yahoo searches. Alarmingly, many URL filters are NOT able to detect and block these sites.

Here is just one example of the many sites currently up and running. 

The company name given on many of these fraudulent sites is "OEM Downloads Inc", “Authorized Software Reseller” or “Download Software”. You can check for this at the bottom of the page where there is often a copyright notice. Throughout the sites there are tell-tale signs that this is a shady website that should not be trusted.

Straight from their FAQ..."you will not receive any printed documentation (licensing or instructions) - just files and instructions in .txt format, and will not be able to register this software online." This was the company's explanation for the low prices they are able to offer. If you are not able to register the product, it is not a real copy or you won’t be getting it in the first place.

Another sign is that they are offering Adobe Creative Suite software on the site. Adobe does not distribute or allow OEM distribution of their software. In fact, OEM software is rarely sold outside of a hardware bundle, like a new computer system.

Unsurprisingly, the whois information shows Russian ownership for most of these domains. For example:



   Registrar: ONLINENIC, INC.
   Whois Server:
   Referral URL:
   Name Server: NS1.ENCATGPC.COM
   Name Server: NS2.ENCATGPC.COM
   Status: ok
   Updated Date: 20-jul-2009
   Creation Date: 06-jan-2009
   Expiration Date: 06-jan-2010

         Valery Rigalo +7.4999384712
         Novomariinskaya str., 11/1, apt. 38
         Moscow,N/A,RU 193901

Record last updated at 2009-01-06 12:08:08
Record created on 2009/1/6
Record expired on 2010/1/6

Domain servers in listed order:


The Threat Prevention Team has also noticed many compromised sites including some government and educational sites, are linking back to these domains. This further substantiates the criminal intentions of these fraudsters. eSoft is flagging these URLs as “Phishing & Fraud.”

Friday, August 21, 2009

Mass Compromise of Sites with Webalizer

The eSoft Threat Prevention Team has been tracking a rapidly growing pattern in website exploits over the last 24 hours. Since Thursday, Aug 20 eSoft has seen over 6,000 compromised URLs of the pattern:

And the numbers are growing at a rate of several hundred per hour. A google search for inurl:050609wareza shows around 30,000 such compromised sites.

The compromised sites typically have nonsense text and a series of pictures of pills with links to more compromised sites and dangerous scripts that trigger well known exploits including the recent exploit of the ActiveX streaming video control, discussed in this eSoft security bulletin:

In some cases, such as when eSoft researchers tried navigating to a compromised site using Firefox on Windows, a redirection to files express occurs:

In testing, when the exploit is successful, it seems to be an information stealing Trojan, though the payload has varied. As the payloads seem to have weak coverage by AV companies and seem to be changing frequently, blocking the offending websites is the best solution for preventing infection.

eSoft’s threat prevention team notes that around 1/3 of the compromised sites include a webalizer directory, which may indicate a correlation with a recently published webalizer exploit. This exploit allows an attacker to execute arbitrary code, often with elevated privileges. More information on this exploit can be located below. It is recommended that administrators configure webalizer to not do reverse DNS lookups until a patch is released.

eSoft will continue to cover this threat and continue to protect customers from these websites by flagging them as Compromised. At the start of research, Google had very few of these sites flagged as malicious, but it seems that increasing numbers are being identified by their cloud security as well. Other security engines tested including Web of Trust, Norman, and Mcafee SiteAdvisor have very poor detection of these sites at this time.