Eva Pharmacy campaign

This is transferred to the new board at http://fraudreports.prophpbb.com
Spammers should not profit, so post information here that hits their pockets.

Re: Eva Pharmacy campaign

Post by Red Dwarf » Wed Jun 21, 2017 9:01 pm

Today's most popular hosting addresses for name servers

Abuse addresses for those IPs
 125.212.224.130 soc@viettel.com.vn
 103.249.86.214 abuse@invision7.com
 46.166.129.166 abuse@nforce.com
 185.120.77.254 admin@gohost.kz
 103.221.220.169 hoanglong@azdigi.com thachpham@azdigi.com
 218.2.22.96 abuse@jsinfo.net
 103.53.231.3 phuly@aohoaviet.com
 185.65.206.111 mtalaat@citynethost.com
 180.235.148.209 ndr@ardhglobal.com
 42.112.27.111 haitt3@fpt.com.vn
 103.224.243.10 abuse@webwerks.com


Format of an abuse notification:
[quote]
Please read this information carefully. It concerns a security breach on your computer.

On your IP address at 118.193.240.40 there is a trojan proxy name server installed, that is being used by a pharmacy spamming gang to provide access to illegal web sites.

You can prove it with these links
https://who.is/whois/safemedsvalue.ru
nserver:       ns1.safemedsvalue.ru . 84.200.211.128
nserver:       ns2.safemedsvalue.ru . 118.193.240.40

https://who.is/whois/yourpillstore.ru
nserver:       ns1.yourpillstore.ru . 84.200.211.128
nserver:       ns2.yourpillstore.ru . 118.193.240.40


For more information, see http://fraud-reports.wikia.com/wiki/Hijacked_host
and http://ksforum.inboxrevenge.com/viewtopic.php?f=1&t=4949&p=189675#p189675

If you are not the administrator for this machine, please forward on these instructions.

Please respond with your findings.

Thank you from
The Pharmacy Alert Security Team
[/quote]

Here are 3 sample name servers for the top 6
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10542
Joined: Tue Jun 27, 2006 2:01 am

Re: Eva Pharmacy campaign

Post by Red Dwarf » Sat Jun 24, 2017 1:58 am

Most frequently used name server addresses and reporting address for abuse

125.212.224.130
soc@viettel.com.vn tiennd@viettel.com.vn

140.115.80.23
tanetadm@moe.edu.tw

103.221.220.169
hoanglong@azdigi.com thachpham@azdigi.com

185.120.77.254
admin@gohost.kz

46.166.129.166
abuse@nforce.com

109.73.164.172
abuse@dimenoc.com

93.95.228.34
abuse@1984.is

103.227.255.92
abuse@rajasa.co.id lukman@rajasa.co.id

103.65.236.87
abuse@ptbsti.com

103.214.144.56
network-abuse@adcdata.com

218.2.22.96
anti-spam@ns.chinanet.cn.net abuse@jsinfo.net

103.53.231.3
phuly@aohoaviet.com

Re: Eva Pharmacy campaign

Post by Red Dwarf » Fri Jun 30, 2017 4:59 pm

As of July 1 2017, the registrars with the most domains supporting the Eva Pharmacy cyber-crime are in the list below.
The first figure is the number of domains suspended, the second is the number reported, and the third is the number still alive.

Registrar       Suspended  Reported  Alive
R01.RU               1861      2622    761
BIZCN                  12        31     19
ARDIS-SU               72        84     12
REGTIME                73        75      2
GKG                     0         2      2
ADVANCED I T            0         2      2
TUCOWS                  8         9      1
PDR                   173       173      0
Key-Systems           159       159      0


As of July 24 2017
Registrar       Suspended  Reported  Alive
R01                    50       464    414
Key-Systems            24       117     93
PDR                    27        96     69
BIZCN                  10        35     25
TUCOWS                  2        15     13
ARDIS                   1        11     10
GKG                     0         2      2
ADVANCED I T            0         2      2