
Tuesday, September 9, 2008

EstDomains: A Sordid History and a Storied CEO


In this second part to an ongoing investigation into the notorious Web site host and domain name registrar EstDomains Inc., Security Fix examines the company's history, the legacy of its current chief executive, and its future prospects.

The "Est" in EstDomains is a nod to the company's origins: It was founded in Tartu, the second largest city in Estonia (although the corporation is officially registered in Delaware). The chief executive of EstDomains is 27-year-old Vladimir Tsastsin, pictured below.

Tsastsin also is named as the head of Rove Digital, a company that appears to encompass a domain auction service named Bakler.com, and a recently launched Web traffic-shaping service called Zmot.

Brian Krebs on Computer Security. The Washington Post Company.

A Superlative Scam and Spam Site Registrar

Over the past week, a number of the Internet's largest data carriers have ceased providing online connectivity to Atrivo (a.k.a. "Intercage"), an ISP that security experts say is home to a huge number of scammers and spammers. This week, I'm turning the spotlight on EstDomains Inc., Atrivo's most important customer and the single biggest reason so many experts have condemned Atrivo.

According to RegistrarStats.com, EstDomains is the 49th largest domain name registrar, with more than 270,000 domains. Security Fix is still working on cataloging all of those domains, but for the purposes of this analysis we'll examine some 10,000 Web site names that are both registered through EstDomains and using the company's various domain name servers to route traffic to them.

I chose to focus on that particular subset of 10,000 domains mainly so that EstDomains could not simply disavow knowledge of the sites' activities by claiming it serves as nothing more than a registrar for those domains.


Turns out, at least one-third of those domains (.CSV) are currently blacklisted by SURBL.org, which tracks Web site names that are advertised in junk e-mail.

Have a look at the complete list of those 10,000 names -- which I've made available at this link here (.CSV file) -- and it should quickly become evident why so many are blacklisted.



FBI Warns of Hit Man Scam Resurgence

The FBI is warning people not to be disturbed by an e-mail scam that threatens your life and orders you to pay up to avoid being the target of a hired hit man.

The FBI said its Internet Crime Complaint Center continues to receive thousands of reports concerning the hit man e-mail scheme. The FBI notes that while the content of the missive has evolved since similar hit man scams first surfaced in late 2006, the message remains the same, claiming the sender has been hired to kill the recipient.

In some cases, names, titles, addresses, and telephone numbers of government officials and business executives, and/or the victims' personal information, are used in an attempt to make the fraud appear more authentic, the FBI said.



Tuesday, August 21, 2007

Beware of Five-Star Vaporware

U.K. computer programmer Andy Brice was proud of the awards and accolades his software had won from his peers online. That is, until he noticed that pretty much everyone else's software received the same "5-star" rating and high praise from various software directories and download sites.

Curious about just how thorough the sites are at reviewing software, Brice submitted a fake program that did absolutely nothing. The place he sent the program to was a clearinghouse that distributes shareware and trialware to hundreds of other sites.

Brice even included a descriptor file stating that he was submitting a useless program, which he tauntingly named "awardmestars." To his amazement, the do-nothing program came away with top honors -- complete with official-looking seals of approval -- from at least 16 download sites.

"I should be delighted at this recognition of the quality of my software, except that the 'software' doesn't even run," Brice wrote of the experiment on his blog. "This is hardly surprising when you consider that it is just a text file with the words 'this program does nothing at all' repeated a few times and then renamed as an .exe."

Of the nearly 1,000 download sites that received a copy of "awardmestars," 218 now offer the file for download. Brice said the junk file is awaiting review at nearly 400 other sites. The good news is that some 421 download sites did see the program for what it was worth and rejected it outright.

"The truth is that many download sites are just electronic dung heaps, using fake awards, dubious [search engine optimization] and content misappropriated ... in a pathetic attempt to make a few dollars from Google Adwords," Brice said. "Hopefully these bottom-feeders will be put out of business by the continually improving search engines, leaving only the better sites."

This story got picked up late last week by news-for-nerds megasite Slashdot.org, and the discussion has some interesting perspectives from other programmers and their experiences with software awards.

While there may indeed be hundreds of legitimate download sites that don't try to pull one over on visitors, I've never strayed far beyond a handful of sites that I have come to know fairly well, such as CNet's Download.com, SourceForge.net, and Tucows.com.


Would You Like A Job With That Virus?

Cyber crooks are targeting a wave of new attacks at people searching for jobs online, security experts warn. Oddly enough, the criminals behind this scam appear to be just as interested in hiring you as they are in hijacking your PC.

Over the course of the past few weeks, virus writers have set their sights on users of job search giant Monster.com and at least one other jobs site with tainted online advertisements designed to install malicious software on the visitors' machines, according to SecureWorks, an Atlanta-based security and research firm.

SecureWorks says that since May, more than 40,000 people have had their personal information stolen -- including Social Security numbers, bank account data and job site credentials -- thanks to a Trojan horse program that was planted in several advertisements running on the jobs sites. Some of these ads required a visitor to actually click on them before the Trojan could do its dirty work, while in other cases the Trojan appeared to swing into action as soon as the page hosting the ad was served, researchers found.

SecureWorks researcher Don Jackson said the Trojan was developed using a toolkit sold in black market forums under the name "icepack." The toolkit is similar to the Mpack toolkit that surfaced earlier this year. It generates Trojans that probe for the absence of several software security updates, holes that then permit the program to deliver its viral payload. Among the many weapons in its arsenal are exploits for recently patched security vulnerabilities in Apple's QuickTime and Microsoft's Windows Media Player. It also includes exploits for multiple Web browsers, including Internet Explorer, Firefox and Opera. ...


Sunday, August 19, 2007

Would You Like A Job With That Virus?

Cyber crooks are targeting a wave of new attacks at people searching for jobs online, security experts warn. Oddly enough, the criminals behind this scam appear to be just as interested in hiring you as they are in hijacking your PC.

Over the course of the past few weeks, virus writers have set their sights on users of job search giant Monster.com and at least one other jobs site with tainted online advertisements designed to install malicious software on the visitors' machines, according to SecureWorks, an Atlanta-based security and research firm. ...
