Fake Antispyware Purveyor Doubles as Domain Registrar

A cyber gang known for aggressively spreading fake anti-spyware programs through hijacked and malicious Web sites has become an authorized reseller of domain names. Security Fix has learned that this gang is using its reseller access to ease the process of creating new Web sites used to push its invasive software.

[Screenshot: klikhome.jpg]

Klikdomains.com, also known as Vivids Media GMBH, sells Web site names in the .com, .net, .org, .info, .biz, .name, .us, and .in top level domains. Klikdomains is part of Klikvip.com, which has for at least the last three years hired affiliates to trick people into installing its fake antivirus and anti-spyware products.

[Screenshot: klikreg.jpg]

Experts say Klikdomains is yet another example of what happens when major Internet domain name registrars fail to police the activities of domain resellers. Klik is a reseller of domain registration services offered by India-based registrar Directi Internet Solutions. Last week, Security Fix examined the vast number of scam domains registered by EstDomains, another Directi reseller.

Patrick Jordan, a researcher at Sunbelt Software who has long tracked the group's activities, said Klik's fake anti-spyware programs come disguised as video "codecs," which some porn and YouTube look-alike sites claim users need to install in order to view video content. In reality, the codecs hijack search engine traffic and serve fake alerts about bogus security threats in order to convince the victim to purchase some worthless security software.

Some of the more recognizable fake security products pushed by the Klik gang are Razespyware, SpySheriff, Spywareno, and Spytrooper.

Directi president Bhavin Turakhia said his company has disabled its registrant-anonymizing privacyprotect.org service for all Web site names registered through Klikdomains.com, which he said has sold roughly 100,000 Web site names through Directi during the past couple of years. Nearly half of those have been suspended due to abuse complaints, Turakhia said. More than 21,000 sites were suspended in the past 48 hours alone. Directi currently is investigating most of the remaining 50,000 domains registered through Klikdomains.com, Turakhia added.

Chris Barton, lead research scientist with McAfee Avert Labs, said the situation demonstrates the need for more aggressive monitoring of resellers by domain registrars.

"I think the situation this week says a lot about both companies. Culling over 20,000 domains in a couple of days proves there is something that can be done, despite a few claims to the contrary; however, still doing new business with registrars or resellers that are infested with bogus sites speaks volumes too," Barton said. "I know there are legal issues involved, but they need to be balanced against the risks all-round and combined with process improvements."

Spend any amount of time perusing the entries at various computer self-help forums and you will quickly notice a massive number of people seeking help in removing these fake security software programs. While the purveyors of this software are extremely good at increasing the page rank of their scam sites through search engine optimization or sending links to the sites via blog spam, most of the traffic to these fake security sites occurs when a victim's machine is already infected.

[Screenshot: competeav.jpg]

Consider the Web site statistics gathered daily by Quantcast, which ranks Web sites in order of their popularity. In Quantcast's latest listing of the Web's top one million Web sites, yourfavoritetube.com, a Klik-registered domain that installs one of the aforementioned nasty codecs, ranked 7,095th, with more than 560,000 visits at its peak in mid-August.

antivirus2008scanner.com -- a fake security software site registered at Estdomains.com in July and only shuttered this week -- was ranked 2,051st, attracting more eyeballs than sites like eBay Australia and eBay Germany, torrentportal.com, discover.com and visa.com, according to Quantcast. To put that in better perspective, traffic comparison site Compete.com tracked about 1.1 million visitors to the site in the middle of August (see screen shot above).

Antivirus2009-freeverscan.com, one of dozens of fake security products registered by mynick.name -- yet another Directi domain reseller -- ranked 2,317th, ahead of sites like dhl.com, informationweek.com, and fulltiltpoker.com. EstDomains-registered Power-antivirus-2009.com received more traffic than chrysler.com, pontiac.com or salesforce.com before it was deactivated recently.

By Brian Krebs  |  September 11, 2008; 11:52 AM ET
Categories:  From the Bunker , Latest Warnings , Web Fraud 2.0  

Comments

"More than 21,000 sites were suspended in the past 48 hours alone."

And even more need to be suspended...
Registrar: Directi Internet Solutions

fantasticdollars.com
getyouneed.com
golnanosat.com
safe-security-advisour.com
virusburst.com
xpenprotect.com
xpsecuritycenter.com
vipasotka.com

Posted by: vert | September 11, 2008 12:51 PM | Report abuse

Thanks Brian; as always, informative. This new series is a welcome spotlight on these net-wrecking schemes and you're doing a great job.

Just wish you'd start using the term "search engine gaming" instead of "search engine optimization" to further focus this issue.

Posted by: relayer | September 11, 2008 3:40 PM | Report abuse

Clicking on the Vivids Media GMBH link (above) leads to a purported Microsoft page with a non-Microsoft address in the address bar. Plainly a sham. What, if any, is the significance?

Posted by: kfritz | September 11, 2008 4:30 PM | Report abuse

Search google for KLIK gang
http://www.google.com/search?hl=en&q=%22KLIK+gang%22

http://www.haloscan.com/comments/alexeck/194940738777982252/
http://www.castlecops.com/t193669-New_codec_pusher_nmextensions_etc_fake_porn_malware.html

Maksim Samov
KLIK Media GmbH
Grosse Leege Str. 41
13055, Berlin, DE
+49.3094413291

Maxim Korolevich
MK Digital Media
4185 S. Paradise Rd. #3049
Las Vegas, NV 89109 US

These guys are cyber EVIL!

Posted by: Anonymous | September 11, 2008 4:38 PM | Report abuse

Kfritz-- That link was redirecting. I have fixed it now. It should go to the correct placeholder page at Directi (at least until Directi cancels it).

Posted by: Bk | September 11, 2008 5:56 PM | Report abuse

ПИДОРАСТЫ [Russian; a homophobic slur, roughly "FAGGOTS"]

Posted by: bljat | September 11, 2008 6:41 PM | Report abuse

Here is his real location:

Maxim Korolevich
email: timurmail@hotmail.kz
Aviatornaja St. 3-12a
Minsk, 220039
BY
375 172 2578841

Thank you,

James McQuaid

Posted by: James McQuaid | September 11, 2008 7:15 PM | Report abuse

A big thank you to BK and others for shining spotlights on these cyber vandals, thugs and thieves. With utmost respect to the security industry, the problem can not be addressed behind closed doors. Cybercriminal gangs have flourished like mushrooms in the dark. Sharing information and public exposure is rightfully needed to shut these criminal activities down.

Since Mr. McQuaid knows of the Belarus location, I am hoping the spammy affiliate pharma programs created via Belarus by an organization claiming to be US-based by using (surprise) an Oregon mail dropbox will be similarly exposed--my research indicates they have not stopped at pharma scams but have attacked one of the more vulnerable areas of the US economy in continuing identity theft and fraud operations.

Posted by: Anonymous | September 11, 2008 9:31 PM | Report abuse

Another great write up. Brian, thank you for your work on exposing these criminals for what they are.

Posted by: suzi | September 12, 2008 1:50 AM | Report abuse

Hi


Bye

Posted by: ereveasty | September 12, 2008 3:00 AM | Report abuse

Another great article, thank you Brian. I hope it will help debating good ways to fight fraudulent domain resellers.

Posted by: Cedric Pernet | September 12, 2008 4:41 AM | Report abuse

bljat basically insulted you. And a pretty
lame attempt at that:

ПИДОРАСТЫ:

http://en.wikipedia.org/wiki/Pederasty

- ferg

Posted by: Fergie | September 12, 2008 6:34 AM | Report abuse

Hi


G'night

Posted by: ereveasty | September 12, 2008 6:42 AM | Report abuse

Klik also owns triple.com ICANN accredited registrar.

They have a webmaster board at klikforum.com. The domain is offline now, I guess...

Posted by: AJ | September 12, 2008 6:43 AM | Report abuse

Nope AJ ;)
klikforum.com is working OK, but only for Russia and similar countries.

Posted by: TJ | September 12, 2008 8:02 AM | Report abuse

Hi


Bye

Posted by: ereveasty | September 12, 2008 9:12 AM | Report abuse

Vivids == Klik ~ Triple

Posted by: Dave | September 12, 2008 10:19 AM | Report abuse

@AJ, Dave: What is your source for saying Klik owns Triple.com? Is it the Klik forum, or somewhere else as well?

Posted by: Bk | September 12, 2008 10:50 AM | Report abuse

Better post articles about the pro-US government in Georgia killing children in Ossetia.

Posted by: Johan Smidt | September 12, 2008 10:58 AM | Report abuse

Indeed, Klik/MK/Impro/ICommerce/Nelroy also operated various CWS-era spyware themselves, installed through 'aggressive' ActiveX downloaders and exploits from other CWS groups.

Possibly not the best guys to buy anti-spyware software from...

Incidentally, whilst RazeSpyware was operated directly by Klik and Painter, the other titles mentioned above are products of Innovagest, another Russian-malware-complex group which is one of the two biggest rogue-AV vendors. (The other being Innovative Marketing.)

Posted by: bobince | September 12, 2008 11:12 AM | Report abuse

Brian, ever felt like John the Baptist crying in the wilderness? Hopefully, someday, someone who can actually do something about eliminating these scam artists will listen. Thanks for all you do.

Posted by: Pete from Arlington | September 12, 2008 11:33 AM | Report abuse

Please remove the following hi-jack sites.

antispyexpert.com

zoombli.com

These are also fake program sites.

Mahalo Nui Loa,

Keep up the good work !

Posted by: Henry in Hawaii | September 12, 2008 12:54 PM | Report abuse

Hello


Bye

Posted by: ereveasty | September 12, 2008 5:01 PM | Report abuse

[Russian:] YANKEE FUCKERS, STOP EXPOSING OUR FUCKING AWESOME REGISTRANTS... :)

Posted by: piska | September 12, 2008 5:12 PM | Report abuse

[Russian:] Fuuuck... DE got busted =))

Posted by: hyu | September 12, 2008 6:30 PM | Report abuse

Better post articles about the pro-US government in Georgia killing children in Ossetia.

Posted by: Johan Smidt | September 12, 2008 10:58 AM

===============

As tempting as it is to contemplate, I don't think that simply killing Russians is a cost effective way to fight spam.

Posted by: Robert | September 13, 2008 5:24 AM | Report abuse

[Russian:] Good that they've started squashing this "business, Russian-style"; they're shitty thieves!

Posted by: Ненавижу русских | September 13, 2008 11:06 AM | Report abuse

[Russian:] What, what? Whoa, no shit! Stay lively, lads, stay lively!

Posted by: Сява | September 13, 2008 11:18 AM | Report abuse

[Russian:] Damn, no matter how hard you try, we'll keep scamming you out of your money. The further it goes, the more! And all because you are SUCKERS! And no articles will help. Being a sucker is fate; a sucker is a sucker even in Africa. Hi, Americans!

Posted by: Cube | September 13, 2008 11:23 AM | Report abuse

I had that Antivirus 2008 Scanner on one of my client's computers and had to reformat the hard drive. Thanks for the info.

Posted by: Egghead | September 13, 2008 11:49 AM | Report abuse

[Russian:] Read it. Laughed my ass off )

Posted by: краб | September 13, 2008 12:14 PM | Report abuse

The "hi".."bye" comments are a waste of space, but distasteful only in that they may inspire copycats, adding extra work for everyone.
Given the lack of language training in US schools, I'd prefer to have comments written in foreign languages posted only if they include a translation. I admit my inadequate knowledge of Russian.

Posted by: Michelle Matel | September 13, 2008 12:24 PM | Report abuse

Maksim Samov is an executive and owner of an Internet partnership program that sells movies via the Internet without a license. This partnership program is known under the following names: kinovip.com and ZML.com

Posted by: magma | September 13, 2008 2:52 PM | Report abuse

[Transliterated Russian:] Russkies, suck dick, freaks!

Posted by: Jamie | September 13, 2008 3:14 PM | Report abuse

more klik gang projects:
zml.com (illegal DVD sale)
uploading.com (file hosting)
vipsoftcash.com (fake xp antivirus software sale)

& check out this article too
http://sunbeltblog.blogspot.com/2008/03/more-excess-by-klik-revenue.html

Posted by: Anonymous | September 13, 2008 5:26 PM | Report abuse

They need to 'take care of' this one too:

Results returned from whois.publicdomainregistry.com:

Registration Service Provided By: VIVIDS MEDIA GMBH
Contact: +49.3094413291

Domain Name: POWERANTIVIRUS.NET

Registrant:
Sawert Alliance ltd.
Peltonen Martti (seodancer@gmail.com)
Jeledoroznaya str. 14
Volovoso
Leningradskaya oblast,188410
RU
Tel. +7.9218901266

Creation Date: 01-Sep-2008
Expiration Date: 01-Sep-2009

IP address: 91.208.0.233
Host name: powerantivirus.net
91.208.0.233 is from Russian Federation(RU) in region Eastern Europe


DNS servers
ns2.powerantivirus.net [91.208.0.233]
ns1.powerantivirus.net [91.208.0.233]

Posted by: Trish | September 13, 2008 5:27 PM | Report abuse
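The WHOIS dump pasted in the comment above carries several of the indicators a practitioner would look for when triaging a suspect rogue-AV domain: the reseller of record, a freshly created domain, a free-mail registrant address, and nameservers that are hosted under the domain itself on the very same IP as the web host. The script below is an added example, not code from the article, from Directi or from any commenter. It parses that record (reproduced here as a constructed sample) and scores the indicators. The reseller watch-list, the 30-day "fresh registration" threshold, the free-mail domain list and the equal weighting of every indicator are assumptions chosen for illustration; a real pipeline would pull WHOIS and DNS live instead of from an embedded string.

```python
"""Triage a WHOIS/DNS dump for rogue-AV style registration indicators.

Added example; not from the original article or from any commenter.
Watch-list, thresholds and weights are illustrative assumptions.
"""
import re
from datetime import date, datetime

# Constructed sample, modelled on the WHOIS output pasted in the comment above.
SAMPLE_RECORD = """\
Results returned from whois.publicdomainregistry.com:

Registration Service Provided By: VIVIDS MEDIA GMBH
Contact: +49.3094413291

Domain Name: POWERANTIVIRUS.NET

Registrant:
Sawert Alliance ltd.
Peltonen Martti (seodancer@gmail.com)
Jeledoroznaya str. 14
Volovoso
Leningradskaya oblast,188410
RU
Tel. +7.9218901266

Creation Date: 01-Sep-2008
Expiration Date: 01-Sep-2009

IP address: 91.208.0.233
Host name: powerantivirus.net
91.208.0.233 is from Russian Federation(RU) in region Eastern Europe

DNS servers
ns2.powerantivirus.net [91.208.0.233]
ns1.powerantivirus.net [91.208.0.233]
"""

# Assumed watch-list; the single entry is the reseller named on this page.
RESELLER_WATCHLIST = {"vivids media gmbh"}
NEW_DOMAIN_DAYS = 30                                  # assumption
FREEMAIL_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com"}  # assumption

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def parse_record(text):
    """Extract the fields the triage needs from a free-form WHOIS/DNS dump."""
    rec = {"nameservers": []}
    m = re.search(r"^Registration Service Provided By:\s*(.+)$", text, re.M)
    rec["reseller"] = m.group(1).strip() if m else None
    m = re.search(r"^Domain Name:\s*(\S+)", text, re.M)
    rec["domain"] = m.group(1).lower() if m else None
    # Registrant e-mail appears in parentheses after the contact name.
    m = re.search(r"\(([^()@\s]+@[^()\s]+)\)", text)
    rec["registrant_email"] = m.group(1).lower() if m else None
    m = re.search(r"^Creation Date:\s*(\d{2}-[A-Za-z]{3}-\d{4})", text, re.M)
    rec["created"] = datetime.strptime(m.group(1), "%d-%b-%Y").date() if m else None
    m = re.search(r"^IP address:\s*" + IPV4, text, re.M)
    rec["host_ip"] = m.group(1) if m else None
    # Nameserver lines look like: "ns1.example.net [1.2.3.4]".
    for ns, ip in re.findall(r"^(\S+)\s+\[" + IPV4 + r"\]\s*$", text, re.M):
        rec["nameservers"].append((ns.lower(), ip))
    return rec


def triage(rec, today):
    """Return (score, reasons); one point per indicator that fires (assumed weights)."""
    reasons = []
    if rec["reseller"] and rec["reseller"].lower() in RESELLER_WATCHLIST:
        reasons.append("reseller on watch-list: " + rec["reseller"])
    if rec["created"] is not None:
        age = (today - rec["created"]).days
        if age < NEW_DOMAIN_DAYS:
            reasons.append("registered only %d days ago" % age)
    ns_ips = {ip for _, ip in rec["nameservers"]}
    if rec["nameservers"] and ns_ips == {rec["host_ip"]}:
        reasons.append("all nameservers and the web host share one IP: " + rec["host_ip"])
    if rec["domain"] and rec["nameservers"] and all(
            ns.endswith("." + rec["domain"]) for ns, _ in rec["nameservers"]):
        reasons.append("nameservers are self-hosted under the domain itself")
    email = rec["registrant_email"]
    if email and email.split("@", 1)[1] in FREEMAIL_DOMAINS:
        reasons.append("registrant uses a free-mail address: " + email)
    return len(reasons), reasons


def triage_sample(as_of="2008-09-13"):
    """Run the triage over the embedded sample as of the given ISO date."""
    rec = parse_record(SAMPLE_RECORD)
    return triage(rec, date.fromisoformat(as_of))


if __name__ == "__main__":
    score, reasons = triage_sample()
    print("score %d" % score)
    for r in reasons:
        print(" - " + r)
```

Run as of the date the comment was posted, all five indicators fire for the sample; run the same record three months later, the "fresh registration" indicator drops off while the structural ones (watch-listed reseller, self-hosted nameservers on the web host's own IP, free-mail registrant) remain, which is why the age check should be weighed alongside the others rather than used on its own.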

[Russian:] BMW is crap.
Have a nice day :)

Posted by: Вася | September 14, 2008 3:20 PM | Report abuse

another klik project: http://www.vippirog.com/

Posted by: donald | September 14, 2008 5:31 PM | Report abuse

[Russian:] The Washington Post is total bullshit )

Posted by: Вася Мася | September 14, 2008 9:03 PM | Report abuse

6lw.info
hartnetwork.org
hujashka.com
kukutrustnet888.info
kukutrustnet999.info
microupdate14.info
newhardwork.com
offsitehost.com
snow-job.com

Posted by: Directi Presents... | September 15, 2008 11:02 AM | Report abuse

Posted by: AntiAbuse | September 15, 2008 2:14 PM | Report abuse

To "Henry in Hawaii | September 12, 2008 12:54 PM"

Zoombli.com is not a fake site nor is it hi-jacked. It should not be removed. Thanks.

Posted by: Matt | September 15, 2008 5:05 PM | Report abuse

umaxforum.com is the biggest badware source in the world; thank you for eliminating harmless competitors!! This is the RBN network!

Posted by: Anonymous | September 15, 2008 5:51 PM | Report abuse

@Matt | September 15, 2008 5:05 PM

zoombli.com IS a bad website as it is peddling KNOWN ROGUES!

Posted by: MysteryFCM | September 15, 2008 7:30 PM | Report abuse

The following was taken from:
http://www.klikforum.com/viewtopic.php?p=96443

Automatically translated to English and presented here, for the sake of easiness:
"In light of recent events, I offer my services to register and maintain abuse-resistant domains, with a guarantee, in the following zones: com / net / biz / info

Domains are guaranteed to hold up against:
-- all types and volumes of web spam (abuse reports from URIBL and the like, including the notorious malwaredomainlist.com)
-- codecs and any other low-security software
-- content (doorway pages, etc.), apart from the content indicated below"

Does anyone need to read anything more than the above regarding these web criminals?
Oh ICANN,where art thou?

Posted by: sowhat-x | September 15, 2008 10:28 PM | Report abuse

romero.ru

This is a blog about black hat SEO, fake antispyware and violations of the visa regime.

Thank you!

Posted by: Jamie | September 16, 2008 3:16 AM | Report abuse

[Russian:] Total morons...

Posted by: Piter Ragnarson | September 16, 2008 5:58 AM | Report abuse

[Russian:] What, you damned thieves, cornered from all sides?!

Posted by: antirussia | September 16, 2008 8:17 AM | Report abuse

Boyancheg [transliterated Russian net slang, roughly: "old news"]

Posted by: Alex | September 16, 2008 8:26 AM | Report abuse

livejournal.com is also KLIK project
shut that spam down

Posted by: JohnMalkovich | September 16, 2008 9:00 AM | Report abuse

http://www.epese.com is Klik project too

Posted by: dreamer | September 16, 2008 10:10 AM | Report abuse

Lie.
This is American black competition.
Americans are trying to destroy western-European e-commerce.
Now we can see the true face of American democracy.

Posted by: Yes | September 16, 2008 4:05 PM | Report abuse

@Yes | September 16, 2008 4:05 PM

You really do like to talk bo**ocks, don't you? This has nothing to do with Americans destroying anything, and everything to do with the good guys taking the bad guys down .... the way things should be!

Posted by: MysteryFCM | September 16, 2008 8:12 PM | Report abuse

I know the owners of the Klik projects. The majority of their projects are absolutely legal. What is written above is a provocation.

Posted by: bark | September 18, 2008 6:35 AM | Report abuse

ebay.com (and now PayPal also) is also a project of Russian cheaters. The owner is the Russian mafia.

Posted by: anonystus | September 18, 2008 9:06 AM | Report abuse

The comments to this entry are closed.


© 2010 The Washington Post Company