Fake Antispyware Purveyor Doubles as Domain Registrar
A cyber gang known for aggressively spreading fake anti-spyware programs through hijacked and malicious Web sites has become an authorized reseller of domain names. Security Fix has learned that this gang is using its reseller access to ease the process of creating new Web sites used to push its invasive software.
Klikdomains.com, also known as Vivids Media GMBH, sells Web site names in the .com, .net, .org, .info, .biz, .name, .us, and .in top level domains. Klikdomains is part of Klikvip.com, which has for at least the last three years hired affiliates to trick people into installing its fake antivirus and anti-spyware products.
Experts say Klikdomains is yet another example of what happens when major Internet domain name registrars fail to police the activities of domain resellers. Klik is a reseller of domain registration services offered by India-based registrar Directi Internet Solutions. Last week, Security Fix examined the vast number of scam domains registered by EstDomains, another Directi reseller.
Patrick Jordan, a researcher at Sunbelt Software who has long tracked the group's activities, said Klik's fake anti-spyware programs come disguised as video "codecs," which some porn and YouTube look-alike sites claim users need to install in order to view video content. In reality, the codecs hijack search engine traffic and serve fake alerts about bogus security threats in order to convince the victim to purchase worthless security software.
Some of the more recognizable fake security products pushed by the Klik gang are Razespyware, SpySheriff, Spywareno, and Spytrooper.
Directi president Bhavin Turakhia said his company has disabled its registrant-anonymizing privacyprotect.org service for all Web site names registered through Klikdomains.com, which he said has sold roughly 100,000 Web site names through Directi during the past couple of years. Nearly half of those have been suspended due to abuse complaints, Turakhia said. More than 21,000 sites were suspended in the past 48 hours alone. Directi currently is investigating most of the remaining 50,000 domains registered through Klikdomains.com, Turakhia added.
Chris Barton, lead research scientist with McAfee Avert Labs, said the situation demonstrates the need for more aggressive monitoring of resellers by domain registrars.
"I think the situation this week says a lot about both companies. Culling over 20,000 domains in a couple of days proves there is something that can be done, despite a few claims to the contrary; however, still doing new business with registrars or resellers that are infested with bogus sites speaks volumes too," Barton said. "I know there are legal issues involved, but they need to be balanced against the risks all-round and combined with process improvements."
Spend any amount of time perusing the entries at various computer self-help forums and you will quickly notice a massive number of people seeking help in removing these fake security software programs. While the purveyors of this software are extremely good at increasing the page rank of their scam sites through search engine optimization or sending links to the sites via blog spam, most of the traffic to these fake security sites occurs when a victim's machine is already infected.
Consider the Web site statistics gathered daily by Quantcast, which ranks Web sites in order of their popularity. In Quantcast's latest listing of the Web's top one million Web sites, yourfavoritetube.com, a Klik-registered domain that installs one of the aforementioned nasty codecs, ranked 7,095th, with more than 560,000 visits at its peak in mid-August.
antivirus2008scanner.com -- a fake security software site registered at Estdomains.com in July and only shuttered this week -- was ranked 2,051, attracting more eyeballs than sites like Ebay Australia and eBay Germany, torrentportal.com, discover.com and visa.com, according to Quantcast. To put that in better perspective, traffic comparison site Compete.com tracked about 1.1 million visitors to the site in the middle of August (see screen shot above).
Antivirus2009-freeverscan.com, one of dozens of fake security products registered by mynick.name -- yet another Directi domain reseller -- measured 2,317th, ahead of sites like dhl.com, informationweek.com, and fulltiltpoker.com. EstDomains-registered Power-antivirus-2009.com received more traffic than chrysler.com, pontiac.com or salesforce.com before it was deactivated recently.
By Brian Krebs | September 11, 2008; 11:52 AM ET
Categories: From the Bunker, Latest Warnings, Web Fraud 2.0
Posted by: vert | September 11, 2008 12:51 PM | Report abuse
Thanks Brian; as always, informative. This new series is a welcome spotlight on these net-wrecking schemes and you're doing a great job.
Just wish you'd start using the term "search engine gaming" instead of "search engine optimization" to further focus this issue.
Posted by: relayer | September 11, 2008 3:40 PM | Report abuse
Clicking on the Vivids Media GMBH link (above) leads to a purported Microsoft page with a non-Microsoft address in the address bar. Plainly a sham. What, if any, is the significance?
Posted by: kfritz | September 11, 2008 4:30 PM | Report abuse
Search Google for "KLIK gang":
http://www.google.com/search?hl=en&q=%22KLIK+gang%22
http://www.haloscan.com/comments/alexeck/194940738777982252/
http://www.castlecops.com/t193669-New_codec_pusher_nmextensions_etc_fake_porn_malware.html
Maksim Samov
KLIK Media GmbH
Grosse Leege Str. 41
13055, Berlin, DE
+49.3094413291
Maxim Korolevich
MK Digital Media
4185 S. Paradise Rd. #3049
Las Vegas, NV 89109 US
These guys are cyber EVIL!
Posted by: Anonymous | September 11, 2008 4:38 PM | Report abuse
Kfritz-- That link was redirecting. I have fixed it now. It should go to the correct placeholder page at Directi (at least until Directi cancels it).
Posted by: Bk | September 11, 2008 5:56 PM | Report abuse
FAGGOTS (ПИДОРАСТЫ)
Posted by: bljat | September 11, 2008 6:41 PM | Report abuse
Here is his real location:
Maxim Korolevich
email: timurmail@hotmail.kz
Aviatornaja St. 3-12a
Minsk, 220039
BY
375 172 2578841
Thank you,
James McQuaid
Posted by: James McQuaid | September 11, 2008 7:15 PM | Report abuse
A big thank you to BK and others for shining spotlights on these cyber vandals, thugs and thieves. With utmost respect to the security industry, the problem cannot be addressed behind closed doors. Cybercriminal gangs have flourished like mushrooms in the dark. Sharing information and public exposure is rightfully needed to shut these criminal activities down.
Since Mr. McQuaid knows of the Belarus location, I am hoping the spammy affiliate pharma programs created via Belarus by an organization claiming to be US-based by using (surprise) an Oregon mail dropbox will be similarly exposed. My research indicates they have not stopped at pharma scams but have attacked one of the more vulnerable areas of the US economy in continuing identity theft and fraud operations.
Posted by: Anonymous | September 11, 2008 9:31 PM | Report abuse
Another great write up. Brian, thank you for your work on exposing these criminals for what they are.
Posted by: suzi | September 12, 2008 1:50 AM | Report abuse
Hi
Bye
Posted by: ereveasty | September 12, 2008 3:00 AM | Report abuse
Another great article, thank you Brian. I hope it will help debating good ways to fight fraudulent domain resellers.
Posted by: Cedric Pernet | September 12, 2008 4:41 AM | Report abuse
bljat basically insulted you. And a pretty lame attempt at that:
ПИДОРАСТЫ (faggots):
http://en.wikipedia.org/wiki/Pederasty
- ferg
Posted by: Fergie | September 12, 2008 6:34 AM | Report abuse
Hi
G'night
Posted by: ereveasty | September 12, 2008 6:42 AM | Report abuse
Klik also owns triple.com ICANN accredited registrar.
They have a webmaster board at klikforum.com. The domain is offline now, I guess...
Posted by: AJ | September 12, 2008 6:43 AM | Report abuse
Nope AJ ;)
klikforum.com is working OK, but only for Russia and similar countries.
Posted by: TJ | September 12, 2008 8:02 AM | Report abuse
Hi
Bye
Posted by: ereveasty | September 12, 2008 9:12 AM | Report abuse
Vivids == Klik ~ Triple
Posted by: Dave | September 12, 2008 10:19 AM | Report abuse
@AJ, Dave: What is your source for saying Klik owns Triple.com? Is it the Klik forum, or somewhere else as well?
Posted by: Bk | September 12, 2008 10:50 AM | Report abuse
Better post articles about Pro US Government in Georgia killing children in Osetia.
Posted by: Johan Smidt | September 12, 2008 10:58 AM | Report abuse
Indeed, Klik/MK/Impro/ICommerce/Nelroy also operated various CWS-era spyware themselves, installed through 'aggressive' ActiveX downloaders and exploits from other CWS groups.
Possibly not the best guys to buy anti-spyware software from...
Incidentally, whilst RazeSpyware was operated directly by Klik and Painter, the other titles mentioned above are products of Innovagest, another Russian-malware-complex group which is one of the two biggest rogue-AV vendors. (The other being Innovative Marketing.)
Posted by: bobince | September 12, 2008 11:12 AM | Report abuse
Brian, ever felt like John the Baptist crying in the wilderness? Hopefully, someday, someone who can actually do something about eliminating these scam artists will listen. Thanks for all you do.
Posted by: Pete from Arlington | September 12, 2008 11:33 AM | Report abuse
Please remove the following hi-jack sites.
antispyexpert.com
zoombli.com
These are also fake program sites.
Mahalo Nui Loa,
Keep up the good work !
Posted by: Henry in Hawaii | September 12, 2008 12:54 PM | Report abuse
Hello
Bye
Posted by: ereveasty | September 12, 2008 5:01 PM | Report abuse
YANKEE FUCKWITS, STOP EXPOSING THE AWESOME REGISTRANTS... :)
Posted by: piska | September 12, 2008 5:12 PM | Report abuse
Daaamn... DE. Busted =))
Posted by: hyu | September 12, 2008 6:30 PM | Report abuse
Better post articles about Pro US Government in Georgia killing children in Osetia.
Posted by: Johan Smidt | September 12, 2008 10:58 AM
===============
As tempting as it is to contemplate, I don't think that simply killing Russians is a cost effective way to fight spam.
Posted by: Robert | September 13, 2008 5:24 AM | Report abuse
Good that they have started cracking down on this "business, Russian-style"; these are shitty thieves!
Posted by: Ненавижу русских | September 13, 2008 11:06 AM | Report abuse
What, what? Whoa, no fucking way! Cheer up, lads, cheer up!
Posted by: Сява | September 13, 2008 11:18 AM | Report abuse
Damn, no matter how hard you try, we will keep scamming you out of your money. The further it goes, the more! And all because you are SUCKERS! And no articles will help. Being a sucker is fate; a sucker is a sucker even in Africa. Hi, Yanks!
Posted by: Cube | September 13, 2008 11:23 AM | Report abuse
Had that Antivirus 2008 Scanner on one of my client's computers and had to reformat the hard drive. Thanks for the info.
Posted by: Egghead | September 13, 2008 11:49 AM | Report abuse
Read it. Laughed my ass off )
Posted by: краб | September 13, 2008 12:14 PM | Report abuse
The "hi".."bye" comments are a waste of space, but distasteful only in that they may inspire copycats, adding extra work for everyone.
Given the lack of language training in US schools, I'd prefer to have comments written in foreign languages posted only if they include a translation. I admit my inadequate knowledge of Russian.
Posted by: Michelle Matel | September 13, 2008 12:24 PM | Report abuse
Maksim Samov is an executive and owner of an Internet partnership program that sells movies via the Internet without a license. This partnership program is known under the following names: kinovip.com and ZML.com
Posted by: magma | September 13, 2008 2:52 PM | Report abuse
Russkies, suck dick, freaks!
Posted by: Jamie | September 13, 2008 3:14 PM | Report abuse
more klik gang projects:
zml.com (illegal DVD sale)
uploading.com (file hosting)
vipsoftcash.com (fake xp antivirus software sale)
& check out this article too
http://sunbeltblog.blogspot.com/2008/03/more-excess-by-klik-revenue.html
Posted by: Anonymous | September 13, 2008 5:26 PM | Report abuse
They need to 'take care of' this one too:
Results returned from whois.publicdomainregistry.com:
Registration Service Provided By: VIVIDS MEDIA GMBH
Contact: +49.3094413291
Domain Name: POWERANTIVIRUS.NET
Registrant:
Sawert Alliance ltd.
Peltonen Martti (seodancer@gmail.com)
Jeledoroznaya str. 14
Volovoso
Leningradskaya oblast,188410
RU
Tel. +7.9218901266
Creation Date: 01-Sep-2008
Expiration Date: 01-Sep-2009
IP address: 91.208.0.233
Host name: powerantivirus.net
91.208.0.233 is from Russian Federation(RU) in region Eastern Europe
DNS servers
ns2.powerantivirus.net [91.208.0.233]
ns1.powerantivirus.net [91.208.0.233]
Posted by: Trish | September 13, 2008 5:27 PM | Report abuse
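The record above is the kind of thing an abuse desk sees by the thousand, and the article's point about reseller-level policing is that such records can be triaged in bulk. The following is an added example, not code from the article, from Directi, or from any commenter: a small Python script that parses the publicdomainregistry.com-style WHOIS dump quoted above and scores it against the signals the article and this thread bring up (a watched reseller, a registration only days old, the rogue-AV product naming pattern, both authoritative nameservers in-bailiwick on one IP, and a free-webmail registrant contact). The watch list, the 30-day age threshold, the name-pattern vocabulary and the benign comparison record EXAMPLE-BAKERY.ORG are assumptions; the rogue record is copied from the comment.

```python
import re
from datetime import date, datetime
from typing import Dict, List

# Resellers that the article and the comments tie to rogue-AV domains
# (Vivids Media / Klikdomains, EstDomains, mynick.name). Assumed watch list,
# to be maintained by the reader; membership is a triage signal, not a verdict.
WATCHED_RESELLERS = {"VIVIDS MEDIA GMBH", "KLIKDOMAINS.COM", "ESTDOMAINS", "MYNICK.NAME"}
# Vocabulary drawn from the product names in the article (antivirus2008scanner,
# power-antivirus-2009, xpsecuritycenter): a security word plus a marketing modifier.
ROGUE_WORDS = ("antivirus", "anti-virus", "antispy", "spyware", "security", "protect")
MODIFIERS = ("scan", "power", "xp", "free", "pro", "expert", "center")
FREE_MAIL = {"gmail.com", "hotmail.com", "hotmail.kz", "yahoo.com", "mail.ru"}
NEW_DOMAIN_DAYS = 30                      # assumed threshold
COMMENT_DATE = date(2008, 9, 13)          # the day the record above was posted

# WHOIS record as quoted in the comment above (publicdomainregistry.com format).
ROGUE_RECORD = """\
Registration Service Provided By: VIVIDS MEDIA GMBH
Contact: +49.3094413291
Domain Name: POWERANTIVIRUS.NET
Registrant:
Sawert Alliance ltd.
Peltonen Martti (seodancer@gmail.com)
Creation Date: 01-Sep-2008
Expiration Date: 01-Sep-2009
DNS servers
ns2.powerantivirus.net [91.208.0.233]
ns1.powerantivirus.net [91.208.0.233]
"""

# Constructed comparison record for a boring, long-lived domain (not a real WHOIS result).
BENIGN_RECORD = """\
Registration Service Provided By: Example Reseller LLC
Domain Name: EXAMPLE-BAKERY.ORG
Registrant:
Example Bakery Inc.
Jane Doe (hostmaster@example-bakery.org)
Creation Date: 14-Mar-2003
Expiration Date: 14-Mar-2010
DNS servers
ns1.dns-provider.example [192.0.2.10]
ns2.dns-provider.example [198.51.100.20]
"""

NS_LINE = re.compile(r"^(\S+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]$")
EMAIL_IN_PARENS = re.compile(r"\(([^()\s]+@[^()\s]+)\)")


def parse_record(text: str) -> dict:
    """Pull the fields the triage needs out of a reseller-style WHOIS dump."""
    rec = {"reseller": None, "domain": None, "email": None, "created": None, "nameservers": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Registration Service Provided By:"):
            rec["reseller"] = line.split(":", 1)[1].strip().upper()
        elif line.startswith("Domain Name:"):
            rec["domain"] = line.split(":", 1)[1].strip().lower()
        elif line.startswith("Creation Date:"):
            rec["created"] = datetime.strptime(line.split(":", 1)[1].strip(), "%d-%b-%Y").date()
        else:
            m = EMAIL_IN_PARENS.search(line)          # "Name (user@host)" registrant line
            if m and rec["email"] is None:
                rec["email"] = m.group(1).lower()
            m = NS_LINE.match(line)                   # "ns1.host [1.2.3.4]" nameserver line
            if m:
                rec["nameservers"].append((m.group(1).lower(), m.group(2)))
    return rec


def triage(rec: dict, today: date = COMMENT_DATE) -> List[str]:
    """Return the human-readable reasons a domain deserves an abuse-desk look."""
    reasons: List[str] = []
    domain = rec["domain"] or ""
    label = domain.split(".")[0]
    if rec["reseller"] in WATCHED_RESELLERS:
        reasons.append("reseller %s is on the watch list" % rec["reseller"])
    if rec["created"] is not None:
        age = (today - rec["created"]).days
        if age < NEW_DOMAIN_DAYS:
            reasons.append("domain is only %d days old" % age)
    if any(w in label for w in ROGUE_WORDS) and (
            re.search(r"20\d\d", label) or any(m in label for m in MODIFIERS)):
        reasons.append("name follows the rogue-AV product naming pattern")
    ns = rec["nameservers"]
    if len(ns) >= 2:
        ips = {ip for _, ip in ns}
        in_bailiwick = all(host.endswith("." + domain) for host, _ in ns)
        if len(ips) == 1 and in_bailiwick:   # every NS is the throwaway box itself
            reasons.append("all %d nameservers are in-bailiwick on the single host %s"
                           % (len(ns), next(iter(ips))))
    email = rec["email"]
    if email and email.split("@", 1)[1] in FREE_MAIL:
        reasons.append("registrant contact is a free webmail address")
    return reasons


def report(records=(ROGUE_RECORD, BENIGN_RECORD), today: date = COMMENT_DATE) -> Dict[str, List[str]]:
    """Map each domain to its triage reasons; an empty list means nothing stood out."""
    out: Dict[str, List[str]] = {}
    for text in records:
        rec = parse_record(text)
        out[rec["domain"]] = triage(rec, today)
    return out


if __name__ == "__main__":
    for dom, why in report().items():
        print("%-24s %d signal(s)" % (dom, len(why)))
        for r in why:
            print("    -", r)
```

Run against the two records, powerantivirus.net trips all five signals and example-bakery.org trips none. None of the signals is damning on its own (plenty of legitimate sites use a free mailbox or run their own DNS), which is why the script returns the list of reasons rather than a boolean: the reseller is the strongest signal, and the rest are there to rank which of a reseller's 50,000 remaining names to look at first.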
BMW is crap.
Have a nice day :)
Posted by: Вася | September 14, 2008 3:20 PM | Report abuse
another klik project: http://www.vippirog.com/
Posted by: donald | September 14, 2008 5:31 PM | Report abuse
The Washington Post is total rubbish )
Posted by: Вася Мася | September 14, 2008 9:03 PM | Report abuse
6lw.info
hartnetwork.org
hujashka.com
kukutrustnet888.info
kukutrustnet999.info
microupdate14.info
newhardwork.com
offsitehost.com
snow-job.com
Posted by: Directi Presents... | September 15, 2008 11:02 AM | Report abuse
Cool AntiAbuse services:
http://dir.webst.ru/
http://sellout.name/
http://panel.nics.name/
Posted by: AntiAbuse | September 15, 2008 2:14 PM | Report abuse
To "Henry in Hawaii | September 12, 2008 12:54 PM"
Zoombli.com is not a fake site nor is it hi-jacked. It should not be removed. Thanks.
Posted by: Matt | September 15, 2008 5:05 PM | Report abuse
umaxforum.com is the biggest badware source in the world; thank you for eliminating harmless competitors!! This is the RBN net!
Posted by: Anonymous | September 15, 2008 5:51 PM | Report abuse
@Matt | September 15, 2008 5:05 PM
zoombli.com IS a bad website as it is peddling KNOWN ROGUES!
Posted by: MysteryFCM | September 15, 2008 7:30 PM | Report abuse
The following was taken from:
http://www.klikforum.com/viewtopic.php?p=96443
Automatically translated to English and presented here,for the sake of easiness:
"In light of recent events, I offer my services to register and look after abuse-resistant ('abuzostoykih') domains, with a guarantee, in the following zones: com / net / biz / info
Domains guaranteed to hold up against:
-- All types and amounts of web spam (abuse complaints ('abuzy') from URIBL and the like, including the notorious malwaredomainlist.com)
-- Codecs and any other low-security software
-- Content (doorway pages ('dorvei'), etc.), except the content indicated below"
Does anyone need to read anything more than the above regarding these web criminals?
Oh ICANN,where art thou?
Posted by: sowhat-x | September 15, 2008 10:28 PM | Report abuse
romero.ru
This is a blog about black hat seo, fake antispyware and violations of visa regime.
Thank you!
Posted by: Jamie | September 16, 2008 3:16 AM | Report abuse
Complete morons...
Posted by: Piter Ragnarson | September 16, 2008 5:58 AM | Report abuse
What, you damned thieves, cornered from all sides?!
Posted by: antirussia | September 16, 2008 8:17 AM | Report abuse
Old news ("boyancheg")
Posted by: Alex | September 16, 2008 8:26 AM | Report abuse
livejournal.com is also KLIK project
shut that spam down
Posted by: JohnMalkovich | September 16, 2008 9:00 AM | Report abuse
http://www.epese.com is Klik project too
Posted by: dreamer | September 16, 2008 10:10 AM | Report abuse
Lie.
This is American dirty competition.
Americans are trying to destroy Western European e-commerce.
Now we can see the true face of American democracy.
Posted by: Yes | September 16, 2008 4:04 PM | Report abuse
@Yes | September 16, 2008 4:05 PM
You really do like to talk bo**ocks, don't you? This has nothing to do with Americans destroying anything, and everything to do with the good guys taking the bad guys down .... the way things should be!
Posted by: MysteryFCM | September 16, 2008 8:12 PM | Report abuse
I know the owners of the Klik projects. The majority of their projects are absolutely legal. What is written above is provocation.
Posted by: bark | September 18, 2008 6:35 AM | Report abuse
ebay.com (and now PayPal also) is also a project of Russian cheaters. The owner is the Russian mafia.
Posted by: anonystus | September 18, 2008 9:06 AM | Report abuse
"More than 21,000 sites were suspended in the past 48 hours alone."
And even more need to be suspended...
Registrar: Directi Internet Solutions
fantasticdollars.com
getyouneed.com
golnanosat.com
safe-security-advisour.com
virusburst.com
xpenprotect.com
xpsecuritycenter.com
vipasotka.com