Fraudulent SMS domains!

by Albin on February 27th, 2009 in Researcher Comments, Security Alerts.

Lavasoft Malware Labs recently took a closer look at an IP range full of hoax sites. A reverse IP lookup on 78.129.142.235 reveals around 200 fraudulent domains hosted in the United Arab Emirates. Most of the sites hosted under 78.129.142.235 trade on the names of existing products from the security industry and other popular software. The examples below show how they make illegal domains look reliable.

hxxp://7zip-2009.info
hxxp://Directx-full.info
hxxp://Icq-full.info
hxxp://Messengerplus-2009.info
hxxp://Safari-full.info
hxxp://Winrar-2009.com
hxxp://Www-kaspersky.info
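The names above all pair a known product name with a decoy token ("-full", a year such as "-2009", or a "www-" prefix inside the registered name). The following added example, which is not Lavasoft's code, flags that pattern in a list of hostnames such as a reverse-IP result; the brand watchlist and the benign sample entries are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Product names taken from the page's examples; extend with brands you need to protect.
BRANDS = {"7zip", "directx", "icq", "messengerplus", "safari", "winrar",
          "kaspersky", "adaware"}
# Decoy tokens seen in the page's examples: "-full", a year such as "-2009", "www-".
DECOY_WORDS = {"full", "www"}
YEAR = re.compile(r"(19|20)\d{2}")


def refang(url):
    """Undo hxxp / [.] defanging and add a scheme so urlsplit can find the host."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.I).replace("[.]", ".")
    return url if "://" in url else "http://" + url


def classify(url):
    """Return (brand, decoys) if the registered label pairs a brand with a decoy token."""
    host = (urlsplit(refang(url)).hostname or "").lower()
    labels = host.split(".")
    if len(labels) < 2:
        return None
    # Simplification: treats the label left of the TLD as the registered name,
    # so multi-part suffixes such as co.uk are not handled.
    tokens = [t for t in labels[-2].split("-") if t]
    brands = [t for t in tokens if t in BRANDS]
    decoys = [t for t in tokens if t in DECOY_WORDS or YEAR.fullmatch(t)]
    return (brands[0], decoys) if brands and decoys else None


def scan(urls):
    """Map each flagged URL to its (brand, decoys) finding."""
    return {u: hit for u in urls if (hit := classify(u))}


# Constructed input: five names from the page plus three benign entries for contrast.
SAMPLE = [
    "hxxp://7zip-2009.info", "hxxp://Directx-full.info",
    "hxxp://Www-kaspersky.info", "hxxp://Winrar-2009.com",
    "hxxp://adaware-full.info/se/",
    "https://www.kaspersky.com", "http://photo-2009.example", "example.org",
]

if __name__ == "__main__":
    for url, (brand, decoys) in scan(SAMPLE).items():
        print(f"{url}: brand={brand} decoys={decoys}")
```

A "www" subdomain on a vendor's own site is not flagged, because only the registered label is tokenized; "www-" inside that label is.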

The victims are tricked into an “SMS trap” where they are offered freeware/trial products for “~3$” per SMS. The only development cost for the villains is the time spent making the homepages look legitimate/trustworthy and “stealing” others' freeware products.

The first picture shows the site hxxp://adaware-full.info/se/. This “fake domain” distributes the free version of Ad-Aware AE and uses screenshots from the real program to entice users to make a purchase. 

The goal is to redirect the user to a site full of flags as you can see in the second picture. 

If the user chooses to click on one of the flags, a telephone number will pop up in a new window. The victim will then send an SMS to the specific number to purchase an access code.

This is a smart, cheap and easy way to trick people into buying freeware, so remember to be careful and suspicious if you end up at “dodgy” SMS pay sites.