The bastards got to it ((

June 22nd, 2009

Fake Antispyware Purveyor Doubles as Domain Registrar

A cyber gang known for aggressively spreading fake anti-spyware programs through hijacked and malicious Web sites has become an authorized reseller of domain names. Security Fix has learned that this gang is using its access as a registrar to ease the process of creating new Web sites used to push their invasive software.

Klikdomains.com, also known as Vivids Media GMBH, sells Web site names in the .com, .net, .org, .info, .biz, .name, .us, and .in top level domains. Klikdomains is part of Klikvip.com, which has for at least the last three years hired affiliates to trick people into installing its fake antivirus and anti-spyware products.

Experts say Klikdomains is yet another example of what happens when major Internet domain name registrars fail to police the activities of domain resellers. Klik is a reseller of domain registration services offered by India-based registrar Directi Internet Solutions. Last week, Security Fix examined the vast number of scam domains registered by EstDomains, another Directi reseller.

Patrick Jordan, a researcher at Sunbelt Software who has long tracked the group's activities, said Klik's fake anti-spyware programs come disguised as video "codecs," which some porn and YouTube look-alike sites claim users need to install in order to view video content. In reality, the codecs hijack search engine traffic and serve fake alerts about bogus security threats in order to convince the victim to purchase some worthless security software.

Some of the more recognizable fake security products pushed by the Klik gang are Razespyware, SpySheriff, Spywareno, and Spytrooper.

Directi president Bhavin Turakhia said his company has disabled its registrant-anonymizing privacyprotect.org service for all Web site names registered through Klikdomains.com, which he said has sold roughly 100,000 Web site names through Directi during the past couple of years. Nearly half of those have been suspended due to abuse complaints, Turakhia said. More than 21,000 sites were suspended in the past 48 hours alone. Directi currently is investigating most of the remaining 50,000 domains registered through Klikdomains.com, Turakhia added.

Chris Barton, lead research scientist with McAfee Avert Labs, said the situation demonstrates the need for more aggressive monitoring of resellers by domain registrars.

"I think the situation this week says a lot about both companies, culling over 20,000 domains in a couple of days proves there is something that can be done despite a few claims to the contrary, however still doing new business with registrars or resellers that are infested with bogus sites speaks volumes too," Barton said. "I know there are legal issues involved but they need to be balanced against the risks all-round and combined with process improvements."

Spend any amount of time perusing the entries at various computer self-help forums and you will quickly notice a massive number of people seeking help in removing these fake security software programs. While the purveyors of this software are extremely good at increasing the page rank of their scam sites through search engine optimization or sending links to the sites via blog spam, most of the traffic to these fake security sites occurs when a victim’s machine is already infected.

[Screenshot: competeav.jpg]

Consider the Web site statistics gathered daily by Quantcast, which ranks Web sites in order of their popularity. In Quantcast’s latest listing of the Web’s top one million Web sites, yourfavoritetube.com, a Klik-registered domain that installs one of the aforementioned nasty codecs, ranked 7,095th, with more than 560,000 visits at its peak in mid-August.

antivirus2008scanner.com — a fake security software site registered at Estdomains.com in July and only shuttered this week — was ranked 2,051, attracting more eyeballs than sites like eBay Australia and eBay Germany, torrentportal.com, discover.com and visa.com, according to Quantcast. To put that in better perspective, traffic comparison site Compete.com tracked about 1.1 million visitors to the site in the middle of August (see screen shot above).

Antivirus2009-freeverscan.com, one of dozens of fake security products registered by mynick.name — yet another Directi domain reseller — measured 2,317th, ahead of sites like dhl.com, informationweek.com, and fulltiltpoker.com. EstDomains-registered Power-antivirus-2009.com received more traffic than chrysler.com, pontiac.com or salesforce.com before it was deactivated recently.

Here is the link
