I said I'd get back to this, and I am (finally). If you read the previous article concerning Eveloz, you'll already be familiar with the back story concerning them, so lets continue.
I've been monitoring Eveloz for quite some time now, as they've seemingly decided to be rather open about their provision of a haven for criminals, and things haven't stopped, changed or errr, well gotten anything but worse really.
The latest domain to surface on their network, is longsignups.net, which is serving as a middle man, for the fake AV crowd. The domains registrar (Alantron BLTD, alantron.com) apparently doesn't want anyone accessing their WhoIs from anywhere except their own site, so although likely faked, the owner is listed as;
Not surprisingly, "Alexander Kupalo" is tied to other domains, and other scams.
The domain is residing at 18.104.22.168, which you'll remember, also housed previous MITMs, such as;
And yes, these are still active (the only one not actually redirecting at the time of writing, is roomafterhide.net, it is still resolving to the same IP however). At the time of writing, the redirection locations for the domains are;
Looking over this /24, there appears to be only 1 IP (22.214.171.124) that's actually housing legit websites. The rest are either malware related or phishing related. One rather interesting phishing domain is beverified.org, which claims to, well let's see what they say shall we;
"Beverified.org is the premier free age verification service used by safe adults in the area"
Age verification? Really? How is this done then? Well actually it isn't (as if you were surprised). All it actually does, is submit your information to;
Note: Accessing join.php directly results in an error stating invalid input parameters. You can view what it actually contains using the following URL;
A site with no homepage, and registered to a company that evidently can't decide where they are (address is Cyprus, but telephone number has a +44 (UK) dialing code).
dns2.allnetservers.net resides at 126.96.36.199 (AS36529 188.8.131.52/24 RACKCO). RACKCO also has several other /24's and based on the sites hosted there, all of them need blackholed.
A little further digging, showed a plethora of similar phishing sites housed at;
184.108.40.206/24 - AS10929 Netelligent
220.127.116.11/24 - AS11696 Simlab Bell Atlantic Global Networks Madison, NJ
18.104.22.168/24 - AS21949 BEANFIELD-AS Beanfield Technologies inc. 77 Mowat Ave. Toronto, ON M6K3E3
22.214.171.124/24 - AS19181 CWIE Cavecreek Wholesale Internet Exchange, LLC
126.96.36.199/24 - AS19181 CWIE Cavecreek Wholesale Internet Exchange, LLC
Getting back to Eveloz however, I've tried numerous times to reach both themselves, and their upstreams, and to date, no response has been received, so personally, I'm still recommending they be blackholed.
Crimeware friendly ISP's: Eveloz (AS27716, 188.8.131.52/21, 184.108.40.206/23, 220.127.116.11/22)