NEWS FROM THE LAB - Friday, October 26, 2007

This Bud's for You? Posted by Mikko @ 06:09 GMT

We've been monitoring some spam runs lately advertising "legal herbs" for smoking purposes.

Here's an example:

[Image: The Bud Shop]

This link takes you to a website called thebudshop.hk (not to be mistaken with thebodyshop.com):


Now, it is quite curious that this joint shop is located in Hong Kong (.hk), of all places.

Let's see where the actual server is hosted:

[Image: Bud Shop Hosts]

Oh, I see. The address keeps changing every few minutes. And, quite curiously, the IPs point to individual DSL boxes, i.e. home computers. Sounds like a botnet to me.
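The churn described above can be measured from repeated DNS lookups. The following is an added example, not code from the original post: it scores a series of polled A-record answers for the pattern seen here (many addresses, spread over unrelated networks, replaced wholesale between polls). The sample observations are constructed from RFC 5737 documentation addresses, and the TTL and threshold values are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed observations (not from the original post): each tuple is
# (seconds since first poll, TTL of the answer, A records returned).
FLUXING = [
    (0,   180, ["192.0.2.10", "198.51.100.7", "203.0.113.45"]),
    (300, 180, ["198.51.100.88", "203.0.113.9", "192.0.2.77"]),
    (600, 180, ["203.0.113.200", "192.0.2.131", "198.51.100.23"]),
]
STABLE = [
    (0,   3600, ["192.0.2.10"]),
    (300, 3600, ["192.0.2.10"]),
    (600, 3600, ["192.0.2.10"]),
]

def flux_metrics(observations):
    """Summarise how much a hostname's A records move between polls."""
    seen, networks, turnovers = set(), set(), 0
    previous = None
    for _, _ttl, addrs in observations:
        current = {ip_address(a) for a in addrs}
        seen |= current
        # Group by /24 to see whether answers span unrelated networks.
        networks |= {ip_network(f"{a}/24", strict=False) for a in current}
        # A full turnover: nothing from the previous answer survives.
        if previous is not None and not (current & previous):
            turnovers += 1
        previous = current
    return {
        "distinct_ips": len(seen),
        "distinct_networks": len(networks),
        "full_turnovers": turnovers,
        "max_ttl": max((ttl for _, ttl, _ in observations), default=0),
    }

def looks_fast_flux(observations, max_ttl=300, min_ips=5, min_networks=3):
    """Heuristic only; the default thresholds are assumptions to tune locally."""
    if not observations:
        return False
    m = flux_metrics(observations)
    return (m["max_ttl"] <= max_ttl
            and m["distinct_ips"] >= min_ips
            and m["distinct_networks"] >= min_networks
            and m["full_turnovers"] >= 1)
```
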

Let's take a closer look at the WHOIS record of thebudshop.hk:

[Image: Name Servers]

Boy, don't those nameservers look weird. In fact, we've seen these before. There's a whole range of similar nameservers, including:


All of them are registered to Chinese addresses and they are criss-crossed to provide DNS for each other.


We've seen Citibank and Myspace phishing sites hosted under these domains before. But this is the first time we've seen a smoke shop hosted there. It's quite likely the whole site is fake and only built to collect credit card numbers.

So, Just Say No.