<<<
NEWS FROM THE LAB - Friday, October 26, 2007
>>>
 

 
This Bud's for You? Posted by Mikko @ 06:09 GMT

We've been monitoring some spam runs lately advertising "legal herbs" for smoking purposes.

Here's an example:

The Bud Shop

This link takes you to a website called thebudshop.hk (not to be mistaken with thebodyshop.com):

thebudshop.hk

Now, it is quite curious that this joint shop is located in Hong Kong (.hk), of all places.

Let's see where the actual server is hosted:

Bud Shop Hosts

Oh, I see. The address keeps changing every few minutes. And, quite curiously, the IPs point to individual DSL boxes, i.e. home computers. Sounds like a botnet to me.

Lets take a closer look at the WHOIS record of thebudshop.hk:

Name Servers

Boy, don't those nameservers look weird. In fact, we've seen these before. There's a whole range of similar nameservers, including:

  02f3c5e0f.com
  1acca152d7817.com
  2349e44075.com
  38aca76e087.com
  52352a0c60a9c29.com
  6309a46.com
  871235bc.com
  926817a885d86e1.com
  ac8a562.com
  c0fbfef6e372ca34a.com
  e7bec7797.com

All of them are registered to Chinese addresses and they are criss-crossed to provide DNS for earch other.

thebudshop.hk

We've seen Citibank and Myspace phishing sites hosted under these domains before. But this is the first time we've seen a smoke shop hosted there. It's quite likely the whole site is fake and only built to collect credit card numbers.

So, Just Say No.