We've been monitoring some spam runs lately advertising "legal herbs" for smoking purposes.
Here's an example:
This link takes you to a website called thebudshop.hk (not to be mistaken for thebodyshop.com):
Now, it is quite curious that this joint shop is located in Hong Kong (.hk), of all places.
Let's see where the actual server is hosted:
Oh, I see. The address keeps changing every few minutes. And, quite curiously, the IPs point to individual DSL boxes, i.e. home computers. Sounds like a botnet to me.
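Addresses that rotate every few minutes across unrelated home connections are the pattern usually called fast flux. The sketch below is an added example, not part of the original post: it scores repeated DNS lookups for that pattern, and the domain names, addresses (RFC 5737 documentation ranges) and thresholds in it are constructed assumptions.

```python
from ipaddress import ip_address

# Constructed lookups: (seconds since first query, TTL, A records returned).
# Names are hypothetical; addresses are RFC 5737 documentation ranges.
SAMPLES = {
    "shop.example": [
        (0,   180, ["192.0.2.10", "198.51.100.77", "203.0.113.5"]),
        (300, 180, ["198.51.100.201", "203.0.113.90", "192.0.2.144"]),
        (600, 180, ["203.0.113.17", "192.0.2.63", "198.51.100.8"]),
    ],
    "static.example": [
        (0,   86400, ["192.0.2.80"]),
        (300, 86400, ["192.0.2.80"]),
        (600, 86400, ["192.0.2.80"]),
    ],
}

def prefix24(addr):
    """Collapse an IPv4 address to its /24, a rough stand-in for 'network'."""
    return int(ip_address(addr)) >> 8

def flux_metrics(lookups):
    """Summarise how much the answer set moves across successive lookups."""
    seen_ips, seen_nets, max_ttl, rotations = set(), set(), 0, 0
    previous = None
    for _, ttl, answers in lookups:
        current = set(answers)
        if previous is not None and not (current & previous):
            rotations += 1  # answer set fully replaced since the last lookup
        previous = current
        seen_ips |= current
        seen_nets |= {prefix24(a) for a in current}
        max_ttl = max(max_ttl, ttl)
    return {"ips": len(seen_ips), "nets": len(seen_nets),
            "max_ttl": max_ttl, "full_rotations": rotations}

def looks_fast_flux(lookups, min_ips=5, min_nets=3, ttl_ceiling=600):
    """Flag many addresses, on several networks, all with short TTLs.
    The thresholds are illustrative assumptions, not tuned values."""
    m = flux_metrics(lookups)
    return (m["ips"] >= min_ips and m["nets"] >= min_nets
            and m["max_ttl"] <= ttl_ceiling)

if __name__ == "__main__":
    for name, lookups in SAMPLES.items():
        print(name, flux_metrics(lookups), looks_fast_flux(lookups))
```

Content delivery networks also return short-TTL, rotating answers, so a real check would add reverse DNS or ASN data to confirm the addresses sit in consumer broadband space, as the post observes for this domain.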
Let's take a closer look at the WHOIS record of thebudshop.hk:
Boy, don't those nameservers look weird. In fact, we've seen these before. There's a whole range of similar nameservers, including:
All of them are registered to Chinese addresses and they are criss-crossed to provide DNS for each other.
We've seen Citibank and Myspace phishing sites hosted under these domains before. But this is the first time we've seen a smoke shop hosted there. It's quite likely the whole site is fake and only built to collect credit card numbers.