A few weeks back, we started seeing a lot of spam promoting sites selling 'Russian art' under the name GorgeousArt. The names of the sites changed from day to day — bodycomponent.com, bodypreparation.com, componentunique.com etc — but all shared the same IP address and content. Each site also referred to a payment processing site called active-bill.com. Both the 'art' sites and the payment processor were covered with not-quite-convincing messages designed to convince visitors of their trustworthiness, but they had something else in common as well: the so-called payment processor was hosted at the same IP address as the 'art' sites.
In due course, the GorgeousArt spam wave subsided. This morning, however, I received spam promoting a domain called revolbest.com and advertising a product called 'advanceVPN'. The spam warns recipients of the terrible threat posed to their privacy by state snooping and offers an answer:
We propose you make use of our VPN service! VPN (Virtual Private Network) is a permanent encrypted connexion between your personal computer and VPN server based on data transfer by dint of encrypted GRE packages. Enciphering's created using the present-day safest algorithm MPPE 128bit stateful.
Sounds pretty impressive, and as they say, their costs seem to be very fetching. Just $40 for 10GB of traffic through their quick I-net channels. Sign me up now!
Except that before I could hand over my credit card details, another flight of spam arrived, this time pointing to preparationsuper.com, with the same message. Whereas one spam promoting a domain might suggest a clueless idiot who thinks spam is a good way to push the product, a sequence of spams featuring nonsense names says that this is a spammer who is deliberately trying to dodge filters and takedowns. And the technobabble says that this is someone who's out to con the recipient.
Sure enough, when we dig a little deeper, what do we find? The nameserver for advanceVPN is none other than our friend active-bill.com. Busted!
There's one minor difference, which is that while the GorgeousArt domains and active-bill.com are registered to one Hansheng Wei, the new advanceVPN scam domains are registered to Stephen Patterson. By a fascinating coincidence, Googling for his details turns up some CastleCops records for Canadian Health & Care Mall, a probably-fictitious organization behind a number of spamvertised 'Internet pharmacies'. You can't get much dirtier than that.
Fine art, VPN software — what else have you got for us, guys?
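The pivot used above (shared IP address first, then a nameserver under active-bill.com) can be written as a small clustering script. This is an added example, not the author's tooling. Domain and registrant names are taken from the post; every IP address is a documentation-range placeholder, the separate IP given to the advanceVPN domains is an assumption, and the control row is invented.

```python
from collections import defaultdict

# Constructed sample rows: (domain, ip, nameserver_domain, registrant).
# IPs are placeholders; the last row is an invented, unrelated control.
OBSERVATIONS = [
    ("bodycomponent.com",    "192.0.2.10",   None,              "Hansheng Wei"),
    ("bodypreparation.com",  "192.0.2.10",   None,              "Hansheng Wei"),
    ("componentunique.com",  "192.0.2.10",   None,              "Hansheng Wei"),
    ("active-bill.com",      "192.0.2.10",   None,              "Hansheng Wei"),
    ("revolbest.com",        "192.0.2.77",   "active-bill.com", "Stephen Patterson"),
    ("preparationsuper.com", "192.0.2.77",   "active-bill.com", "Stephen Patterson"),
    ("control-shop.example", "198.51.100.5", "dns.example",     "Constructed Control"),
]

def cluster(observations):
    """Group domains that share hosting IP or nameserver domain (union-find)."""
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path halving
            node = parent[node]
        return node

    def union(a, b):
        parent[find(a)] = find(b)

    for domain, ip, ns_domain, _ in observations:
        find(("domain", domain))
        if ip:
            union(("domain", domain), ("ip", ip))
        if ns_domain:
            # A nameserver under another domain ties the two domains together.
            union(("domain", domain), ("domain", ns_domain))

    # Registrant is reported, not used as a link: WHOIS names are cheap to vary.
    groups = defaultdict(lambda: {"domains": set(), "registrants": set()})
    for domain, _, _, registrant in observations:
        group = groups[find(("domain", domain))]
        group["domains"].add(domain)
        group["registrants"].add(registrant)
    return sorted(groups.values(), key=lambda g: -len(g["domains"]))

if __name__ == "__main__":
    for group in cluster(OBSERVATIONS):
        print(sorted(group["domains"]), "registered to", sorted(group["registrants"]))
```

A cluster that spans more than one registrant is the case described above: different WHOIS names, same infrastructure.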