Gambling Casinos
From Spamwiki
Description
Gambling Casino Family
Casino sites are difficult to categorize: A spamvertised brand may be on a single IP or on a fast flux botnet; it may be spammed as short-lived "throwaway" domains that redirect to the target site, or the throwaway domain may load the target domain in an iframe. Spam may arrive in consistent bunches that would suggest the same mailer is responsible for all, yet promote sites with different brands and different behaviors. There are probably several competing casino operations whose affiliates do not deal exclusively with a single sponsoring casino.
All spam casino sites require the player to be gullible enough to download software onto his/her own computer to play the games. Such programs are identified as adware or malware by various antivirus programs, though it is difficult to tell how malicious they may be, or whether actually playing the games will download additional executable programs onto the computer. Some sites will attempt to download the software automatically by reloading themselves. Others require a click, but will download no matter what the user clicks, even the "about us" links. Others won't download at all unless the user enables JavaScript for the entire site, a risky move. Site visitors who have Java enabled by default, or who are using browsers like Internet Explorer that permit ActiveX controls, may not witness this behavior at all, because the software is being automatically downloaded and installed without permission from the user.
Many gambling casinos run on an illegally hijacked fast-flux set of botnet machines. The casino botnet being used in early 2008 was primarily located in the US, Romania, and Argentina. There were seats for 24 round robin addresses at a time with a refresh every 5 minutes, though fewer than 24 IP addresses were actually filled.
Legitimate sites which are barely within the law, like offshore casinos, often will have multiple servers due to the risk of Distributed Denial of Service attacks (DDoS). However, it was unlikely these sites were being hosted legitimately, since some of the host ISPs were cable/DSL providers in the U.S., where online gambling is illegal.
Example of an incompletely-filled 24-seat botnet: Casino La Scala, April 2008
Name: FIRSTPRIMEGAME.NET
Addresses: 194.213.6.245
           79.118.207.6
           195.189.153.155
           79.118.207.6
           79.118.207.6
           79.118.207.6
           84.232.162.13
           76.105.29.90
           79.118.207.6
           79.114.155.59
           5.204.84.20
           89.35.172.188
           79.114.155.59
           79.118.207.6
           79.118.207.6
           79.118.207.6
           79.118.207.6
           195.189.153.155
           78.139.149.132
           89.35.172.188
           86.105.132.74
           79.119.140.4
           194.213.6.245
           194.213.6.245
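The 24-seat round-robin answer set above is the kind of observation a defender can score automatically rather than eyeball. The Python script below is an added example, not part of the Spamwiki page: it takes the 24 addresses listed for firstprimegame.net plus a constructed follow-up lookup (the TEST-NET addresses in it are stand-ins for freshly recruited bots, not observed ones), and reports how many seats were actually filled, which addresses were repeated to pad the set, how many distinct /16 prefixes are involved, and how much the set changed between lookups. The thresholds in assess() are illustrative defaults chosen here, not figures from the page, and the /16 count is a crude stand-in for an ASN lookup.

```python
"""Fast-flux heuristics over repeated A-record lookups of one hostname.

Added example (not from the Spamwiki page). It scores a resolver answer set
for the traits described above: a large round-robin set that is only partly
filled, spread across unrelated networks, and changing between lookups.
"""
from collections import Counter
from ipaddress import ip_address

# The 24 answers recorded for firstprimegame.net in April 2008, as listed above.
SNAPSHOT_APRIL_2008 = [
    "194.213.6.245", "79.118.207.6", "195.189.153.155", "79.118.207.6",
    "79.118.207.6", "79.118.207.6", "84.232.162.13", "76.105.29.90",
    "79.118.207.6", "79.114.155.59", "5.204.84.20", "89.35.172.188",
    "79.114.155.59", "79.118.207.6", "79.118.207.6", "79.118.207.6",
    "79.118.207.6", "195.189.153.155", "78.139.149.132", "89.35.172.188",
    "86.105.132.74", "79.119.140.4", "194.213.6.245", "194.213.6.245",
]

# A constructed follow-up lookup (not from the page): five of the earlier bots
# remain and the other seats have been refilled. TEST-NET addresses stand in
# for the new bots.
SNAPSHOT_CONSTRUCTED_NEXT = [
    "79.118.207.6", "194.213.6.245", "89.35.172.188", "5.204.84.20",
    "86.105.132.74", "203.0.113.7", "198.51.100.21", "192.0.2.99",
    "203.0.113.8",
]

# A constructed answer set for a conventionally hosted site: one address only.
SNAPSHOT_STABLE = ["203.0.113.50"] * 3


def summarize(answers, seats):
    """Describe one lookup: how many distinct hosts filled the `seats` slots."""
    counts = Counter(answers)
    unique = sorted(counts, key=lambda a: int(ip_address(a)))
    # Distinct /16 prefixes as a crude stand-in for "different networks";
    # a real pipeline would map each address to its ASN instead.
    slash16s = {".".join(a.split(".")[:2]) for a in unique}
    return {
        "answers": len(answers),
        "unique": len(unique),
        "fill_ratio": len(unique) / seats,
        "duplicates": {a: n for a, n in counts.items() if n > 1},
        "distinct_16s": len(slash16s),
    }


def churn(previous, current):
    """Fraction of the earlier answer set that is gone in the later one."""
    earlier, later = set(previous), set(current)
    return len(earlier - later) / len(earlier) if earlier else 0.0


def assess(snapshots, seats=24, min_unique=5, min_16s=4, min_churn=0.3):
    """Flag a hostname whose lookups look like a fast-flux botnet.

    Thresholds are illustrative defaults, not values taken from the page.
    """
    first = summarize(snapshots[0], seats)
    churns = [churn(a, b) for a, b in zip(snapshots, snapshots[1:])]
    spread = first["unique"] >= min_unique and first["distinct_16s"] >= min_16s
    padded = bool(first["duplicates"])
    fluxing = any(c >= min_churn for c in churns)
    reasons = []
    if spread:
        reasons.append(f"{first['unique']} distinct addresses across "
                       f"{first['distinct_16s']} /16 prefixes")
    if padded:
        reasons.append(f"{len(first['duplicates'])} addresses repeated to pad the answer set")
    if fluxing:
        reasons.append(f"max churn between lookups {max(churns):.2f}")
    # Spread alone is ordinary for load-balanced or CDN-fronted sites; require
    # padding or churn on top of it before calling the host fast-flux.
    return {"flagged": spread and (padded or fluxing), "reasons": reasons, "churn": churns}


if __name__ == "__main__":
    print(summarize(SNAPSHOT_APRIL_2008, 24))
    print(assess([SNAPSHOT_APRIL_2008, SNAPSHOT_CONSTRUCTED_NEXT]))
    print(assess([SNAPSHOT_STABLE], seats=3))
```

For the April 2008 set the script reports 11 distinct addresses in 24 seats, five of them repeated (79.118.207.6 alone fills nine seats), across 11 different /16 prefixes; with the constructed second lookup the churn is 6/11, so the host is flagged, while the single-address control is not.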
Sponsoring Registrars
Typical site
Domain Name: EUROCASINOMILPI.COM
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
eurocasinomilpi.com has address 210.14.128.200
Registrant:
ZBYD Technology Co.,Ltd
15A build, xiyongle road, shijingshan district, Beijing
Name Servers: ns1.788tom.com ns2.788tom.com
Domain Name: 788TOM.COM
Registrar: ENOM, INC.
Typical site
Domain Name: CASINOVEGASPLUS.COM
Registrar: ENOM, INC.
Registrant:
Alex Basovski (goldgame@mail.by)
+375.85627345 Fax: +1.11111111111
Marksa str. 19, Pinsk, PI 213121, BY
Name servers: ns1.mycandydns.com ns2.mycandydns.com ns3.mycandydns.com ns4.mycandydns.com ns5.mycandydns.com
Domain Name: MYCANDYDNS.COM
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Typical site
Domain Name: CASINOPLAYGAME.COM
Registrar: REGTIME LTD.
Registrant:
bella kotz
Email: bella2007@newmail.ru
Organization: Private person
Address: prospekt 60-letiya sssr, 18
City: birobidzhan
State: birobidzhan
ZIP: 679017
Country: RU
Phone: +7.4262268811
Fax:
Name servers: ns1.f942b690.com ns2.f942b690.com ns3.f942b690.com ns4.f942b690.com
Domain Name: F942B690.COM
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
History
The botnet hosting these sites has also been used for bank phishing and money mule scams.
One example is the domain name arfcu.us, February 2008, which was an attempt to run a phishing operation against the Atlantic Regional Federal Credit Union site.
The bank phishing botnet is predominantly located on machines infected in Romania, USA, and Argentina.
The same botnet has also been seen hosting fake escrow business scams using domains like bigeurocargo.com in February 2008. This has been exposed repeatedly.
Sample Spam
Subject: Enjoy our MASSIVE $2400 bonus......... Amazing $2400 bonuses..... Amazing Customer Support...... Amazing games..... Play at the world's most prestigious online casino..... Come and get your MASSIVE $2400 BONUS NOW! Fair Gaming, Fast Payouts unrivalled customer support: GUARANTEED!!! Join the superstars and some of the world’s BIGGEST winners........ ENTER HERE http://dokofuko73864.blogspot.com/ TO DOWNLOAD NOW!
April 2008 casino nameservers and representative domains
nameserver: ns1.cameltrophier.com
24 seat botnet, 7 unique bots
"Casino La Scala :: Elegant Gaming" firstprimegame.net
    loads site in an iframe from gamez-downloadz.com/lascala/en/
    executable download = gamez-downloadz.com/lascala/SetupCasino.exe
":: Euro Dice Casino ::" gamingnewsite.net
    loads site in an iframe from gamez-downloadz.com/eurodice
    executable download = gamez-downloadz.com/eurodice/SetupCasino.exe
"Welcome to the Euro VIP Casino" newfirstplaying.com
    loads site in an iframe from gamez-downloadz.com/eurovip
    executable download = gamez-downloadz.com/eurovip/SetupCasino.exe
"Welcome to the Royal Casino!" gamblingnewplace.com
    loads site in an iframe from gamez-downloadz.com/royalvip/
    executable download = gamez-downloadz.com/royalvip/SetupCasino.exe
"EURO PRIME CASINO" casinoprimevip.net
    loads site in an iframe from gamez-downloadz.com/europrime/index.html
    executable download = gamez-downloadz.com/europrime/download/casinoen.exe (depending on language chosen; requires javascript enabled)
"***EURO VIP CASINO*** Amazing Games, Big Winnings, Fantastic Promotions! PLAY NOW & WIN!" newvipgambling.net
    loads site in an iframe from gamez-downloadz.com/eurovip/
    executable download = gamez-downloadz.com/eurovip/SetupCasino.exe
"Casino Club V.I.P" vipgamingworld.net
    executable download = vipgamingworld.net/smartdownload.exe
    no iframe
target domain for some of the above sites: GAMEZ-DOWNLOADZ.COM
    single IP address 217.20.209.180, shared only with a Russian tax software site
    Host = InformTelecom, Moscow
nameserver: ns1.worlddwins.com and ns1.worldewins.com (Xin Net)
sites hosted on IP address 210.14.131.10 with ZBYD Technology Co.,Ltd, Beijing (LACNIC)
"Jackpot Casino/Gambling Online Casino" fjdiif.com.cn
    executable download = fjdiif.com.cn/go.php => InstallCasinoV2.exe
"Welcome to the Euro VIP Casino" jksudia.cn
    executable download = jksudia.cn/SetupCasino.exe
"Welcome to the Vegas Casino!" cniijid.cn
    executable download = meta refresh to cniijid.cn/SetupCasino.exe
same nameservers/IP also have domains for "E2 Finance" and "Freedom From Debt Forever!/Freedom4U"
nameservers: ns1.slim25.com and ns1.fort23.com
sites hosted on IP address 118.216.29.237, Hanaro Telecom, Korea
"world_casino_out"/"World Casino" kingscasinoworld.com
    executable download = kingscasinoworld.com/SmartDownload.exe
"Golden Gate Casino" goldfirstplaying.com
    executable download = goldfirstplaying.com/SmartDownload.exe
nameserver: ns1.teetns.com
sites hosted at 118.216.29.237 (see above)
"Welcome to the Royal Casino !" eurocasinoafy.com
    executable download = eurocasinoafy.com/SetupCasinoR.exe
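The delivery patterns recorded in the nameserver listings above and in the Description section (a front domain that loads the real site in an iframe from gamez-downloadz.com, a meta refresh straight to SetupCasino.exe, and pages where every link including "about us" fetches the installer) can be checked for in saved HTML before anyone opens the page in a browser. The Python scanner below is an added example, not code from the Spamwiki page or from any of the sites it lists; the HTML samples in it are constructed to mimic those patterns and are not captured page source, and the domain names in the test URLs are only those already listed on this page or reserved example names.

```python
"""Flag drive-by delivery patterns in saved HTML.

Added example (not from the Spamwiki page). Reports cross-domain iframes,
meta refreshes that land on an executable, and links whose target is an
executable, the three patterns recorded for these casino sites.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

EXECUTABLE_SUFFIXES = (".exe", ".msi", ".scr")


def parse_refresh(content):
    """Return the URL part of a meta refresh value such as '0; url=x', or None."""
    if ";" not in content:
        return None
    target = content.split(";", 1)[1].strip()
    if target[:3].lower() == "url":
        target = target[3:].lstrip().lstrip("=").strip()
    return target.strip("'\"") or None


def points_at_executable(url):
    return urlparse(url).path.lower().endswith(EXECUTABLE_SUFFIXES)


class DriveByScanner(HTMLParser):
    """Collect (kind, absolute_url) findings while parsing one page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # valueless attributes become ""
        if tag == "iframe" and a.get("src"):
            src = urljoin(self.page_url, a["src"])
            # Same-origin frames are normal; a frame pulled from another
            # domain is the "throwaway domain loads the target site" pattern.
            if urlparse(src).hostname not in (None, self.page_host):
                self.findings.append(("cross-domain iframe", src))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            target = parse_refresh(a.get("content", ""))
            if target:
                url = urljoin(self.page_url, target)
                if points_at_executable(url):
                    self.findings.append(("meta refresh to executable", url))
        elif tag == "a" and a.get("href"):
            url = urljoin(self.page_url, a["href"])
            if points_at_executable(url):
                self.findings.append(("link to executable", url))


def scan(page_url, html):
    """Parse `html` as if served from `page_url` and return the findings."""
    scanner = DriveByScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed HTML modelled on the behaviours described on this page; none of
# it is captured from a real site.
PAGE_IFRAME = """<html><body>
<iframe src="http://gamez-downloadz.com/lascala/en/" width="100%" height="100%"></iframe>
</body></html>"""

PAGE_REFRESH = """<html><head>
<meta http-equiv="refresh" content="0; url=SetupCasino.exe">
</head><body>Loading the casino...</body></html>"""

PAGE_ANY_CLICK = """<html><body>
<a href="SetupCasino.exe">Play now</a>
<a href="SetupCasino.exe">About us</a>
</body></html>"""

PAGE_BENIGN = """<html><body>
<iframe src="/help/frame.html"></iframe>
<a href="/about">About us</a>
</body></html>"""


if __name__ == "__main__":
    for url, page in [("http://firstprimegame.net/", PAGE_IFRAME),
                      ("http://cniijid.cn/", PAGE_REFRESH),
                      ("http://example.test/", PAGE_ANY_CLICK),
                      ("http://example.test/", PAGE_BENIGN)]:
        print(url, scan(url, page))
```

The scanner only looks at static markup, so a page that builds the iframe or triggers the download from JavaScript (the "requires javascript enabled" case above) will not be caught by it; for those a sandboxed browser with script logging is the right tool.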
How to Report this Spam
The Complainterator is configured to report this spamming operation. When preparing the report, add a link to this page for evidence.

