Scam Everything – Opioids, NetFlix, Phish, Covid Charities, and Government Refunds in one network neighborhood

Read the original article: Scam Everything – Opioids, NetFlix, Phish, Covid Charities, and Government Refunds in one network neighborhood


There’s a famous line in the movie Jerry Maguire where Tom Cruise’s character says “Show me the Money!” In online investigations, I prefer the line “Show me the Data!” This morning I was doing just that and found an interesting cluster of badness.

Dr. Elizabeth Gardner at UAB leads our Forensic Sciences program in the Department of Criminal Justice. She and I have partnered on many projects in the past by mixing our expertise. She’s a forensic drug chemist, and I chase bad guys on the Internet. 8-). Our current project follows up on some of the work we shared with the BBC Click episode “Can Technology Solve the Opioid Crisis?”

Last night we threw 586 Opioid- and Fentanyl-selling websites into the clustering-by-location program that Zack Knight (one of my student malware analysts) had developed for another project. Our goal was to find clusters of drug-selling websites “in the same place” and then use other tools to explore what else is hosted in the same location. The tool sorts first by country, then by ASN, and then by NetBlock. A nice cluster revealed itself, consisting of six websites all on the same Class C NetBlock:

Company: VERDINA Ltd., Autonomous System Number AS201133
111.90.156.117
thepleasantproducts[.]com
111.90.156.170
pharm-rx[.]to
111.90.156.173
globalheadshop[.]com
nembutalonlineshops[.]com
111.90.156.61
richmed-pharma[.]com
111.90.156.64
researchkem[.]com

Why were these sites in our database?  Well, they offer some overtly bad stuff for sale.  Here’s an example:

(Screenshots of thepleasantproducts[.]com, pharm-rx[.]to, and nembutalonlineshops[.]com)

You can clearly see why our Opioids project is interested in these sites! But what we wanted to know was, given that there were six very clearly objectionable sites on the same Class C Subnet, might there be other sites there as well? That’s where the Zetalytics “ZoneCruncher” tool came into play. We asked ZoneCruncher what other sites had recently resolved to this Netblock, fully expecting it to give us back a list of additional drug sales websites! What we got back was much more interesting!

(Screenshot: 111.90.156.0/24 via ZoneCruncher from Zetalytics)

As soon as I saw the results, I knew exactly which scammers were behind these sites, as we were well familiar with the group from the work I’ve done with the excellent Business Email Compromise researchers at Artists Against 419 (AA419)! The “signature” of this group is their reliance on a set of nameservers running on the domains “steeldns[.]com”, “metaldns[.]com” and “argondns[.]com”, hosted at the Malaysian hosting company Shinjiru MSC. Verdina Ltd. is the owner of this particular netblock, which is announced under Autonomous System Number AS201133.
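The country/ASN/NetBlock clustering described above, plus a check for the group’s nameserver signature from this paragraph, as an added example (my own illustration, not Zack Knight’s tool or ZoneCruncher). It assumes a simple record format; the domains and IPs under AS201133 are the ones quoted in the post, while the country code, the nameserver hostnames and the control record are constructed.

```python
import ipaddress
from collections import defaultdict

# Nameserver domains the post identifies as the group's signature.
SIGNATURE_NS = ("steeldns.com", "metaldns.com", "argondns.com")

# Constructed records: (domain, ip, country, asn, nameservers). The six
# AS201133 domains/IPs come from the post; "C1" stands in for the unnamed
# country, and the nameserver hosts and the last (control) record are made up.
RECORDS = [
    ("thepleasantproducts[.]com", "111.90.156.117", "C1", 201133, ["ns1.steeldns[.]com"]),
    ("pharm-rx[.]to", "111.90.156.170", "C1", 201133, ["ns1.metaldns[.]com"]),
    ("globalheadshop[.]com", "111.90.156.173", "C1", 201133, ["ns2.argondns[.]com"]),
    ("nembutalonlineshops[.]com", "111.90.156.173", "C1", 201133, ["ns1.steeldns[.]com"]),
    ("richmed-pharma[.]com", "111.90.156.61", "C1", 201133, ["ns2.metaldns[.]com"]),
    ("researchkem[.]com", "111.90.156.64", "C1", 201133, ["ns1.argondns[.]com"]),
    ("unrelated-shop[.]example", "198.51.100.7", "C2", 64496, ["ns1.example[.]net"]),
]

def refang(name):
    """Turn a defanged name such as 'x[.]com' back into 'x.com'."""
    return name.replace("[.]", ".")

def block24(ip):
    """The /24 ('Class C') network containing ip, the unit the post groups by."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)

def cluster(records, min_size=2):
    """Group domains by country, then ASN, then /24; keep groups with at least
    min_size distinct domains. Returns {(country, asn, cidr): [domains]}."""
    groups = defaultdict(set)
    for domain, ip, country, asn, _ in records:
        groups[(country, asn, str(block24(ip)))].add(domain)
    return {key: sorted(doms) for key, doms in groups.items() if len(doms) >= min_size}

def signature_hits(records):
    """Domains whose nameservers sit under one of the signature NS domains."""
    hits = []
    for domain, _, _, _, nameservers in records:
        for ns in nameservers:
            host = refang(ns).lower()
            if any(host == s or host.endswith("." + s) for s in SIGNATURE_NS):
                hits.append(domain)
                break
    return hits

if __name__ == "__main__":
    for (country, asn, cidr), domains in cluster(RECORDS).items():
        print(f"{country} AS{asn} {cidr}: {len(domains)} domains")
        for d in domains:
            print("   ", d)
    print("nameserver signature hits:", signature_hits(RECORDS))
```

Real records would carry the country and ASN from a GeoIP/BGP lookup and the nameservers from passive DNS; the grouping and suffix match stay the same.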

Verdina has a few other Netblocks that we’ll be exploring later, but this one has plenty of badness on its own!  Some of the most recent sites we have on this same Netblock include:

A fake Bank of Ireland site, indicating they would like to refund a suspicious transaction to your Visa card:

(Screenshot: boi365refunds[.]com)

of course, first you have to login . . .

An alert that your NETFLIX payment has been declined, which of course also requires a bit more information to “RESTART MEMBERSHIP” …

(Screenshots: netflx9-msg101[.]com and netflx9-msg101[.]com/alldetails.html)

Many of the sites identified by ZoneCruncher have either already been remediated by security researchers working with registrars, or have not yet been deployed by the scammers. The domain names themselves indicate the range of their creative scamming:

Covid Charity Scams
=============================
e-media-covid19-relief[.]ibonline[.]digital
e-media-covid-19-relief-fund-donations[.]ibonline[.]digital
e-media-covid-19-relief-fund-donations-for-food-parcel[.]ibonline[.]digital
emedia-givedirectly-covid-19-reliefprogram[.]ibonline[.]digital
givedirectly-covid19-emergency-fund[.]ibonline[.]digital
www.1covid-19-d[.]com
www.1covid9-cerb[.]com

Netflix Phish
=============================
n3tflix-billupdate1[.]com
netfl1x-accupdate3[.]com
netfloux474[.]com
netflx1-sms98[.]com
netflx9-msg101[.]com

Paypal phish, Scotia Bank phish, RBC phish, ANZ phish
=============================
paypai[.]restringido[.]org
