A large scam of a type I’ve not seen before

A client contacted me unsure whether the be honored or worried when he came across his own site completely cached on another domain name “domainname.newvirtuallife.com”, doing a Google of the domain name “newvirtuallife.com” gave me dozens of other examples of this abuse in process including but not limited to these pretty high profile sites:

  • space.newvirtuallife.com
  • canada.newvirtuallife.com
  • bit.newvirtuallife.com
  • androidheadlines.newvirtuallife.com
  • carfind.newvirtuallife.com
  • wfaa.newvirtuallife.com
  • triradar.newvirtuallife.com
  • gulfnews.newvirtuallife.com
  • businessiafrica.newvirtuallife.com
  • newsmax.newvirtuallife.com
  • post.newvirtuallife.com
  • sportscenter.newvirtuallife.com
  • cnet.newvirtuallife.com
  • automattic.newvirtuallife.com
  • wordpress.newvirtuallife.com

A lookup on the domain name newvirtuallife.com gives the following, pretty sure the name is faked.

Domain Name: NEWVIRTUALLIFE.COM
Registrant: Rose Mary Burciaga
Registrar: Godaddy
Domain servers in listed order:
AMY.NS.CLOUDFLARE.COM
WOZ.NS.CLOUDFLARE.COM

running a Dig…

dig @AMY.NS.CLOUDFLARE.COM newvirtuallife.com axfr

Lists hundreds more subdomains

WordPressTaking a look at the footers and comparing each version, we notice that the advertising links are changed quite a bit. Directing any lost browsers and bots to what I would guess are their clients. But more worrying than that, is that the login and WordPress bylines are also being misdirected, so not only are they advertising a bunch of white label affiliate sites, they have forms that steal credentials. Following through a few links especially on blog rolls on each of the fake sites takes me to further faked instances and with many of the smaller faked instances being WordPress sites, all having these are harvesting credentials.WordPress2

brainyStrangely on the footer of the faked mirror of brainyquote.com they take credit for the sites in the Copyright notice. I brought this to their admins attention, and they immediately blocked the caching systems IP address which was immediately effective in taking the instance down.

All of the domains that seem to be linked in with the scam are being served by CloudFlare and registered with godaddy, a notice has been sent to them advising them of the abuse.

While Phishing Scams are very common, misdirecting traffic this is not quite the same thing.

I’ll update this post as I learn more.

Leave a Reply

Your email address will not be published. Required fields are marked *