As we noted in our post “Your Bill Is Now Available”, the Blackhole kit used by the Verizon Wireless spam was first located at http://slickcurve.com/showthread.php?t=d7ad916d1c0396ff.

The security research community was quick to spot this domain and have it taken down. Unfortunately, this did not stop the bad guys. Throughout the day we noted that the following Blackhole kits were used:

It appeared that almost as soon as one domain was taken down another domain took its place.

It is interesting to note the common theme used by some of these domains, in particular the <color>cellular.com/org naming convention.

The domains browncellular.com, cyancellular.com and whitecellular.org were registered on 22-mar-2012.

The domain browncellular.com was registered to:

Renee Fabian clarelam@primasia.com
2840 Center Port Circle
Pompano Beach

The domains cyancellular.com and whitecellular.org were registered to the following (note the same email address, clarelam@primasia.com):

jeffrey vaughn
jeffrey vaughn (clarelam@primasia.com)
+1.2524320178 ext
Fax: +1. ext
1000 facet road
henderson, NC

The domains slickidian.com and slickcurve.com were both registered on 13-mar-2012 to the following:

Peter Bousun abcdub@hathway.com
40 Frontage Rd
08551 ringoes
United States
Tel: +1.6093970078
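
The pivot described above (one registrant email tying together domains registered under different names), as an added example that is not code from the original post: it groups the WHOIS fields quoted in this post by email and reports differing registrant names and shared label prefixes or suffixes. The record layout and the function names are assumptions made for the illustration.

```python
import os
from collections import defaultdict

# WHOIS fields transcribed from the records quoted in this post.
RECORDS = [
    {"domain": "browncellular.com", "name": "Renee Fabian", "email": "clarelam@primasia.com", "created": "22-mar-2012"},
    {"domain": "cyancellular.com", "name": "jeffrey vaughn", "email": "clarelam@primasia.com", "created": "22-mar-2012"},
    {"domain": "whitecellular.org", "name": "jeffrey vaughn", "email": "clarelam@primasia.com", "created": "22-mar-2012"},
    {"domain": "slickidian.com", "name": "Peter Bousun", "email": "abcdub@hathway.com", "created": "13-mar-2012"},
    {"domain": "slickcurve.com", "name": "Peter Bousun", "email": "abcdub@hathway.com", "created": "13-mar-2012"},
]

def sld(domain):
    """Label left of the TLD (simplification: assumes a single-label TLD)."""
    return domain.lower().rsplit(".", 1)[0]

def shared_affix(labels):
    """Longest prefix and longest suffix common to every label."""
    prefix = os.path.commonprefix(labels)
    suffix = os.path.commonprefix([label[::-1] for label in labels])[::-1]
    return prefix, suffix

def cluster_by_email(records):
    """Group records by normalised registrant email and summarise each group."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["email"].strip().lower()].append(rec)
    clusters = {}
    for email, recs in groups.items():
        prefix, suffix = shared_affix([sld(r["domain"]) for r in recs])
        names = sorted({r["name"].lower() for r in recs})
        clusters[email] = {
            "domains": sorted(r["domain"] for r in recs),
            "names": names,
            "created": sorted({r["created"] for r in recs}),
            "prefix": prefix,
            "suffix": suffix,
            # One mailbox behind several registrant identities.
            "name_mismatch": len(names) > 1,
        }
    return clusters

if __name__ == "__main__":
    for email, info in cluster_by_email(RECORDS).items():
        print(email, info)
```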

