I woke up one beautiful morning to find a Steam message (8 of the same messages about an hour apart) from a man self-representing himself as a Jew informing me of a Karambit CS:GO knife that I supposedly forgot to retrieve. This would be the first time that someone of the Jewish faith reached out to me directly to give me something for free, so naturally, my instincts told me this was going to be fun. I, being the professional internet man that I am, visited the website and was presented with a shitty steam phishing page. Nothing unusual about that, the internet is full of phishing pages and people to this day continue to fall for phishing websites even though this got old sometimes back in 2010 (kind of on-par with Google Dorks).
Unfortunately for skinlux.work and their respective hosting company, I did not have much to do this week and decided to go down the rabbit hole that is investigating their hosting company and reporting on anything I could find.
Whois records for Skinlux(.)work show that the domain was registered on March 30th of 2020 via eNom. While the whois information is redacted/private, the nameservers showed that the domain was utilizing Cloudflare for reverse-proxy purposes. I headed on over to Cloudflare's Abuse Reporting Form and reported the domain for hosting a phishing page. While Cloudflare will help malicious pages like this hide their real IP and hosting company, Cloudflare often responds to abuse/phishing reports and provides the reporting party with the hosting provider's name and abuse contact email. You can see their reply in regards to my report below:
After Cloudflare provided me with the hosting provider's name and abuse email, it was only a matter of some googling and OSINT to get all the information below.
DDOS-GUARD CORP / DDOS-GUARD LTD operates under the domain ddos-guard(.)net and AS numbers AS57724 and AS262254 with majority of their IP's located in Russia (AS262254 is the one with IP's reporting in Belize). They are a registered company in Belize with the registration number 173694, you can reach out to ibcbelize.com in order to perform a 'search' of the company in which you pay them $25 to get the Registered Agent, Agent's Address, Registered Office, Public Investment and the Registered Documents, but I don't care enough to pay for that. They are also a limited liability corporation in Russia which you may find by searching at https://egrul.nalog.ru/index.html with a supposed physical address of House 276, Floor 5, Office 11 on Street of Maxim Gorky in Rostov, 344019 Russia. The two listed persons for the company are Evgeny Anatolevich Marchenko (ЕВГЕНИЙ АНАТОЛЬЕВИЧ МАРЧЕНКО) and Dmitry Vladimirovich Sabitov (ДМИТРИЙ ВЛАДИМИРОВИЧ САБИТОВ) both of whom hold a 50% stake in the company.
The Russian wikipedia article for DDOS-Guard lists Evgeny Marchenko and Dmitry Sabitov as the founders of DDOS-Guard. DDOS-Guard signed a partnership agreement with Reg.ru (a quasi bulletproof domain registrar) in 2014 to supposedly assist in protecting customers from DDOS attacks. You can read an interview with Dmitry Sabitov here. During this interview, Dmitriy Sabitov says that Evgeny's new passion was fighting DDOS attacks and he was eager to help Evgeny with this task. This begs the question of why an IT company that was supposedly created to provide their customers with "high-quality services at affordable prices" and to "get rid of the headaches that are DDOS attacks" is now responsible for hosting thousands of malicious websites with no end in sight.
DDOS-Guard(.)net was originally registered on January 1st, 2008 with the nameservers ns3.spyderzwebz(.)com and ns4.spyderzwebz(.)com
The domain was parked and then subsequently dropped on February 1st, 2009 due to a lack of renewal. The domain was re-registered on June 1st of 2011 with the nameservers ns1.reg(.)ru and ns2.reg(.)ru which matches the supposed incorporation date of the company itself.
The domain nameservers were ns1.ddos-guard(.)net ns2.ddos-guard(.)net ns3.ddos-guard(.)net ns4.ddos-guard(.)net ns5.ddos-guard(.)net ns6.ddos-guard(.)net and were amended to ns1.ddos-guard(.)net and ns2.ddos-guard(.)net on February 10th of 2018.
The domain has had Whois privacy enabled for nearly its' whole lifetime except for October 11th, 2017. The whois record on October 11th, 2017 was:
Registrant Name: Evgenii Marchenko
Registrant Organization: Private Person
Registrant Street: Vyatskaya str, 55/4-11
Registrant City: Rostov-on-Don
Registrant State/Province: Rostov
Registrant Postal Code: 344065
Registrant Country: RUSSIAN FEDERATION
Registrant Email: [email protected]
Registrant Phone: 79282797045
Administrative Name: Evgenii Marchenko
Administrative Organization: Private Person
Administrative Street: Vyatskaya str, 55/4-11
Administrative City: Rostov-on-Don
Administrative State/Province: Rostov
Administrative Postal Code: 344065
Administrative Country: RUSSIAN FEDERATION
Administrative Email: [email protected]
Administrative Phone: 79282797045
Technical Name: Evgenii Marchenko
Technical Organization: Private Person
Technical Street: Vyatskaya str, 55/4-11
Technical City: Rostov-on-Don
Technical State/Province: Rostov
Technical Postal Code: 344065
Technical Country: RUSSIAN FEDERATION
Technical Email: [email protected]
Technical Phone: 79282797045
The number 79282797045 is in fact from the Rostov region of the Russian Federation and is a mobile phone. Searching that phone number led me to discover that a lot of Russian internet users have been complaining regarding spam and phishing pages hosted by Evgeniy Marchenko for years. Once such report on zvonil.octo(.)net describes the following malicious domains:
SPAMM(.)ME - Registered January 7th, 2018 by a Nikolay Kolchanov with an email of e-pay(.)tv@yandex(.)com who hosted his malicious website at 190.115.19(.)218 LACNIC for whom the technical contact was one Evgeniy Marchenko with a telephone number of 79282797045 and email of xengine@mail(.)ru
SPAMMM(.)INFO - Registered on January 12th, 2018 via Namecheap and located at 190.115.19(.)218 LACNIC for whom the technical contact was once again Evgeniy Marchenko with the same telephone number and email as the domain above. Spammm(.)info redirected to Goldemails(.)ru at the time of the report (Jan 14, 2018)
MYPAYS(.)Info - Registered January 8th, 2018 by a Nikolay Kolchanov with the email of kolchanov-n@ya(.)ru and also hosted at 190.115.19(.)218 LACNIC for whom the technical contact was one Evgeniy Marchenko with the same telephone number and email as the domains above.
Nikolay Kolchanov has also been the registrant for domains 8800(.)city minisite(.)one partnerlnk(.)net v-kontakte(.)co ellinks(.)org my-kassir(.)org partnerslink(.)me homebusines(.)info partnerlnk(.)com and qwerty40(.)com
Evgeny's business email e.marchenko@ddos-guard(.)net does not currently show up on any WHOIS records, however, his personal email xengine@mail(.)ru has registered two domains: cognitive-machines.com and rostov.pet. Rostov.pet historical whois data shows the following registrant information (click to expand):
Whois records for ROSTOV.PET
Domain Name: ROSTOV.PET Registry Domain ID: D503300000006126772-LRMS Registrar WHOIS Server: Registrar URL: http://www.key-systems.net Updated Date: 2017-04-09T19:46:12Z Creation Date: 2016-02-25T14:54:39Z Registry Expiry Date: 2018-02-25T14:54:39Z Registrar Registration Expiration Date: Registrar: Key-Systems, LLC Registrar IANA ID: 1345 Registrar Abuse Contact Email: Registrar Abuse Contact Phone: Reseller: Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: pendingDelete https://icann.org/epp#pendingDelete Domain Status: serverHold https://icann.org/epp#serverHold Domain Status: autoRenewPeriod https://icann.org/epp#autoRenewPeriod Domain Status: redemptionPeriod https://icann.org/epp#redemptionPeriod Registry Registrant ID: C167765369-LRMS Registrant Name: Evgeny Marchenko Registrant Organization: Private Person Registrant Street: Vyatskaya str Registrant Street: 55/4-11 Registrant City: Rostov-on-Don Registrant State/Province: Rostov Registrant Postal Code: 344056 Registrant Country: RU Registrant Phone: +7.9282797045 Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email: [email protected] Registry Admin ID: C198903919-LRMS Admin Name: Evgeny Marchenko Admin Organization: Private Person Admin Street: Vyatskaya str Admin Street: 55/4-11 Admin City: Rostov-on-Don Admin State/Province: ROSTOV Admin Postal Code: 344056 Admin Country: RU Admin Phone: +7.9282797045 Admin Phone Ext: Admin Fax: Admin Fax Ext: Admin Email: [email protected] Registry Tech ID: C198903924-LRMS Tech Name: Evgeny Marchenko Tech Organization: Private Person Tech Street: Vyatskaya str Tech Street: 55/4-11 Tech City: Rostov-on-Don Tech State/Province: ROSTOV Tech Postal Code: 344056 Tech Country: RU Tech Phone: +7.9282797045 Tech Phone Ext: Tech Fax: Tech Fax Ext: Tech Email: [email protected] Name Server: NS7.EXPIRATIONWARNING.NET Name Server: NS3.EXPIRATIONWARNING.NET DNSSEC: unsigned
Now let's take a look at some random websites that are utilizing DDOS-Guard nameservers and see if they serve any sort of legitimate purpose because after all I may just be a retard and not know what I'm talking about. Keep in mind I'm not selectively choosing malicious domains, I'm just grabbing random ones from THIS LIST, your mileage will not vary, I promise.
Domain #1 - Benjiro(.)io
Utilizing ddos-guard(.)net nameservers, hosted at 190.115.18(.)235 (DDOS-GUARD CORP) and mail.tutanota(.)de (back to 2010 we go) for the mail server.
Benjiro.io claims to allow users to deposit bitcoin, ethereum and other cryptocurrency and earn 2.1% every day for a period of 20 days. This would mean a 42% return on investment within the 20 day period. Seem to good to be true, I implore you to invest and tell me what happens.
Domain #2 - Cryptosub(.)net
Utilizing ddos-guard(.)net nameservers, hosted at 190.115.30(.)136 (DDOS-GUARD CORP) and mail.cryptosub(.)net for the mails erver.
Claims to reward users for promoting crypto currencies and "get highly rewarded for that". Open ports on this IP indicate that this website is hosted on a cPanel server hosted on DDOS-GUARD.
Domain #3 - Free-bitcoin2020(.)com
Same as Cryptosub but hosted at DDOS-Guard IP 190.115.30(.)178, also cPanel. Shitty website with broken English (spoiler alert: most of these sites are shitty and use broken English).
Domain #4 - Oastland(.)biz
Appears to be a woodworking company but in reality they offer an investment options of 5% to 7% daily growth if you invest with cryptocurrencies. Once again a cryptocurrency scam website with DDOS-GUARD DNS servers, A record and mail server. Hosted at IP 190.115.30(.)251 (cPanel).
Domain #5 - Lazy-Revenge(.)com
Another scam website that is a self-proclaimed "high-profile matric project f new generation where all participants are lined from left to right closing each other tables." Yet again hosted with DDOS-Guard and residing on public IP 190.115.21(.)197 (cPanel)
Domain #6 - BitProFund(.)com
A "Safe, high yield industry-specific solution for Private ivestors, Families and more.) offering cryptocurrency investment options thats scale as high as 250% a day. Everything hosted with DDOS-Guard, A record of 190.115.21(.)230 (cPanel).
Domain #7 - TopVest(.)ltd
Another cryptocurrency investment scam. Resides on 185.178.208(.)154 so not a cPanel site but still hosted with DDOS-Guard, still a scam, but hosted in Russia rather than an IP pretending to be in Belize.
Domain #8 - Gold8(.)io
Another cryptocurrency scam. Utilizes DDOS-Guard for DNS, web hosting and email. Utilizes public IP's 190.115.18(.)117 for web hosting and has a record for 190.115.21(.)235 for mail
Domain #9 - TurboTaxLogin(.)us
Company claming to provide third-party support for TurboTax. Definitely a scam. Who would've guessed, it's also hosted with DDOS-Guard and utilizes the IP of 190.115.26(.)62. Also appears to be just one site out of thousands of sites owned by contactassistance.com which is listed as a company called Callspartner located in Delhi, India (but no such entity exists according to India's company search). Most likely a VPS/Dedicated server just for Callspartner as there are a lot of scam support sites under that IP, see screenshot below.
Records for contactassistance(.)com show the following information throughout the life of the domain (click to expand as it is a shitton of retarded data). Not even joking, these retards could have a hundred blog posts on just their sites and scummy practices alone.
Whois Records for ContactAssistance(.)com
April 24, 2014 Domain Name: CONTACTASSISTANCE.COM Updated Date: 21-Mar-2014 Creation Date: 20-Mar-2014 Registrar Registration Expiration Date: 20-Mar-2015 Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com Registrar IANA ID: 303 Domain Status: clientTransferProhibited Registrant Name: Nathanniel carter Registrant Organization: Assit group Registrant Street: 01bp58245 abj 01 Registrant City: Abidjan Registrant State/Province: lagune Registrant Postal Code: 584 Registrant Country: CI Registrant Phone: +225.22501457845 Registrant Email: [email protected] Admin Name: Nathanniel carter Admin Organization: Assit group Admin Street: 01bp58245 abj 01 Admin City: Abidjan Admin State/Province: lagune Admin Postal Code: 584 Admin Country: CI Admin Phone: +225.22501457845 Admin Email: [email protected] Tech Name: Nathanniel carter Tech Organization: Assit group Tech Street: 01bp58245 abj 01 Tech City: Abidjan Tech State/Province: lagune Tech Postal Code: 584 Tech Country: CI Tech Phone: +225.22501457845 Tech Email: [email protected] Name Server: ns1.contactassistance.com Name Server: ns2.contactassistance.com November 22, 2016 Domain Name: contactassistance.com Registrar URL: http://www.godaddy.com Creation Date: 2016-11-21T16:21:43Z Registrar Registration Expiration Date: 2017-11-21T16:21:43Z Registrar: GoDaddy.com, LLC Registrar IANA ID: 146 Registrar Abuse Contact Email: [email protected] Registrar Abuse Contact Phone: +1.4806242505 Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited Registrant Name: Abhishek Malhotra Registrant Street: G40 Registrant Street: Vikaspuri Registrant City: New Delhi Registrant State/Province: Delhi Registrant Postal Code: 110018 Registrant Country: IN Registrant Phone: +91.1128543236 Registrant Email: [email protected] Admin Name: Abhishek Malhotra Admin Street: G40 Admin Street: Vikaspuri Admin City: New Delhi Admin State/Province: Delhi Admin Postal Code: 110018 Admin Country: IN Admin Phone: +91.1128543236 Admin Email: [email protected] Tech Name: Abhishek Malhotra Tech Street: G40 Tech Street: Vikaspuri Tech City: New Delhi Tech State/Province: Delhi Tech Postal Code: 110018 Tech Country: IN Tech Phone: +91.1128543236 Tech Email: [email protected] Name Server: NS01.DOMAINCONTROL.COM Name Server: NS02.DOMAINCONTROL.COM April 19, 2018 Domain name: contactassistance.com Creation Date: 2016-11-21T08:21:43Z Registrar Registration Expiration Date: 2019-11-20T16:00:00Z Registrar: ERANET INTERNATIONAL LIMITED Registrar IANA ID: 1868 Registrar Abuse Contact Email: [email protected] Registrar Abuse Contact Phone: +867563810566 Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited Registrant Name: Prateek kapoor Registrant Organization: Callspartner Registrant Street: 58C JG3 Vikas Puri Registrant City: Delhi Registrant Province/state: Delhi Registrant Postal Code: 110018 Registrant Country: IN Registrant Phone: +91.9990609669 Registrant Fax: +91.9990609669 Registrant Email: [email protected] Admin Name: Prateek kapoor Admin Organization: Callspartner Admin Street: 58C JG3 Vikas Puri Admin City: Delhi Admin Province/state: Delhi Admin Postal Code: 110018 Admin Country: IN Admin Phone: +91.9990609669 Admin Fax: +91.9990609669 Admin Email: [email protected] Tech Name: Prateek kapoor Tech Organization: Callspartner Tech Street: 58C JG3 Vikas Puri Tech City: Delhi Tech Province/state: Delhi Tech Postal Code: 110018 Tech Country: IN Tech Phone: +91.9990609669 Tech Fax: +91.9990609669 Tech Email: [email protected] Name Server: ns200.01isp.com Name Server: ns201.01isp.net Billing Name: Prateek kapoor Billing Organization: Callspartner Billing Street: 58C JG3 Vikas Puri Billing City: Delhi Billing Province/state: Delhi Billing Postal Code: 110018 Billing Country: IN Billing Phone: +91.9990609669 Billing Fax: +91.9990609669 Billing Email: [email protected]
Domain #10 - Rex-Consulting(.)biz
Oh wow who would've guessed, another fucking cryptocurrency investment site with a 110% weekly return (lmfao). Can you guess what nameservers they use? 190.115.30(.)224 for IP and MX records. Yes it's DDOS-GUARD, they all are.
Domain #11 - Game-of-thrones(.)me
No way that a domain following a show is a cryptocurrency investment site, oh wait, yeah it fucking is. They use a DDOS-GUARD owned IP of 190.115.21(.)204 and also operate a mail server at 116.203.113(.)89 which is, suprisingly Hetzner, another great hosting company.
Domain #12 - Skladchik.biz
Basically a warez site, which is whatever, seems to be focused on posting training courses and webinars from a shitton of different fields. They use a DDOS-GUARD IP of 186.2.163(.)63 and THEFIRST-AS IP's of 188.120.239(.)242 and 62.109.21(.)86 for their mail servers. One could argue this is the first out of the 12 domains I've opened that serves a non-scamming purpose (but don't quote me on that).
Domain #13 - CrdClub(.)su
Carding forum with no MX records, obviously follows the trend of using DDOS-GUARD nameservers. Also has a shitton of pointless A records all pointing to DDOS-GUARD IP 186.2.163(.)93
Domain #14 - Balenciaga-Market(.)ru
Online store with counterfeit Balenciaga products. All hosted on DDOS-Guard and using IP of 185.178.208(.)153
I could keep going but it's kind of pointless, going down the list all you'll find is cryptocurrency investment scams, telephone support scams, carding forums and maybe a couple of businesses that appear to be legitimate. All I know is that the majority of the domains I looked at are all scams. The fact that nearly all these website continue to stay online is proof in of itself that majority of DDOS-Guard's revenue comes from hacking groups and scammers. One could infer that they must cater to such customers or at the very least invite them to use their services by failing to remove malicious actors off their network.
DDOS-Guard acts against their own published Acceptable Use Policy (AUP) in allowing the majority of their customers to continue to operate. Given that over 75% of their customer base is engaged in 'attempting without authorization to access a computer system', 'pirating (distributing copyrighted material in violation of copyright law)', as well as 'gambling; schemes to defraud;' it goes to show that they do not actually enforce their own AUP.
Reading their AUP does have its benefits though. We get to find out that they now refer to themselves as COGNITIVE CLOUD L.P. which is a company registered in the United Kingdom. Their UK company was registered on November 24th, 2017 and has an LP number of SL032463 with a registered office address of 18 S1 Forth Street, Scotland, United Kingdom, EH1 3LH.
The address listed for the company is one of hundreds of virtual office addresses available on various sites including Regus.de
One other address that shows up on some of the filings for their UK company is Golden Cross House, 8 Duncanno Street, Office 504, London WC2N 4JF, UK which is another virtual office.
The UK company lists Evgenii Marchenko (DOB Feb 1982) and Aleksei Likhachev (DOB October 1967) as the two active persons with significant controls. Aleksei Likhachev is listed as the CISO of DDOS-GUARD LTD on TAdviser.com and Xing.com
Anyway, now that I've established what the average customer of DDOS-Guard looks like, it's time to talk about the people behind it.
Evgeny Marchenko was born on 02/27/1982 and is currently the General Director of DDOS-Guard which has a PSRN number of 1149204010988 and was registered on 07/29/2014 with an authorized capital of 10 000 rubles. He attended Don State Technical University (DTSU). He is also the General Director of Cognitive Machines, a joint stock company with the PSRN of 1166196090862 registered on 08/05/2016 with an authorized capital of 750 000 rubles and located at 344019, Rostov region, Rostov-on-Don, Maxim Gorky street, house 276 floor 5, office 19,20,23.
Dmitry Vladimirov Sabitov is currently the General Director of DDOS-Guard as well as the General Director of ISK LLC a/k/a 'Information Systems Consulting' with the PSRN number 1187746325029 which was registered on 03/22/2018 with an authorized capital of 10 000 rubles and an address of 115407, Moscow city, Nagatinskaya embankment, building 56a, underground pom I to 9 of 1.
During the course of my autistic 'investigation', I also found plenty of reviews on various forums regarding DDOS-Guard complaining that the company is full of liars, that the stability and latency of the network is sub-par and that the ddos protection barely even works. Imagine you create a DDOS protection service that sucks so much penis you have to restort to providing services to low-life scum that is telemarketing scammers and phishing page owners as they don't care about latency and shitty service.
It's also important to note that AS262254 was once named Dancom Ltd (and continues to be broadcasted as such in a lot of places) and has had reports regarding bitcoin scams and phishing pages by various sources, most notably, Cisco Umbrella which referred to the AS262254 by its 'other' name DANCOM LTD and listed it as being a part of the DDOS-GUARD bulletproof hosting structure. MalwareURL also lists several malicious domains and IP's originating from AS262254 which you can review here. Dancom LTD is an inactive company in Belize with the registration number 115964 so its pretty safe to say that Dancom LTD is now DDOS-Guard LTD.
As you can see, these activites havn't exactly gone unnoticed, even being reported on on the RIPE mailing list where the mentioned ASN's were registered by the same party using different company names and addresses. One of the ASN's that was registered was the ASN that now belongs to DDOS-GUARD AS57724 and it was originally registered with the domain id-trafic.ro
Hosting providers like this have popped up and disappeared throughout the better part of two decades and I don't think we'll see anything changing any time soon. I'll add more info and other parts to this as I have time to research more.