zvelo is researching a widespread and dangerous ring of fraudulent “OEM Software” distribution sites. These sites offer popular software from Microsoft, Adobe, and many other vendors at a greatly reduced price. Not only do they not deliver installable software, they collect sensitive information from individuals, including credit card numbers.
zvelo has identified over 11,000 of these web pages so far.
While these sites may look real, touting Microsoft and Verisign certifications, they are far from legitimate. Many of these sites come back as top results in Google and Yahoo searches.
Alarmingly, many URL filters are NOT able to detect and block these sites.
Here is just one example of the many sites currently up and running.
The company name given on many of these fraudulent sites is “OEM Downloads Inc”, “Authorized Software Reseller” or “Download Software”. You can check for this at the bottom of the page where there is often a copyright notice. Throughout the sites there are tell-tale signs that this is a shady website that should not be trusted.
Straight from their FAQ… “you will not receive any printed documentation (licensing or instructions) – just files and instructions in .txt format, and will not be able to register this software online.” This was the company’s explanation for the low prices they are able to offer. If you are not able to register the product, either it is not a real copy or you won’t be getting it in the first place.
Another sign is that they are offering Adobe Creative Suite software on the site. Adobe does not distribute or allow OEM distribution of their software. In fact, OEM software is rarely sold outside of a hardware bundle, like a new computer system.
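The signs described above (the company name in the copyright notice, the FAQ wording about registration, and Adobe products offered as OEM) can be combined into a simple triage check for crawled pages. The following is an added example, not zvelo's detection logic; the function name, reason labels, one-point-per-sign scoring and sample pages are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Indicators quoted from the article; treating each as one point is an assumption.
COMPANY_NAMES = ("oem downloads inc", "authorized software reseller", "download software")
FAQ_PHRASE = re.compile(r"not be able to register this software online", re.I)
ADOBE_OEM = re.compile(r"\badobe\b[^.]{0,80}\boem\b|\boem\b[^.]{0,80}\badobe\b", re.I)
COPYRIGHT = re.compile(r"(?:©|\(c\)|copyright).{0,120}", re.I)


class _VisibleText(HTMLParser):
    """Collects text nodes, skipping script and style bodies."""

    def __init__(self):
        super().__init__()
        self.chunks, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        self._skip += tag in ("script", "style")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def score_page(html):
    """Return (score, reasons) for one page of HTML."""
    parser = _VisibleText()
    parser.feed(html)
    parser.close()
    text = re.sub(r"\s+", " ", " ".join(parser.chunks))
    reasons = []
    # The company name counts only inside a copyright notice, as the article describes.
    if any(n in notice.lower() for notice in COPYRIGHT.findall(text) for n in COMPANY_NAMES):
        reasons.append("footer-company-name")
    if FAQ_PHRASE.search(text):
        reasons.append("no-registration-faq")
    if ADOBE_OEM.search(text):
        reasons.append("adobe-oem-offer")
    return len(reasons), reasons


# Constructed sample pages (not real sites).
SUSPECT = """<html><body><h1>Adobe Creative Suite OEM - 80% off</h1>
<p>You will not receive any printed documentation and will not be able to
register this software online.</p><div>&copy; 2009 OEM Downloads Inc</div></body></html>"""
BENIGN = "<html><body><p>Download software updates here.</p><p>&copy; 2009 Example Corp</p></body></html>"
```

A nonzero score is a reason to queue a page for review, not a verdict: a news article quoting the FAQ wording would also match.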
Unsurprisingly, the whois information shows Russian ownership for most of these domains. For example:
WHOIS – COMPUTERCODEPLANET.COM
Domain Name: COMPUTERCODEPLANET.COM
Registrar: ONLINENIC, INC.
Whois Server: whois.onlinenic.com
Referral URL: http://www.OnlineNIC.com
Name Server: NS1.ENCATGPC.COM
Name Server: NS2.ENCATGPC.COM
Updated Date: 20-jul-2009
Creation Date: 06-jan-2009
Expiration Date: 06-jan-2010
Valery Rigalo vrigalo77 @ inbox.ru +7.4999384712
Novomariinskaya str., 11/1, apt. 38
Record last updated at 2009-01-06 12:08:08
Record created on 2009/1/6
Record expired on 2010/1/6
Domain servers in listed order:
zveloLABS™ has also noticed that many compromised sites, including some government and educational sites, are linking back to these domains. This further substantiates the criminal intentions of these fraudsters. zvelo is flagging these URLs as “Phishing & Fraud.”