syspage.com
I was recently informed by someone that they experienced a hijacking similar to the zendmedia hijack and advertising InternetAntispy. The hijacking URL's are http://www.syspage.com/ads/homepagesai.php?id=start6 and also http://209.50.241.38/start/ads/homepagesai.php?id=start6. This hijacking also forces the CD rom drive door to open. The hijacker also features an order page which has the address of https://www.supportcs.com/epayment/pay.php?site_id=60&prod_id=69&aid=zend_spy&lid=start6. Notice the "zend_spy" reference in this link. I will include screen shots at the end of this article for reference and documentation purposes.
The whois information for syspage.com is:
Domain Name: SYSPAGE.COM
Registrar: TUCOWS, INC.
Whois Server: whois.opensrs.net
Referral URL: http://www.opensrs.org
Name Server: NS1.SYSPAGE.COM
Name Server: NS2.SYSPAGE.COM
Status: ACTIVE
Updated Date: 04-jan-2004
Creation Date: 02-jan-2004
Expiration Date: 02-jan-2005
But if we look at the whois information for supportcs.com (the order page) we see this:
Domain name: SUPPORTCS.COM
Registrant Contact:
Support
Customer Service (host@supportcs.com)
+380.444960459
Fax: 444960459
P.O. Box 37
Kiev, 01103
UA
Administrative Contact:
Support
Customer Service (host@supportcs.com)
+380.444960459
Fax: 444960459
P.O. Box 37
Kiev, 01103
UA
Technical Contact:
Support
Customer Service (host@supportcs.com)
+380.444960459
Fax: 444960459
P.O. Box 37
Kiev, 01103
UA
Billing Contact:
Support
Customer Service (host@supportcs.com)
+380.444960459
Fax: 444960459
P.O. Box 37
Kiev, 01103
UA
Status: registrar-lock
Name Servers:
ns1.iad1.nssrv.com
ns2.iad1.nssrv.com
ns3.iad1.nssrv.com
Creation date: 28 Apr 2002
15:46:13
Expiration date: 28 Apr 2004 15:46:13
If we compare this with the zendmedia.com whois, we see:
Registrant:
Zend Media, Inc.
P.O. Box 192
Kiev, NA 01103
UA (Ukraine)
Domain name: ZENDMEDIA.COM
Administrative Contact:
Hostmaster, Zend
hostmaster@zendmedia.com
P.O. Box 192
Kiev, NA 01103
UA
+380 44 496 04 59 Fax: +380
44 496 04 59
Technical Contact:
Hostmaster, Zend
hostmaster@zendmedia.com
P.O. Box 192
Kiev, NA 01103
UA
+380 44 496 04 59 Fax: +380
44 496 04 59
Registrar of Record: TUCOWS, INC.
Record last updated on 19-Aug-2003.
Record expires on 15-Apr-2004.
Record Created on 15-Apr-2002.
Domain servers in listed order:
NS1.IAD1.NSSRV.COM 64.186.152.111
NS2.IAD1.NSSRV.COM 64.186.152.112
Notice that supportcs.com and zendmedia.com are both located in Kiev, Ukraine, and both share the same fax number. The only difference is that supportcs uses a post office box of 37 while zendmedia uses post office box 192. Apparently though, they're sharing the same fax machine.
Another interesting discovery was that the website of www.supportcs.com is the same site as www.gito.com although gito.com has a whois registry of:
Registrant:
Gito.Com
po box 821
the valley, 89119
AI (this stands for Anguilla which is located in the Caribbean in
the UK)
Registrar: DOTSTER
Domain Name: GITO.COM
Created on: 12-FEB-00
Expires on: 12-FEB-07
Last Updated on: 08-SEP-03
Administrative, Technical Contact:
Ferreira, Claudio dns@gito.com
Gito.Com
po box 821
the valley, 89119
AI
705-927-5426
Domain servers in listed order:
NS1.IAD1.NSSRV.COM
NS2.IAD1.NSSRV.COM
Given this information, is supportcs.com an outsourced merchant account service for the hijacking syspage.com marketing company and just happens to have an almost identical registry address as that of the hijacking zendmedia.com marketing company? If supportcs.com and gito.com are one and the same company, why do they show different addresses in the whois data base?
The hijacking URL of http://www.syspage.com/ads/homepagesai.php?id=start6 looks like this (also notice at the bottom that the page loads with errors):
The hijacking page for the URL http://209.50.241.38/start/ads/homepagesai.php?id=start6 is identical to the previous one and, therefore, I am not including the entire screen shot due to the size of the file:
The order page URL https://www.supportcs.com/epayment/pay.php?site_id=60&prod_id=69&aid=zend_spy&lid=start6 looks like this:
UPDATE: I have recently received several emails from people who were hijacked by syspage.com advertising InternetAntispy. I decided to do some more research on them and found these sites from others having trouble with them:
http://ripoffreport.com/reports/ripoff78050.htm
http://www.computercops.biz/modules.php?name=Forums&file=viewtopic&p=62076
http://www.help2go.com/postp20939.html
http://forums.techguy.org/t195010/sd881793de8106bf089525537280c7cc6.html
http://www.publicissue.org/ICANN-INTERNIC.htm
http://vnboards.ign.com/AC_General_Board/b5141/62922690/?13
http://ourmessageboard.com/messages/4488.html
This website will be updated regularly with any new developments. Anyone wishing to contact me for inquiries or to relate their experiences may do so at nomorespyware@yahoo.com.