Fourth-oldest dot-com domain now relegated to serving up scareware at $400 a victim


Do not click on mcc … oh, wait, let’s not even create a link here, lest someone be tempted. Do not go there.

Founded in 1982, the Microelectronics and Computer Technology Corporation (safe Wikipedia link) was this country’s first computer research and development consortium. It was also the fourth organization of any kind to register a dot-com domain name, having done so nearly 30 years ago on July 11, 1985. MCC researched and developed until the year 2000.

Today that notable domain name is controlled by scam artists peddling fraudulent antivirus services, a fact that I discovered the hard way when researching a number of the earliest dot-coms. My click on the link that shall not be named locked up my browser, Google Chrome, and produced this frighteningly immovable message that required IT help to dispatch:

[Image: 062215blog spyware1]

Yes, a fairly obvious fake, but not to everyone, as a search on the toll-free “assistance” number revealed.

“Called this number after Norton virus came up,” reported one victim. “Computer started beeping. I fell for it. They charged me $399.99.”

There was also a report of the number being associated with the same scam on a typo-squatting site – close to but not quite

One thing I wasn’t sure about was whether I, too, had mistyped the MCC address or had indeed landed on the fourth oldest dot-com and it was scareware-infested. Either was possible. After quickly ruling out the option of going back for a second look, I asked an IDG Enterprise colleague, CSO senior writer and Salted Hash blogger Steve Ragan, a former IT security pro himself, if he might go there wearing all the proper protective clothing.

Ragan’s finding: Yes, indeed, the former online home of the first computer research and development consortium has a bad case of malware. It’s designed to serve up the phony antivirus scam to every third visitor – guess I was lucky – while others get more run-of-the-mill spam or this innocuous-looking variant.

[Image: 062215blog mcc not scareware]

The domain name in question is registered to entities in Shanghai and Czechoslovakia.

“I've checked the domains, both are offline,” says Ragan. “The traffic direction script is this URL (altered here): 5c36197277a018559XX. This is interesting because it runs over HTTPS, which makes tracking the path a bit tricky. The big number you see is a referral ID, which means it will not serve you the same direction URL twice. You've gotten the scam AV/PC support URL from there. Next time, you might get Walmart Gift Cards, or perhaps an offer to purchase discount drugs or watches - general spam. This ID also helps pay the person(s) running the campaign on the DNTRAX system.”

And then there’s the role of DNTX, self-billed as “The Traffic Marketplace.”

“That is the root company controlling the affiliate program that redirected you,” Ragan says. “They are a traffic seller, so the odds are they are hosting criminals. Question is, do they know, or are they clueless? Odds are, as long as the money is there, they don't care who they're hosting.”

It’s just one infested site, albeit one with a history, and the scam it hosts only came to my attention because my work took me there. But MCC seems a common acronym – think M-whatever Community College, for example – so it’s likely that a fair number of unsuspecting victims tack on dot-com because it’s more famous than dot-edu. The machine starts beeping.

And at least some fork over $399.99 to learn a painful lesson.

(UPDATE: Email just received from Jim Grace, director of business development for DNTX: “We have seen your article and thank you for bringing up this problem. Per our Terms Of Service, we do not allow any scareware ads on our network; however, because we are a self-service network there is a chance that one of these ads/advertisers are able to get through our quality control filters. We have terminated the advertiser in question from our network and the domain won’t show any tech support or scareware ads anymore.”)


Copyright © 2015 IDG Communications, Inc.