Re: Crooks on the Internet: Episode 6,427

2018-11-21 Thread A. Pishdadi
We have noticed a huge influx of people requesting us to route blocks of
IPs they rent from IP brokers. We always make sure they show us an LOA and
that RADB records match the company name and proper registration is in
place; I doubt some smaller providers do the same due diligence, but for me
it's concerning how easy it is to rent IP space these days. It just means
that there is a coming storm.

Nice investigative work. Is this guy listed in ROKSO by chance? I am
traveling and have crappy connectivity on my phone, so I don't want to
bother and check at the moment.



On Wed, Nov 21, 2018 at 4:33 PM Ronald F. Guilmette wrote:

>
> I just thought that y'all might want to be aware of this.
>
> My attention was called recently to a RIPE-issued block of IPv4 addresses
> assigned to a particular Polish firm (Marton Media:
> https://martonmedia.pl/)
> that appears to sell digital TV services.
>
> The block in question is 91.149.192.0/18 aka "PL-MARTON-20061120".
>
> It appears that perhaps this company didn't quite need all of that /18 that
> it got from RIPE, so it looks like they parceled out some sub-parts of that
> /18 to at least a couple of other parties, to wit:
>
> "Hostermatrix LLC" aka "ORG-HL183-RIPE":
> 91.149.232.0/22
> 91.149.252.0/22
>
> "Real Tone Hosting LLC" aka "ORG-RTHL1-RIPE"
> 91.149.224.0/21
> 91.149.236.0/22
> 91.149.240.0/21
> 91.149.248.0/22
>
> Ignoring, for the moment, the fact that neither of these companies actually
> seem to exist anywhere... at least not on -this- planet... my attention was
> further called to the pair of /22 blocks that have been sub-allocated by
> Marton Media (Poland) to this thing they are calling "Hostermatrix LLC".
>
> The reverse DNS for those blocks looked like this, just a few short
> days ago, on November 16th:
>
> https://pastebin.com/raw/hjWG5KxA
>
> But apparently, that all has been changed rather substantially, just in the
> past few days, so now it all looks like this instead:
>
> https://pastebin.com/raw/58qCdPrc
>
> (You might call this the "Schrodinger Effect".  When researching bad guys on
> the Internet, their stuff may change, even as you are looking at it, and
> perhaps even -because- you are looking at it.)
>
> Anyway, the rDNS listing, as it was on the 16th, looked more than a little
> fishy.  Why would anyone need quite this many different outbound SMTP
> servers?
>
> The one and only second-level domain name that appeared in the rDNS listing
> as of the 16th was "sm-smtp.net".  I did a bit of research on that domain
> name and found that historical passive DNS associates that domain, quite
> unambiguously, with another domain name, sendermatrix.net.
>
> It didn't take much more research for me to find out that a company called
> Sender Matrix, LLC is in fact registered in the State of Florida to a Mr.
> Jay Passerino.  Mr. Passerino appears to have registered a number of different
> Florida companies:
>
> Haggle USA Corp.
> Mahem Partners, Inc.
> Sourcehire, LLC
> Boat App, LLC
> All In Nutraceuticals, LLC
> Miami Suppliments, LLC
> Balladex Enterprises, LLC
> Sender Matrix, LLC (http://sendermatrix.com/)
> Gasher, Inc.
> Digital Platinum, Inc. (http://digital-platinum.com/)
> BB Ventures, Inc.
>
> Of course, there's nothing at all wrong with Mr. Passerino having prolific
> and multiple business interests, however a fellow who also, coincidentally,
> has the name Jay Passerino, and who also, coincidentally, hails from the
> State of Florida seems to have gotten into what the Brits might call "a spot
> of bother" with respect to not one but -two- U.S. federal regulatory agencies
> of late, specifically the SEC and the CFTC, both of which appear to have
> taken serious issue with this Mr. Jay Passerino's business practices, along
> with those of several of his cohorts:
>
> CFTC Press Release:
> https://www.cftc.gov/PressRoom/PressReleases/7807-18
>
> SEC Press Release:
> https://www.sec.gov/news/press-release/2018-216
>
> As you can see, both the SEC and the CFTC elected to take issue... on the
> exact same day, by the way... with this Mr. Jay Passerino's activities on
> the Internet, and specifically relating to "pump and dump" email scams.
>
> Returning now to the subject of the two /22 sub-allocations that were made
> by this Polish outfit, Marton Media, to this apparently non-existent corporate
> entity called "Hostermatrix LLC", I hope that it will not escape anyone's
> notice that whereas the IPv4 blocks in question have been provided... seemingly
> to an Internet crook named Jay Passerino... by a Polish company, the actual
> -routing- of each of these blocks shows the participation of some other
> actors within two more (different) European countries:
>
> 91.149.232.0/22 -
>   routed by AS51765 (Oy Creanova Hosting Solutions Ltd. - Finland)
>
> 91.149.252.0/22 -
>   routed by AS24768 (ALMOUROLTEC 
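One way to codify the due diligence the reply above describes (every requested sub-block must sit inside the parent allocation without overlapping its siblings, and the LOA's claimed organisation and announcing AS must agree with the registry/IRR record for the prefix), as an added example that is not code from anyone in this thread. The parent /18 and the sub-blocks are the prefixes quoted in the post; the route objects, organisation strings and AS numbers handed to check_loa are constructed for illustration and are not real RADB data.

```python
"""Sub-allocation and LOA sanity checks (added example, not the thread's code).
Assumes the operator already has the parent block, the requested sub-blocks,
and an IRR-style lookup result in hand; the lookup result here is constructed."""
import ipaddress
from typing import Dict, List, NamedTuple


class RouteObject(NamedTuple):
    origin_as: int   # origin AS on the IRR route: object
    org: str         # organisation name on the inetnum / registry record


def vet_suballocations(parent: str, subs: List[str]) -> List[str]:
    """Return the problems found: a sub-block that falls outside the parent
    allocation, or two sub-blocks that overlap each other."""
    parent_net = ipaddress.ip_network(parent, strict=True)
    nets = [ipaddress.ip_network(s, strict=True) for s in subs]
    problems = []
    for n in nets:
        if not n.subnet_of(parent_net):
            problems.append(f"{n} is not within {parent_net}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


def check_loa(route_objects: Dict[str, RouteObject], prefix: str,
              claimed_org: str, announcing_as: int) -> List[str]:
    """Compare what an LOA claims against the registry/IRR record for the prefix.
    An LOA that nothing in the registry corroborates is itself a finding."""
    ro = route_objects.get(prefix)
    if ro is None:
        return [f"no route object for {prefix}: LOA cannot be corroborated"]
    issues = []
    if ro.org.casefold() != claimed_org.casefold():
        issues.append(f"org mismatch for {prefix}: LOA says {claimed_org!r}, "
                      f"registry says {ro.org!r}")
    if ro.origin_as != announcing_as:
        issues.append(f"origin mismatch for {prefix}: LOA says AS{announcing_as}, "
                      f"route object says AS{ro.origin_as}")
    return issues


# Prefixes as quoted in the post: the /18 and the sub-allocations carved from it.
PARENT = "91.149.192.0/18"
SUB_BLOCKS = [
    "91.149.232.0/22", "91.149.252.0/22",                      # "Hostermatrix LLC"
    "91.149.224.0/21", "91.149.236.0/22", "91.149.240.0/21", "91.149.248.0/22",
]

# Constructed lookup result, standing in for an IRR query; not real RADB data.
CONSTRUCTED_ROUTE_OBJECTS = {
    "91.149.232.0/22": RouteObject(origin_as=51765, org="Hostermatrix LLC"),
}

if __name__ == "__main__":
    print(vet_suballocations(PARENT, SUB_BLOCKS))            # [] : all inside, none overlap
    print(vet_suballocations(PARENT, ["91.149.128.0/22"]))   # outside the parent
    print(check_loa(CONSTRUCTED_ROUTE_OBJECTS, "91.149.232.0/22",
                    "Some Other LLC", 24768))                  # org and origin mismatch
```

The prefix arithmetic alone will not catch a fabricated company, which is the point the post goes on to make; it only ensures the paperwork is internally consistent before a human compares the registrant against corporate and abuse-history records.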

Crooks on the Internet: Episode 6,427

2018-11-21 Thread Ronald F. Guilmette


I just thought that y'all might want to be aware of this.

My attention was called recently to a RIPE-issued block of IPv4 addresses
assigned to a particular Polish firm (Marton Media: https://martonmedia.pl/)
that appears to sell digital TV services.

The block in question is 91.149.192.0/18 aka "PL-MARTON-20061120".

It appears that perhaps this company didn't quite need all of that /18 that
it got from RIPE, so it looks like they parceled out some sub-parts of that
/18 to at least a couple of other parties, to wit:

"Hostermatrix LLC" aka "ORG-HL183-RIPE":
91.149.232.0/22
91.149.252.0/22

"Real Tone Hosting LLC" aka "ORG-RTHL1-RIPE"
91.149.224.0/21
91.149.236.0/22
91.149.240.0/21
91.149.248.0/22

Ignoring, for the moment, the fact that neither of these companies actually
seem to exist anywhere... at least not on -this- planet... my attention was
further called to the pair of /22 blocks that have been sub-allocated by
Marton Media (Poland) to this thing they are calling "Hostermatrix LLC".

The reverse DNS for those blocks looked like this, just a few short
days ago, on November 16th:

https://pastebin.com/raw/hjWG5KxA

But apparently, that all has been changed rather substantially, just in the
past few days, so now it all looks like this instead:

https://pastebin.com/raw/58qCdPrc

(You might call this the "Schrodinger Effect".  When researching bad guys on
the Internet, their stuff may change, even as you are looking at it, and
perhaps even -because- you are looking at it.)

Anyway, the rDNS listing, as it was on the 16th, looked more than a little
fishy.  Why would anyone need quite this many different outbound SMTP servers?

The one and only second-level domain name that appeared in the rDNS listing
as of the 16th was "sm-smtp.net".  I did a bit of research on that domain
name and found that historical passive DNS associates that domain, quite
unambiguously, with another domain name, sendermatrix.net.

It didn't take much more research for me to find out that a company called
Sender Matrix, LLC is in fact registered in the State of Florida to a Mr.
Jay Passerino.  Mr. Passerino appears to have registered a number of different
Florida companies:

Haggle USA Corp.
Mahem Partners, Inc.
Sourcehire, LLC
Boat App, LLC
All In Nutraceuticals, LLC
Miami Suppliments, LLC
Balladex Enterprises, LLC
Sender Matrix, LLC (http://sendermatrix.com/)
Gasher, Inc.
Digital Platinum, Inc. (http://digital-platinum.com/)
BB Ventures, Inc.

Of course, there's nothing at all wrong with Mr. Passerino having prolific
and multiple business interests, however a fellow who also, coincidentally,
has the name Jay Passerino, and who also, coincidentally, hails from the
State of Florida seems to have gotten into what the Brits might call "a spot
of bother" with respect to not one but -two- U.S. federal regulatory agencies
of late, specifically the SEC and the CFTC, both of which appear to have
taken serious issue with this Mr. Jay Passerino's business practices, along
with those of several of his cohorts:

CFTC Press Release:
https://www.cftc.gov/PressRoom/PressReleases/7807-18

SEC Press Release:
https://www.sec.gov/news/press-release/2018-216

As you can see, both the SEC and the CFTC elected to take issue... on the
exact same day, by the way... with this Mr. Jay Passerino's activities on
the Internet, and specifically relating to "pump and dump" email scams.

Returning now to the subject of the two /22 sub-allocations that were made
by this Polish outfit, Marton Media, to this apparently non-existent corporate
entity called "Hostermatrix LLC", I hope that it will not escape anyone's
notice that whereas the IPv4 blocks in question have been provided... seemingly
to an Internet crook named Jay Passerino... by a Polish company, the actual
-routing- of each of these blocks shows the participation of some other
actors within two more (different) European countries:

91.149.232.0/22 -
  routed by AS51765 (Oy Creanova Hosting Solutions Ltd. - Finland)

91.149.252.0/22 -
  routed by AS24768 (ALMOUROLTEC SERVICOS DE INFORMATICA E INTERNET LDA -
  Portugal)

The only observation I can offer with respect to all of the foregoing is the
rather obvious one:  All of this is, to say the least, rather suspicious.

But wait!  There's more!

It appears that Mr. Passerino's IPv4 assets are not strictly limited to
RIPEland.  There's also a Direct Allocation block of ARIN IPv4 space
(138.128.224.0/22) that is explicitly registered to Sender Matrix LLC
of Miami, Florida:

https://pastebin.com/raw/cZcsPYrL

This block is routed by AS62519, Netrouting Inc., also, according to ARIN
records, of Miami, Florida:

https://pastebin.com/raw/mJKnJX6w

Curiously, the one and only route being announced by AS62519 is for the /22
registered to Mr. Passerino's Sender Matrix LLC:
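The rDNS triage the post describes for the two /22s (a block whose PTR records are almost all outbound-mail-looking hostnames under a single apex domain, which then becomes the pivot into passive DNS) can be turned into a repeatable check, as an added example that is not code from the post's author. The PTR lines below are constructed to resemble the pattern described; they are not the contents of the linked pastebins, and the apex sm-smtp.net is used only because the post names it. The thresholds and the SMTP-label regex are assumptions an abuse desk would tune to its own data.

```python
"""Reverse-DNS triage for an IPv4 block (added example, not the thread's code).
Given 'ip hostname' lines, count how many names look like outbound mail hosts
and how concentrated the names are under one apex domain."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample, shaped like a cleaned-up 'dig -x' sweep. A couple of
# unrelated names are included so the heuristic has something to ignore.
SAMPLE_PTRS = """\
91.149.232.1 mta-01.sm-smtp.net.
91.149.232.2 mta-02.sm-smtp.net.
91.149.232.3 mta-03.sm-smtp.net.
91.149.232.4 mail-out4.sm-smtp.net.
91.149.232.5 smtp5.sm-smtp.net.
91.149.232.6 relay06.sm-smtp.net.
91.149.232.7 mta-07.sm-smtp.net.
91.149.232.8 ns1.example-hoster.invalid.
91.149.232.9 www.example-hoster.invalid.
91.149.232.10 mta-10.sm-smtp.net.
"""

# Leftmost label that suggests an outbound mail role (assumed list, tune locally).
SMTP_LABEL = re.compile(r"^(mta|mail|smtp|relay|mx|out|send)[-\w]*$", re.I)


def parse_ptrs(text: str) -> List[Tuple[str, str]]:
    """Parse 'ip hostname' lines, dropping blanks/comments and the FQDN's trailing dot."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, host = line.split(None, 1)
        out.append((ip, host.rstrip(".").lower()))
    return out


def apex(hostname: str) -> str:
    """Naive apex: the last two labels. Adequate for .net/.com names; a public
    suffix list would be needed for co.uk-style domains, which this ignores."""
    labels = hostname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def triage(ptrs: List[Tuple[str, str]], min_smtp_fraction: float = 0.5,
           min_apex_share: float = 0.7) -> Dict[str, object]:
    """Summarise a block's rDNS and flag it when most names look like mail
    senders and most of them hang off one apex domain (the pivot for passive DNS)."""
    total = len(ptrs)
    smtp_like = sum(1 for _, h in ptrs if SMTP_LABEL.match(h.split(".")[0]))
    apex_counts = Counter(apex(h) for _, h in ptrs)
    top_apex, top_n = apex_counts.most_common(1)[0] if apex_counts else ("", 0)
    smtp_fraction = smtp_like / total if total else 0.0
    apex_share = top_n / total if total else 0.0
    return {
        "total": total,
        "smtp_like": smtp_like,
        "smtp_fraction": smtp_fraction,
        "top_apex": top_apex,
        "apex_share": apex_share,
        "flag": smtp_fraction >= min_smtp_fraction and apex_share >= min_apex_share,
    }


if __name__ == "__main__":
    report = triage(parse_ptrs(SAMPLE_PTRS))
    for k, v in report.items():
        print(f"{k}: {v}")
```

A flagged block is a lead, not a verdict: the same shape also describes a legitimate bulk-mail provider, so the apex domain it surfaces is what you feed into passive DNS and corporate-registry lookups, exactly the sequence the post walks through. Re-running the sweep a few days later, as the post did, also records whether the rDNS was changed after scrutiny began.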