Fraud-as-a-Service, Part 2: ZenithTech
Matt Piscitello and the AA419 Team
In part one of this series, we presented some background on shared infrastructures leveraged by fraudsters, a.k.a. Fraud-as-a-Service (FaaS). In this article, we discuss how investigating one such service revealed competing infrastructures and exposed a high frequency of investment/crypto-related scams.
ZenithTech
ZenithTech self-describes as an IT consulting company that offers end-to-end solutions, including staffing, custom software development, and IT project management. During their investigation of Anitahost, AA419 uncovered a cybercrime-as-a-service actor with a different business model and a new type of investment-related scam.
Looking up the domain registration details via a WHOIS client, the AA419 team were able to obtain a registrant email address and partial contact data. They also learned that Anitahost provided nameservers for the scam domain. They used the registrant email at WHOXY to identify Chidera Emmanuel Odii, and found a website whose owner is Chidera Emmanuel at hXXps://www[.]chideraemmanuelodii[.]com[.]ng/.
There, they found additional breadcrumbs to follow:
The domain portfolio obtained from WHOXY also revealed that this registrant had previously owned the domain zenithtech.com[.]ng, which had been suspended.
The AA419 team pivoted on the nameserver names (ns1.zenithtechhosting[.]org and ns2.zenithtechhosting[.]org) and determined that:
· Chidera Emmanuel Odii is this scammer’s real name
· He uses an alias ‘Francis Marvin’
· He also uses several email addresses including chidexco291 at gmail.com and zenithtechglobal09 at gmail.com
· He has used the following domains for hosting purposes and name service:
  o zenithtech.com[.]ng
  o zenithtechhosting[.]org (ns1.zenithtechhosting[.]org, ns2.zenithtechhosting[.]org)
  o zenith-tech[.]online (ns1.zenith-tech[.]online, ns2.zenith-tech[.]online)
  o zenithtechhost[.]site (ns5.zenithtechhost[.]site, ns6.zenithtechhost[.]site)
This intel led to the host zenithtechhosting[.]org.
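The nameserver pivot described above, sketched as an added example (not AA419's tooling): it groups domains by the hosting domain their nameservers sit under, using the nameserver hostnames listed in the article. The domain records are constructed, the helper names (refang, ns_parent, pivot) are hypothetical, and it assumes each nameserver sits exactly one label below its hosting domain, as in the article's examples.

```python
import re
from collections import defaultdict

# Nameserver hosts named in the article, kept defanged as published.
KNOWN_NS = [
    "ns1.zenithtechhosting[.]org", "ns2.zenithtechhosting[.]org",
    "ns1.zenith-tech[.]online", "ns2.zenith-tech[.]online",
    "ns5.zenithtechhost[.]site", "ns6.zenithtechhost[.]site",
]

# Constructed sample records (not real WHOIS/DNS data).
SAMPLE_RECORDS = [
    {"domain": "invest-alpha[.]example",
     "ns": ["NS1.ZenithTechHosting.org.", "ns2.zenithtechhosting.org"]},
    {"domain": "crypto-beta[.]example",
     "ns": ["ns5.zenithtechhost[.]site", "ns6.zenithtechhost[.]site"]},
    {"domain": "shop-gamma[.]example",
     "ns": ["ns1.unrelated-dns.example", "ns2.unrelated-dns.example"]},
    # Lookalike: the known name appears only as a prefix of another zone.
    {"domain": "bank-delta[.]example",
     "ns": ["ns1.zenithtechhosting.org.lookalike.example"]},
    {"domain": "fund-epsilon[.]example", "ns": ["ns1.zenith-tech.online"]},
]

def refang(host):
    """Normalise a hostname: undo [.] and hXXp(s)://, lowercase, drop root dot."""
    host = host.strip().lower().replace("[.]", ".")
    host = re.sub(r"^hxxps?://", "", host)
    return host.rstrip(".")

def ns_parent(ns_host):
    """Drop the leftmost label (ns1, ns5, ...) to get the hosting domain."""
    host = refang(ns_host)
    return host.split(".", 1)[1] if host.count(".") >= 2 else host

def pivot(records, known_ns=KNOWN_NS):
    """Map each known hosting domain to the domains delegating to it."""
    known = {ns_parent(n) for n in known_ns}
    clusters = defaultdict(set)
    for rec in records:
        for ns in rec["ns"]:
            parent = ns_parent(ns)
            if parent in known:  # exact match, so lookalike zones are skipped
                clusters[parent].add(refang(rec["domain"]))
    return {k: sorted(v) for k, v in clusters.items()}

if __name__ == "__main__":
    for host, domains in pivot(SAMPLE_RECORDS).items():
        print(host.replace(".", "[.]"), "->", len(domains), "domain(s)")
```

Matching on the exact parent zone rather than a substring keeps a zone that merely embeds a known name out of the cluster.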
Like other fraud-facilitating hosts, ZenithTech advertises DMCA-ignored web hosting. Exploring this site further, AA419 observed that ZenithTech was also a downstream domain reseller and that Odii regularly registers domains for his clients using patently fake registration details.
Looking at domain registration details for one domain, peaceblock[.]net, AA419 was able to determine how Chidera provides scam domains for clients.
The domain peaceblock[.]net was used for an investment scam. The domain registration data is entirely bogus. Chidera is fraudulently using the address of an entirely unrelated domain privacy proxy service without authorization to hide his (and his client’s) identity. The registrar he used to register the domain offers its own, entirely distinct proxy service.
This domain proved to be one of a much larger set of scams and scam types. Exploring domains associated with ZenithTech further, the AA419 team identified 162 associated domains that were used to perpetrate the following scam types:
The AA419 team observed a very similar mix of scam types to those hosted via AnitaHost, with a disproportionately high number of investment-related scams.
More to come
In the third and final article of this series, we’ll look at scams that involve spoofing of US-registered FINRA brokers.








