Tuesday, November 16, 2021

Chinese Babysitting and Surveillance Co. Ltd.

Chinese compromise domains ranging from housekeeping and babysitting services to industrial machinery

By Dominic Alvieri

Twitter @AlvieriD


November 16th, 2021




Nearly every day new domains are acquired with company names like Nehe Maternity Matron's Housekeeping, Wengniu Teqi Housekeeping Services, Co., Ltd. and many others.
 
All are using the same IP Record No of 18dfds740-2. Every domain has a fake company name.


Over 200 domains within a 12-month period, all with new fake housekeeping names, and all traffic and data heading back to Beijing.






Researching this from many different machines and networks, surprisingly only a VPN IP from Northern Virginia was blocked on any of the sites.





The domains are being acquired through multiple registrars and hosted all over the world. Twitter is a group favorite. Twitter has been banned in China since 2009.

Premium short domain names also include variants of Facebook, Amazon, Netflix and others...

TheStock-Exchange[.]com
TwitterPictures[.]com
TwitterPhoto[.]com
NikeAirMaxRetail[.]com
Wrestlemania2016[.]com
UrbanExchangeAZ[.]com
TwitterCar[.]com
CongressOnTwitter[.]com
HotmailSetUp[.]com
CapiatalOneBank[.]com
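A defender reviewing a list like the one above wants to flag which names impersonate a brand, including the one-letter typosquat in CapiatalOneBank. The following is an added example, not code from the post: it refangs the listed domains and matches each label against an assumed brand watchlist, exactly or by fuzzy substring.

```python
import re
from difflib import SequenceMatcher

# Constructed sample: the defanged domains listed in the post.
DEFANGED_DOMAINS = [
    "TheStock-Exchange[.]com", "TwitterPictures[.]com", "TwitterPhoto[.]com",
    "NikeAirMaxRetail[.]com", "Wrestlemania2016[.]com", "UrbanExchangeAZ[.]com",
    "TwitterCar[.]com", "CongressOnTwitter[.]com", "HotmailSetUp[.]com",
    "CapiatalOneBank[.]com",
]

# Assumed watchlist of brands a defender cares about (not taken from the post).
BRANDS = ["twitter", "facebook", "amazon", "netflix", "nike", "hotmail", "capitalone"]

def refang(indicator):
    """Turn a defanged indicator such as 'example[.]com' back into a real domain name."""
    return re.sub(r"\[\.\]", ".", indicator.strip()).lower()

def registrable_label(domain):
    """Return the label left of the suffix (naive: treats the last label as the TLD)."""
    return domain.rsplit(".", 1)[0]

def brand_matches(label, brands=BRANDS, threshold=0.85):
    """Brands that appear verbatim in the label, or that a window of the label
    closely resembles (catches one-letter typosquats like 'capiatalone')."""
    hits = set()
    for brand in brands:
        if brand in label:
            hits.add(brand)
            continue
        # Slide windows of brand length -1, +0 and +1 across the label and
        # compare each window to the brand with a similarity ratio.
        for width in (len(brand) - 1, len(brand), len(brand) + 1):
            for i in range(max(1, len(label) - width + 1)):
                window = label[i:i + width]
                if SequenceMatcher(None, brand, window).ratio() >= threshold:
                    hits.add(brand)
                    break
    return sorted(hits)

def flag_lookalikes(defanged):
    """Map each refanged domain to the brands it resembles; domains with no hit are dropped."""
    result = {}
    for indicator in defanged:
        domain = refang(indicator)
        hits = brand_matches(registrable_label(domain))
        if hits:
            result[domain] = hits
    return result

if __name__ == "__main__":
    for domain, brands in flag_lookalikes(DEFANGED_DOMAINS).items():
        print(f"{domain}: {', '.join(brands)}")
```

The threshold of 0.85 tolerates a single inserted or swapped character in a ten-letter brand; tune it down for longer brands and review hits on short ones such as "nike" by hand.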


Nice link.


Over 200 domains within a 12-month period. They are even using Congress on Twitter dotcom. Many of the hosts and registrars are famous for hosting and deploying malware. The links, files and traffic patterns are discernible. Malspam quickly arrived at a new research email address once it was registered with one of the shams, and it traced back to China.


Chinese babysitting and surveillance.

TheStock-Exchange[.]com

The cover for this article is the TheStock-Exchange[.]com site, which has changed this week from the babysitting/housekeeping platform to a Chinese recruiting agency, again with several names. After several months of searching and countless misdirections, the immutable data packets and domain traffic point to Beijing. An office building, to be specific. After several contact attempts, neither Luminaire, Lightning, any babysitters nor Communist Party agents were available, but they were probably listening. I got hung up on several times. Mention re-education and the call is abruptly over.

The customer service hotline was ice cold. So was everyone else.

Now recruiting in all areas and provinces of China, including Xinjiang.




The extensive network and multiple addresses reek of the panda, with traces to Beijing. All phone numbers are in Beijing, with a call center in Germany, another favorite asset. Other fake companies are being utilized in different industries and are following the same modus operandi, including an industrial packing company which is actively attempting to sell to United States-based companies.

I have not been able to locate any of the non-existent packaging equipment export companies, but they do respond. All the files, links and traffic patterns are the same. They will respond to a request for a quote, but beware of the malspam that will follow.





My favorite name so far is Guangzong Multifunctional Pillow Packaging Machine Factory. It is easy to find the air quality in Guangzong, China. Finding information about the packing company is another story. Shenzhen has no listing either.

Guangzong Multifunctional Pillow Packaging Machine Factory is linked to Beijing


Air quality in Guangzong is easy to find.



Hug the Big Panda





None of the industrial packing company names are real or have any listings on any of the major Chinese exporters' websites or with shipping port transfer agents. One way or another, the data points to this one block in Beijing.

Visitors beware: there is a bit of a pattern developing.




Stay safe online and off.






Dominic Alvieri @AlvieriD

The Cyber Show
