blog

Endurance International Group, Inc – hacker hosting! (BlueHost + HostGator + more…)

Are you ready for Internet scandal, intrigue and corruption like you haven’t read about before?!  Buckle up…here we go!

I blogged about that stupid website a while back that was phishing for Google accounts:  http://torresramos.com.mx/article/index.php (read about it here)

I’ve been trying to get it shut down for the past 2 weeks.  What’s annoying is this, if you do a whois lookup on the IP address it shows it’s BlueHosts then you call BlueHost (or email and get nowhere) and they say oh that’s not our IP address it’s HostGators.

So…I do this:

Find out what the IP address that dot com dot mx domain is by using ping:  “ping  torresramos.com.mx”

Answer is:

Pinging torresramos.com.mx [50.87.153.39] with 32 bytes of data:
Reply from 50.87.153.39: bytes=32 time=63ms TTL=52

Then I do a whois lookup with this command:

whois 50.87.153.39

Answer is:

NetRange:       50.87.0.0 – 50.87.255.255
CIDR:           50.87.0.0/16
NetName:        UNIFIEDLAYER-NETWORK-9
NetHandle:      NET-50-87-0-0-1
Parent:         NET50 (NET-50-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS46606
Organization:   Unified Layer (BLUEH-2)
RegDate:        2011-01-24
Updated:        2012-11-14
Ref:            https://whois.arin.net/rest/net/NET-50-87-0-0-1

OrgName:        Unified Layer
OrgId:          BLUEH-2
Address:        1958 South 950 East
City:           Provo
StateProv:      UT
PostalCode:     84606
Country:        US
RegDate:        2006-08-08
Updated:        2016-02-10
Ref:            https://whois.arin.net/rest/org/BLUEH-2

ReferralServer:  rwhois://rwhois.unifiedlayer.com:4321

OrgNOCHandle: NETWO5508-ARIN
OrgNOCName:   Network Operations
OrgNOCPhone:  +1-888-401-4678
OrgNOCEmail:  netops@unifiedlayer.com
OrgNOCRef:    https://whois.arin.net/rest/poc/NETWO5508-ARIN

Notice the “BLUEH-2” in the “Organization”.  I chatted with the BlueHost losers and it went down like this:

[Initial Question] Provider: Bluehost – My Domain is: “autopopulated” New accounts inquiry
(14:46) [Douglas] Hello and thank you for contacting Terms of Service! My name is Douglas and I will be happy to assist you today. Please be aware that I am assisting multiple clients at the same time, and some responses may be delayed. I greatly appreciate your patience.
(14:46) [Douglas] May I please have the main domain name on your account?
(14:46) [accounts Chat] It's an IP you guys manage / host that's malicouls.  50.87.153.39
(14:47) [accounts Chat] can you suspend any and all sites on that IP address?
(14:47) [Douglas] 50.87.153.39 isn't an IP address we manage. That is managed by HostGator.
(14:47) [accounts Chat] ping torresramos.com.mx = result is that IP, which according to a whois lookup on that IP address is blueshost
(14:47) [accounts Chat] OrgNOCPhone:  +1-888-401-4678
(14:48) [accounts Chat] taht's your phone number
(14:48) [accounts Chat] NOT hostgator
(14:48) [accounts Chat] whois 50.87.153.39
(14:49) [accounts Chat] shows bluehost as the malware hoster
(14:49) [Douglas] That is for Unified Layer. There are many organizations within Unified Layer including BlueHost and HostGator. We have internal IP lookups to see who an IP address belongs to. That IP is not ours, we have no control over it and we have no way of assisting with shutting down any sites on that IP address as we do not host domains on that IP address. That IP address is for a HostGator reseller. You will need to send an abuse report to abuse [at] hostgator.com for them to look into that.
(14:50) [accounts Chat] call the number, i get bluehost all day long
(14:50) [accounts Chat] what's unified layers noc phone number?
(14:50) [accounts Chat] abuse [at] hostgator = they don't respond nor listen to it.  sites been up 2 weeks malware hosting / phishing
(14:51) [accounts Chat] prove it's not yours.  all public records point to you
(14:51) [Douglas] That doesn't change anything that I have told you. Unified Layers contact information will all go to BlueHost, that does not mean that we manage all IP addresses under Unified Layer.
(14:51) [accounts Chat] what info do you have on the IP?
(14:51) [accounts Chat] so is bluehost unified layer?
(14:51) [Douglas] Unfortunately all information we have is via internal tools that we can not provide any information on.
(14:52) [Douglas] No, we are not. Unified Layer is just an organization under EIG that includes lots of different hosting providers.
(14:52) [accounts Chat] pay no attention to the man behind the curtain.  ok oz…ttyl
(14:52) [accounts Chat] so no noc to unified hacking layer?
(14:52) [accounts Chat] they're black ops secret squirrel?
(14:53) [accounts Chat] on chat with hack gator.  thanks

What we’ve determined is that during this process there has been a lot of finger pointing.  If you “google” for “unified layer” you actually get uniTED Layer as a link in the first position (non-advertisements).  uniTED Layer gets so many calls about abuse daily about uniFIED Layer that the woman I was speaking to said…”oh, you’re looking for unified layer and we’re uniTED layer.  We get a lot of calls for them because when you “google” them we’re the first link.  If you have something to write with I can give you their contact information”.  She said it’s “fastdomain.com” which as it turns out; is not and she also said to email them at their abuse address – abuse@…their domain.  That domain too as it turns out is a loser and was changed to “tos@” from abuse@.  If you email either one you get no reply and no help so it’s all a big circle waste of time.

  1. Emailing abuse@ for pretty much any of the big hosting companies yields little or no help and results.  I also tweated at fastdomain to no avail either!
  2. Using the “whois” command to query ARIN’s database is pointless if the record keeping for whoever is in charge of the man behind the curtains information at Unified Hacking Layer is incompetent and lazy.  Clearly it’s NOT a BlueHost IP it is indeed a HostGator IP so they should label it as such.
  3. Nobody at HostGator is monitoring their network with respect to hacked websites + malware + reported attack websites. If they had been they’d be responsive to my emails going to abuse@, they’d have an auto responder to abuse@ with a ticket number or they’d have just taken it down.
  4. Unified Layer is impossible to get a hold of.  As far as I know and can tell it’s a conglomerate of companies as the BlueHost guy said.  Their phone numbers on all their IP’s always point to BlueHost so with that I’d have to guess that BlueHost OWNS Unified Layer or vice versa (stay with me…you’ll find out!).
  5. When you go to the URL of Unified Layer you see this:  “For abuse issues related to the unifiedlayer.com domain, please email your complaint with any relevant logs to abuse@unifiedlayer.com” and that’s all you get.  How dumb is that?!  How frustrating is that?!  It doesn’t work you derps!

I suspect at its core that all the “major” hosting providers are under one roof.  Why might you ask how it is I might have determined that the same losers who own BlueHost also own HostGator and are also at the core of Unified Hacking Layer plus many many more companies?

The Hosting Conspiracy:

This is another blog opportunity but if you call both BlueHost and HostGator guess what option 5 is after you select 2 for technical support?  Yep – both have phone trees in the same voice that say…”For security questions press 5“.  Hmmm, that’s odd.  OK, I’ll push 5.  You’re immediately transferred to a 3rd party group of uber losers called “Site Lock“.  I called several times off the phone tree’s of both Blue Host and Host Gator (option 5) and after about 10 rings they finally pick the phone up.  When they pick the phone up it sounds like you kicked them out of bed.  Then, they try to get you to purchase remediation for your hacked website (even though I keep telling them it’s not my website). As a side, their staff knows nothing about hacking remediation – the one guy I spoke with said oh “I just started and I’m trying to figure out the screens“.  I know I know…it’s ok, I’ll wait till your sales script loads because that’s what it is!  Anyway…  Conflict of interest anyone?  Hello!  McFly! Does Site Lock kick back any money for a referral?  Is Site Lock somehow owned by the same overall mothership company? How is it Site Lock has all the major hosting companies on their website listed as “partners”…?  Pause here for a moment and re-read my last two sentences asking you serious questions.

Well it turns out the “web” of intrigue continues (pun intended!).  The conflict of interest is mapped out like this!  Are you ready for this?  Do you think it’s possible to extort more money out of an existing customer base?  The answer is NO, not impossible at all or if you’re dyslexic YES!  It is possible!

United Web owns Site Lock (the one’s you get transferred to when hitting 5 on the phone tree & that want you to pay for monitoring, hacking help, website cleanup, etc).  United Web is based in Scottsdale, AZ as is Site Lock (Reference Link) > United Web also owns iPower (Reference Link) > according to Wikipedia iPower is owned by “Endurance International Group” (Reference Link) also known as “EIG”…where have we seen that before?  See my chat with the BlueHost guy:  “No, we are not. Unified Layer is just an organization under EIG that includes lots of different hosting providers

…ok…still with me?  So…Unified Layer is “under” EIG, who owns Site Lock, who owns hosting companies that get hacked…who they then refer to Site Lock for stacks of cash!

E – to the – I to the – G…EIG – according to the Wiki on EIG it says (Reference Link):  “In April 2014, a major network issue at the data center in Provo, Utah, affected customers of Bluehost, HostMonster and JustHost, and took down many of the dedicated servers owned by HostGator customers.”

Hmmmm…where was the original whois lookup on that hacked / phishing website from Unified Layer?  Oh…Provo, Utah!

OrgName:        Unified Layer
OrgId:          BLUEH-2
Address:        1958 South 950 East
City:           Provo
StateProv:      UT
PostalCode:     84606
Country:        US
RegDate:        2006-08-08
Updated:        2016-02-10
Ref:            https://whois.arin.net/rest/org/BLUEH-2

So it turns out that EIG owns HostGator, BlueHost, a lot of the major hosting companies that sell hosting for pennies on the dollar, they also own “Site Lock” which they give direct referrals to from servers they don’t really monitor for security.  If they do find something on the off chance their part time security team comes into work sober they probably refer them back to site lock which charges you a fee to cleanup and then further “monitor” your website, etc.

It’s one big web of extortion controlled by the man behind the curtain – the great and powerful OZ at EIG.  EIG is the problem with major conflicts of interest and they have no incentive to “fix” or “secure” anything in hopes they can drive traffic to their site lock company or other properties that do security work. That of course isn’t their sole business goal, they want to provide hosting services but with a weak network and customers calling in for help because their sites got hacked it is and has become another source of tremendous revenue for them…”them” being EIG the mothership.

Shame on EIG!  If this were the banking industry they’d be shut down or broken up. If your credit card company also owned the credit reporting agency and the credit counseling service…game over.  Unfortunately the horse has left the barn and EIG is running, making millions…almost a billion dollars if not more and a percentage of it is bilked from unsuspecting customers.

 

Other blogs of interest discussing similar issues:

SCAM ALERT: How HostGator Attempted To Extort >$200 Out of Me for SiteLock

A funny YouTube’r neckbeard bitching about Site Lock:  Link

Same neckbeard who blogs about his stuff and tells you how to cancel your account:  Link

* They don’t know how deep the conspiracy goes!!!

The “extortion” trick is mentioned by several posters on forums and other blogs.  EIG’s hosting companies do directory scanning, any “malware” found flags system admins who then locks your account out.  The locked out account holders eventually see that their site has been “suspended” and call the hosting company (BlueHost, HostGator, etc) and start asking questions.  The hosting companies say, we can’t unlock your account until you buy Site Lock.  You have NO ACCESS to your website, website files, etc – you’re “site locked” LOL (funny but not funny). That’s how their criminal enterprise extorts money from you – holding your website hostage.  Many of the locked sites are false positives as the neckbeard complained about. I read an article about Site Lock on some press release or local rag from their town about Site Lock growing “10 fold” (Here’s the link).

“Scottsdale-based SiteLock, named this month as one of the nation’s fastest-growing technology companies, is among the firms who are fighting back, countering hackers with software designed to keep websites clean, fast and safe.”

It’s no wonder that company grew 10 fold! Identifying customer websites as malicious (whether they are or aren’t doesn’t matter) but then holding them ransom until they pay the extortion money to regain access to their websites is absolutely the ultimate “ransomware”. EIG is a cyber terrorist.  I don’t know if anyone has connected the dots fully until now.  They aren’t “fighting back” they’re terrorizing!

 

Help support us:

Please support WhackersForHackers with a donation today:  https://www.gofundme.com/29dqxfhw

Interested in our firewall product?  Check it out!  Free Hardware!  http://firewallz.net

6 thoughts on “Endurance International Group, Inc – hacker hosting! (BlueHost + HostGator + more…)

  1. You are the hero of the cause for pushing back on the criminals who are ruining our lives and threatening our future

  2. I just came to the same conclusion and in a search trying to find out more found your blog! You said everything I wanted to say and sooo much more! Many thanks for your effort, your contact page is down or I would have sent you a email… I swear they hack themselves and get you to pay for it… It happened right after they tried to sell me site lock, I turned it down and then my website vanished! LOL now I have to Pay for them to clean it up! What a SCAM. You guys need a Facebook page…. I bet it would get HUGE!

  3. I’ve been getting an increasingly large amount of spam that when reported via spamcop does come back as pointing to bluehost.com. Of course those reports fall on deaf ears as it’s apparently been happening for about 8 months now. So I started digging this morning… yup.

    I don’t know if it’s intentional deceit, flat out incompetence or a result of too many layers though. I suspect it’s the latter 2 rather than the first option. Either way, I’m on the fence if I just want to start blacklisting their IPs as I see them spamming or not.

    1. I block all their CIDR networks in our IPBL. On the firewalls that use the lists with customers who happen to bump into a web resource they need we put that IP onto our white list that lets them past the CIDR block and all is well. We practice err on the side of caution. EIG properties, RackSpace, GoDaddy, lately Microsoft, Charter, Comcast are all hacked constantly. I have also seen RoadRunner start getting hacked and trying to brute force their way into my systems. I’m not 100% sure people realize how much of a security disaster the Internet has become. In my view practically all of the Internet is crap, can’t be trusted and not only are they brute forcing, spamming, phishing and trying to pull data from you BUT companies like Microsoft, Amazon, Social Media Giants and Google are all trying to spy on you. I digress BUT Windows 10 is a masterpiece of an OS that was built to data collect…it’s malware in my view!

Leave a Reply

Your email address will not be published. Required fields are marked *

*