Here at Hexxium Creations, our many volunteers frequently find new malicious domains, but it is rare that we discover an entire network of malicious domains along with the source behind them. We recently noticed a tweet from an Electronic Arts developer exposing a Twitter account that was pretending to be an 'official' account for Rockstar's not-yet-released game Red Dead Redemption 2.

The fake Twitter account (now suspended) was promoting a short link that led to "livebetaservers[DOT]com", a domain intended to trick users into thinking they would get early access to play-test "Red Dead Redemption 2". A user who fell for this was sent through an endless chain of ads demanding personal information and promising access to this non-existent play-test. Our team immediately took action and looked into who controlled this domain and its hosting.

We quickly discovered that the domain "livebetaservers[DOT]com" was registered through 1and1 and that the website content was hosted by "BlueAngelHost", so we sent an abuse report to both companies. Within a minute, "BlueAngelHost" responded by telling us that we needed to submit an abuse ticket instead.

Seems simple enough, right? So I submitted a ticket detailing the abuse and sent it off to their "abuse team".

From this point on, reporting this domain began to fall apart. I noticed that they proudly advertise on their sales page that they ignore DMCA notices, and BlueAngelHost simply marked my abuse ticket as "Closed" with no reason or response. I then tried to reach them on the Skype account listed on their contact details page.

You might think I was being a bit pushy in the above conversation, but it was vitally important that someone at this 'company' address an abuse ticket, so I lightly pressed the issue and was promptly blocked by their official Skype account.

At this point I was rather fed up with how they were handling this abuse report, so I updated the abuse ticket, which reopened it.

After a couple of hours, I received a reply to my ticket:


kindly provide proof of phishing.

David John
Billing and Abuse Department
BlueAngelHost (Pvt) Ltd.

The odds that someone at a company supposedly based in Pakistan is named "David John" are low, but I gave them a fair chance and replied with more than enough proof that this was indeed phishing:

Take a moment and go to the domain; check the whois record on it, for example. This domain is clearly not owned by the actual developer of this game, Rockstar Studios. Rockstar Studios is owned by Take2Games, as you can clearly see from their official domain's whois record. Additionally, on the phishing domain, go to the bottom of the page and read the address, phone number and contact email they listed. None of those details belong to the real game developer, Rockstar Studios. The details listed on that phishing domain are completely made up. If you really need more proof, go ahead and sign up using fake details on the phishing domain; it won't grant you access to the beta it claims to be hosting, because no such thing actually exists. Rockstar has never held a joinable beta for Red Dead Redemption 2.

A short time after sending that long list of examples, I received this generic, nondescript reply that essentially says, "hey, we don't care if it hurts people on the internet":


it's a simple CPA site, not Phishing site.

if you have a problem with this site, then I suggest you report this site to game developers and let them contact us.

PS: we do not find any phishing activity on this site, I have checked all codes of site, all files are checked, there is no user data stolen from anywhere.
if you still think that the site is stealing user data then provide us proof for that.

CPA sites are not illegal and we allow them.

David John
Billing and Abuse Department
BlueAngelHost (Pvt) Ltd.

Now I was quite upset with their indifference to hosting illegal and harmful content, so I began to dig into who they were. Their WHOIS record was unprotected and revealed the domain owner to be "Sunil Shahzad".

I then attempted to contact them via the Pakistan phone number on their website; Skype immediately reported that the number did not exist. It was fake. So I dug deeper and found Sunil Shahzad's Pakistan phone number listed in his WHOIS details, and I gave him a call. To my surprise he actually answered. I informed him of my abuse complaint, which he looked up, and then he told me that he would do nothing about it. When I informed him that I knew he was the owner, he denied it and kept talking over me before eventually hanging up on me. I called him back with similar results, ending with him hanging up on me again. At this point I knew something was fishy about how they handled hosting the kind of illegal and harmful content I was reporting, so I started to dig into who Sunil Shahzad is.

I quickly found other websites detailing allegations of illegal acts that he himself committed, and a reverse-IP lookup on his hosting 'company' let me trace multiple other active malicious domains to it. This also led me to various other domains from which he sells hosting services.

He was smart enough to hide the WHOIS information on the other domains, but he left the admin account enabled on their blogs and tagged that account with his own name, Sunil Shahzad, so I found them easily in search results. We then found websites aimed specifically at people looking to do malicious things, where Sunil Shahzad himself was directly marketing his hosting services for illegal use.
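The two checks used above (comparing the suspect domain's WHOIS against the brand's official record, and pivoting from one domain to everything co-hosted on the same IP) can be scripted so the same evidence is produced consistently for every report. The following is an added example, not code from Hexxium Creations or from the original post; the WHOIS excerpts, hostnames and IP addresses in it are constructed under reserved `.test` / documentation ranges and stand in for real lookups, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed WHOIS excerpts (not real records) in the "Key: Value" layout
# most registrars emit. A suspect "beta" domain beside the brand's own.
SUSPECT_WHOIS = """\
Domain Name: EXAMPLE-BETA.TEST
Registrar: Example Registrar, Inc.
Registrant Organization: 
Registrant Name: Privacy Service
Registrant Country: PK
Name Server: NS1.EXAMPLE-HOST.TEST
"""

OFFICIAL_WHOIS = """\
Domain Name: EXAMPLE-PUBLISHER.TEST
Registrar: Corporate Registrar LLC
Registrant Organization: Example Publisher, Inc.
Registrant Name: Domain Administrator
Registrant Country: US
Name Server: NS1.EXAMPLE-PUBLISHER.TEST
"""

# Fields worth comparing when deciding whether a look-alike domain is the brand's own.
WHOIS_FIELDS = (
    "Registrar",
    "Registrant Organization",
    "Registrant Name",
    "Registrant Country",
    "Name Server",
)

# Constructed reverse-IP / passive-DNS observations: (hostname, resolved IP).
PDNS_RECORDS = [
    ("example-beta.test", "192.0.2.10"),
    ("free-keys.test", "192.0.2.10"),
    ("login-prize.test", "192.0.2.10"),
    ("example-publisher.test", "198.51.100.5"),
    ("some-shop.test", "192.0.2.11"),
]


def parse_whois(text):
    """Return {field: [values]} for every 'Key: Value' line in a WHOIS response."""
    fields = defaultdict(list)
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()].append(m.group(2).strip())
    return fields


def registrant_mismatches(suspect_text, official_text, fields=WHOIS_FIELDS):
    """Fields whose values differ between the suspect domain and the brand's
    official domain, as {field: (suspect_values, official_values)}."""
    suspect, official = parse_whois(suspect_text), parse_whois(official_text)
    return {
        f: (suspect.get(f, []), official.get(f, []))
        for f in fields
        if suspect.get(f, []) != official.get(f, [])
    }


def cohosted_domains(records, seed):
    """Reverse-IP pivot: every hostname that shares an IP with `seed`, minus `seed`."""
    by_ip = defaultdict(set)
    for host, ip in records:
        by_ip[ip].add(host.lower())
    seed = seed.lower()
    shared = {h for hosts in by_ip.values() if seed in hosts for h in hosts}
    return sorted(shared - {seed})


def defang(domain):
    """Write a domain the way this article does, so it cannot be clicked by accident."""
    return domain.replace(".", "[DOT]")


if __name__ == "__main__":
    for field, (got, expected) in registrant_mismatches(SUSPECT_WHOIS, OFFICIAL_WHOIS).items():
        print(f"{field}: suspect={got} official={expected}")
    for host in cohosted_domains(PDNS_RECORDS, "example-beta.test"):
        print("co-hosted:", defang(host))
```

A WHOIS mismatch on every compared field, as in the constructed data, is strong evidence that the domain is not the brand's; a mismatch on the registrar alone is not, since large companies use several. The reverse-IP pivot has the same limit: on a shared host the neighbours of a malicious domain are often unrelated customers, so each co-hosted domain still has to be reviewed before it goes on a blacklist.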

As a result of all our findings, we have reached out to the registrar of "blueangelhost[DOT]com", which happens to be Enom, and informed them as well as Namecheap, the listed reseller for "blueangelhost[DOT]com". We also notified Cloudflare of the abuse, since "BlueAngelHost" relies on them to deliver its content worldwide. We have yet to receive any response from either registrar regarding our discoveries, but 1and1 took down the domain "livebetaservers[DOT]com" promptly after receiving our report. We are actively working to shut down all of the malicious domains currently hosted by "BlueAngelHost" by notifying each domain's own registrar, as "BlueAngelHost" is not likely to take down anything illegal any time soon. We will also pursue every effort to get "BlueAngelHost" and all the other hosting services controlled by Sunil Shahzad shut down, to prevent his network of malicious users from growing. All domains owned by Sunil Shahzad, as well as every malicious domain in his network, have been added to our domain blacklist. We will update this article if we discover any further details.

Thank you for your support,
Andrew Gildner

Malware, News, Threat List