Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

Friday, July 03, 2009

A Diverse Portfolio of Fake Security Software - Part Twenty Two

Part twenty two of the diverse portfolio of fake security software series will summarize the typosquatted scareware serving domains currently in circulation, pushed through the usual distribution channels, but will also emphasize on the "money trail", namely the payment processing gateways used in the scareware campaigns.

In this particular case the scareware front-ends ultimately leading to ChronoPay, which Germany-based Pandora Software has been abusing since 2008 under its countless number of aliases such as Meyrocorp for instance.

The scareware domains are as follows:
atomscan6 .info - 38.105.19.27 - Email: donboset@gmail.com
listscan6 .com - Email: loiskiltz@gmail.com
goscanedge .com - Email: subtenda@gmail.com
goscanfine. com - Email: chirelqas@gmail.com
in6ch .com - Email: relgetn@gmail.com
goscanrich .com - Email: pathstals@gmail.com
goscanrank .com - Email: alcnafuch@gmail.com
ina6sk .com - Email: equatelepi@gmail.com
in6sk .com - Email: thomas.truby@gmail.com
goscanslim .com - Email: chinrfi@gmail.com
gowidescan .com - Email: alcnafuch@gmail.com
goedgescan .com - Email: subtenda@gmail.com
gofinescan .com - Email: alcnafuch@gmail.com
goelitescan .com - Email: funully@gmail.com
gorichscan .com - Email: pathstals@gmail.com
goslimscan .com - Email: chinrfi@gmail.com
gosoonscan .com - Email: aloxier@gmail.com
goironscan .com - Email: aloxier@gmail.com
goflexscan .com - Email: alcnafuch@gmail.com
gomanyscan .com - Email: alcnafuch@gmail.com
goscaniron .com - Email: aloxier@gmail.com
ina6co .com - Email: equatelepi@gmail.com
in6co .com - Email: thomas.truby@gmail.com
goscantop .com - Email: funully@gmail.com
ina6iq .com - Email: equatelepi@gmail.com
goscanstar .com - Email: stgeyman@gmail.com
goscanflex .com - Email: chirelqas@gmail.com
goscanmany .com - Email: chirelqas@gmail.com
scantrue6 .info - Email: jokinzer@gmail.com
scantool6 .info - Email: jokinzer@gmail.com
scanzoom6 .info - Email: jokinzer@gmail.com
litescan6 .info - Email: litescan6.info
truescan6 .info - Email: jokinzer@gmail.com
toolscan6 .info - Email: jokinzer@gmail.com

atomscan6 .info - Email: donboset@gmail.com
genscan6 .info - Email: imendegal@gmail.com
luxscan6 .info - Email: donboset@gmail.com
wayscan6 .info - Email: jokinzer@gmail.com
scanuser6 .info - Email: jokinzer@gmail.com
scanway6 .info - Email: jokinzer@gmail.com
scan6line .info - Email: jokinzer@gmail.com
scan6note .info - Email: jokinzer@gmail.com
scan6true .info - Email: jokinzer@gmail.com
scan6tool .info - Email: jokinzer@gmail.com
true6scan .info - Email: jokinzer@gmail.com
tool6scan .info - Email: jokinzer@gmail.com
top6scan .info - Email: jokinzer@gmail.com
user6scan .info - Email: jokinzer@gmail.com
list6scan .info - Email: jokinzer@gmail.com
way6scan .info - Email: jokinzer@gmail.com
scan6user .info - Email: jokinzer@gmail.com
scan6list .info - Email: jokinzer@gmail.com
scan6fix .info - Email: jokinzer@gmail.com
scan6way .info - Email: jokinzer@gmail.com

It's pretty obvious case demonstrating the dynamics of the underground ecosystem. A thousand bogus accounts purchased for $10 used in a bulk registration of scareware serving domains on a revenue sharing affiliate model ends up in a win-win-win situation for the cybercriminals involved in these processes. The practice is becoming rather popular not only due to their interest in less centralization of the domain control under a single email address -- cross checking reveals the entire portfolio managed under it -- but due to the availability of the service.

clean-pc-now .net - 94.75.233.162 - Email: robertsimonkroon@gmail.com
fast-spyware-cleaner .org - Email: robertsimonkroon@gmail.com
spyware-scaner .com - Email: robertsimonkroon@gmail.com
scan-pc-now .com - Email: robertsimonkroon@gmail.com
free-tube-porn .biz - Email: robertsimonkroon@gmail.com
spyware-killer .biz - Email: robertsimonkroon@gmail.com

softportal-extrafiles .com - 64.20.38.172
exe-profile .com - Email: kimwerner92@yahoo.com
extrafiles-softportal .com - Email: opipkl@googlemail.com
softportal-files .com - Email: kimwerner92@yahoo.com
softportal-extrafiles .com
load-exe-soft .com - Email: kimwerner92@yahoo.com
exe-box .com - Email: normtroup@yahoo.com
hot-exe-area .net - Email: josepetie@gmail.com

spywarecomputerscanv2 .com - 69.10.59.35 - Email: huang@bark.edu.hk
1live-antimalware-pro-scan .com - Email: hongkong@campusparis.org
1live-antimalware-scanner .com - Email: hongkong@campusparis.org
folderantispywarescanner .com - Email: xinhuawuhan@yahoo.com
antivirushelpscanner .com - Email: info@brandturkey.com
fastfolderscanner .com - Email: info@brandturkey.com
mycomputerscanner .com - Email: vanmullem@yahoo.com

restricteddomainhelp .com - 83.133.124.81 - Email: franklinnig@yahoo.com
msncoreupdate .com - Email: jen@parallelslive.cn
world-payment-system .com - Email: info@yashitaindian.com
liveinternetupdates .com - Email: kuzya77@freebbmail.com
onlineantivirusmarket .com Email: podbisb@hotmail.com

threats-scanner .com - 69.4.230.204 - Email: vanmullem@yahoo.com
securitypcscanner2 .com - Email: office@actionaidinusa.org
anti-virussecurity3 .com - Email: office@actionaidinusa.org
private-online-scan .com - Email: info@kianah.org
liveantivirusproscan .com - Email: second@freebbmail.com
no1virusscan .com - Email: info@kianah.org
my-private-protection .com - Email: info@kianah.org
scanmyfolders .com - Email: info@kianah.org
scanmycomputerforvirus .com - Email: vanmullem@yahoo.com

onlinescan-ultraantivirus2009 .com - 206.53.61.76
relevantwebsearches .com
virussweeper-scanvirus .com
guardincorp .info
mainsecsys .info - Email: andrew.fbecket@gmail.com
guardsecurity .info - Email: poljaykop@gmail.com
virusalarm-scanvirus .net

best-protect .info - 174.142.113.205 - Email: chainadmin@gmail.com
best-protect-av1 .info - Email: chainadmin@gmail.com
best-antivirus-pc .info - Email: chainadmin@gmail.com
best-av1-protect .info - Email: chainadmin@gmail.com
av1-protect .info - Email: chainadmin@gmail.com
av1-best-protect .info - Email: chainadmin@gmail.com
best-protect .info - Email: chainadmin@gmail.com
best-av .info - Email: chainadmin@gmail.com

pay-virusshield .cn - 64.213.140.70 - Email: unitedisystems@gmail.com
shieldinc .info
systemprotectinc .info
ironshield .info
myofficeguard .info
protectionurl .info
my-protection .info
antivirus09 .net
fast-antivirus.net

virusshieldpro .com - 64.86.16.127 - Email: unitedisystems@gmail.com
prestotuneup .com - Email: hycderxvur@whoisservices.cn
virussweeper-scanvirus .com
virusmelt .com - Email: nuhuarrczq@whoisservices.cn
systemsec .info
shieldinc .info
myofficeguard .info
protect-online .info
protectionlol .info
protectionurl .info
virussweeper-scan .net

advanced-virus-remover2009 .com - 92.241.176.188 - Email: masle@masle.kz
trucount3005 .com - Email: chen.poon1732646@yahoo.com
antivirus-scan-2009 .com - Email: cheng2009@yahoo.com
antivirusxppro-2009 .com - Email: u@sochi.ru
advanced-virusremover2009 .com - Email: giogr@ua.fm
bestscanpc .com
trucountme .com - Email: valentin@gergiea.kz
vs-codec-pro .com - Email: bhtjnjhggn@googlemail.com
vscodec-pro .com - Email: cyber38462@hotmail.com
antivirus-2009-ppro .com - Email: cheng2009@yahoo.com
onlinescanxppro .com - Email: chen.poon1732646@yahoo.com
downloadavr .com - Email: gorbun@ua.fm
bestscanpc .net

activation-antivirus-software .com - 208.43.124.83 - Email: matlee@fsuk.edu
fxantispy .com - Email: TycoonMichael@googlemail.com
my-protection .info - 64.213.140.70 - Email: hop.davis@gmail.com
protectonline .info - 64.86.17.47 - Email: hop.davis@gmail.com
safetywwwtools .com - 209.44.126.36 - Email: martin.s.johnson@spambob.com
defenderupdates2 .com - 89.248.168.46 - Email: china@seban.se
securitytoolsdirect .com - 209.44.126.22 - Email: RuthMMarcotte@text2re.com
best-antivirus-security .com - 84.16.237.52 - Email: valentinyermolaev@gmail.com
malwaresdestructor .com - 206.53.61.74
suprotect .com - 89.149.212.218 - uuuuu@ua.fm
threatpcscanner .com - 63.223.110.177 ; 78.47.132.216 ; 78.47.172.66 - Email: vanmullem@yahoo.com
antimalwareliveproscannerv3 .com - Email: vanmullem@yahoo.com
antivirus-online-pro-scan .com - Email: vanmullem@yahoo.com
avpro-labs .com - 213.182.197.229
avprotectionstat .com - 74.50.99.236
explorerfilescan .com - 63.223.110.178; 78.47.132.221; 78.47.172.68 Email: xinhuawuhan@yahoo.com
antivirushelpscanner .com A 83.133.125.116; 69.10.59.35; 83.133.125.116 - Email: info@brandturkey.com
fastfolderscanner .com - Email: info@brandturkey.com
mycomputerscanner .com - Email: info@brandturkey.com
mal-warexls .net - 72.9.108.26 - Email: joehugardo@ya.ru
internetware-safe .com - Email: candikeller@ya.ru

scanonlinesite .info - 66.148.74.126
scanonlineblog .info
scanonlineshop .info
scanonlinenow .info

youravprotection .com - 74.50.98.162 - Email: armandgregory3@gmail.com
registerantivirus .com Email: ed.areyra@gmail.com
avprotectionstat .com

avagent-pro .com - 83.133.126.46 - Email: dwrdcardenas95@gmail.com
downloads-123 .com - Email: dwrdcardenas95@gmail.com
soft-process .com - Email: dwrdcardenas95@gmail.com
download-123 .cn - Email: dwrdcardenas95@gmail.com
actupdate .net - Email: dwrdcardenas95@gmail.com

Now the emphasis on the payment gateways, currently active and processing the scareware transactions:
softwaresecuredbilling .com - 209.8.45.122 - TemchenkoViktor@googlemail.com
softsales-discount .com - Email: daunrwwciq@whoisservices.cn
best-internet-payments .com - 209.8.45.148 - Email: specsupport@gmail.com
adioro .com - 213.174.152.32 - Email: xyhsbjlrl@whoisprivacyprotect.com
secure-plus-payments .com - 209.8.25.204 - Email: sparck000@mail.com
secure.pnm-software .com - 209.8.45.124 - Email: pnm-software.com@liveinternetmarketingltd.com
soft-process .com - 83.133.126.46 - Email: XtPbtP@privacypost.com
privatesecuredpayments .com - 78.46.216.238 - Email: TemchenkoViktor@googlemail.com

Wednesday, July 01, 2009

Summarizing Zero Day's Posts for June

The following is a brief summary of all of my posts at ZDNet's Zero Day for June.

You can also go through previous summaries for May, April, March, February, January, December, November, October, September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed.

Notable articles include: Microsoft study debunks profitability of the underground economy; Overall spam volume unaffected by 3FN/Pricewert's ISP shutdown and Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites.

01. Email service provider: 'Hack into our CEO's email, win $10k'
02. 419 scammers using NYTimes.com 'email this feature'
03. Microsoft study debunks profitability of the underground economy
04. Malware poses as fake Yellowsn0w iPhone unlocker
05. Cybercriminals hijack Twitter trending topics to serve malware
06. Overall spam volume unaffected by 3FN/Pricewert's ISP shutdown
07. Mac OS X malware posing as fake video codec discovered
08. Researchers demo wireless keyboard sniffer for Microsoft 27Mhz keyboards
09. China confirms security flaws in Green Dam, rushes to release a patch
10. Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites
11. Fake Microsoft patches themed malware campaigns spreading
12. Remote code execution exploit for Green Dam in the wild
13. Secunia: Average insecure program per PC rate remains high
14. Michael Jackson's death themed malware campaigns spreading

Wednesday, June 24, 2009

A Peek Inside the Managed Blackhat SEO Ecosystem

Ever wondered how are thousands of bogus accounts across multiple Web services, automatically generated with built-in monetization channels consisting of scareware, malware to the use of legitimate affiliate links from major ad networks?

Through several clicks or if complete automation and experience count, through outsourcing the process to a managed blackhat SEO provider that wouldn't charge you for the product, but for the service offered. Let's take a peek at some of the currently available DIY tools, and what a managed blackhat SEO service provider has to offer.

Take for instance the "professional blackhat SEO" expert featured here. His ongoing Twitter spam campaigns are in fact so successfully hijacking trending topics that at first they looked like your typical scareware serving campaign. What both sides have in common are spamming techniques used.

However, the tactics vary and indicate an interesting shift from the typical outsourcing of CAPTCHA recognition for the purpose of storing the blackhat SEO content on the legitimate provider's services. In order to scale more efficiently, several currently active managed blackhat SEO providers that have vertically integrated to the point where they manage their own blackhat SEO friendly ISP.

By doing so, their bogus account generating platforms are capable of achieving speeds that would be otherwise either impossible or impractical to set as objectives through outsourced CAPTCHA-recognition - 2,931 bogus Wordpress accounts with template based blackhat SEO content generated in 1 second using their own managed infrastructure. The following screenshots provide an inside peek into one of the products offered by the "professional blackhat SEO expert" :

What took place in one second, was the generation of thousands of bogus accounts with descriptive blackhat SEO subdomains, with the bogus content pulled/scrapped from legitimate and real-time news providers, with the entire operation run as a managed service, or the tool itself offered for sale. As in every other managed underground service, customization plays a major role that is often the key benchmark for judging a particular product next to another. Customization in respect to this particular tool comes under the form of numerous Wordpress templates that can be randomly used during the registration process:

Static customization is one thing, dynamic customization is entirely another. The product, and consequently the managed service are offering the ability to automatically add Ebay and Amazon listings with the user's unique affiliate code posted within the bogus content:

The practice of affiliate network fraud -- excluding the cybersquatting as a prerequisite for it success -- was recently mentioned as a much more lucrative fraudulent practice than the pay-per-click model, which entirely depends on the fraudster's knowledge of which is the monetization model with the highest pay-out rates:

"Some companies offer legitimate affiliate programs that allow third-party Web site owners to post links and banners with the company’s branded content on their site or to send traffic to the company’s site directly through domain forwards. In return, the owner of the site hosting the link receives a commission for every click-through that results in a purchase. This lucrative commission structure has enticed cybercriminals to take advantage of affiliate programs by registering typo domains that redirect to legitimate content and enable them to collect affiliate fees."

Next to the malware/scareware serving Twitter campaigns, affiliate network fraud is also very common at the ever-growing micro-blogging service, whose lack of common sense account registration practices -- Twitter doesn't require a valid email, neither does it require an email confirmation upon registrating an account -- makes the practice of generating bogus accounts a child's play.

The bottom line - is the managed blackhat SEO hosting service ($500 per month and $5000 for one year for unlimited domains/subdomains/traffic/disk space package) the future, or are we going to continue seeing the systematic abuse of legitimate service's infrastructure through outsourced CAPTCHA recognition? I'd go for the second due to a simple reason - it's more cost-effective than the managed service at least for the time being. In the long term, once it achieves its logical "malicious economies of scale" the hosting and process would become cheaper thereby attracting more customers.

Recommended reading -
Outsourced CAPTCHA recognition:
Community-driven Revenue Sharing Scheme for CAPTCHA Breaking
The Unbreakable CAPTCHA
Spammers attacking Microsoft's CAPTCHA -- again
Spam coming from free email providers increasing
Gmail, Yahoo and Hotmail’s CAPTCHA broken by spammers
Microsoft’s CAPTCHA successfully broken
Vladuz's Ebay CAPTCHA Populator
Spammers and Phishers Breaking CAPTCHAs
DIY CAPTCHA Breaking Service
Which CAPTCHA Do You Want to Decode Today?

Managed Cybercrime-facilitating services/tools:
Commercial Twitter spamming tool hits the market
Zeus Crimeware as a Service Going Mainstream
Managed Fast-Flux Provider
Managed Fast Flux Provider - Part Two
76Service - Cybercrime as a Service Going Mainstream
Inside (Yet Another) Managed Spam Service
Inside a DIY Image Spam Generating Traffic Management Kit
Quality Assurance in a Managed Spamming Service
Managed Spamming Appliances - The Future of Spam
Dissecting a Managed Spamming Service
Inside a Managed Spam Service
Spamming vendor launches managed spamming service

Cybersquatting/Per Pay Click Fraud:
Exposing a Fraudulent Google AdWords Scheme
Botnets committing click fraud observed
Click Fraud, Botnets and Parked Domains - All Inclusive
Cybersquatting Security Vendors for Fraudulent Purposes
Cybersquatting Symantec's Norton AntiVirus
The State of Typosquatting - 2007

This post has been reproduced from Dancho Danchev's blog.

Wednesday, June 17, 2009

From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms

UPDATE: In less than half an hour upon notification, Twitter and LinkedIn have already removed the bogus accounts.

UPDATE2: Forty five minutes later Scribd removes the bogus accounts.

As usual, persistence must be met with persistence. A single blackhat SEO group -- if well analyzed and monitored -- has the potential to provide an insight into some of the current monetization tactics which cybecriminals use, as well as directly demonstrate the (automatic) impact they have across different Web 2.0 services.

What is my "fan club" up to anyway? Covering up their weekend's Twitter campaign that was serving scareware by using a new template, and once again diversifying - this time by managing a bogus LinkedIn accounts campaign, another one on Scribd, followed by another another currently active one on Twitter, in between increasing the size of their blackhat SEO farm at is-the-boss.com.

Moreover, for the first time ever, the group is starting to serve live exploits based on a bit.ly URL shortening service referrer, like the ones used in the latest Twitter campaign. The use of Arbitrary file download via the Microsoft Data Access Components (MDAC) exploits is done to ultimately drop a new Koobface variant, making this the second time the group is pushing Koobface variants beyond Facebook.

Let's summarize their activities during the past six days starting with the weekend's campaign across Twitter.

Upon clicking on the TinyURL, the user is redirected through their well known 66.199.229 .253/etds (66.199.229 .253/etds/go.php?sid=41; 66.199.229 .253/etds/got.php?sid=41; 66.199.229 .253/etds/go.php?sid=43; 66.199.229 .253/etds/got.php?sid=43) traffic management location, to end up at the scareware av4best .net (64.86.17.47) with a new template is served (FakeAlert-EA).

Parked on the same IP are also well known scareware domains known from their previous campaigns, namely fast-antivirus .com and viruscatcher .net. The scareware message used in the new template takes you back to the good old school MS-DOS days :

"A problem has been detected and windows has been shut down to prevent damage to your computer.

Initialization_failed C:\WINDOWS\system32\himem.sys

If this is the first time you've seen this Stop error screen, restart the computer. If this screen appears again, read information below: The reason why this might happen is the newest malicious software which blocks access to the system libraries. Check to make sure any new antivirus software is properly installed. We suggest you to download and install antivirus, new up-to-date software which specializes on detection and removal of malicious and suspicious software."

The messaged used in the weekend's Twitter campaign, as well as a graph on the peaks and downds for a particular keyword:

"Competitions video; What do you think about video; I know why Percent Of Accounts; Between food and gay; movie Trailler!; Sun eclipce free; Air France extreem; Tetris long and sweet; Take sex under control; alcohol long and sweet; Between food and SATs; What do you think about Autotune; Gotcha!, Palm Pre!; Goodnight high in the sky; What do you think about Hangover; Death of Autotune crack addict; Amazing. movie from MSFT; Amazing. Air France from MSFT; Sims 3, It's Cool!; video, It's Cool!; Manage Air France; Amazing. porn from MSFT; alcohol unbroken; Them girls Honduras; Between food and phish; Between food and Detroit; Tetris high in the sky; I know why iPhone; Futurama unbroken; Balls to the Woman Who Missed Air; alcohol high in the sky; follow the video"

Sample (now suspended) automatically registered accounts used in the weekend's campaign:
twitter .com/wenning351
twitter .com/ula475
twitter .com/escher338
twitter .com/ochs40
twitter .com/karlen131
twitter .com/cordes904
twitter .com/hecker905
twitter .com/bohl566
twitter .com/sattler649
twitter .com/hildegard115
twitter .com/andreas281
twitter .com/wassermann38
twitter .com/rummel980
twitter .com/guilaine896
twitter .com/orlowski781
twitter .com/rupette972
twitter .com/holzner473
twitter .com/dumke576
twitter .com/hilgers465
twitter .com/heese157
twitter .com/meier679
twitter .com/habel896
twitter .com/holzinger567
twitter .com/wilhelm578
twitter .com/dearg450
twitter .com/habicht717
twitter .com/ferde373
twitter.com/hass323
twitter .com/heckmann918
twitter .com/bruna555
twitter .com/wilbert25
twitter .com/eckart412
twitter .com/sperlich374
twitter .com/jahn562
twitter .com/ludvig30
twitter .com/bing274
twitter .com/fett628
twitter .com/brock93
twitter .com/mally981
twitter .com/merle752
twitter .com/axmann101
twitter .com/pelz478
twitter .com/renaud687
twitter .com/wienke879
twitter .com/hartinger619
twitter .com/chriselda988
twitter .com/kloos267
twitter .com/dreyer15
twitter .com/herta740
twitter .com/brauer427
twitter .com/nadina732
twitter .com/wenda245
twitter .com/rieken434
twitter.com/reinhard192
twitter .com/plath132
twitter .com/bick497
twitter .com/johannsen747
twitter .com/tacke432

Besides the TinyURL links used, they've also returned to temporarily using their original .us domains such as twitter .8w8.us - 82.146.51.126 - Email: ambersurman@gmail.com; 5us .us - 82.146.51.25 - Email: elchip0707@mail.ru, and girlstubes .cn 82.146.52.158 - Email: alexvasiliev1987@cocainmail.com with Alex Vasiliev's emails first noticed in the Diverse Portfolio of Fake Security Software - Part Nine and again in Part Twenty.

Now it's time to assess their currently active campaigns across Twitter, LinkedIn and Scribd, and connect the dots in the face of the single URL acting as a counter across all the campaigns - counteringate .com (194.165.4.77) which has already been profiled in their original massive blackhat SEO campaign, and still remains active.

The automatically registered and currently active Twitter accounts participating in the campaign are as follows, it's also worth pointing out that compared to their previous campaigns, in this way they've included relevant backgrounds and avatars to the Twitter accounts:

twitter .com/AshleyTisdal1
twitter .com/AnnaNicoleSmit
twitter .com/ParisHiltonjpg1
twitter .com/ParisHiltonmov1
twitter .com/ParisHiltonNake
twitter .com/ParisHiltonSex1
twitter .com/ParisHiltonNud2
twitter .com/ParisSexTape2
twitter .com/Britneynipslip1
twitter .com/Britneywomani
twitter .com/Britneystrip1
twitter .com/BritneySex
twitter .com/Britneycomix
twitter .com/Britneywomaniz
twitter .com/BritneyNaked2
twitter .com/britneysextape
twitter .com/BritneyxSpears1
twitter .com/Britneydesnuda1

twitter .com/LopezAss
twitter .com/jennifermorriso
twitter .com/JenniferTilly2
twitter .com/AnistonSexscen
twitter .com/AnistonBangs
twitter .com/JenniferTilly1
twitter .com/Jennifernude
twitter .com/JenniferConnel
twitter .com/JenniferGarner1
twitter .com/LopezNaked
twitter .com/AnistonSexiest
twitter .com/JenniferAnisto4
twitter .com/JenniferToastee

twitter .com/JenniferAnisto2
twitter .com/LoveHewitt1
twitter .com/JenniferLoveH1
twitter .com/JenniferGreyn
twitter .com/1JenniferAnisto
twitter .com/2JenniferAnisto
twitter .com/1JenniferLopez
twitter .com/Lopedesnuda1
twitter .com/ElishaCuthbert3

twitter .com/ElishaCuthbert1
twitter .com/AlysonHannigan2
twitter .com/AliciaMachado
twitter .com/AliLarterNaked
/twitter .com/AliLarterNude
twitter .com/MelissaJoanha
twitter .com/AishwaryaRaiN1

Upon clicking on bit .ly/Je2Sd, the user is redirected to oymomahon .com/mirolim-video/3.html - 216.32.86.106 Email: StaceyGuerreroSF@gmail.com, redirecting to myhealtharea .cn/in.cgi?13 and then to oymoma-tube .freehostia.com/x-tube.htm where the fake codec/scareware is served, downloaded from totalsitesarchive .com/error.php?id=62 - Trojan.Win32.FakeAV.nz which once executed phones back to bestyourtrust .com/in.php?url=5&affid=00262 (209.44.126.241) parked at the same IP are also the following scareware domains:

uniqtrustedweb .com
hortshieldpc .com
securetopshield .com
gisecurityshield .com
ourbestsecurityshield .com
intellectsecfind .com
thesecuritytree .com
godsecurityarchive .com
besecurityguardian .com
thefirstupper .com
securityshieldcenter .com
bitsecuritycenter .com
joinsecuritytools .com
hupersecuritydot .com
bestyourtrust .com
thetrueshiledsecurity .com
souptotalsecurity .com
scantrustsecurity .com

The second bit .ly/1a5ZsY link used in the Twitter campaign, is redirecting to showmealltube .com/paqi-video/7.html - 64.92.170.135 Email: zbestgotterflythe@gmail.com.

From there, the redirector myhealtharea .cn/in.cgi?12 - 216.32.83.110 - zbest2008@mail.ru again loads oymoma-tube.freehostia .com/tube.htm and most importantly the counter counteringate .com/count.php?id=186 which is using an IP known from their previous campaign (194.165.4.77).

Time to move on to the LinkedIn campaign, and establish a direct connection with the Twitter one, both maintained by the same group of cybercriminals.

Currently active and participating LinkedIn accounts:
linkedin .com/in/rihannanude
linkedin .com/in/rihannanude2
linkedin .com/in/nudecelebs
linkedin .com/in/britneyspearsnudee
linkedin .com/in/pamelaandersonnudee
linkedin .com/in/nudepreteen2
linkedin .com/in/tilatequilanudee
linkedin .com/pub/beyonce-nude/14/b/952
linkedin .com/pub/child-nude/13/b4b/a16
linkedin .com/in/nudemodels

linkedin .com/in/preteennude
linkedin .com/in/mariahcareynude3
linkedin .com/in/nudeboys
linkedin .com/in/evamendesnude2
linkedin .com/in/nudebeaches
linkedin .com/in/nudebabes

linkedin .com/in/nudewomen2
linkedin .com/pub/ashley-tisdale-nude/13/b4b/762
linkedin .com/pub/mila-kunis-nude/13/b4a/b99
linkedin .com/pub/nude-kids/13/b4b/aa
linkedin .com/pub/young-nude-girls/13/b4a/6a

The LinkedIn campaign is linking to the delshikandco .com, from where the user is redirected to the same domains used in the Twitter campaign, sharing the same celebrity theme - delshikandco .com/mirolim-video/3.html/delshikandco .com/paqi-video/1.html - 216.32.83.104 leads to myhealtharea .cn/in.cgi?12 to finally serve the codec at ymoma-tube.freehostia.com/xxxtube.htm or at tubes-portal.com/xplaymovie.php?id=40012 - 216.240.143.7, another IP that has already been profiled part of their previous campaigns.

Yet another nude themed campaign is operated by the same group at Scribd, linking to the already profiled delshikandco .com, used in both, Twitter's and LinkedIn's campaigns.

Currently active and participating Scribd accounts:
scribd .com/Stacy%20Keibler-nude
scribd .com/Vanessa_Hudgens%20nude
scribd .com/Jessica%20%20Simpson%20%20nude
scribd .com/MileyCyrus%20nude
scribd .com/KimKardashian%20%E2%80%98nude%E2%80%99
scribd .com/Carmen%20%20Electra%20nude
scribd .com/Jennifer%20Anistonnude
scribd .com/Paris-Hilton-nude3
scribd .com/Vida%20%20Guerra%20%20nude
scribd .com/nude2
scribd .com/Kim%20%20Kardashian%20nude
scribd .com/ZacEfron%20nude
scribd .com/BritneySpears%20nude
scribd .com/Hilary-Duff-nude%202
scribd .com/Angelina-Jolie-nude11
scribd .com/Vanessa-Hudgens-nude2
scribd .com/Natalie-Portman-nude2
scribd .com/JessicaAlba%20nude
scribd .com/Jennifer-Love-Hewitt-nude11

scribd .com/Kim-Kardashian-nude2
scribd .com/Jessica-Alba-nude11s
scribd .com/JENNIFER%20LOPEZ%20NUDE3
scribd .com/Elisha%20%20Cuthbert%20%20nude
scribd .com/Paris-Hilton-nude1
scribd .com/HilaryDuff%20nude
scribd .com/Megan-Fox-nude2
scribd .com/Britney-Spears-nude1
scribd .com/Candice%20%20Michelle%20nude
scribd .com/Lindsay-Lohan-nude3
scribd .com/Mila-Kunis-nude2
scribd .com/Miley%20Cyrus%20nude
scribd .com/Vanessa%20%20Anne%20%20Hudgens%20nude
scribd .com/rihanna-nude2
scribd .com/Jenny%20Mccarthy%20nude
scribd .com/Kim%20%20Kardashian%20%20nude
scribd .com/Olsen-Twins-nude2
scribd .com/Brooke-Hogan-nude2

scribd .com/DeniseRichardsnude2
scribd .com/Scarlett%20Johansson%20nude
scribd .com/miley-cyrus-nude
scribd .com/Celebrity%20%20nude
scribd .com/Lindsay-Lohan-nude2
scribd .com/Tila%20Tequila%20nude
scribd .com/Ashley%20Tisdale%20nude
scribd.com/Angelina-Jolie-nude2
scribd .com/Denise-Richards-nude-2
scribd .com/Britney%20Spears%20nude
scribd .com/Hayden%20Panettiere%20nude
scribd .com/Carmen-Electra-nude1
scribd .com/Brooke-Burke-nude2
scribd .com/Megan%20Fox%20nude
scribd .com/JessicaSimpson%20nude
scribd .com/Kendra-Wilkinson-nude2
scribd .com/DeniseRichardsnude
scribd.com/AngelinaJolie%20nude
scribd.com/Kate%20Mara%20nude
scribd .com/Eva%20Green%20nude
scribd .com/Mariah%20Carey%20nude

scribd .com/Britney-Spears-nude2
scribd .com/Paris%20Hilton%20nude
scribd .com/CHristina%20Applegate%20nude
scribd .com/Billie%20Piper%20nude
scribd .com/Rosario%20Dawson%20nude
scribd .com/Anna%20Kournikova%20nude
scribd .com/Jennifer-Love-Hewitt-nude2
scribd .com/Kate%20Winslet%20nude
scribd .com/Carmen%20Electra%20nude
scribd .com/Jennifer%20Love%20Hewitt%20nude
scribd .com/Vida%20Guerra%20nude
scribd .com/AnneHathaway%20nude
scribd .com/JenniferLopez_nude
scribd .com/Trish%20Stratus%20nude
scribd .com/Lindsay_Lohannude
scribd .com/Pamela%20Anderson%20nude3
scribd .com/Jessica-Simpson-nude3

scribd .com/JENNIFER%20LOPEZ%20NUDE
scribd .com/CHristina%20Aguilera%20nude
scribd .com/hilary%20duff%20nude
scribd .com/MariahCarey%20nude
scribd .com/JohnCena%20nude
scribd .com/Halle%20Berry%20nude
scribd .com/Amanda%20%20Beard%20%20nude
scribd .com/Patricia%20%20Heaton%20%20nude
scribd .com/Madonna%20nude
scribd .com/JenniferLopez%20nude
scribd .com/DeniseRichards%20nude

scribd .com/PatriciaHeaton%20nude
scribd .com/Celebrity%20nude
scribd .com/TilaTequila_nude
scribd .com/Hayden-Panettiere-nude2
scribd .com/Brenda-Song-nude2
scribd .com/Demi%20Moore%20nude
scribd .com/celebrity%20nude%201
scribd .com/JenniferLove%20Hewitt%20nude
scribd .com/Ashley_Harkleroad%20nude
scribd .com/AudrinaPatridge%20nude
scribd .com/PamelaAnderson%20nude
scribd .com/Anna%20Nicole%20Smithnude
scribd .com/Meg%20Ryan%20nude
scribd .com/Kate%20Hudsonnude

Now that all the campaigns are exposed in the naked fashion of their themes, it's worth emphasizing on the live exploits serving Koobface samples based on a bit.ly referrer - in this case the process takes place through myhealtharea .cn/in.cgi?13, which instead of redirecting to scareware domain as analyzed above, is redirecting to fast-fluxed set of IPs serving identical Koobface binary - myhealtharea .cn/in.cgi?13 loads r-cg100609 .com/go/?pid=30455&type=videxp (92.38.0.69) which redirectss to the live exploits/Koobface.

Parked on 92.38.0.69 are also the following domains:
er20090515 .com
upr0306 .com
cgpay0406 .com
r-cgpay-15062009 .com
r-cg100609 .com
trisem .com
uprtrishest .com
upr15may .com
rd040609-cgpay .net

Dynamic redirectors from r-cg100609 .com/go/?pid=30455&type=videxp on per session basis:
92.255.131 .217/pid=30455/type=videxp/?ch=&ea=
92.255.131 .217/pid=30455/type=videxp/setup.exe
76.229.152 .148/pid=30455/type=videxp/?ch=&ea=
76.229.152 .148/pid=30455/type=videxp/?ch=&ea=/setup.exe
189.97.106 .121/pid=30455/type=videxp/?ch=&ea=
189.97.106 .121/pid=30455/type=videxp/setup.exe
117.198.91 .99/pid=30455/type=videxp/?ch=&ea=
117.198.91 .99/pid=30455/type=videxp/setup.exe
79.18.18 .29/pid=30455/type=videxp/?ch=&ea=
79.18.18 .29/pid=30455/type=videxp/setup.exe
85.253.62 .53/pid=30455/type=videxp/?ch=&ea=
85.253.62 .53/pid=30455/type=videxp/setup.exe
79.164.220 .170/pid=30455/type=videxp/?ch=&ea=
79.164.220 .170/pid=30455/type=videxp/setup.exe
59.98.104 .129/pid=30455/type=videxp/?ch=&ea=
59.98.104 .129/pid=30455/type=videxp/setup.exe
78.43.24 .211/pid=30455/type=videxp/?ch=&ea=
78.43.24 .211/pid=30455/type=videxp/setup.exe
62.98.63 .254/pid=30455/type=videxp/?ch=&ea=
62.98.63 .254/pid=30455/type=videxp/setup.exe
84.176.74 .231/pid=30455/type=videxp/?ch=&ea=
84.176.74 .231/pid=30455/type=videxp/setup.exe
panmap .in/html/3003/25ee551429fcbfd75fe7bcfeba4a9cb8/ - 114.80.67.32 - charicard@googlemail.com

Parked on 114.80.67.32 are also:
managesystem32.com
napipsec.in
trialoc.in
pbcofig.in
pclxl.in
ifxcardm.in
ifmon.in
panmap.in
moricons.in
oeimport.in
ncprov.in

The served setup.exe (Win32/Koobface.BC; Worm:Win32/Koobface.gen!D;) samples phone back to a single location:- upr15may .com/achcheck.php; upr15may .com/ld/gen.php - 92.38.0.69; 61.235.117 .71/files/pdrv.exe

To further demonstrate the group's involvement in these campaigns, two active campaigns at is-the-boss.com indicate that they're also using the newly introduced counteringate.com, however, parked on the same IP as a previously analyzed redirector maintained bot the group.

A sample campaign is using the engseo .net/sutra/in.cgi?4&parameter=bravoerotica - 84.16.230.38 - Email: popkadyp@gmail.com as well as the warwork .info/cgi-bin/counter?id=945706&k=independent&ref= - 91.207.61.48 redirectors to load free-porn-video-free-porn .com/1/index.php?q=bravoerotica - 84.16.230.38 - Email: popkadyp@gmail.com serving a fake codec, and is also using the universal counter serving maintained by group counteringate .com/count.php?id=308.

A second sampled campaign at is-the-boss.com points to a new domain that is once again parked at a well known IP mainted by the gang - goldeninternetsites .com/go.php?id=2022&key=4c69e59ac&p=1 - 83.133.123.140 - known from previous campaigns.

The redirectors lead to anti-virussecurity3 .com - 69.4.230.204; 69.10.59.34; 83.133.115.9; 91.212.65.125 with more typosquatted "Personal Antivirus" scareware parked at these multiple IPs aimed to increase the life cycle of the campaign:
bestantiviruscheck2 .com
securitypcscanner2 .com
fastpcscan3 .com
goodantivirusprotection3 .com
antimalware-online-scanv3 .com
anti-malware-internet-scanv3 .com
antimalwareinternetproscanv3 .com
antimalwareonlinescannerv3 .com
anti-virussecurity3 .com
bestantispywarescanner4 .com
fastsecurityupdateserver .com

Personal Antivirus then phones back to startupupdates .com - 83.133.123.140 where more scareware is parked, with the domains known from previous campaigns:
bestwebsitesin2009 .com
live-payment-system .com
bestbuysoftwaresystem .com
antiviruspaymentsystem .com
bestbuysystem .com
homeandofficefun .com
advanedmalwarescanner .com
allinternetfreebies .com
goldeninternetsites .com
primetimeworldnews .com
liveavantbrowser2 .cn
momentstohaveyou .cn
worldofwarcry .cn
awardspacelooksbig .us

The affected services have been notified, blacklisting and take down of the participating domains is in progress.

This post has been reproduced from Dancho Danchev's blog.

Tuesday, June 16, 2009

Iranian Opposition DDoS-es pro-Ahmadinejad Sites

By utilizing the people's information warfare concept, Iranian opposition has managed to successfully organize a cyber attack against Tehran's regime (complete analysis) by using Twitter, web forums, and localization (translation) of the recruitment messages in order to seek assistance from foreigners.

So far, their rather simplistic denial of service tools has managed to disrupt access to key government web sites, and the intensity of the attacks is prone to increase since the opposition appears to be in a "learning mode".

What does "learning mode" stand for here? It's their current stage of experimentation clearly indicating their inexperience with such campaigns and DDoS attacks in general. The opposition's de-centralized chain of command isn't even speculating on the use of botnets, since the primitive multi-threaded Iranian connections hitting Iranian sites seems to achieve their effect.

From a strategic perspective, this internal unrest resulting in the disruption of key government web sites, the de-facto propaganda vehicles of the current government, is directly denying their ability to influence the population and the media, which on its way to find information is inevitably going to visit the working opposition web sites.

Moreover, the majority of people's information warfare driven cyber attacks we've seen during the past two years, have all been orbiting around the scenario where a foreign adversary is attacking your infrastructure from all over the world. But in the current situation, it's Iran's internal network that's self-eating itself, where the trade off for denying all the traffic would be the traffic which could be potentially influenced through PSYOPs (psychological operations).

What has changed since yesterday's real-time OSINT analysis? The web based "Page Rebooter" tool heavily advertised by the opposition has decided to stop offering the service due to the massive abuse:

"Unfortunately I have had to take the site down temporarily. The site was being used to attack other websites, until I can determine the source of these attacks, I have decided to keep it offline. My apologies to everyone who uses this site for it's intended purpose, hopefully we'll be back soon. I have now received several emails regarding this. Unfortunately, last night's spike in traffic cost me a lot of money in server costs, I therefore cannot afford to keep it online - even if the use is just. I have therefore decided to release the code for this site, so that you may create your own copies."

Meanwhile, the opposition has come up with a segmented targets list including hardline news portals, official Ahmadinejad sites, Iranian law enforcement sites, banks, judiciary and transportation sites, aiming to recruit international supporters:

"ALL PEOPLE AROUND THE WORLD:

Please help us in a full-scale cyberwar againts the dictatorial brutal government of Ahmadinjead! Help Iranians to earn back their votes per instructions below:

Simply click on few of the following links (better too choose your selections from different categories); it opens the site in a new tab. It will not stop you from browsing but by sending a refresh signal to the target site will saturate it. By doing so, we can block Ahmadinjead's governments flow of information in many of its key components as shown below. Please help us and yourself from this lunatic who will push the world to world war III."

Following the updated list of targets, a new LOIC.exe DoS tool is being advertised. The tool is however, anything but sophisticated (it's been around since 6 Jul 2008) compared to even the average Russian DDoS bot. Combined, the simplistic nature of the opposition's attack tools indicates the lack of any in-depth understanding of information warfare principles, in times when other countries are already going beyond cyber warfare and aiming for the unrestricted warfare stage.

The Conspiracy Theory and the Facts
How is the Iranian government/regime responding to these attacks, is it striking back to the fullest extend speculated in a countless number of cyber warfare research papers? Moreover, can it actually attack the "adversaries" which in this case reside within the country's own network? Can we easily compare this unpleasant situation from an information warfare perspective to the ongoing discussions whether or not the Should the US Go Offensive In Cyberwarfare?, and "go offensive" against who at the first place? The hundreds of thousands of U.S based malware infected hosts operated by a foreign entity as the adversary while using the targeted country's infrastructure as a human shield?

That's a dilemma that Iran's government is currently facing, but let's connect the dots and prove that the Fars News Agency which is pro-Ahmadinejad, and maintains ties to the Iranian judiciary, has in fact participated in this "cyber warfare attack with sticks and stones".

The Fars News Agency has been under attack since the beginning of the campaign, approximately 48 hours ago, prompting the site -- just like many others -- to switch to "lite" versions taking into consideration the ongoing attacks wasting the sites' bandwidth.

In a desperate attempt to influence the outcome of the DDoS attack, Fars News included iFrames pointing to opposition and anti-Ahmadinejad news sites (balatarin.com; ghalamnews.com and mirhussein.com) in order to redirect some of the attack traffic to them. The campaigners noticed the change, but upon confirming that the opposition's web sites remain online even with the iFrames in place, decided to continue the attack.

The bottom line - when your very own infrastructure hates you, you become nothing else but an observer to the declining propaganda exposure projections that you've once set, failing to anticipate the fully realistic scenario when the adversary that you've been fortifying to protect from, or have build sophisticated offensive capabilities to deal with, is in fact residing within your own infrastructure. Attempting to attack him or shut him down will only multiply the effect of his original campaign.

The net is vast and infinite.

Recommended reading:
A CCDCOE Report on the Cyber Attacks Against Georgia
DDoS Attack Graphs from Russia vs Georgia's Cyberattacks
The Russia vs Georgia Cyber Attack
Pro-Israeli (Pseudo) Cyber Warriors Want your Bandwidth
People's Information Warfare Concept
Combating Unrestricted Warfare
The Cyber Storm II Cyber Exercise
Chinese Hacktivists Waging People's Information Warfare Against CNN
The DDoS Attacks Against CNN.com
China's Cyber Espionage Ambitions
North Korea's Cyber Warfare Unit 121
Chinese Hackers Attacking U.S Department of Defense Networks
Electronic Jihad v3.0 - What Cyber Jihad Isn't

Electronic Jihad's Targets List

A Cyber Jihadist DoS Tool

Teaching Cyber Jihadists How to Hack

Empowering the Script Kiddies

OSINT Through Botnets

Corporate Espionage Through Botnets

Malware Infected Hosts as Stepping Stones

Hacktivism Tensions - Israel vs Palestine Cyberwars

The Current, Emerging, and Future State of Hacktivism

Internet PSYOPS - Psychological Operations

Tuesday, June 09, 2009

From Ukrainian Blackhat SEO Gang With Love - Part Two

It seems that the portfolio of redirectors using my name part of an ongoing Ukrainian blackhat SEO is expanding, with seximalinki .ru/images/ddanchev-sock-my-dick.php, as the latest addition. This brings up the number of redirectors to three, at least for the time being:

seximalinki.ru/images/ddanchev-sock-my-dick.php - active - 74.54.176.50; Email: Hippacmc@land.ru

seo.hostia .ru/ddanchev-sock-my-dick.php - active - 213.155.2.37

HiDancho.mine .nu/login.js - active - 64.21.86.16

Let's dissect the latest campaigns, including several related ones not necessarily serving scareware, moreover, let's also establish a connection between this gang and the ongoing hijacking of Twitter trending topics for malware serving purposes, shall we?

The redirector takes the user to antimalwareonlinescannerv3 .com - 83.133.115.9; 91.212.65.125; 69.4.230.204 - Email: immigration.beijing@footer.cn where the scareware is served.

The campaign is also relying on three more scareware domains antimalware-live-scanv3 .com; antimalwareliveproscanv3 .com ;fastsecurityupdateserver .com, with ns1.futureselfdeeds .com ensuring that the rest of the portfolio remains in tact :

premiumlivescanv1 .com
advanedmalwarescanner .com
advanedpromalwarescanner .com
antiviruspcscannerv1 .com
antiviruspremiumscanv2 .com
malware-live-pro-scanv1 .com
malwareliveproscanv1 .com
malwareliveproscannerv1 .com
malwareinternetscannerv1 .com
anti-spyware-scan-v1 .com
antimalwarescanner-v2 .com
freeantispywarescan2 .com
antivirus-scanner-v1 .com
internetotherwise .com
macrosoftwarego .com
world-payment-system .com

paymentonlinesystem .com
livewwwupdates .com
liveinternetupdates .com
livesecurityupdate .com
securitysoftwarepayments .com
antiviruspaymentsystem .com
systemsecurityupdates .com
networksecurityadvice .com
systeminternetupdates .com
protectionsystemupdates .com
updateinternetserver2 .com
protectionupdates2 .com
proantivirusscannerv2 .com
proantivirusscanv2 .com
powerantivirusscanv2 .com

These blackhat SEO-ers have been actively multitasking during the past couple of months. For instance, another campaign maintained by them at Lycos Tripod's is-the-boss.com is using the redirector ntlligent .info/tds/in.cgi?11&seoref=&parameter=$keyword&se=$se&ur=1&HTTP_REFERER= (72.232.163.171), hosted by Layered Technologies, Inc., in order to serve a a Koobface sample located at 91.212.65.35/view/1/1416/0, which upon execution phones back to upr15may .com/achcheck.php; upr15may .com/ld/gen.php (119.110.107.137) as well as to i-site .ph/1/6244.exe; i-site .ph/1/nfr.exe with the second binary phoning back to 85.13.236 .154/v50/?v=71&s=I&uid=1824245000&p=14160&ip=&q=.

Another campaign maintained by them at is-the-boss.com is using three redirectors kurinah.freehostia .com/in.cgi?8&seoref=&parameter=$keyword&se=&ur=1&HTTP_REFERER=; promodomain .info/in.cgi?8&seoref=&parameter=$keyword&se=&ur=1&HTTP_REFERER= - 66.40.52.63 - Email: support@ruler-domains.com and thetrafficcontrol .net/in.cgi?8&seoref=&parameter=$keyword&se=&ur=1&HTTP_REFERER=, until the user is finally redirected to a fake PornTube portal big-tube-list .com/teens/xmovie.php?id=45048 - 216.240.143.7 - isaacdonn@gmail.com where malware is served from my-exe-profile .com/streamviewer.45048.exe - 66.197.171.6 - Email: michalevd@gmail.com.

Upon execution, streamviewer phones back to reportsystem32 .com/senm.php?data= - 216.240.146.119 -, terradataweb .com/senm.php?data=v22 - 66.199.229.229 -, and dvdisorapid .com/senm.php?data=v22 - 64.27.5.202.

Several related fake codec serving domains parked at 216.240.143.7 are also currently active:
get-mega-tube .com - Email: raymgnw95@gmail.com
best-crystal-tube .com - Email: raymgnw95@gmail.com
the-lost-tube .com - Email: hilachow@gmail.com
sunny-tube-house .com - Email: hilachow@gmail.com
proper-tube-site .com - Email: hilachow@gmail.com
tube-xxx-work .com - Email: hilachow@gmail.com
big-tube-list .com - Email: isaacdonn@gmail.com

A third campaign is using a single redirector to tangoing .info/cgi-bin/analytics?id=917304&k= - 91.207.61.48 - Email: dophshli@gmail.com to dynamically redirect visitors to pretty much all the scareware domains listed in part twenty one of the diverse portfolio of fake security software series. Moreover, the very same email used to register the redirecting domain was also used to register a payment processing gateway for scareware transactions in January, 2009.

Yet another blackhat SEO operation maintained by the same group since February, 2009 is fi97 .net/jsr.php?uid=dir&group=ggl&keyword=&okw=&query="+query+" referer="+escape(document.referrer)+"&href="+escape(location.href)+"&r="+rzz+"'><"+"/scr"+"ipt>", which according to publicly obtainable statistics received approximately 138, 000 unique visitors in April, with 30.23% coming from Google.

The traffic hijacking of for the purpose of serving malware, using over a hundred different .us domains was in fact so successful that several webmasters reported loosing their organic search traffic due to the content within the sites. The campaign then switched to a pharmaceutical theme using a Google search engine theme, with several static links to pharma scams, once again using the already established traffic redirections tactics.

The redirectors in question petrenko .biz - 88.214.200.150 - Email: olegoff@yandex.ru and myseobiz .net - 67.225.158.16 - Email: 3bd864dddbe4421ab1112a6ebc6df4fb.protect@whoisguard.com remain in operation. The bogus Google front page is advertising the following pharma domains:

theusdrugs .com - 78.140.132.11, parked at the same IP are also more pharma domains:

medscompany .org
canadian-rxpill .com
bestyourpills .com
rx-drugs-support .com
payment-rx .com
genericdrugs .in
mendrugsshop .com
healthrefill .com

It gets even more inter-connected and malicious since this very same gang is also the one responsible for the ongoing malware campaign spreading scareware by using Twitter's trending topics. Let's establish a direct connection between the Ukrainian gang and the campaign.

The TinyURL links used redirect to an identical domain - 00freewebhost .cn - 211.95.79.115 - Email: louisgreenfield@gmail.com, where an iFrame is loading happy-tube-video .com/xplays.php?id=40030 - 216.240.143.7 - Email: isaacdonn@gmail.com where Mal/FakeAV-AY (streamviewer.40030.exe) is served, this time from exe-soft-files .com/streamviewer.40030.exe - 66.197.171.6 - Email: michalevd@gmail.com.

This very same domain (happy-tube-video .com registered to isaacdonn@gmail.com) is part of the second PornTube fake codec campaign which I assessed above, this time pushed through the gang's blackhat SEO campaigns.

Moreover, in a typical cybercrime-friendly style, the main malicious domain operated by the gang and used in the Twitter campaign - 00freewebhost .cn - continues to load the malware serving domain despite that it's main index is serving a fake account suspended notice - "This Account Has Been Suspended, This includes, but is not limited to overusing server resources, publishing adult content, or unauthorized posting of copyrighted material. Please contact our Support Team for more information." Which is pretty amusing, since despite the fact that they're using an iFrame to point to a different location, they've left an animated GIF image of a fake codec hosted there - 00freewebhost .cn/shmo/pl.gif.

A second connection between the Ukraininan black SEO gang, Twitter's ongoing campaign and the fake web hosting provider which I profiled yesterday can also be made.

For instance, the URL shortening service used in last week's campaign at Twitter a.gd/2524d9/ redirects to 66.199.229 .253/etds/go.php?sid=43 and then to av-guard .net/?uid=27&pid=3 as well as to fast-antivirus .com which are the scareware domains exposed in the recent "Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot" post. The scareware obtained from it, as well as the scareware from the above-exposed PornTube campaign streamviewer.40030.exe also share the same phone back locations.

Coming across yet another operation managed by them, namely, the ongoing Twitter trending topics hijacking attack, clearly demonstrates the impact this single group of individuals can have while multitasking at different fronts. And despite the numerous traffic acquisition tactics used, the monetization approach remains virtually the same - scareware.

Monday, June 08, 2009

GazTransitStroy/GazTranZitStroy Rubbing Shoulders with Petersburg Internet Network LLC

Following the GazTransitStroy/GazTranZitStroy (gaztranzitstroyinfo.ru; 67.15.253.241) coverage, the gang behind the bogus gas company drilling for insecure PCs across the Web has returned to its roots - St. Petersburg, Russia, with routing services courtesy of PIN-AS Petersburg Internet Network LLC (AS44050) (internet-spb.ru) :

"descr: Petersburg Internet Network LLC
address: Sedova 80
address: St.-Petersburg, Russia
e-mail:         support@internet-spb.ru
phone:          +7 812 4483863
fax-no:         +7 812 4483863
person:         Metluk Nikolay Valeryevich
address:        korp. 1a 40 Slavy ave.,
address:        St.-Petersburg, Russia
e-mail:         nm@internet-spb.ru
phone:          +7 812 4483863
fax-no:         +7 812 2683113
PIN LLC
Sedova 80
+7 812 4483863
support@internet-spb.ru

Metluk Nikolay Valeryevich
korp. 1a 40 Slavy ave.,
St.-Petersburg, Russia
+7 812 4483863
nm@internet-spb.ru

Ladoha Anton Vladimirovich
korp. 1a 40 Slavy ave.,
St. Petersburg, Russia
+7 812 4483863
admin@internet-spb.ru

Strukov Evgeny Olegovich
korp. 1a 40 Slavy ave.,
St.-Petersburg, Russia
+7 812 4483863
admin2@internet-spb.ru
e.strukov@pinspb.ru

Prefixes 91.212.41.0/24; 95.215.0.0/22; 194.11.16.0/24; 194.11.20.0/23; 195.2.240.0/23"

What's also worth pointing out that is a huge number of of domains operated by GazTransitStroy's customers, and, of course, GazTranzitStroy themselves not only traceroute back to Petersburg Internet Network LLC's network, but also, there's an evident migration to the legitimate NETDIRECT-NET - 89.149.206.0 - 89.149.207.255 - AS2875, as well as to CHINANET-SH CHINANET shanghai province network - 222.64.0.0 - 222.73.255.255.

Combined with the fact that EUROHOST-NET/Eurohost LLC (eurohost.biz.ua) 91.212.65.0 - 91.212.65.255 - AS48841 remain an inseparable part of GazTransitStroy's info, clearly indicates the presence of a well known cybercrime powerhouse - the RBN itself.

The following domains (crimeware, live exploits, scareware, you name it they engage in it) maintained by GazTranzitStroy have migrated as follows. From 91.212.41.96 to CHINANET-SH CHINANET shanghai province network - 222.64.0.0 - 222.73.255.255:

loshadinet .com
roselambda .cn
use-sena .cn
peopleopera .cn
forexsec .cn
symphonygold .cn
dreamlitediamond .cn
vilihood .cn
bookadorable .cn
drawingstyle .cn
housedomainname .cn
roomsme .cn
vilasse .cn
workfuse .cn
stakeshouse .cn
financeimprove .cn
lifenaming .cn
travetbeach .cn
schoolh .cn
rainfinish .cn
housevisual .cn
kvk.housevisual .cn
xfln.housevisual .cn
worksean .cn
blogtransaction .cn
liteauction .cn
seamodern .cn
smilecasino .cn
newtransfer .cn
oceandealer .cn
pub.oceandealer .cn
musicdomainer .cn
wowregister .cn
websiteflower .cn
travets .cn
designroots .cn
teamwows .cn
startgetaways .cn
moulitehat .cn
caxf.moulitehat .cn
islandtravet .cn
weekendtravet .cn
resorttravet .cn
litefront .cn
palaceyou .cn
youbonusnew .cn
clubmillionswow .cn
rainjukebox .cn
xuyxuyxuy .cn

From 91.212.41.114 to NETDIRECT-NET - 89.149.206.0 - 89.149.207.255 - AS28753, interestingly, the DNS servers for the following domains ns1.pubilcnameserver7.com/ns1.pubilcnameserver7.com are diversifying at 89.149.207.56 and 91.212.41.114:

freeantivirusplus09 .com
realantivirusplus09 .com
getantivirusplus09 .com
smartantivirusplus09 .com
addedantivirusonline .com
addedantivirusstore .com
addedantiviruslive .com
addedantiviruspro .com
countedantiviruspro .com
plusantiviruspro .com
myplusantiviruspro .com
addedantivirus .com
youraddedantivirus .com
bestaddedantivirus .com
easyaddedantivirus .com
yourcountedantivirus .com
bestcountedantivirus .com
yourplusantivirus .com
easyplusantivirus .com
yourguardonline .cn
easydefenseonline .cn
bestprotectiononline .cn
freecoveronline .cn
atioqe .cn
yourguardstore .cn
mycheckdiseasestore .cn
examinepoisonstore .cn
freecoverstore .cn
myexaminevirusstore .cn
bestexaminedisease .cn
yourfriskdisease .cn
easyfriskdisease .cn
friskdiseaselive .cn
bestdefenselive .cn
bigprotectionlive .cn
bigcoverlive .cn
examineillnesslive .cn
exodih .cn
suxpymi .cn
aciazi .cn
yourfriskinfection .cn
easyserviceprotection .cn
easyincomeprotection .cn
easypersonalprotection .cn
easybestprotection .cn
myascertainpoison .cn
yourguardpro .cn
refugepro .cn
mycheckdiseasepro .cn
ascertaindiseasepro .cn
yourcheckpoisonpro .cn
easycheckpoisonpro .cn
yourfriskviruspro .cn
myascertainviruspro .cn
fegbywo .cn
feptuaq .cn
myexamineillness .cn
exousyt .cn
newguard2u .cn
freedefense2u .cn
bigdefense2u .cn
bestcover2u .cn
newguard4u .cn
mydefense4u .cn
bestcover4u .cn
newguard4you .cn
mydefense4you .cn
bestcover4you .cn
yourguardforyou .cn
newguardforyou .cn
myguardforyou .cn
freedefenseforyou .cn
mydefenseforyou .cn
bestcoverforyou .cn

The ongoing affiliation with EUROHOST-NET/Eurohost LLC (eurohost.biz.ua) 91.212.65.0 - 91.212.65.255 - AS48841, and the migration of domains (scareware, live exploits, crimeware etc.) as follows. From 91.212.41.119 to 91.212.65.7 EUROHOST-NET/Eurohost LLC:

nicdaheb .cn
sehmadac .cn
ralcofic .cn
bikpakoc .cn
xidsasuc .cn
koqsuyod .cn
tozxiqud .cn
bowselaf .cn
cuzlumif .cn
porgacig .cn
hifgejig .cn
rogkadej .cn
sipcojeq .cn
silzefos .cn
popyodiw .cn
hayboxiw .cn
peskufex .cn
ridmoyey .cn
cakpapaz .cn

What kind of an ISP be maintaining a permanent Under Construction page and engage in Zeus and live exploit serving activities on the same IP as its web server? EUROHOST-NET/Eurohost LLC is one of them:

"person: Mikhail Ignatyev
address: off. 1, 81 Frunze str.,
phone: +38 093 079 00 32
address: Evpatoria, Crimea, Ukraine
e-mail: ipadmin@eurohost.biz.ua"

At eurohost.biz.ua (91.212.65.5) we also have parked 123-service.ru, serving a deja-vu account suspended message - "This account has been suspended. Either the domain has been overused, or the reseller ran out of resources." as well as ramshanabc.ru, with another account suspended message despite its previous involvement in Zeus crimeware campaigns in January, 2009 (ramshanabc .ru/ferrari/main.bin; ramshanabc .ru/ferrari/main.bin).

Besides these domains, several others, again registered to kirilboltovnet@yandex.ru are known to have been maintaining running Zeus crimeware campaigns as well:

grafjasqq .ru/kiew/kiew.cfg
heliskamm .ru/kiew5.cfg
mamaloki .ru/dir2.cfg489
mamaloki .ru/kiew3.cfg
nionalku .ru/dir5.cfg
nionalku .ru/kiew6.cfg

Still not convinced in how malicious their intentions really are? The phone number (+7 928 7867612) used in the registrations of these domains was most recently used in a spammed Zeus crimeware campaign impersonating Western Union.

Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot

Just like GazTranzitStroyInfo's case, what we've got here is failure to understand that the efforts put into building legitimacy of front-ends to cybercrime, is prone to get undermined upon closer examination of the particular web hosting provider.

Who, and what is Life4you .info - Free Hosting for Live (dirsite .com; 65.98.15.80; Dennis Linkor Email: admin@dirsite.com)?

"We are pleased to announce the launch of dirsite.com, the best ASP.NET host on the web. We currently offer one plan. This plan is entirely free! Free ASP.NET 2.0 hosting*! Unfortunately we have hit our quota for ad free accounts. Every new signup is now required to display a 460x60 banner ad on their content pages. We will be running another ad free promotion soon, so be sure to check back! We are currently experiencing some technical issues that are out of our control. We are suffering some server problems and as a result, slight delays in processing signups. We are working on it, and will have everything resolved as soon as possible. Thank you for your patience."

What's so special about them? Well, for starters, they've got no customers but the cybercriminals themselves maintaining a portfolio of over 7,000 adult related keywords which they have been using for blackhat SEO campaigns across thousands of automatically registered -- CAPTCHA recognition outsourced -- Blogspot accounts since February, 2009.

With the Blogspot campaign still ongoing, let's assess it and expose all the participating scareware domains. Upon automatic generation of the Blogspot accounts, links like the following are included next to the bogus content, all using dirsite.com's pseudo-legitimate hosting services:

goto.dirsite .com/go.php?sid=2&tds-key=erotic+bikini+babes
goto.dirsite .com/go.php?sid=2&tds-key=sexe+amateur+on+my+space
goto.dirsite .com/go.php?sid=2&tds-key=aunt+judy+older+women
goto.dirsite .com/go.php?sid=2&tds-key=view+private+profiles+on+myspace
goto.dirsite .com/go.php?sid=2&tds-key=fullmetal+alchemist+porn
goto.dirsite .com/go.php?sid=2&tds-key=Asian+style+bed+throws
goto.dirsite .com/go.php?sid=2&tds-key=cheerleader+candid+pictures
goto.dirsite .com/go.php?sid=2&tds-key=desisexstories
goto.dirsite .com/go.php?sid=2&tds-key=Hey+Arnold+porno
goto.dirsite .com/go.php?sid=2&tds-key=warcraft+henrai

Upon clicking the users are redirected to tdncgo2009 .com/?uid=68&pid=3 (trdatasft .com; fra22 .net; Email: ) 64.86.17.47, Email: hmlragnsky@whoisservices.cn, where the scareware domains are randomly loaded:

virusdoctor-onlinedefender .com - 64.213.140.69 Email: sebarinvert.ivus@gmail.com
onlinescan-ultraantivirus2009 .com - 206.53.61.76
virussweeper-scan .net - 206.53.61.76
virusalarm-scanvirus .net - 206.53.61.76
viruscatcher .net - 64.213.140.71 Email: jeannemcpeters@gmail.com
fast-antivirus .com - 64.213.140.68

The scareware attempts to phone back to update1.virusshieldpro .com/ReleaseXP.exe - 206.53.61.75 - Email: unitedisystems@gmail.com and to updvmfnow .cn - 64.86.17.9 Email: oijfsd.sd@gmail.com. ReleaseXP.exe then phones back to the following locations, naturally earning profit for the cybecriminal -

pay-virusshield .cn - 64.213.140.70; Email: unitedisystems@gmail.com; Returning the following message: "Sorry, the operation is currently unavailable, please email our support team from product's site (Error Code #150)"
updvmfnow .cn - 64.86.17.9
updvmfnow .cn/reports/install-report.php (64.86.17.9)
updvmfnow .cn/reports/soft-report.php
updvmfnow .cn/reports/minstalls.php

The phone back location is also hosting more active scarewaredomains:
ultraantivirus2009 .com - 64.86.17.9
virusalarmpro .com
vmfastscanner .com
mysuperviser .com
pay-virusdoctor .com
virusmelt .com
payvirusmelt .com

Not only is life4info .info or dirsite .com a bogus free hosting provider, but the campaigns hosted by them are interacting with our "dear friends" at AS30407; VELCOM .com which Spamhaus describes as "N. American base of Ukrainian cybercrime spammers" - and with a reason.

Friday, June 05, 2009

A Diverse Portfolio of Fake Security Software - Part Twenty One

The ongoing abuse of AS10929; NETELLIGENT Hosting Services Inc. for scareware distribution purposes is peaking once again, which combined with the well-proven traffic acquisition tactics the campaigners take advantage of, prompts me to proactively undermine the effectiveness of the campaigns by ruining the monetization factor.

Next to listing the scareware domains currently in circulation, in part twenty one of the Diverse Portfolio of Fake Security Software series, it's time we put the spotlight on the so called payment processors mainted by phony in-house operations.

The following scareware domains are parked exclusively within AS10929; NETELLIGENT Hosting Services Inc's network, 209.44.126.102 in particular :

fanscan4 .com 209.44.126.102 Email: brmargul@gmail.com

rayscan4 .com Email: brmargul@gmail.com
scantop4 .com Email: ansouthe@gmail.com
scanlist6 .com Email: metamant@gmail.com
goscanfine .com Email: chirelqas@gmail.com
goscanone .com Email: canrcnad@gmail.com
scan4note .com Email: ansouthe@gmail.com
in4ck .com Email: taboussybr@gmail.com
goscanwork .com Email: govemati@gmail.com
in4tk .com Email: skeltonrw@gmail.com
goscanatom .com Email: gleyersth@gmail.com
top4scan .com Email: ansouthe@gmail.com
slot6scan .com Email: metamant@gmail.com
gometascan .com Email: ricboin@gmail.com
gopagescan .com Email: tanehen@gmail.com
gofinescan .com Email: alcnafuch@gmail.com
goelitescan .com Email: funully@gmail.com
gorankscan .com Email: canrcnad@gmail.com
goworkscan .com Email: govemati@gmail.com
gogoalscan .com Email: chinrfi@gmail.com
gogenscan .com Email: tanehen@gmail.com
goautoscan .com Email: tanehen@gmail.com
goflexscan .com Email: alcnafuch@gmail.com
goscanauto .com Email: canrcnad@gmail.com
scan6slot .com Emaik: telerdomb@gmail.com
in4st .com Email: skeltonrw@gmail.com
scan6list .com Email: telerdomb@gmail.com
goscanflex .com Email: chirelqas@gmail.com

goscankey .com Email: ricboin@gmail.com
scanmeta4 .info Email: sitintu@gmail.com
scannote4 .info Email: sitintu@gmail.com
metascan4 .info Email: finewnrk@gmail.com
zonescan4 .info Email: mexnacc@gmail.com
notescan4 .info Email: finewnrk@gmail.com
miniscan4 .info Email: finewnrk@gmail.com
rankscan4 .info Email: mexnacc@gmail.com
atomscan4 .info Email: finewnrk@gmail.com
fanscan4 .info Email: finewnrk@gmail.com
genscan4 .info Email: finewnrk@gmail.com
autoscan4 .info Email: sitintu@gmail.com
topscan4 .info Email: finewnrk@gmail.com
starscan4 .info Email: finewnrk@gmail.com
fixscan4 .info Email: sitintu@gmail.com
mixscan4 .info Email: finewnrk@gmail.com
luxscan4 .info Email: finewnrk@gmail.com
rayscan4 .info Email: finewnrk@gmail.com
keyscan4 .info Email: sitintu@gmail.com
scangen4 .info Email: sitintu@gmail.com
scanauto4 .info Email: mexnacc@gmail.com

scantop4 .info Email: finewnrk@gmail.com
scanflex4 .info Email: mexnacc@gmail.com
scan4meta .info Email: finewnrk@gmail.com
scan6meta .info Email: donboset@gmail.com
scan4fine .info Email: mexnacc@gmail.com
meta4scan .info Email: finewnrk@gmail.com
note4scan .info Email: finewnrk@gmail.com
gen4scan .info Email: finewnrk@gmail.com
flex4scan .info Email: mexnacc@gmail.com
fix4scan .info Email: sitintu@gmail.com
key4scan .info Email: mexnacc@gmail.com
meta6scan .info Email: donboset@gmail.com
note6scan .info Email: donboset@gmail.com
scan4gen .info Email: finewnrk@gmail.com
scan6gen .info Email: donboset@gmail.com
scan4auto .info Email: sitintu@gmail.com
scan4top .info Email: finewnrk@gmail.com
scan4fix .info Email: sitintu@gmail.com
scan4key .info Email: sitintu@gmail.com
fine4scan .info Email: beelriel@gmail.com
scanmega4 .info Email: bnntnkmn@gmail.com
zonescan4 .info Email: mexnacc@gmail.com
rankscan4 .info Email: mexnacc@gmail.com
scanauto4 .info Email: mexnacc@gmail.com
scan4fine .info Email: mexnacc@gmail.com
way4scan .info Email: bnntnkmn@gmail.com
key4scan .info Email: mexnacc@gmail.com
scan4fan .info Email: myscarbe@gmail.com

Exceptions out of AS10929; NETELLIGENT Hosting Services Inc.:

ia-pro .com - 194.165.4.41; 200.63.45.224; 209.44.126.104; 200.63.45.224 Email: abuse@domaincp.net.cn
generalantivirus .com Email: compalso@gmail.com
genpayment .com Email: seeingrud@gmail.com
livestopbadware .com Email: producergrom@gmail.com
av-payment .com Email: abuse@domaincp.net.cn
antimalware-live-scanv3 .com - 38.99.170.9; 78.47.91.153; 83.133.115.9; 89.47.237.52;91.212.65.125; Email: immigration.beijing@footer.cn
antivirus-scanner-v1 .com Email: tareen@yahoo.com
proantivirusscannerv2 .com Email: ecindia@hotmail.com

Who's processing the payments made by the scammed customers? These are the major payment processors of scareware software that have been changing aliases for a while now, with Pandora Software being the most persistent one:

easybillhere .com - 200.63.45.221; Email: myerysin@gmail.com
secure.softwaresecuredbilling .com - 209.8.45.122; Viktor Temchenko Email: TemchenkoViktor@googlemail.com
secure.propayments .org - 78.46.152.8; Oleg Bajenov Email: oleg.bajenov@gmail.com
secure.soft-transaction .com - 77.91.228.155; Riabokon, Igor; rw6rr69n7z2@networksolutionsprivateregistration.com
secure-plus-payments .com - 209.8.25.204; John Sparck; Email: sparck000@mail.com
secure.pnm-software .com - 209.8.45.124; Live Internet Marketing Limited; pnm-software.com@liveinternetmarketingltd.com
secure.thepaymentonline .com Email: Sergey Ryabov director@climbing-games.com

What is Pandoware Software, and who's behind Pandora Software (pandora-software .com; pandora-software .info; pandoraxxl .com - 209.8.45.121; Live Internet Marketing Limited; Email: pandoraxxl.com@liveinternetmarketingltd.com)?

The payment processor describes itself as :

"PandoraXXL is a company which provides the best adult entertainment online and is the managing company of the adult websites of the group. The concept itself is the carefull creation of websites which are different from the average vanilla adult production. We create them, we run them and we provide customer care to our customers!If You are a customer and would like to know more about our websites please click on Our Websites above. PandoraXXL.com and all sites which listed on PandoraXXL.com owned by Oleg Dvoretskiy Varzinerstr. 127, 44369 Dortmund, Germany"

Upon "doing business" with them they include their very latest domain within the the credit card statement:

"Your credit card statement may show any of the following names: WWW.PANDORAXXL.COM If so , than You have made a purchase on one of our websites! This form on the right will help You to locate these transactions! Absolutely sure You have never ever purchased anything with us? Contact us immediately then! Due to our knowledge we are one of a VERY few adult paysites companies out there providing INHOUSE live support along with telephone support. Please call only when You are sure that this site was not ab to help You with Your transactions. You may call with technical questions as well but You must read all our site's FAQs first."

Going through the terms of service for several scareware domains, there's a contact support image saying "Copyright 2008 Oleg Dvorezky, Dortmund, Germany". Why an image and not a text? Cybercriminals sometimes ensure that sensitive info potentially undermining their OPSEC doesn't get crawled by public search engines. It's gets even more interesting as Oleg Dvorezky, whose activities as payment processor for scareware go beyond the support desk has also included his address - Varzinerstr. 127. 44369 Dortmund, Germany and another phone, again as an image +1(636)549-8103, followed by two more numbers +18669997851 (USA) +33179972633 (France) listed as contact details.

Moreover, despite the fact that they've active affiliates distribution scareware and earning money in the process, next to managing the processing of payments, one should not exclude the possibility that they may also be engaging in customer relationship management for other scareware affiliate partners. For instance, the following support emails are all managed by them :

support@supportdeska.com
support@msantispyware2009.com
support@pandora-software.com
support@pandoraxl.com
support@data-saver.org
support@generalantivirus.com

Fo the time being, scareware remains the single most efficient, managed and high liquidity asset used for monetization cybercrime campaigns.

Thursday, June 04, 2009

From Ukrainian Blackhat SEO Gang With Love

UPDATE: My name is now an integral part of the scareware business model.

Yet another redirector used in the ongoing blackhat SEO campaign is using it, this time saying just "hi" - hidancho.mine .nu/login.js redirects to privateaolemail .cn/go.php?id=2010-10&key=b8c7c33ca&p=1 and then to antimalwareliveproscanv3 .com where the scareware is served -- catch up with the Diverse Portfolio of Fake Security Software series.

What's next? The release of Advanced Pro-Danchev Premium Live Mega Professional Anti-Spyware Online Cleaning Scanner 2010?

You know you have a fan club, as well as positive ROI out of your research, when one of the most active blackhat SEO groups for the time being starts cursing you in its multiple redirectors, in this particular case that's seo.hostia .ru/ddanchev-sock-my-dick.php.

Back in 2007, it used to be the polite form of get lost or "ai siktir vee" courtesy of the New Media Malware Gang, a customer of the Russian Business Network.

Upon hijacking legitimate traffic and verifying that the visitor is coming from var se = new Array("google.","msn.","yahoo.","comcast.","aol", the redirector then takes us to macrosoftwarego .com; live-payment-system .com - 83.133.123.140 Email: fabian@ingenovate.com, and to antimalware-live-scanv3 .com - 38.99.170.9; 78.47.91.153; 83.133.115.9; 89.47.237.52; 91.212.65.125 Email: immigration.beijing@footer.cn where the scareware is served.

Scareware domains (delegated) part of their campaigns which as of recently diversity to Lycos owned is-the-boss.com:
anti-spyware-scan-v1 .com - ns1.futureselfdeeds .com (78.47.88.217)
malware-live-pro-scanv1 .com
premiumlivescanv1 .com
malwareliveproscanv1 .com
antiviruspcscannerv1 .com
malwareliveproscannerv1 .com
freeantispywarescan2 .com
antiviruspremiumscanv2 .com
proantivirusscanv2 .com
antiviruspaymentsystem .com
macrosoftwarego .com
advanedmalwarescanner .com
advanedpromalwarescanner .com
futureselfdeeds .com
allinternetfreebies .com
liveinternetupdates .com
momentstohaveyou .cn

Rephrasing the Cardigans Love Fool song - Common sense tells me I shouldn't bother, and I ought to stick to another blackhat SEO campaign, a blackhat SEO campaign that surely deserves me, but I think you folks do.

Thanks to Sean-Paul Correll from PandaLabs for the tip.

Tuesday, June 02, 2009

Summarizing Zero Day's Posts for May

The following is a brief summary of all of my posts at ZDNet's Zero Day for May.

You can also go through previous summaries for April, March, February, January, December, November, October, September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed.

Notable articles include: Inside the botnets that never make the news - a gallery; China's 'secure' OS Kylin - a threat to U.S offsensive cyber capabilities? and The Web's most dangerous keywords to search for.

01. Cybercriminals promoting malware-friendly search engines
02. New Mac OS X email worm discovered
03. China's 'secure' OS Kylin - a threat to U.S offsensive cyber capabilities?
04. Spammers harvesting emails from Twitter - in real time
05. 56th variant of the Koobface worm detected
06. Study: password resetting 'security questions' easily guessed
07. D-Link router's CAPTCHA flawed, WPA passphrase retrieved
08. Inside the botnets that never make the news - a gallery
09. The Web's most dangerous keywords to search for

Dating Spam Campaign Promotes Bogus Dating Agency - Part Two

Your future template-based wife is here, waiting not only for you, but also, for the hundreds of thousands of spammed gullible future husbands.

Our "dear friends" at Confidential Connections are at it again - spamming out bogus dating profiles, introducing new domains and inevitably exposing the phony company's connections with managed spam services operated by money mules, and sharing DNS servers with more cybercrime-facilitating parties.

As in their previous campaigns, they're spamming from LRouen-152-82-6-202.w80-13.abo.wanadoo.fr [80.13.101.202], and here's the most recent portfolio of domains used in the spam campaigns parked at 62.90.136.207:

dating-forin-loved .com - Email: deolserdo@safe-mail.net
matchwithworld .com - Email: esheodin@safe-mail.net
love-f-emale .com - Email: lo3664570460504@absolutee.com
i-amsingle .com - Email: i-3685838623704@absolutee.com
for-you-from-me .com - Email: PabloStantonXW@gmail.com
love-me-long-time .com - Email: lo3685839114104@absolutee.com
destinycombine .com - Email: esheodin@safe-mail.net
you-isnot-alone .com - Email: SamNilsenson@gmail.com
find-some-love .com - Email: SamNilsenson@gmail.com
find-thereal-love .com - Email: deolserdo@safe-mail.net

all-hot-love .com - Email: sup3portne3west@safe-mail.net
find-the-reallove .com - Email: fi3653005547304@absolutee.com
sweet-hearts-dating .com - Email: SamNilsenson@gmail.com
my-great-dating .com - Email: SamNilsenson@gmail.com
yourmatchwith .com - Email: esheodin@safe-mail.net
loking-for-aman .com - Email: lo3653004406804@absolutee.com
myloving-heart .com - Email: my3685835605504@absolutee.com
beautiful-prettywoman .com - Email: JosiahMillerTP@gmail.com
buildyour-happylove .net - Email: bu3664569267104@absolutee.com
adorelovewon .com - Email: supportnewest@safe-mail.net
andiloveyoutoo .com - Email: enorst10@yahoo.com

myloveamour .com - Email: supportnewest@safe-mail.net
luckyheatrs .com - Email: neujelivsamomdeli@gmail.com
just-waiting-foryou .com - Email: SamNilsenson@gmail.com
dreams-about-lady .com - Email: JosiahMillerTP@gmail.com
inspiredlove .net - Email: antonkovalchukk@gmail.com
make-family .net - Email: JosiahMillerTP@gmail.com
createyourlove .net
fillinglove .net

Let's connect the dots, shall we? Notice some of the registrant's emails, namely supportnewest@safe-mail.net and sup3portne3west@safe-mail.net. It gets even more interesting taking into consideration the fact that the money laundering group's botnet command and control domain was registered to supp3ortnewest@safe-mail.net. Moreover, among the unique usernames used exclusively by this botnet, was in fact the one used in Confidential Connections spam campaigns, confirming their connection.

Naturally, Confidential Connections are also rubbing shoulders with more cybercrime facilitating domains sharing the same DNS infrastructure (ns1.srv .com).

For instance, superfuturebiz .com/maingovermnfer5 .com (Trojan-Spy.Win32.Zbot.uyn) where a Trojan-Spy.Win32.Zbot.uyn is hosted at maingovermnfer5 .com/anyfldr/demo.exe which once executed attempts to download Zeus crimeware from maingovermnfer5 .com/anyfldr/cfg.bin.

Moreover, carder-shop .com which is an ex-Atrivo darling, yourmagicpills .com which is a typical pharmaceutical scam, zaikib .in a malware command and control, and eefs .info which is a phony "East Europe Financial System" and looks like a typical money mule recruitment operation.

Wednesday, May 27, 2009

3rd SMS Ransomware Variant Offered for Sale

The concept of ransomware is clearly making a comeback. During the past two months, scareware met the ransomware business model in the face of File Fix Professional 2009 and FakeAlert-CO or System Security, followed by two separate SMS-based ransomware variants Trj/SMSlock.A and a modified version of it.

The very latest one is once again offered for sale, with a social engineering theme attempting to trick the infected user that as of 1st of May Microsoft is launching a new anti-pirates initiative, and that unless a $1 SMS is sent in order to receive the deactivation code back, their copy of Windows will remain locked.

Key features:
Support for Windows 98/Vista
- Blocks the entire desktop
- Locks system key combinations attempting to remove it
- Copied to the system folder (the file is almost impossible to find)
- Can be put in the startup
- Launches the blocking system before the desktop appears upon reboot
- Blocks all windows including the Task Manager
- Upon entering the secret code, the ransomware is removed from the system folder and autorun

The price for a custom-made version with the customer's own SMS data is $10, with $5 per new (undetected) copy, as well as the complete source code available for $50 again from the same vendor.

From a "visual social engineering" perspective, the one that make scareware what it is as product -- a product which would have scaled so fast if it wasn't the distribution channel in the form of web site compromises and blackhat SEO at the first place -- the latest SMS ransomware variant lacks any significant key visual features which can compete with for instance, the DIY fake Windows XP activation trojan and its 2.0 version.

With the emerging localization on demand services offering translations for phishing, spam and malware campaigns into popular international languages, it wouldn't take long before the SMS ransomware starts targeting English-speaking users next to the hardcoded Russian speaking ones for the time being.

Tuesday, May 26, 2009

Inside a Money Laundering Group's Spamming Operations

UPDATE: The command and control domain has been taken care of courtesy of the brisk response of OC3 Networks Abuse Team.

Next to the efficiency and cost-effectiveness centered cybercriminals having anticipated the outsourcing (Cybercrime-as-a-Service) model a long time ago, there are those self-serving groups of cybercriminals which engage in literally each and every aspect of cybercrime - money mule recruiters in this very specific case.

What do the known money laundering aliases such as Value Trans Financial Group, Inc. (valuetrans.biz); Advance Finance Group LLC (af-g.net); ABP Capital (abpcapital.com); Premium Financial Services (advance-financial-products.org); eTop Group Inc. (etop-groupli.cc); Liberty Group Inc. (libertygroup.cc); Eagle Group Inc. (eaglegroupmain.cn); Star Group Inc. (eagle-group.net); DBS Group Inc. (dbs-group.cn); FB&B Group Inc. (fbb-groupli.cc); Advance Finance Group LLC (af-g.net); DC Group Inc. (dc-group.cn); IBS Group Inc. (ibsgroup.cc; ibsgroupli.cn) and FCB Group Inc. (fcb-group.cc) have in common?

It's a 31,000 infected hosts botnet which they use exclusively for spamming.

The money laundering organization describes itself as:
"The company was set up in 1990 in New York, the USA by three enthusiasts who have financial education. The head of the company was Karl Schick. At the very beginning of its business activity the company provided fairly narrow range of services at the investment market. Within 15 years of hard work the company has acquired international standing and managed to develop into a global financial holding with the staff of 3,000 people and headquarters in more than 100 countries of the world."

Interestingly, on the majority of occasions cybercriminals tend to undermine the level of operational security that they could have achieved at the first place, and this is one of those cases where their misconfigured botnet command and control allows other cybercriminals to hijack their botnet, and security researchers to shut it down effectively.

The people behind this money laundering organization are either lazy, or ignorant to the point where the botnet's command and control interface would be using the very same web server that they use for recruitment purposes.

Here are some screenshots of their command and control interface used exclusively for spam campaigns:

The domain is registered to supp3ortnewest@safe-mail.net and the DNS services are courtesy of one.goldwonderful9.info; ns.partnergreatest8.net; back.partnergreatest8.net; two.goldwonderful9.info which are the de-facto DNS servers for a huge number of related and separate money laundering brand portfolios (the quality of the historical CYBERINT on behalf of Bobbear is the main reason why commissioned DDoS attacks were hitting the site last year).

Taking down the group's command and control domain is in progress.

Tuesday, May 19, 2009

GazTranzitStroyInfo - a Fake Russian Gas Company Facilitating Cybercrime

"In gaz we trust"? I'd rather change GazTranzitStroyInfo's vision to HangUp Team's infamous - "in fraud we trust". It is somehow weird to what lengths would certain cybercriminals go to create a feeling of legitimacy of their enterprise.

AS29371 - gaztranzitstroyinfo LLC - 91.212.41.0/24 based in Russia, Sankt Peterburg, Kropotkina 1, office 299, is one of them. Let's "drill" for some malicious activity at GazTranzitStroyInfo, and demonstrate how cybercriminals are converging different hosting providers to increase the lifecycle of their campaigns.

The recent peak of fake codecs (for instance video-info .info and sex-tapes-celebs .com serving softwarefortubeview.40018.exe) puts the spotlight on GazTranzitStroyInfo and its connections with another rogue hosting provider in the face of AS48841, EUROHOST-AS Eurohost LLC, which was providing hosting infrastructure to the scareware domains part of Conficker's Scareware Monetization strategy, and continues to do so for a great deal of exploits/malware serving domains, next to AS10929 NETELLIGENT Hosting Services Inc. where the infrastructure of the three hosting providers has converged.

Let's detail some malicious activity found at GazTranzitStroyInfo. The following are redirectors to live exploits/zeus config files/scareware found within AS29371 and pushed through blackhat SEO and web site compromises:

peopleopera .cn - 91.212.41.96
forexsec .cn
vitamingood .cn
bookadorable .cn
drawingstyle .cn
housedomainname .cn
workfuse .cn
schoolh .cn
rainfinish .cn
housevisual .cn
worksean .cn
liteauction .cn
newtransfer .cn
oceandealer .cn
musicdomainer .cn
websiteflower .cn
designroots .cn
islandtravet .cn
litefront .cn
clubmillionswow .cn

softwaresupport-group .com - 91.212.41.91
bestfindahome .cn
dastrealworld .ru
elantrasantrope .ru
borishoffbibi .ru
sandiiegoexpo .ru
nightplayauto .ru
startdontstop .ru

nicdaheb .cn - 91.212.41.119
sehmadac .cn
vavgurac .cn
tixleloc .cn
xidsasuc .cn
cuzlumif .cn
teyrebuf .cn
hifgejig .cn
tukhemaj .cn
rogkadej .cn
wuhwasum .cn
sipcojeq .cn
tixwagoq .cn
silzefos .cn
popyodiw .cn
cakpapaz .cn

Rogue security software:
addedantivirusonline .com - 91.212.41.114
addedantivirusstore .com
addedantiviruslive.com
addedantiviruspro.com
countedantiviruspro.com
myplusantiviruspro.com
easyaddedantivirus.com
yourcountedantivirus.com
bestcountedantivirus.com
yourplusantivirus.com

For instance, a sampled domain such as housedomainname .cn/in.cgi?6 redirects us to securityonlinedirect .com/scan.php?affid=02083 which is serving scareware with hosting courtesy of AS10929 Netelligent Hosting Services Inc, which in case you remember popped-up in the Diverse Portfolio of Fake Security Software - Part Twenty. At securityonlineworld .com (209.44.126.22) we also have a portfolio of scareware domains:

thestabilityweb .com
securityonlineworld .com
websecuritypolice .com
wwwsafeexamine .com
dynamicstabilityexamine .com
networkstabilityexamine .com
safetyscansite .com
onlinesafetyscansite .com
securityscansite .com
stabilityonlineskim .com
socialsecurityscan .com
securityexamination .com
internetsecuritymetrics .com
onlinebrandsecuritys .com
securityonlinedirect .com
scanstabilityinternet .com
stabilityaudit .com
websecuritybureau .com
safewebsecurity .com
webbrowsersecurity .com
futureinternetsecurity .com
superiorinternetsecurity .com

The fake codec at video-info .info (AS29371 - gaztranzitstroyinfo LLC) is in fact downloaded from kir-fileplanet .com - 91.212.65.54 (AS48841; EUROHOST-NET) where more malicious activity is easily detected at:

downloadmax .org - 91.212.65.19
hd-codec .com
shotgol .com
kauitour .com
coecount .com
countbiz .com
videoaaa .net
7stepsmedia .net
ispartof .net
amoretour .net
browardcount .net

trucount3000 .com - 91.212.65.10; 91.212.65.29
trucount3001 .com
trucount3002 .com
antivirus-xppro-2009.com
onlinescanxppp .com
onlinescanxpp .com
onlinescanxp .com
free-webscaners .com

In cybercriminals I don't trust.

Related posts:
Fake Codec Serving Domains from Digg.com's Comment Spam Attack
Lazy Summer Days at UkrTeleGroup Ltd
Bogus LinkedIn Profiles Redirect to Malware and Rogue Security Software
Massive Blackhat SEO Campaign Serving Scareware
EstDomains and Intercage VS Cybercrime
The Template-ization of Malware Serving Sites
The Template-ization of Malware Serving Sites - Part Two
Malware campaign at YouTube uses social engineering tricks
Poisoned Search Queries at Google Video Serving Malware
Syndicating Google Trends Keywords for Blackhat SEO

Related Russian Business Network coverage:
The New Media Malware Gang - Part Four
The New Media Malware Gang - Part Three
The New Media Malware Gang - Part Two
The New Media Malware Gang
Rogue RBN Software Pushed Through Blackhat SEO
RBN's Phishing Activities
RBN's Puppets Need Their Master
RBN's Fake Account Suspended Notices
A Diverse Portfolio of Fake Security Software
Go to Sleep, Go to Sleep my Little RBN
Exposing the Russian Business Network
Detecting the Blocking the Russian Business Network
Over 100 Malwares Hosted on a Single RBN IP
RBN's Fake Security Software
The Russian Business Network

Thursday, May 14, 2009

A Diverse Portfolio of Fake Security Software - Part Twenty

Has the cloudy economic climate hit the scareware business model, the single most efficient and high-liquidity monetization practice that's driving the majority of blackhat SEO and malware attacks? The affiliate networks are either experiencing a slow Q2, or are basically experimenting with profit optimization strategies.

Following the "aggressive" piece of scareware with elements of ransomware discovered in March, a new version of the rogue security software is once again holding an infected system's assets hostage until a license is purchased.

This tactic is however a great example of the dynamics of underground ecosystem (The Dynamics of the Malware Industry - Proprietary Malware Tools; The Underground Economy's Supply of Goods; 76Service - Cybercrime as a Service Going Mainstream; Zeus Crimeware as a Service Going Mainstream; Will Code Malware for Financial Incentives; The Cost of Anonymizing a Cybercriminal's Internet Activities - Part Two; Using Market Forces to Disrupt Botnets; E-crime and Socioeconomic Factors; Price Discrimination in the Market for Stolen Credit Cards; Are Stolen Credit Card Details Getting Cheaper?).

Despite the fact that it's the network of cybercriminals that pays and motivates other cybercriminals to SQL inject legitimate sites, send spam, embedd malicious code through compromised accounts and launch blackhat SEO campaigns, it cannot exist without the traffic that they provide, and is therefore competing with other affiliate networks for it.

For your blacklisting, case-building and cross-checking pleasure, currently active blackhat SEO and Koobface campaigns monetize the traffic through the following rogue domains:

yourpcshield .com (209.44.126.14) - AS10929 NETELLIGENT Hosting Services Inc. Email: bershkapull@gmail.com
virustopshield .com
totalvirushield .com
pcguardscan .com
topwinsystemscan .com
basevirusscan .com
systemvirusscan .com
bastvirusscan .com
myfirstsecurityscan .com
fastviruscleaner .com
allvirusscannow .com

freeforscanpc .com (209.44.126.241) - AS10929 NETELLIGENT Hosting Services Inc.
truevirusshield .com
totalvirusshield .com
hypersecurityshield .com
scanyourpconline .com
allowedwebsurfing .com
xvirusdescan .com
securitytrustscan .com
fullsecurityaction .com
fullvirusprotection .com
fullsecuritydefender .com
hupersecuritydot .com
trustedwebsecurity .com
greatscansecurity .com
updateyoursecurity .com

antimalware-scannerv2 .com (78.46.88.202) - AS16265 LeaseWeb AS Amsterdam, Netherlands Email: basni@lewispr.com
onlinevirusbusterv2 .com
xpvirusprotection2009 .com
total-malwareprotection .com
total-virusprotection .com
xpvirusprotection .com
bestbillingpro .com
truconv .com

safeinternettoolv1 .com (212.117.165.126; 38.99.170.9; 69.4.230.204; 78.47.91.153) - AS36351 SOFTLAYER Technologies Inc; AS24940 HETZNER-AS Hetzner Online AG RZ-Nuernberg; AS44042 ROOT-AS root eSolutions; AS174 COGENT /PSI Email: info@dmf.com.tr
antivirusquickscanv1 .com
computerscanv1 .com
antivirusbestscannerv1 .com
antiviruslivescanv3 .com
proantivirusscanv3 .com
fullantispywarescan .com
webscannertools .com
approved-payments .com

Tuesday, May 12, 2009

SMS Ransomware Source Code Now Offered for Sale

Remember the ransomware variant that was locking down user's PCs and demanding a premium SMS in order for them to receive the unlocking code?

In an attempt to further monetize the "innovative" practice of converging Windows-based malware and premium SMS numbers operated by the cybercriminals, a do-it-yourself version of the ransomware is currently offered for sale for a mere $15.

Here are some of its features:
- When executed presents the uset with a Blue Screen of Death style error message
- A simple auto-loading feature ensuring it will load every time the host is rebooted, completely disables the startup shell in order to become the first application to appear upon reboot
- Disables Windows Task Manager, Registry Editor, default shortcuts for terminating a program

The vendor would also like to remind its customers that "the application is for educational purposes only", next to a comment on how all of their current customers are fully satisfied with the money they're making by locking infected user's PCs. This piece of ransomware has been spreading across the Russian web space since April, and with its source code now offered for sale, it's only a matter of time before the error messages get localized to multiple languages courtesy of localization on demand cybercrime-friendly services breaking any language barrier for a spam/malware campaign.

However, from an operational security (OPSEC) perspective which I often emphasize on in order to demonstrate how efficient cybercrime facilitating tactics increase the probability of successfully tracking down the people behind a particular attack, this premium SMS based ransomware tactic is exposing the people behind the campaign much easily due to its reliance on a mobile operator, compared to GPCode's virtual money exchange approach (Who's behind the GPcode ransomware?) which given they put enought efforts, the process can be virtually untraceable.

Despite the fact that vendors have already released unlock code generators for the SMS ransomware, taking into consideration the potential for widespread ransomware campaigns through the now ubiqitous revenue generator in the form of scareware (Scareware meets ransomware: "Buy our fake product and we'll decrypt the files"), the concept is not going away anytime soon.

Related posts:
Mobile Malware Scam iSexPlayer Wants Your Money
New mobile malware silently transfers account credit
New Symbian-based mobile worm circulating in the wild

Wednesday, May 06, 2009

Dating Spam Campaign Promotes Bogus Dating Agency

From Sweet Sugar Anastasia, Svetlana, Angela, Marino4ka, Irina, Hot Julia, Ane4ka, Nastya, and Yulia, to the Lonely Polina and the malware and exploits serving girls, Russian/Ukrainian dating scams are still pretty active these days.

A recently spammed dating campaign exposes the fraudulent practices of a well known such agency (Confidential Connections) that has been changing its name, typosquatting new domains in order to remain beneath the radar, a bit of an awkward practice given their noisy spamming approach of attracting visitors.

The spam's message:

"Good day, my gentleman!

All love is probationary, a fact which frightens women and exhilarates men. I believe that unarmed truth and unconditional love will have the final word in reality. I was born in a friendly, cultured family and would like to have the same family in my own life. I love nature, flowers, music, dancing. I like to receive guests at home and spend time with friends. I always try to use opportunity to travel and see new places in the world. I have a good, quite and merry character, don't like argues and rows. I hope to meet a white man, Christian, clever. Besides I would like to meet a good person with a good sense of humor, who wants to create a good strong family. If you would be loved, love and be lovable. I am waiting for you http://iam-waiting4love .com/infinity/

Waiting for your mail
Sveetlana B."

The user is then asked to register at hifor-you .com/register.php followed by an email confirmation explaining how the agency/scam at ualadys .com (76.74.250.239 Email: Tyom13@aol.com) works:

"We view ourselves as more of MATCHMAKERS than a mere Introduction Company. We DO NOT BUY OR SELL addresses of Ladies from other agents. Rather, we take the time and effort to meet each Lady referred to us in person, interview her at length, checkout her credentials to make sure her intentions are proper, before she gets hosted as our client. It is this knowledge of the Ladies that allows us to select the right persons to introduce to each man.

Compatibility is the KEY. Our formula is simple, yet highly productive:
1. You fill out our profile, same as the Ladies
2. Select the Ladies you would like to meet
3. Until you have a predetermined amount of Ladies reply with a yes
4. During your trip meetings are scheduled on a private, one-on-one setting, with an interpreter to assist you (if you require one) We know that your time is limited when you go on trip. This is a very efficient selections process that saves your time and, in fact, allows you the extra time to really get to know the Ladies.

All meetings are one-on-one. We do not organize socials that do not work. Our service is usually based upon a male clients access to time and his available budget. The normal procedure is for a client to look through our gallery of Ladies, select the Ladies for pre-qualification, and correspond with them by e-mail or phone, than arrange a one-on-one visit. Still others, after viewing the Ladies, decide that the best overall approach would be to simply go there and meet as many women as we can arrange for them to meet, and spend time with them before making a decision.

Also experiencing first-hand their environment and culture gives the man a future understanding of his future bride. OUR PERSONAL INTRODUCTION TRIP HAS BEEN YEILDING A 95% SUCCESS RATE! Again, the reason for this is the growing frustration among the Ladies about the lack of follow through the men, Consequently, many Ladies do not respond to letters, knowing that few ever follow through. They simply wait to meet the men who go there. THUS, THE SITUATION HAS BECOME A DREAM FOR THE MAN WHO ARE SERIOUS.

During our Special Photoshoot Trips (e-mail for dates); you will get an opportunity to watch and meet new Ladies. Many times, clients pick these new Ladies because they are fresh and no one has ever met them before. We have quite a few Ladies who have never made it to the gallery because they got engaged immediately to the men who went no trips."

The agency is also reserving the right to forward the responsibility for any fraudulent activities to the girls, the majority of which do not exist at the first place in the following way:

All scam patterns have similarities that are very easy to spot if you know what to watch out for:

Usually the contact originates from a personals site where anyone can place his/her ad for free. Most often it was not you who initiated the acquaintance; you received a letter from a lovely Russian female who was interested in you. *Her* description of the partner is always very broad that will fit anybody - "kind intelligent man, age and race don't matter".

Sometimes *she* places a real nice discription and lovely, INNOCENT pictures, with honest eyes and kind smile. You will initiate the acquaintance.

It is always email correspondence; and letters are sent regularly, often every day; a new picture is sent with almost every letter.

This is very entertaining since the agency is driving traffic to its domains through spamming. The full list of spammed domains part of the campaign :
love-f-emale .com - 62.90.136.207
i-amsingle .com
for-you-from-me .com
destinycombine .com
with-hope-for-love .com
iam-waiting4love .com
allisloveandlove .com
amourwedding .com
adorelovewon .com
andiloveyoutoo .com
attractive-ladies .com
luckyheatrs .com
sunwants .com
myloving-heart .com
touchmy-heart .com
dreams-about-lady .com
fillinglove .net
createyourlove .net
buildyour-happylove .net
tender-woman .net
make-family .net

There's something "ingenious" about this type of dating scams, since the bogus dating agency can forward the scam responsibility to the non-existent girls at the first place. Moreover, despite the countless number of email credits, flowers and photos that you've purchased by using the agency's commercial services, the non-existent girl can always reserve the right not to meet or interact with you in any way. And even if there are actual girls working for the ad agency on a revenue-sharing basis, the agency silently makes money by reserving its right to ruin your return on investment no matter how much and what you spend on their site.

Now, that's a business model scamming the gullible and the lonely, which from a legal perspective -- excluding the spamming -- can in fact be legal in the country of operation due to the eventual mis-matching of characters.

UPDATE:
The people from "Confidential Connections" have a long history of spamming/scamming activities. Here are more related resources:

A first-person account:

"..ualadies... I work as a guide and translator for guys seeking a wife in Ukraine, and a client just came to me who was due to meet a girl from this agency. Im so wound up by the actions of this agency that i am going to post this thread in every scam forum i know about. Here is a short list of what they did:

1) Put him in a taxi to pick up the girl and take her to the restaurant, then charged him $80 for what should have been a $10 journey
2) Charged him $60 for a one hour translation, saying that they take a minimum charge of 4 hours ($15 an hour)..this they told him only after the meeting
3) After my client had payed (a very steep $50) to meet the girl, he got her address and decided to send her some flowers (at the local rate of 2 dollars for 1 rose, as apposed to 10 dollars a rose at the agency). The agency, upon finding out about this, called him up and shouted at him for daring to send her roses not through them (!)

4) It turned out that the girl hadn't written most of the letters the client had shared with her over a period of a year, and in fact that the agency themselves had written them, earning good money in the proccess!
5) The agency lied about the upper age limit for a guy the girl was willing to meet - they put down 60 when she had indicated 40.
6) There is more!...but i think ive written enough for you to get the idea.

Be aware of this agency! In all my time as a guide/translator i have never seen an agency that works so shambolicaly. Agencies like this ruin the reputation of the business, in which there are number of hard working honest agencies that suffer as a result."

More comments from the same person, presumably working there:
"Beware of ualadys. I live in Ukraine and know someone who works in one of the branches. Word has it that they churn out letters factory-style and often write themselves. They do not allow their girls to turn down a man who has requested to communicate with them, even if they dont want to. They did not allow me to go to their office to check them out and ask them questions. They scare the girls so that they dont get in personal contact with a guy or go to another agency. Beware!"

Exclusive photo gallery from what appears to be a scammed customer -- wedding rings are in place. The guy was initially spammed:

"On June 23rd of 2008 (that was 5 months after I gave up my relationship with my ex girlfriend), I received one email from UAladys which stated it was translated for a lady in Ukraine. Her name is Anastasia R. (ID 5008) Her introduction letter went as follows"

Thankfully, he's preserved the achive of the correspondence, exposing their practices.

Dissecting a Swine Flu Black SEO Campaign

Remember the Ukrainian group of cyber criminals that was responsible for last week's massive blackhat SEO campaign that was serving scareware, followed by the timely hijacking of Mickeyy worm keywords a week earlier to once again serve rogue security software?

They are back with new blackhat SEO farms which they continue monetizing through rogue security software. Time to dissect their latest campaign and expose their malicious practices.

Once having most of their previous domains blacklisted/shut down, the group naturally introduced new ones, and changed the search engine optimization theme to swine flu, in between a variation of their previous one relying on catchy titles such as USA News; BBC News; CNN News as well as Hottest info!; HOT NEWS; Official Website and Official Site.

Upon visiting the site, an obfuscated iFrame statically hosted on all of the participating domains in the form of 2qnews.07x .net/images/menu.js redirects the user to sexerotika2009 .ru/admin/red/en.php (74.54.176.50; Email: rebsdtis@land.ru). Are you noticing the directory structure similarities? Appreciate my rhetoric, it's last month's blackhat SEO gang with a new portfolio of domains.

What follows is the usual referrer check : "var ref,i,is_se=0; var se = new Array("google.","msn.","yahoo.","comcast.","aol.");" from where the user is redirected to liveavantbrowser2 .cn/go.php?id=2022&key=4c69e59ac&p=1 (83.133.123.140) acting as central redirection point to the typosquatted portfolio of rogue security software domains.

The original scareware domain vrusstatuscheck .com/1/?id=2022&smersh=a9fd94859&back=%3DjQ51TT1MUQMMI%3DN - (69.4.230.204; 38.99.170.209; 78.47.172.66; 78.47.91.153; 94.76.212.239; 94.102.48.28) is exposing the rest of the scareware (detection rate) portfolio with the following domains parked at these IPs:

antivirusbestscannerv1 .com
antivirus-powerful-scanv2 .com
antivirus-powerful-scannerv2 .com
virusinfocheck .com
vrusstatuscheck .com
adware-removal-tool .com
1quickpcscanner .com
1spywareonlinescanner .com
1computeronlinescanner .com
1bestprotectionscanner .com
securityhelpcenter .com
antivirus-online-pro-scan .com
securedonlinecomputerscan .com
antispywarepcscanner .com
securedvirusscanner .com
virusinfocheck .com
antivirusbestscannerv1 .com
antispywareupdateservice .com
platinumsecurityupdate .com
antispywareupdatesystem .com
onlineupdatessystem .com
softwareupdatessystem .com
securedpaymentsystem .com
infosecuritycenter .com
antispywareproupdates .com
securedsoftwareupdate .cn
securedupdateslive .cn
thankyouforinstall .cn
securityupdatessystem .cn
securedsystemresources .cn
securedosupdates .cn
windowssecurityupdates .cn

Once executed it downloads Microsoft's original thank you note (update.microsoft.com/windowsupdate/v6/thanks.aspx), and confirms the installation so that the blackhat SEO campaigners will receive a piece of the pie at securedliveuploads .com/?act=fb&1=0&2=0&3=kfddnffaffihlcoemdkedcaefcfaffedhfmdmboc&4=eebajfjafekaifnbddghoclg&5=22&6=1&7=63&8=31&9=0&10=1

Related phone-back locations:
liveavantbrowser2 .cn - (83.133.123.140)
securedliveuploads .com
liveavantbrowser2 .cn
awardspacelooksbig .us
crytheriver .biz
softwareupdatessystem .com
securedsoftwareupdate .cn
securedupdateslive .cn
securedosupdates .cn

Blackhat SEO subdomains at the free web site hosting services:
2qnews.07x .net
2rnews.07x .net
1news.07x .net
1knews.07x .net
1xnews.07x .net
gerandong.07x .net
kort.07x .net
30newsx.07x .net
4dnews.07x .net
4dnews.07x .net
laptop.07x .net
30newsf.07x .net

Blackhat SEO domains participating in the second multi-theme campaign:
01may2009 .us
m1m18test .us
m1m17test .us
m1m21test .us
m1m11test .us
m1m16test .us
m1m20test .us
m1m15test .us
m1m14test .us
m1m13test .us
m1m11test .us
m1m15test .us
m1m19test .us
f9o852test .us
f9o851test .us
f9o87test .us
f9o86test .us
f9o5test .us
f9o8test .us
ff7test5 .us
g2g1test .us

Blackhat SEO domains participating in the third campaign:
greg-page-boxing.6may2009 .com - 212.95.58.156
dualsaw.06may2009 .com
craigslist-killer.5may2009 .com

Upon clicking, the user is redirected to berusimcom .com/t.php?s=18&pk=, then to the SEO keyword logger at berusimcom .com/in.cgi?18&seoref=&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=nfl-draft.5may2009 .com&ppckey=, and then exposed to another portfolio of rogue security software (detection rate) at hot-porn-tubes.com/promo3/?aid=1361&vname=antivirus - 78.129.166.166; 91.212.132.12, with the following domains parked at the same IPs:

xxxtube-for-xxxtube .com
youporn-for-free .com
xtube-xmovie .com
free-xxx-central .com
xtube-downloads .com
porn-tube-movies .com
my-fuck-movies .com
niche-tube-videos-here .net
free-tube-video-central .net
tubezzz-boobezzz .net
hot-tube-tuberzzz .net

Persistence must be met with persistence.

Friday, May 01, 2009

Summarizing Zero Day's Posts for April

The following is a brief summary of all of my posts at ZDNet's Zero Day for April. You can also go through previous summaries for March, February, January, December, November, October, September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed.

Notable articles include: Google's CAPTCHA experiment and the human factor; Conficker's estimated economic cost? $9.1 billion and Twitter hit by multiple variants of XSS worm.

01. Conficker worm's copycat Neeris spreading over IM
02. Paul McCartney's official site serving malware
03. Fake "Conficker Infection Alert" spam campaign circulating
04. Twitter hit by multiple variants of XSS worm
05. Scareware pops-up at FoxNews
06. Waledac botnet spamming fake SMS spying tool
07. Twitter worm author gets a job at exqSoft Solutions
08. Google's CAPTCHA experiment and the human factor
09. Hackers hijack DNS records of high profile New Zealand sites
10. New ransomware locks PCs, demands premium SMS for removal
11. Conficker's estimated economic cost? $9.1 billion
12. Swine flu email scams circulating
13. Online broker CommSec criticised for weak passwords, lack of SSL
14. Survey: 37% of employees would become insiders given the right incentive
15. French hacker gains access to Twitter's admin panel

Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

Friday, July 03, 2009

Wednesday, July 01, 2009

Wednesday, June 24, 2009

Wednesday, June 17, 2009

Tuesday, June 16, 2009

Tuesday, June 09, 2009

Monday, June 08, 2009

Friday, June 05, 2009

Thursday, June 04, 2009

Tuesday, June 02, 2009

Wednesday, May 27, 2009

Tuesday, May 26, 2009

Tuesday, May 19, 2009

Thursday, May 14, 2009

Tuesday, May 12, 2009

Wednesday, May 06, 2009

Friday, May 01, 2009

About Me

Add Feed to RSS Reader

FeedBurner FeedCount

Readers Online

Subscribe to this Blog

Blog Archive

Featured Publications/Articles

Infowar Blogosphere

Jiglu - Topical Tag Cloud

Random Infowar Videos