Love is a Psychedelic Too

October 01, 2007
Compared to a previous example of an over-performing image spammer, whose efforts to bypass spam filters make it virtually impossible for anyone to fall victim to the pharmaceutical scam, this example of image spam has something very interesting going on: a spamming host that dynamically generates a new subdomain, running a proxy server, every time the central campaign URL is refreshed via obfuscated JavaScript. meds247.org (216.55.70.170) is the public face of abetterlevel.org (221.130.192.17), and here are examples of the "one-time-scams-in-everything" style subdomains:

cpv9c5pt.abetterlevel.org:8080/cg/viagra.php
ccj70tjcm.abetterlevel.org:8088/cg/viagra.php
fdbtpju.abetterlevel.org:8080/cg/viagra.php
b80cpno.abetterlevel.org:8088/cg/viagra.php
ffh3rj8zn.abetterlevel.org:8088/cg/viagra.php

Once accessed, a few minutes later the subdomains either stop responding or start listening on the second port. Moreover, all the subdomains generated at abetterlevel.org resolve to radius.tercernivel.com (200.57.39.20), an indication of an ecosystem operating across three different networks.
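The pattern described above (throwaway random labels under one zone, alternating ports, everything resolving to a single host) is what a defender can cluster on. The following is an added example, not code from the original post: it parses the five URLs quoted above and groups them by zone, resolved IP and path. The resolver is a constructed stand-in table based on the resolution the post reports; the entropy threshold and the minimum cluster size are assumptions.

```python
import math
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Subdomain URLs quoted in the post (no scheme in the original; one is added for parsing).
SAMPLE_URLS = [
    "cpv9c5pt.abetterlevel.org:8080/cg/viagra.php",
    "ccj70tjcm.abetterlevel.org:8088/cg/viagra.php",
    "fdbtpju.abetterlevel.org:8080/cg/viagra.php",
    "b80cpno.abetterlevel.org:8088/cg/viagra.php",
    "ffh3rj8zn.abetterlevel.org:8088/cg/viagra.php",
]

# Constructed stand-in for a DNS resolver: the post states every generated
# subdomain resolved to 200.57.39.20 (radius.tercernivel.com).
FAKE_DNS = {u.split(":")[0]: "200.57.39.20" for u in SAMPLE_URLS}


def shannon_entropy(label: str) -> float:
    """Bits per character of a DNS label; generated labels score high, 'www' scores 0."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse(url: str) -> dict:
    """Split a host[:port]/path string into leftmost label, zone, port and path."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname
    label, _, zone = host.partition(".")
    return {"host": host, "label": label, "zone": zone,
            "port": parts.port or 80, "path": parts.path}


def cluster(urls, resolve=FAKE_DNS.get, min_entropy=2.0, min_hosts=3):
    """Group URLs by (zone, resolved IP, path) and keep clusters of throwaway labels.

    Returns, per cluster, how many distinct hosts were seen and which ports they
    used, so the 8080/8088 alternation shows up alongside the shared back end.
    """
    groups = defaultdict(list)
    for u in urls:
        p = parse(u)
        if shannon_entropy(p["label"]) < min_entropy:
            continue  # readable label such as "www"; not a generated one
        groups[(p["zone"], resolve(p["host"]), p["path"])].append(p)
    return {k: {"hosts": len({p["host"] for p in v}),
                "ports": sorted({p["port"] for p in v})}
            for k, v in groups.items() if len(v) >= min_hosts}
```

Running `cluster(SAMPLE_URLS)` yields one cluster keyed on abetterlevel.org, 200.57.39.20 and /cg/viagra.php with five hosts on ports 8080 and 8088; a live version would swap `FAKE_DNS.get` for a real resolver and feed it proxy or mail-gateway URL logs.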

About Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
