Monday, July 14, 2008

Monetizing Compromised Web Sites

Despite that pure patriotic hacktivism is still alive and kicking, compromised sites are largely getting monetized these days, starting from hosting blackhat SEO junk pages, to redirecting to live exploit URLs and fake codecs where revenue is earned through their participation in an affiliate business model.

With The Africa Middle Market Fund's site monetized by web site defacers who defaced it "in between" the blackhat SEO infrastructure they were hosting internally, in this I'll comment on the currently compromised and redirection to a fake porn sites, Camara Municipal de Amparo ( Basically, it's homepage is heavily linking to the Zlob variant ( video.exe) in between loading an IFRAME to index.php. As always, upon uploading their redirector, they've build enough confidence into their new hosting provider that the link to the redirector was instantly spammed across the web. The site is so heavily linking to the internal redirector itself, that upon clicking on the majority of links the user will inevitably come across it.

Speaking of fake porn sites redirecting to Zlob variants, here are the very latest additions spammed across the web through blackhat SEO practices :

just-tube .com

mypornmovies .net

moms-galls .net

porntubefilms .com

porntubedot .com

hot-porntube .com

landmovieblog .com

sexvidtube .com

freelifevideo .com

getyourfreemovie .com

iubat .com

sweetyjoly .com

hardbizarre .com

freeworldvideo .net

hot-porntube .net

qualitymovies .net

porntube1con .net

video-info .net

videocityblog .com

fuckedolder  .com

highpro1 .com .pl

grandsupertds .info

hot-porn-tube .net

hot-porntube .com

terryschulz .com

show-sextube .com

qualitymovies .net

clubvideos .net

No matter the high profile site that's been exploited in order to participate in such malicious operations, for the time being, crunching out new domain names and using the hosting services of the well known ISPs neglecting their removal, seems to be the tactic of choice. The long tail of SQL injected sites is however, clearly replacing the plain simple blackhat SEO web spamming, so that traffic to these rogue sites is driven through redirection of the the traffic from legitimate sites.