Wednesday, April 22, 2009

Massive Blackhat SEO Campaign Serving Scareware

Over the past couple of days, I've been monitoring yet another massive blackhat SEO campaign consisting of the typical hundreds of thousands of already crawled bogus pages serving scareware/fake security software.

Later on Google detected the campaign and removed all the blackhat SEO farms from its index, which during the time of assessment were close to a hundred domains with hundreds of subdomains, and thousands of pages within.

Although the abuse notifications for some of the central redirection domains proved effective, it took the cybercriminals approximately 24 hours to catch up and once again start hijacking search queries, monetized through a combination of scareware and pay-per-click redirections.

It's worth pointing out that this very latest campaign is directly related to last week's keyword hijacking blackhat SEO campaign, with both campaigns relying on identical redirection domains and serving the same malware. Who's behind these search engine poisoning attacks? A Ukrainian gang monetizing the hijacked traffic through the usual channels - scareware and reselling the hijacked traffic.

The first stage of the campaign relied on mainstream media titles within its pages, such as USA News, BBC News and CNN News, as well as Hottest info!, HOT NEWS, Official Website and Official Site, which made it fairly easy to expose their portfolio of domains.

Interestingly, the cybercriminals appear to have detected the monitoring activity -- certain traffic management kits log attempts to browse the farm outside the intended path -- and removed the titles, which, combined with the typical referrer checking, made the campaign a bit more evasive:

var ref,i,is_se=0; var se = new Array("google.","msn.","yahoo.","comcast.","aol.","dead"); if(document.referrer)ref=document.referrer; else ref=""; for(i=0;i<5;i++

Once a user visits any of the domains within the portfolio, and the referrer check confirms that they arrived from a search engine, two JavaScripts load: one dynamically redirects to the portfolio of fake security software, and the other logs the visit using a Ukrainian web site counter service (c.hit.ua/hit?i=6058&g=0&x=2&s=1&c=1&t=420&w=1024&h=768&d=24&0.5505934176708958&r=&u=http%3A//13news.hobby-site.com/counter.js).
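As an added example (not code from the original post), here is how a defender can confirm the referrer-gated cloaking described above: fetch a candidate URL once with no Referer and once with each search-engine Referer, then compare the final URL and a hash of the body. `http_fetch` is a real fetcher; `fake_cloaked_site`, `fake_honest_site` and the `.invalid` hostnames are constructed stand-ins so the check runs offline, and the referer query strings are constructed sample values.

```python
"""Differential fetch to spot referrer-gated cloaking.

Added example, not code from the original post. A cloaked page serves
harmless content to direct visitors and only redirects (or swaps content)
when the Referer names a search engine, which is exactly the check the
campaign's JavaScript performs. Fetching the same URL with and without such
a Referer and diffing the results exposes that behaviour.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Referers containing the hostname fragments the campaign's own check keys on
# (google., msn., yahoo., aol.). The query strings are constructed samples.
SEARCH_REFERERS = [
    "https://www.google.com/search?q=bbc+news",
    "https://www.msn.com/?q=bbc+news",
    "https://search.yahoo.com/search?p=bbc+news",
    "https://search.aol.com/aol/search?q=bbc+news",
]

# A fetcher takes (url, referer-or-None) and returns (final_url, body).
Fetcher = Callable[[str, Optional[str]], Tuple[str, bytes]]


def http_fetch(url: str, referer: Optional[str]) -> Tuple[str, bytes]:
    """Real fetcher over HTTP(S); follows redirects and reports the final URL."""
    headers = {"User-Agent": "Mozilla/5.0 (cloaking-check)"}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.geturl(), resp.read()


def _sha256(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def check_cloaking(url: str, fetcher: Fetcher = http_fetch) -> List[Dict[str, object]]:
    """Return one finding per search-engine Referer whose response differs
    (final URL or body hash) from the Referer-less baseline. An empty list
    means the page looked the same regardless of how the visitor arrived."""
    base_url, base_body = fetcher(url, None)
    base_hash = _sha256(base_body)
    findings: List[Dict[str, object]] = []
    for referer in SEARCH_REFERERS:
        final_url, body = fetcher(url, referer)
        body_hash = _sha256(body)
        if final_url != base_url or body_hash != base_hash:
            findings.append({
                "referer": referer,
                "baseline_url": base_url,
                "cloaked_url": final_url,
                "body_changed": body_hash != base_hash,
            })
    return findings


# --- constructed stand-ins so the check runs offline (hypothetical hosts) ---
def fake_cloaked_site(url: str, referer: Optional[str]) -> Tuple[str, bytes]:
    """Mimics the campaign's pages: a bland 'Official Website' for direct
    visits, a redirect to a fake scanner when the Referer names a search engine."""
    gated = ("google.", "msn.", "yahoo.", "comcast.", "aol.")
    if referer and any(fragment in referer for fragment in gated):
        return "http://fake-scanner.invalid/scan.php", b"<html>Your PC is infected!</html>"
    return url, b"<html><title>Official Website</title></html>"


def fake_honest_site(url: str, referer: Optional[str]) -> Tuple[str, bytes]:
    """Serves identical content no matter the Referer."""
    return url, b"<html>same page for everyone</html>"


if __name__ == "__main__":
    for finding in check_cloaking("http://landing-page.invalid/", fetcher=fake_cloaked_site):
        print(finding)
    print("honest site:", check_cloaking("http://landing-page.invalid/", fetcher=fake_honest_site))
```

Running the real fetcher against a live farm should be done from a throwaway host, because the campaign's own logging (the counter script above) records every visit; the point of the injectable fetcher is that the comparison logic can be exercised without touching the network at all.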


The most recent list of domains, including those on popular DNS services, is as follows. Subdomains are excluded since several hundred are currently active per domain:
0kfzzl .us - 95.168.172.202 - Email: diannefostergcei@yahoo.com
52ubih .us - 95.168.172.198 - Email: joeminoryhjb@yahoo.com
5nw8b3 .us - 95.168.172.193 - Email: carolynfosteruwwi@yahoo.com
60mptk .us - 95.168.172.192 - Email: bernadettehockadayfedt@yahoo.com
6ry4nv .us - 95.168.172.191 - Email: markpackvesa@yahoo.com
77m8uh .us - 95.168.172.190 - Email: miguelbellhyes@yahoo.com
axnwpy .us - 95.168.172.204 - Email: hungsandfordoehx@yahoo.com
bumgli .us - Email: coobybrown3@gmail.com
cqxuhk .us - 95.168.172.203 - Email: michaelkoontzutae@yahoo.com
dfkghdf .us - 212.95.58.49 - Email: umora@live.com
dfwdowrly .us - Email: orest@hotmail.ru
edtbcm .us - 95.168.172.198 - Email: warrenskinnerumpi@yahoo.com
edu4life .us - Email: joh.n.ebrilo@gmail.com
fc4oih .us - 95.168.172.187 - Email: florencemclaughlinovpp@yahoo.com
fcbcwo .us - 89.149.216.146 - Email: dorisnaupkou@yahoo.com
fpq58z .us - 95.168.172.205 - Email: thomassoileautysz@yahoo.com
fzjt82 .us - 95.168.172.188 - Email: maryevansarpl@yahoo.com
gfor8g .us - Email: christopherdockinsptdg@yahoo.com
gotpig .us - Email: BeatriceJBrown@text2re.com
hhjsuuy .us - 217.20.117.198 - Email: jarovv@gmail.com
hk2april .us - 78.159.122.123 - Email: zainez@gmail.com
hk3april .us - 78.159.122.137 - Email: zainez@gmail.com
hno6sh .us - 89.149.238.12 - Email: alfredmeadenzcy@yahoo.com
i2u6nr .us - 95.168.172.202 - Email: jameshendricksxuwg@yahoo.com
ik3trends .us - 88.214.198.14 - Email: akililewis@gmail.com
itn92j .us - Email: nicholasmanoicdmg@yahoo.com
j4vre4 .us - Email: bettyfavorsiqzv@yahoo.com
kzq2i2 .us - 89.149.229.157 - Email: robertmitchellrswv@yahoo.com
l5ykp6 .us - 95.168.172.195 - Email: chrishuntpjzc@yahoo.com
lh85uk .us - 95.168.172.200 - Email: susannelsonggyp@yahoo.com
lp24april .us - 89.149.228.129 - Email: ramerod@gmail.com
m9nvzp .us - 89.149.216.50 - Email: jenniferduncanakcq@yahoo.com
mm00april .us - 212.95.55.115 - Email: brevno3@gmail.com
mm99april .us - 78.159.122.91 - Email: brevno3@gmail.com
n5y3m8 .us - 89.149.243.86 - Email: imogenegreenrqqr@yahoo.com
na8nw2 .us - 89.149.216.146 - Email: jeremyfitchcupl@yahoo.com
oag3h8 .us - 95.168.172.200 - Email: susanspidelesig@yahoo.com
po1april .us - 212.95.55.138 - Email: preadzz@gmail.com
po3april .us - 78.159.122.93 - Email: preadzz@gmail.com
pp6sqo .us - 95.168.172.197 - Email: connierobertsolni@yahoo.com
pr061r .us - 89.149.216.146 - Email: shirleywardauof@yahoo.com
qdhccy .us - Email: shark@nightmail.ru
qq338p .us - 89.149.221.36 - Email: debragonzalezyplu@yahoo.com
repszp .us - 89.149.221.36 - Email: christinamerrillzzhd@yahoo.com
rrgtnm .us - 95.168.172.203 - Email: josephelliskozc@yahoo.com
rt658y .us - 89.149.207.33 - Email: luannamcgeeiqwb@yahoo.com
rzi6rj .us - 95.168.172.189 - Email: leatriceporterlhbz@yahoo.com
scsrn8 .us - 95.168.172.201 - Email: donnabrownpgpa@yahoo.com
t9xu44 .us - 95.168.172.194 - Email: robertbissettezeub@yahoo.com
trfddp .us - 89.149.243.89 - Email: davidwilliamsqljt@yahoo.com
up3xv7 .us - Email: dennismontantecoco@yahoo.com
vecy5r .us - Email: merlynsmithsqxm@yahoo.com
vlj5jn .us - 95.168.172.196 - Email: angelostewartqfoq@yahoo.com
vr31qo .us - 95.168.172.199 - Email: christinearcherzhqz@yahoo.com
wk7iie .us - 95.168.172.204 - Email: jewellnakashimalgny@yahoo.com
x2ar3e .us - Email: bobbielopezeits@yahoo.com
xe24py .us - 89.149.243.138 - Email: johnbarberprfi@yahoo.com
xecuk8 .us - 95.168.172.194 - Email: lutheralfaronloz@yahoo.com
yl8ais .us - 89.149.216.147 - Email: meredithflackflub@yahoo.com
yqfvp4 .us - 78.159.96.84 - Email: julierussellnnro@yahoo.com
zvlewrms .us - Email: ygovoruhin@list.ru
zxe11d .us - 95.168.172.195 - Email: christopherlewisxghb@yahoo.com
zy7itf .us - 89.149.207.244 - Email: cindyruizixqr@yahoo.com

13news.doesntexist .com
13news.hobby-site .com
17news.endofinternet .net
18news.homeftp .org
19news.blogdns .com
19news.dnsdojo .org
19news.gotdns .com
19news.kicks-ass .org
19news.servebbs .com
22news.blogdns .com
creditratingguide .hobby-site.com
disneyearrings .hobby-site.com
flatbellydiet .hobby-site.com
hydrangacutflowers .hobby-site.com
isa-geek .org
mxzsaw .hobby-site.com
mysteryterms .hobby-site.com
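An added example (not tooling from the original post) that parses the defanged list above into records and pivots on what the entries share: the same hosting IP, the same /24, or the same registrant email (zainez@gmail.com registering both hk2april .us and hk3april .us, for instance), and then emits a refanged blocklist. INPUT is a constructed excerpt copied from the list above; the parser tolerates the minor formatting differences found in it (a missing "Email:" label, "Email -" instead of "Email:", double spaces).

```python
"""Parse the defanged domain / IP / registrant list and pivot on shared infrastructure.

Added example, not tooling from the original post. INPUT is an excerpt copied
from the list above (a constructed sample for this script). Lines in that list
are not perfectly uniform, so the parser tolerates a missing "Email:" label,
"Email -" instead of "Email:", and stray double spaces.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

INPUT = """\
0kfzzl .us - 95.168.172.202 -  Email: diannefostergcei@yahoo.com
bumgli .us - Email: coobybrown3@gmail.com
edu4life .us - Email - joh.n.ebrilo@gmail.com
fcbcwo .us - 89.149.216.146 - Email: dorisnaupkou@yahoo.com
fzjt82 .us -  95.168.172.188 - maryevansarpl@yahoo.com
hk2april .us - 78.159.122.123 - Email: zainez@gmail.com
hk3april .us - 78.159.122.137 - Email: zainez@gmail.com
i2u6nr .us -  95.168.172.202 - Email: jameshendricksxuwg@yahoo.com
na8nw2 .us - 89.149.216.146 - Email: jeremyfitchcupl@yahoo.com
pr061r .us - 89.149.216.146 - Email: shirleywardauof@yahoo.com
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<tld>\.\S+)"                          # defanged "name .us"
    r"(?:\s+-\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}))?"               # optional hosting IP
    r"(?:\s+-\s+(?:Email\s*[:-]\s*)?(?P<email>\S+@\S+))?\s*$"    # optional registrant email
)

Record = Dict[str, Optional[str]]


def parse(text: str) -> List[Record]:
    """One record per non-empty line: refanged domain, hosting IP (or None), email (or None)."""
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        records.append({"domain": m["name"] + m["tld"], "ip": m["ip"], "email": m["email"]})
    return records


def cluster(records: List[Record], key: str) -> Dict[str, List[str]]:
    """Group domains by an exact shared attribute ("ip" or "email"); keep groups of 2+."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        if r[key]:
            groups[r[key]].append(r["domain"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def shared_networks(records: List[Record], prefix: int = 24) -> Dict[str, List[str]]:
    """Group domains whose hosting IPs fall in the same /prefix; keep groups of 2+."""
    nets: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        if r["ip"]:
            net = ip_network(f"{r['ip']}/{prefix}", strict=False)
            nets[str(net)].add(r["domain"])
    return {n: sorted(d) for n, d in nets.items() if len(d) > 1}


def blocklist(records: List[Record]) -> List[str]:
    """Refanged domains followed by hosting IPs, one entry each, for a DNS sinkhole or proxy deny list."""
    domains = sorted({r["domain"] for r in records})
    ips = sorted({r["ip"] for r in records if r["ip"]}, key=ip_address)
    return domains + ips


if __name__ == "__main__":
    recs = parse(INPUT)
    print("same IP:   ", cluster(recs, "ip"))
    print("same email:", cluster(recs, "email"))
    print("same /24:  ", shared_networks(recs))
    print("\n".join(blocklist(recs)))
```

Pivoting on the /24 rather than the exact IP is what ties the otherwise unrelated-looking .us domains together: most of them sit in 95.168.172.0/24 and 89.149.216.0/24, so a deny rule on those ranges outlasts the individual domains, which the gang rotates far faster than the hosting.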

The rotated scareware/fake security software domains include scan-antispyware-4pc .com, parked at 195.88.81.93, along with the same portfolio of fake security software domains that I previously warned about, noting that blocking them would proactively protect your customers from blackhat SEO campaigns like this one:
pcvistaxpcodec .com
onlinevirus-scannerv2 .com
av-antispyware .com
scan-antispy-4pc .com
fastviruscleaner .com
securityhelpcenter .com
scan-antispy-4pc .com
scanner-work-av .com
scanner-antispy-av-files .com
adwarealert .com
proantispyware .com

Download locations/related fake codec redirections:
winpcdown10 .com (194.165.4.77)
suckitnow1 .com
winpcdown99 .com
loyaldown99 .com
codecxpvista .com
wincodecupdate .com
velzevuladmin .com

tubeloyaln .com
wedare.tubeloyaln .com
lamer.tubeloyaln .com
billingpayment.netcodecs.tubeloyaln .com
videosz.tubeloyaln .com

loyal-porno .com - the same domain was recently exposed in the same blackhat SEO campaign
win-pc-defender .com
codecvistaz .com
loyalvideoz .com

Sample detection rates:
litetubevideoz .net/codec/277.exe - detection rate
winpcdown99 .com/pcdef.exe - detection rate
winpcdown99 .com/file.exe - detection rate
setup.adwarealert .com/setupxv.exe - detection rate
files.scanner-antispy-av-files .com/exe/setup_200093_1_1.exe - detection rate

Monitoring of the campaign will continue.

Related posts:
Dissecting the Bogus LinkedIn Profiles Malware Campaign
Bogus LinkedIn Profiles Redirect to Malware and Rogue Security Software
Blackhat SEO Redirects to Malware and Rogue Software
The Invisible Blackhat SEO Campaign
Attack of the SEO Bots on the .EDU Domain
p0rn.gov - The Ongoing Blackhat SEO Operation
The Continuing .Gov Blackhat SEO Campaign
The Continuing .Gov Blackhat SEO Campaign - Part Two
Rogue RBN Software Pushed Through Blackhat SEO
Massive Blackhat SEO Targeting Blogspot
Blackhat SEO Campaign at The Millennium Challenge Corporation
