Wednesday, April 22, 2009

Massive Blackhat SEO Campaign Serving Scareware

Over the past couple of days, I've been monitoring yet another massive blackhat SEO campaign consisting of the typical hundreds of thousands of already crawled bogus pages serving scareware/fake security software.

Later on Google detected the campaign and removed all the blackhat SEO farms from its index, which during the time of assessment were close to a hundred domains with hundreds of subdomains, and thousands of pages within.

Despite the abuse notifications for some of the central redirection domains proving effective, it took the cybercriminals approximately 24 hours to catch up and once again start hijacking search queries, in a combination of scareware and pay-per-click redirections.

It's worth pointing out that this very latest campaign is directly related to last week's keywords hijacking blackhat SEO campaign, with both campaigns relying on identical redirection domains and serving the same malware. Who's behind these search engine poisoning attacks? A Ukrainian gang monetizing the hijacked traffic through the usual channels - scareware and reselling of the anticipated traffic.

The first stage of the campaign was relying on mainstream media titles within its pages such as USA News; BBC News; CNN News as well as Hottest info!; HOT NEWS; Official Website and Official Site, thereby making it fairly easy to expose their portfolio of domains.

Interestingly, the cybercriminals appear to have detected the activity -- certain traffic management kits can log attempts to wander around the farm -- and removed the titles, which, combined with the typical referrer checking, made the campaign a bit more evasive:

var ref,i,is_se=0; var se = new Array("google.","msn.","yahoo.","comcast.","aol.","dead"); if(document.referrer)ref=document.referrer; else ref=""; for(i=0;i<5;i++

Once the user visits any of the domains within the portfolio, with a referrer check confirming that he arrived from a search engine, two JavaScripts load: one dynamically redirecting to the portfolio of fake security software, and the other logging the visit using a Ukrainian web site counter service.
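The referrer gate described above is what hides the redirect from anyone who types the URL directly. As an added example (not code from the post or from the kit it describes), the Python below mirrors that condition and compares two fetches of the same landing page, one plain and one with a search-engine Referer, to surface the hosts that only appear for search traffic. The HTML and the hosts redirector.example and counter.example are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Search-engine markers the post's snippet tests document.referrer against.
SEARCH_ENGINE_HOSTS = ("google.", "msn.", "yahoo.", "comcast.", "aol.")

def referrer_is_search_engine(referrer):
    """Reproduce the landing page's gate so a crawler can exercise both paths."""
    host = urlparse(referrer).netloc.lower()
    return any(marker in host for marker in SEARCH_ENGINE_HOSTS)

# Patterns for the three ways such a page hands the visitor off elsewhere:
# an external script, a JavaScript location assignment, or a meta refresh.
SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)
JS_REDIRECT = re.compile(r'(?:location(?:\.href)?|window\.location)\s*=\s*["\']([^"\']+)["\']', re.I)
META_REFRESH = re.compile(r'<meta[^>]+http-equiv=["\']refresh["\'][^>]+url=([^"\'>\s]+)', re.I)

def external_hosts(html):
    """Collect every host the page loads scripts from or redirects to."""
    hosts = set()
    for pattern in (SCRIPT_SRC, JS_REDIRECT, META_REFRESH):
        for url in pattern.findall(html):
            netloc = urlparse(url).netloc.lower()
            if netloc:
                hosts.add(netloc)
    return hosts

def cloaking_delta(html_direct, html_via_search):
    """Hosts present only in the search-referred fetch.

    A non-empty result means the page serves different behaviour to search
    traffic, which is the cloaking signature worth alerting on."""
    return external_hosts(html_via_search) - external_hosts(html_direct)

# Constructed sample responses: what a crawler sees without a Referer ...
PAGE_DIRECT = (
    '<html><head><title>Hot News</title></head>'
    '<body>Keyword-stuffed filler text.</body></html>'
)
# ... and what the same page serves when the Referer names a search engine.
PAGE_VIA_SEARCH = (
    '<html><head><title>Hot News</title>'
    '<script type="text/javascript" src="http://counter.example/hit.js"></script>'
    '<script>window.location="http://redirector.example/in.cgi?3";</script>'
    '</head><body>Keyword-stuffed filler text.</body></html>'
)

if __name__ == "__main__":
    print(sorted(cloaking_delta(PAGE_DIRECT, PAGE_VIA_SEARCH)))
```

In practice the two fetches come from a crawler that requests each suspect URL twice, once with an empty Referer and once with a Google referrer, and feeds both bodies to cloaking_delta.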

The most recent list of domains on popular DNS services is as follows. Subdomains are excluded since there are several hundred currently active per domain:

The rotated scareware/fake security software domains include scan-antispyware-4pc .com, parked at the same portfolio of fake security software domains I previously warned about: by blocking them you would proactively protect your customers from blackhat SEO campaigns like this one.

Download locations/related fake codec redirections:
loyal-porno .com - the same domain was recently exposed in the same blackhat SEO campaign

Sample detection rates:

Monitoring of the campaign will continue.

Related posts:
Dissecting the Bogus LinkedIn Profiles Malware Campaign
Bogus LinkedIn Profiles Redirect to Malware and Rogue Security Software
Blackhat SEO Redirects to Malware and Rogue Software
The Invisible Blackhat SEO Campaign
Attack of the SEO Bots on the .EDU Domain - The Ongoing Blackhat SEO Operation
The Continuing .Gov Blackhat SEO Campaign
The Continuing .Gov Blackhat SEO Campaign - Part Two
Rogue RBN Software Pushed Through Blackhat SEO
Massive Blackhat SEO Targeting Blogspot
Blackhat SEO Campaign at The Millennium Challenge Corporation