Thursday, June 04, 2009

From Ukrainian Blackhat SEO Gang With Love

UPDATE: My name is now an integral part of the scareware business model.

Yet another redirector used in the ongoing blackhat SEO campaign is using it, this time saying just "hi" - hidancho.mine .nu/login.js redirects to privateaolemail .cn/go.php?id=2010-10&key=b8c7c33ca&p=1 and then to antimalwareliveproscanv3 .com where the scareware is served -- catch up with the Diverse Portfolio of Fake Security Software series.

What's next? The release of Advanced Pro-Danchev Premium Live Mega Professional Anti-Spyware Online Cleaning Scanner 2010?

You know you have a fan club, as well as positive ROI out of your research, when one of the most active blackhat SEO groups for the time being starts cursing you in its multiple redirectors, in this particular case that's seo.hostia .ru/ddanchev-sock-my-dick.php.

Back in 2007, it used to be the polite form of get lost or "ai siktir vee" courtesy of the New Media Malware Gang, a customer of the Russian Business Network.

Upon hijacking legitimate traffic and verifying that the visitor is coming from var se = new Array("google.","msn.","yahoo.","comcast.","aol", the redirector then takes us to macrosoftwarego .com; live-payment-system .com, and to antimalware-live-scanv3 .com where the scareware is served.
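For defenders triaging scripts found on compromised pages, the referrer check described above can be spotted statically. The following is an added example, not code from the original post or from the campaign: the token list is the fragment quoted in the post, while the function name, the sink patterns, the two-token threshold and both sample scripts are assumptions constructed for illustration.

```javascript
// Static heuristic: flag scripts that gate a client-side redirect on a
// search-engine referrer, the cloaking pattern described in the post.
// Tokens are the ones visible in the post's quoted fragment.
const SE_TOKENS = ["google.", "msn.", "yahoo.", "comcast.", "aol"];

// Assumed set of navigation sinks a client-side redirector ends in.
const SINKS = [
  /\b(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=[^=]/,
  /\blocation\.(?:replace|assign)\s*\(/,
];

function scanScript(src) {
  // Pull out quoted string literals and look for the referrer tokens in them.
  const literals = [...src.matchAll(/(["'])((?:\\.|(?!\1).)*?)\1/g)]
    .map((m) => m[2].toLowerCase());
  const tokens = SE_TOKENS.filter((t) => literals.some((l) => l.includes(t)));
  const readsReferrer = /\bdocument\s*\.\s*referrer\b/.test(src);
  const navigates = SINKS.some((re) => re.test(src));
  // Require all three traits together; one search-engine token alone is
  // common in benign analytics code, so at least two are needed (assumption).
  const suspicious = readsReferrer && navigates && tokens.length >= 2;
  return { tokens, readsReferrer, navigates, suspicious };
}

// Constructed sample: the array is closed after the last token visible in
// the post, and the destination is a placeholder.
const REDIRECTOR_SAMPLE = `
var se = new Array("google.","msn.","yahoo.","comcast.","aol");
var ref = document.referrer.toLowerCase();
for (var i = 0; i < se.length; i++) {
  if (ref.indexOf(se[i]) !== -1) {
    window.location.href = "http://landing.example.invalid/";
  }
}`;

// Constructed benign sample: reads the referrer but never navigates.
const BENIGN_SAMPLE = `
var ref = document.referrer;
if (ref.indexOf("google.") !== -1) { hits.push("search"); }`;

console.log(scanScript(REDIRECTOR_SAMPLE));
console.log(scanScript(BENIGN_SAMPLE));
```

A hit is a triage signal only; obfuscated redirectors that build the token strings at runtime need dynamic analysis with a search-engine Referer header set.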

Scareware domains (delegated) part of their campaigns which as of recently diversity to Lycos owned

Rephrasing the Cardigans Love Fool song - Common sense tells me I shouldn't bother, and I ought to stick to another blackhat SEO campaign, a blackhat SEO campaign that surely deserves me, but I think you folks do.

Thanks to Sean-Paul Correll from PandaLabs for the tip.