Tuesday, June 09, 2009

From Ukrainian Blackhat SEO Gang With Love - Part Two

It seems that the portfolio of redirectors using my name part of an ongoing Ukrainian blackhat SEO is expanding, with seximalinki .ru/images/ddanchev-sock-my-dick.php, as the latest addition. This brings up the number of redirectors to three, at least for the time being:
  • seximalinki.ru/images/ddanchev-sock-my-dick.php - active -; Email: Hippacmc@land.ru
  • seo.hostia .ru/ddanchev-sock-my-dick.php - active -
  • HiDancho.mine .nu/login.js - active -
Let's dissect the latest campaigns, including several related ones not necessarily serving scareware, moreover, let's also establish a connection between this gang and the ongoing hijacking of Twitter trending topics for malware serving purposes, shall we?

The redirector takes the user to antimalwareonlinescannerv3 .com -;; - Email: immigration.beijing@footer.cn where the scareware is served.

The campaign is also relying on three more scareware domains antimalware-live-scanv3 .com; antimalwareliveproscanv3 .com ;fastsecurityupdateserver .com, with ns1.futureselfdeeds .com ensuring that the rest of the portfolio remains in tact :

premiumlivescanv1 .com
advanedmalwarescanner .com

advanedpromalwarescanner .com
antiviruspcscannerv1 .com
antiviruspremiumscanv2 .com
malware-live-pro-scanv1 .com
malwareliveproscanv1 .com
malwareliveproscannerv1 .com
malwareinternetscannerv1 .com
anti-spyware-scan-v1 .com
antimalwarescanner-v2 .com
freeantispywarescan2 .com
antivirus-scanner-v1 .com
internetotherwise .com
macrosoftwarego .com
world-payment-system .com

paymentonlinesystem .com
livewwwupdates .com
liveinternetupdates .com
livesecurityupdate .com
securitysoftwarepayments .com
antiviruspaymentsystem .com
systemsecurityupdates .com
networksecurityadvice .com
systeminternetupdates .com
protectionsystemupdates .com
updateinternetserver2 .com
protectionupdates2 .com
proantivirusscannerv2 .com
proantivirusscanv2 .com
powerantivirusscanv2 .com

These blackhat SEO-ers have been actively multitasking during the past couple of months. For instance, another campaign maintained by them at Lycos Tripod's is-the-boss.com is using the redirector ntlligent .info/tds/in.cgi?11&seoref=&parameter=$keyword&se=$se&ur=1&HTTP_REFERER= (, hosted by Layered Technologies, Inc., in order to serve a a Koobface sample located at, which upon execution phones back to upr15may .com/achcheck.php; upr15may .com/ld/gen.php ( as well as to i-site .ph/1/6244.exe; i-site .ph/1/nfr.exe with the second binary phoning back to 85.13.236 .154/v50/?v=71&s=I&uid=1824245000&p=14160&ip=&q=.

Another campaign maintained by them at is-the-boss.com is using three redirectors kurinah.freehostia .com/in.cgi?8&seoref=&parameter=$keyword&se=&ur=1&HTTP_REFERER=; promodomain .info/in.cgi?8&seoref=&parameter=$keyword&se=&ur=1&HTTP_REFERER= - - Email: support@ruler-domains.com and thetrafficcontrol .net/in.cgi?8&seoref=&parameter=$keyword&se=&ur=1&HTTP_REFERER=, until the user is finally redirected to a fake PornTube portal big-tube-list .com/teens/xmovie.php?id=45048 - - isaacdonn@gmail.com where malware is served from my-exe-profile .com/streamviewer.45048.exe - - Email: michalevd@gmail.com.

Upon execution, streamviewer phones back to reportsystem32 .com/senm.php?data= - -, terradataweb .com/senm.php?data=v22 - -, and dvdisorapid .com/senm.php?data=v22 -

Several related fake codec serving domains parked at are also currently active:
get-mega-tube .com - Email: raymgnw95@gmail.com
best-crystal-tube .com - Email: raymgnw95@gmail.com
the-lost-tube .com - Email: hilachow@gmail.com
sunny-tube-house .com - Email: hilachow@gmail.com
proper-tube-site .com - Email: hilachow@gmail.com
tube-xxx-work .com - Email: hilachow@gmail.com
big-tube-list .com - Email: isaacdonn@gmail.com

A third campaign is using a single redirector to tangoing .info/cgi-bin/analytics?id=917304&k= - - Email: dophshli@gmail.com to dynamically redirect visitors to pretty much all the scareware domains listed in part twenty one of the diverse portfolio of fake security software series. Moreover, the very same email used to register the redirecting domain was also used to register a payment processing gateway for scareware transactions in January, 2009.

Yet another blackhat SEO operation maintained by the same group since February, 2009 is fi97 .net/jsr.php?uid=dir&group=ggl&keyword=&okw=&query="+query+" referer="+escape(document.referrer)+"&href="+escape(location.href)+"&r="+rzz+"'><"+"/scr"+"ipt>", which according to publicly obtainable statistics received approximately 138, 000 unique visitors in April, with 30.23% coming from Google.

The traffic hijacking of for the purpose of serving malware, using over a hundred different .us domains was in fact so successful that several webmasters reported loosing their organic search traffic due to the content within the sites. The campaign then switched to a pharmaceutical theme using a Google search engine theme, with several static links to pharma scams, once again using the already established traffic redirections tactics.

The redirectors in question petrenko .biz - - Email: olegoff@yandex.ru and myseobiz .net - - Email: 3bd864dddbe4421ab1112a6ebc6df4fb.protect@whoisguard.com remain in operation. The bogus Google front page is advertising the following pharma domains:

theusdrugs .com -, parked at the same IP are also more pharma domains:
medscompany .org
canadian-rxpill .com
bestyourpills .com
rx-drugs-support .com
payment-rx .com
genericdrugs .in

mendrugsshop .com
healthrefill .com

It gets even more inter-connected and malicious since this very same gang is also the one responsible for the ongoing malware campaign spreading scareware by using Twitter's trending topics. Let's establish a direct connection between the Ukrainian gang and the campaign.

The TinyURL links used redirect to an identical domain - 00freewebhost .cn - - Email: louisgreenfield@gmail.com, where an iFrame is loading happy-tube-video .com/xplays.php?id=40030 - - Email: isaacdonn@gmail.com where Mal/FakeAV-AY (streamviewer.40030.exe) is served, this time from exe-soft-files .com/streamviewer.40030.exe - - Email: michalevd@gmail.com.

This very same domain (happy-tube-video .com registered to isaacdonn@gmail.com) is part of the second PornTube fake codec campaign which I assessed above, this time pushed through the gang's blackhat SEO campaigns.

Moreover, in a typical cybercrime-friendly style, the main malicious domain operated by the gang and used in the Twitter campaign - 00freewebhost .cn - continues to load the malware serving domain despite that it's main index is serving a fake account suspended notice - "This Account Has Been Suspended, This includes, but is not limited to overusing server resources, publishing adult content, or unauthorized posting of copyrighted material. Please contact our Support Team for more information." Which is pretty amusing, since despite the fact that they're using an iFrame to point to a different location, they've left an animated GIF image of a fake codec hosted there - 00freewebhost .cn/shmo/pl.gif.

A second connection between the Ukraininan black SEO gang, Twitter's ongoing campaign and the fake web hosting provider which I profiled yesterday can also be made.

For instance, the URL shortening service used in last week's campaign at Twitter a.gd/2524d9/ redirects to 66.199.229 .253/etds/go.php?sid=43 and then to av-guard .net/?uid=27&pid=3 as well as to fast-antivirus .com which are the scareware domains exposed in the recent "Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot" post. The scareware obtained from it, as well as the scareware from the above-exposed PornTube campaign streamviewer.40030.exe also share the same phone back locations.

Coming across yet another operation managed by them, namely, the ongoing Twitter trending topics hijacking attack, clearly demonstrates the impact this single group of individuals can have while multitasking at different fronts. And despite the numerous traffic acquisition tactics used, the monetization approach remains virtually the same - scareware.