- seximalinki.ru/images/ddanchev-sock-my-dick.php - active - 126.96.36.199; Email: Hippacmc@land.ru
- seo.hostia .ru/ddanchev-sock-my-dick.php - active - 188.8.131.52
- HiDancho.mine .nu/login.js - active - 184.108.40.206
The redirector takes the user to antimalwareonlinescannerv3 .com - 220.127.116.11; 18.104.22.168; 22.214.171.124 - Email: firstname.lastname@example.org where the scareware is served.
The campaign is also relying on three more scareware domains antimalware-live-scanv3 .com; antimalwareliveproscanv3 .com ;fastsecurityupdateserver .com, with ns1.futureselfdeeds .com ensuring that the rest of the portfolio remains in tact :
These blackhat SEO-ers have been actively multitasking during the past couple of months. For instance, another campaign maintained by them at Lycos Tripod's is-the-boss.com is using the redirector ntlligent .info/tds/in.cgi?11&seoref=¶meter=$keyword&se=$se&ur=1&HTTP_REFERER= (126.96.36.199), hosted by Layered Technologies, Inc., in order to serve a a Koobface sample located at 188.8.131.52/view/1/1416/0, which upon execution phones back to upr15may .com/achcheck.php; upr15may .com/ld/gen.php (184.108.40.206) as well as to i-site .ph/1/6244.exe; i-site .ph/1/nfr.exe with the second binary phoning back to 85.13.236 .154/v50/?v=71&s=I&uid=1824245000&p=14160&ip=&q=.
Another campaign maintained by them at is-the-boss.com is using three redirectors kurinah.freehostia .com/in.cgi?8&seoref=¶meter=$keyword&se=&ur=1&HTTP_REFERER=; promodomain .info/in.cgi?8&seoref=¶meter=$keyword&se=&ur=1&HTTP_REFERER= - 220.127.116.11 - Email: email@example.com and thetrafficcontrol .net/in.cgi?8&seoref=¶meter=$keyword&se=&ur=1&HTTP_REFERER=, until the user is finally redirected to a fake PornTube portal big-tube-list .com/teens/xmovie.php?id=45048 - 18.104.22.168 - firstname.lastname@example.org where malware is served from my-exe-profile .com/streamviewer.45048.exe - 22.214.171.124 - Email: email@example.com.
Upon execution, streamviewer phones back to reportsystem32 .com/senm.php?data= - 126.96.36.199 -, terradataweb .com/senm.php?data=v22 - 188.8.131.52 -, and dvdisorapid .com/senm.php?data=v22 - 184.108.40.206.
Several related fake codec serving domains parked at 220.127.116.11 are also currently active:
get-mega-tube .com - Email: firstname.lastname@example.org
best-crystal-tube .com - Email: email@example.com
the-lost-tube .com - Email: firstname.lastname@example.org
sunny-tube-house .com - Email: email@example.com
proper-tube-site .com - Email: firstname.lastname@example.org
tube-xxx-work .com - Email: email@example.com
big-tube-list .com - Email: firstname.lastname@example.org
A third campaign is using a single redirector to tangoing .info/cgi-bin/analytics?id=917304&k= - 18.104.22.168 - Email: email@example.com to dynamically redirect visitors to pretty much all the scareware domains listed in part twenty one of the diverse portfolio of fake security software series. Moreover, the very same email used to register the redirecting domain was also used to register a payment processing gateway for scareware transactions in January, 2009.
Yet another blackhat SEO operation maintained by the same group since February, 2009 is fi97 .net/jsr.php?uid=dir&group=ggl&keyword=&okw=&query="+query+" referer="+escape(document.referrer)+"&href="+escape(location.href)+"&r="+rzz+"'><"+"/scr"+"ipt>", which according to publicly obtainable statistics received approximately 138, 000 unique visitors in April, with 30.23% coming from Google.
The traffic hijacking of for the purpose of serving malware, using over a hundred different .us domains was in fact so successful that several webmasters reported loosing their organic search traffic due to the content within the sites. The campaign then switched to a pharmaceutical theme using a Google search engine theme, with several static links to pharma scams, once again using the already established traffic redirections tactics.
The redirectors in question petrenko .biz - 22.214.171.124 - Email: firstname.lastname@example.org and myseobiz .net - 126.96.36.199 - Email: email@example.com remain in operation. The bogus Google front page is advertising the following pharma domains:
theusdrugs .com - 188.8.131.52, parked at the same IP are also more pharma domains:
It gets even more inter-connected and malicious since this very same gang is also the one responsible for the ongoing malware campaign spreading scareware by using Twitter's trending topics. Let's establish a direct connection between the Ukrainian gang and the campaign.
The TinyURL links used redirect to an identical domain - 00freewebhost .cn - 184.108.40.206 - Email: firstname.lastname@example.org, where an iFrame is loading happy-tube-video .com/xplays.php?id=40030 - 220.127.116.11 - Email: email@example.com where Mal/FakeAV-AY (streamviewer.40030.exe) is served, this time from exe-soft-files .com/streamviewer.40030.exe - 18.104.22.168 - Email: firstname.lastname@example.org.
This very same domain (happy-tube-video .com registered to email@example.com) is part of the second PornTube fake codec campaign which I assessed above, this time pushed through the gang's blackhat SEO campaigns.
Moreover, in a typical cybercrime-friendly style, the main malicious domain operated by the gang and used in the Twitter campaign - 00freewebhost .cn - continues to load the malware serving domain despite that it's main index is serving a fake account suspended notice - "This Account Has Been Suspended, This includes, but is not limited to overusing server resources, publishing adult content, or unauthorized posting of copyrighted material. Please contact our Support Team for more information." Which is pretty amusing, since despite the fact that they're using an iFrame to point to a different location, they've left an animated GIF image of a fake codec hosted there - 00freewebhost .cn/shmo/pl.gif.
A second connection between the Ukraininan black SEO gang, Twitter's ongoing campaign and the fake web hosting provider which I profiled yesterday can also be made.
For instance, the URL shortening service used in last week's campaign at Twitter a.gd/2524d9/ redirects to 66.199.229 .253/etds/go.php?sid=43 and then to av-guard .net/?uid=27&pid=3 as well as to fast-antivirus .com which are the scareware domains exposed in the recent "Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot" post. The scareware obtained from it, as well as the scareware from the above-exposed PornTube campaign streamviewer.40030.exe also share the same phone back locations.
Coming across yet another operation managed by them, namely, the ongoing Twitter trending topics hijacking attack, clearly demonstrates the impact this single group of individuals can have while multitasking at different fronts. And despite the numerous traffic acquisition tactics used, the monetization approach remains virtually the same - scareware.