Thursday, July 16, 2009

From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts

Could a dysfunctional abuse department facilitate cybercrime? Appreciate my rhetoric with an emphasis on Layered Technologies, Inc.

Exactly one month ago, the Ukrainian gang that I've been extensively monitoring due to their apparent involvement in literally each and every malware campaign targeting Web 2.0 properties -- that's of course next to the Koobface connection in general -- intensified their automatic abuse of Twitter, Scribd and LinkedIn using plain simple social engineering tactics.

Since the campaign seems to be ongoing, it's time to spill some coffee on their latest scareware domains, see how the campaign's quality degraded upon notifying the affected parties, and emphasize on the fact that since Layered Technologies, Inc. abuse department wasn't available for comment prior to this post, the Ukrainian "fan club" continues using their services.

Bogus Twitter accounts serving scareware part of their campaign:
twitter .com/carmenelectrapn
twitter .com/LilKimUncensord
twitter .com/KimKardashian11
twitter .com/KateWinsletNude
twitter .com/DeniseRichardsK
twitter .com/KendraWilkinso1
twitter .com/CHristinaRicciN
twitter .com/Shakira_nude

twitter .com/BritneySpears11
twitter .com/PamelaAnderson0
twitter .com/kimkardashian3
twitter .com/BritneySpearse
twitter .com/LindsayLohannn
twitter .com/KatieHolmesNud
twitter .com/LilKimUncensord
twitter .com/britneyspearst
twitter .com/LindsayLohanee
twitter .com/JenniferLovew
twitter .com/AnnaFarisNnude
twitter .com/MileyCyrusnud
twitter .com/carmenelectrasx
twitter .com/adulttrishstrat


As in previous campaign, their redirectors continue working -- excluding oymomahon .com which is down -- and serving newly typosquatted scareware domains. For instance showmealltube .com/fathulla/13.html (64.92.170.135; 216.32.83.110) which is exclusively used on all the bogus accounts redirects to myhealtharea .cn/in.cgi?14 (64.92.170.135; 216.32.83.110), again Layered Technologies, Inc.

The same goes for the second domain, delshikandco .com/paqi-video/30.html (216.32.83.104) Email: alexeyvas@safe-mail.net (multiple scareware domains registered under the same email) as well as another redirector maintained by them used in previous campaign, ntlligent .info/tds/in.cgi (72.232.163.171) also both hosted at Layered Technologies, Inc..

The new scareware domains used in the first redirection:
nusecurityshields .com - 91.213.29.252 - FakeAlert-WinwebSecurity.gen
besecurepctrue .com
wesecurepcs .com
securityverpcs .com
allsecuredpcshields .com
myrealsecuritys .com
realsecurityspot .com
allentruesecurity .com


The second redirection leads to thetubesmovie .com/xplaymovie.php?id=40012 - 216.240.143.7 - Email: queeziegl@gmail.com where onlinemovies.40012.exe (Trojan.Crypt.ZPACK.Gen) is served, which upon execution phones back to myart-gallery .com/senm.php?data= (64.27.5.202) Email: jnthndnl@gmail.com; robert-art .com/senm.php?data= (66.199.229.229) Email: robesha@gmail.com; and superarthome .com/senm.php?data= (216.240.146.119) Email: chucjack@gmail.com. Yet another redirector at showmeall-tube-xx .com/xtube.htm - 78.159.98.70 - Email: crashtestdanger@mail.ru attempts to download more scareware from showmeall-tube-xx .com/setup.exe - Trojan:Win32/Winwebsec.

Parked on 216.240.143.7 are also:
go-go-tube.com - Email: consanch@gmail.com
thetubesmovie.com - Email: queeziegl@gmail.com
tubessite.com - Email: roberkimb@gmail.com
besttubetech.com - Email: tashcham@gmail.com
supertubetop.com - Email: queeziegl@gmail.com
yourtubetop.com - Email: tashcham@gmail.com
greattubetop.com - Email: roberkimb@gmail.com
fllcorp.com
my-tube-dot.com -
Email: consanch@gmail.com

The newly registered Scribd and LinkedIn accounts also point to these very same domains. Bogus Scribd accounts -- approximately a thousand -- participating in the campaign:
scribd .com/Eva_Mendes%20naked
scribd .com/Kim_Kardashian%20sex%20tape%20free
scribd .com/Nude%20wrestling
scribd .com/KimKardashianSex%20Tape
scribd .com/BritneySpears%20Sex%20Tape
scribd .com/HollyMadison_Naked
scribd .com/Free%20Animal%20Sex%20Videos
scribd.com/BritneySpearsCircus
scribd .com/Emma%20Watson%20kissingsomeone
scribd .com/Paris%20Hilton%20%20sex%20tape
scribd .com/Ellen%20degeneresgay
scribd .com/Gallery%20of%20Lindsay_Lohan
scribd .com/Amy_Smart%20nude
scribd .com/Stacy_Keibler%20in%20a%20bikini
scribd .com/Jennifer%20Aniston%20sexiest1
scribd .com/HelenMirren%20nudity
scribd .com/Vida_Guerra%20butt
scribd .com/Paris%20Hilton%20in%20bed


scribd .com/Paris%20Hilton%20sex%20video
scribd .com/Paris%20Hilton%20%20movie
scribd .com/ParisHiltonnaked1
scribd .com/Jessica%20Rabbitadult

scribd .com/Maria_Kanellis%20playboy
scribd .com/Anna_Nicole_uncensored
scribd .com/Kim+Kardashian%20sex%20video
scribd .com/keeleyhazellsextape
scribd .com/Britney-Spears-womanizer2
scribd .com/BRITNEY%20SPEARS%20DESNUDA%201
scribd.com/Age%20of%20EmmaWatson
scribd .com/JenniferLopez%20desnuda
scribd .com/BritneySpears%20comix
scribd .com/MUJERES%20NEGRAS%20DESNUDAS%201
scribd .com/John%20Cena's%20%20dick
scribd .com/Hilary%20Duff%20naked%201


scribd .com/MaribelGuardia%20desnuda
scribd .com/Jessica%20Simpsonnude

scribd .com/Amanda-Bynes-nip-slip1
scribd .com/Tara-Reid-desnuda1
scribd .com/Jessica%20Albanude
scribd .com/Mujeres%20famosas%20%20desnudas
scribd .com/AngelinaJolie%20Naked
scribd .com/Lindsay_Lohan%20naked
scribd .com/Niurka_Marcos%20desnuda

scribd .com/FOTOS%20DE%20MARIBEL%20GUARDIA%20DESNUDA
scribd .com/INGRID%20CORONADO%20DESNUDA%201
scribd .com/NINEL%20CONDE%20DESNUDA1


scribd .com/Paris%20Hilton%20movie%201
scribd .com/Free%20Kim%20Kardashian%20%20Sex%20%20Tape
scribd .com/Pamela%20anderson%20nude
scribd .com/Vanessa-Williams-Penthouse-pictorial2
scribd .com/Natalie%20Portman%20sunbathing%201
scribd .com/Anne%20Hathaway%20naked%201
scribd .com/Stacy_Keibler%20nude
scribd .com/Scarlett_Johansson%20galleryx


Bogus LinkedIn accounts participating in the campaign:
linkedin .com/pub/anneliese-van-der-pol-nude/14/150/371
linkedin .com/pub/disney-s-raven-symone-nude/14/150/604
linkedin .com/pub/jennifer-love-hewitt/13/ab6/396
linkedin .com/pub/free-nude-celebs/14/6b/65b
linkedin .com/in/nudetubee
linkedin .com/in/nudepics2
linkedin .com/in/freenudecelebrities1
linkedin .com/in/nudecelebrities1
linkedin .com/in/nudephotos1
linkedin .com/pub/nude-art/14/6b/6a


The statistics from two of the bit.ly URLs showcase how the campaign scaled due to the number of bogus accounts, and they virtually disappeared upon notifying the affected parties which removed the accounts in less than an hour. The gang keeps making a point that I made a while ago - a single group can dominate the entire Web 2.0 threatscape, automatically if they want to.

This post has been reproduced from Dancho Danchev's blog.