Monday, August 10, 2009

U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding

UPDATE2: A new scareware domain is in rotation - antispywarelivescanv5 .com - - Email: . Redirection takes place through consensualart .cn - - Email:

UPDATE: Four new domains have been introduced, again using the services of AltusHost Inc. (AS44042):

thwovretgi .com - - Email:
hernewdy .com - - Email:
shtifobpy .com - - Email:
vodcotha .com - - Email:

The redirection takes place through mywatermakrs .cn - - Email:

In response to the takedown of the blackhat SEO domains used in the campaign dissected last week, the group has introduced new domains alongside new redirectors and, most interestingly, has started using compromised/misconfigured legitimate sites in an attempt to extend the campaign's lifecycle by making it takedown-proof.

New blackhat SEO domains again using AS44042 ROOT-AS root eSolutions/ALTUSHOST-NET/AltusHost Inc hosting services:
fifiopod .com - - Email:
trodlocho .com - - Email:
ickgetaph .com - - Email:
igecanneg .com - - Email:
somveots .com - - Email:
memodreydi .com - - Email:
jejnahob .com - - Email:
nuwofteuz .com - - Email:
hyhoppeo .com - - Email:
egnegvufvu .com - - Email:
lauzpeog .com - - Email:
sniozeanvo .com - - Email:
hebmipenn .com - - Email:

The cybercriminals are also attempting to use a well-proven tactic - occupying as many search engine results as possible for a particular hijacked keyword by serving identical blackhat SEO junk content from multiple domains. A similar attempt was successfully executed in January 2009's search results poisoning campaign at Google Video, where the first ten results for a particular keyword were all malicious in nature.
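Defenders sifting search results for this kind of poisoning can spot the pattern described above mechanically: many throwaway domains returning the same template text. The script below is an added example, not code from the original post or from Dancho Danchev, and the page texts and domain names in it are constructed. It shingles each page into word triples, scores every pair by Jaccard similarity and groups domains whose content is near-identical.

```python
"""Group domains that serve near-identical page text, the signature of one
junk SEO template replicated across many throwaway domains.
Added example; the sample pages and domain names below are constructed."""
import re
from itertools import combinations


def word_shingles(text, k=3):
    """Set of k-word shingles; tokens are lowercase runs of letters/digits."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(max(len(words) - k + 1, 0))}


def jaccard(a, b):
    """Jaccard similarity of two shingle sets (1.0 for two empty pages)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster_near_duplicates(pages, threshold=0.8):
    """pages: dict mapping domain -> page text.
    Returns a sorted list of sets, each set being domains whose pages are
    pairwise-linked by similarity >= threshold (union-find over pairs).
    Singletons are dropped: a page nobody else copies is not evidence."""
    domains = list(pages)
    shingles = {d: word_shingles(pages[d]) for d in domains}
    parent = {d: d for d in domains}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(domains, 2):
        if jaccard(shingles[a], shingles[b]) >= threshold:
            parent[find(a)] = find(b)

    groups = {}
    for d in domains:
        groups.setdefault(find(d), set()).add(d)
    return sorted((g for g in groups.values() if len(g) > 1),
                  key=lambda g: sorted(g))


# Constructed sample: three domains sharing one junk template (one with a
# trivial edit) and one unrelated legitimate page.
TEMPLATE = ("Free US federal forms 1040 W-2 download federal tax forms online now "
            "click to download your federal forms")
SAMPLE_PAGES = {
    "junk-a.invalid": TEMPLATE,
    "junk-b.invalid": TEMPLATE,
    "junk-c.invalid": TEMPLATE + " today",
    "bakery.invalid": ("Local bakery hours and menu. We bake sourdough bread "
                       "daily and offer catering for events."),
}

if __name__ == "__main__":
    for group in cluster_near_duplicates(SAMPLE_PAGES):
        print("same template:", ", ".join(sorted(group)))
```

In practice the page texts would come from a crawl of the top results for the hijacked keyword; a cluster that spans several freshly registered domains on the same hosting provider is a strong poisoning signal and a good takedown list.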

The compromised/misconfigured legitimate sites used in the campaign are serving dynamically obfuscated JavaScript. Here's a list of the ones currently in use:
ali.zaher.101main .com
averder.cwsurf .de .uk .uk
britishbaits .com .uk .uk .uk .uk .uk .uk
childrenofthedrone .net .uk
chris-hillman .com .uk
christine-pearson .com .uk .uk .uk .uk .uk
dak.crep01.linux-site .net .uk .uk
fet.jujas.myftpsite .net
tferh.mi-website .es

The campaign continues switching between different redirectors parked at for instance:
rondo-trips .cn
gazsnippets .cn
besthockeyteams .cn
allfootballmanager .cn
rollerskatesadvise .cn

honda-recycle .cn - used in the previous campaign
nothern-ireland .cn
discovernewchina .cn

An updated portfolio of scareware/fake security software has been introduced:
bestpersonalprotectionv2 .com
onlinesecurescannerv3 .com
basicsystemscannerv3 .com
onlinebestscannerv3 .com
basicsystemscannerv6 .com
bestpersonalprotectionv7 .com
basicsystemscannerv8 .com
thankyouforscan .com
onlinepersonalscanner .com
basicsystemscanner .com
onlineproantivirusscanner .com

personalantivirusprotection .com
internetantivirusscanner .com
govirusscanner .com
iwantsweepviruses .com
personalfoldertest .com

Sampled scareware once again phones back to the thebigben .cn - Email: and june-crossover .com - Email:, with more scareware parked there - purchuase-premium-software .com - Email:; livepaymentssystem .com - Email:; secure.livepaymentssystem .com - Email:; purchuasepremiumprotection .com - Email:

Evasion techniques are again in place; however, this time they produce a Russian Business Network deja vu moment from 2008. In March 2008, ZDNet Asia and TorrentReactor, followed by a large number of other high-profile, high-PageRank sites, started acting as intermediaries for scareware campaigns, among the first such abuses of legitimate sites for serving scareware.

The compromised/misconfigured web sites participating in this latest blackhat SEO campaign are, surprisingly, redirecting to /wtr/router.php - - Email: - AS28753 NETDIRECT AS NETDIRECT Frankfurt, DE whenever the HTTP Referer condition isn't met. This very same domain -- back then parked at INTERCAGE-NETWORK-GROUP2 -- was also used in the same fashion in March 2008's massive blackhat SEO campaigns serving scareware.
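Referer-conditional redirection like the one described above is easy to confirm from the analyst's side: request the same URL twice, once with a search-engine Referer and once without, and compare the first hop. The script below is an added example, not code from the original post or from Dancho Danchev. The fetcher is injected so the check runs offline against the constructed responses at the bottom (the `compromised.invalid` / `redirector.invalid` hosts, the `router.php` path and the Google search Referer are all constructed); `fetch_http` is a plain `urllib` fetcher for live use that deliberately does not follow redirects.

```python
"""Probe one URL with and without a search-engine Referer and flag
referer-conditional redirection. Added example; hosts and responses below
are constructed, not taken from the campaign in the post."""
import re
import urllib.error
import urllib.request

SEARCH_REFERER = "https://www.google.com/search?q=federal+forms"  # constructed

# Redirects that live in the body rather than in a 3xx Location header.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.I)
JS_LOCATION = re.compile(
    r'(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']'
    r'|location\.replace\(\s*["\']([^"\']+)["\']\s*\)', re.I)


def extract_redirect(status, headers, body):
    """Return the first-hop redirect target (Location header, meta refresh
    or inline JS location assignment), or None if the page does not redirect."""
    if 300 <= status < 400:
        loc = {k.lower(): v for k, v in headers.items()}.get("location")
        if loc:
            return loc
    m = META_REFRESH.search(body)
    if m:
        return m.group(1)
    m = JS_LOCATION.search(body)
    if m:
        return m.group(1) or m.group(2)
    return None


def fetch_http(url, headers):
    """Live fetcher: returns (status, headers, body) of the FIRST response,
    never following redirects, so the cloaking hop stays visible."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, hdrs, newurl):
            return None  # turn every 3xx into an HTTPError we catch below
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read(65536).decode("utf-8", "replace")


def probe(url, fetch=fetch_http):
    """Fetch url with and without a search Referer; report both first hops
    and a 'cloaked' verdict when status or redirect target differ."""
    variants = {
        "search_referer": {"User-Agent": "Mozilla/5.0", "Referer": SEARCH_REFERER},
        "no_referer": {"User-Agent": "Mozilla/5.0"},
    }
    results = {}
    for name, hdrs in variants.items():
        status, headers, body = fetch(url, hdrs)
        results[name] = {"status": status,
                         "redirect": extract_redirect(status, headers, body),
                         "length": len(body)}
    a, b = results["search_referer"], results["no_referer"]
    results["cloaked"] = a["status"] != b["status"] or a["redirect"] != b["redirect"]
    return results


# Constructed stand-ins for a live server, modelled on the behaviour the post
# describes: a visitor that fails the Referer check is bounced to a router script.
def fake_fetch_cloaking(url, headers):
    if "google.com/search" in headers.get("Referer", ""):
        return 200, {"Content-Type": "text/html"}, "<html><body>federal forms junk</body></html>"
    return 302, {"Location": "http://redirector.invalid/wtr/router.php"}, ""


def fake_fetch_honest(url, headers):
    return 200, {"Content-Type": "text/html"}, "<html><body>Welcome</body></html>"


if __name__ == "__main__":
    print(probe("http://compromised.invalid/forms.html", fetch=fake_fetch_cloaking))
    print(probe("http://honest.invalid/", fetch=fake_fetch_honest))
```

Run it against a suspect host with `probe(url)` (the default `fetch_http`) from an isolated analysis box; a differing first hop between the two requests is the evidence to attach to a takedown or blocklist request, and the extracted redirect target is the redirector domain to add to it.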

This post has been reproduced from Dancho Danchev's blog.