Friday, September 25, 2009

Dissecting September's Twitter Scareware Campaign

UPDATE:  4 hours after notification, Twitter has suspended the remaining bogus accounts. Until the next time, when the reCAPTCHA recognition gets cost-effectively outsourced for automatic scareware-serving purposes.

Over the last couple of days, my Ukrainian "fan club" -- fan club in a sarcastic sense due to the love, more love, even more love and gratitude shown so far -- has once again started abusing Twitter by automatically generating bogus accounts tweeting scareware serving links by syndicating Twitter's trending topics.

This traffic acquisition tactic is in fact nothing new, and in the case of this Ukrainian cybercrime enterprise, is done "in between" the rest of their malicious activities. What's worth pointing out is that just like the most recent malvertising campaign at NYTimes.com, the Ukrainian gang keeps using domains already in circulation within their blackhat SEO campaigns, making it fairly easy to establish connections between these and the ongoing Twitter campaign.

By the time Twitter suspends the automatically registered bogus accounts, on average, 70 to 80 tweets have been published per single account. Here's the most recent list of currently active Twitter accounts tweeting scareware links:
twitter.com /verina1238
twitter.com /knab190
twitter.com /zastrow994
twitter.com /gustave12
twitter.com /trautwein9975
twitter.com /reinke341
twitter.com /ordella509
twitter.com /lysa380
twitter.com /weinhold344
twitter.com /wachsmann1541

twitter.com /weishaupt917
twitter.com /scheid1265
twitter.com /fitz1677
twitter.com /falkner425
twitter.com /opel1409
twitter.com /rasche1401
twitter.com /schlecht1581
twitter.com /perahta985


The accounts are relying on identical short URLs, with the following ones still active and in circulation:
tinyurl.com /lyby2r
tinyurl.com /nx39k8
tinyurl.com /mnbfox
tinyurl.com /msjjv8
tinyurl.com /mj5wju
tinyurl.com /mxg2vo
tinyurl.com /m656h7
tinyurl.com /nffkly
xrl.us /bfnpv7
xrl.us /bfnsa8
xrl.us /bfny8e
xrl.us /bfnnu4
xrl.us /bfnzkk
a.gd/ 6af3fe
a.gd/ 649be
a.gd/ f6b7f5
a.gd/ 0abe74
is.gd/ 3AoRZ
is.gd/ 3A5DD
is.gd/ 3AUVc
is.gd/ 3BZqa
is.gd/ 3C4lU
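The signal that gives this campaign away is the one the post describes: many freshly registered accounts tweeting the same handful of short URLs against trending topics. The script below is an added example, not code from the post, showing how a defender would turn that into a lookup: group accounts by the short links they tweet, flag links shared by several accounts, and pivot from one known bad link to every account and link connected to it. The tweet texts, hashtags and link codes are constructed; only the shortener host names and the first four account handles are taken from the post.

```python
import re
from collections import defaultdict

# Shortener hosts named in the post. Treating only these hosts as "short
# links" is a simplification for the example.
SHORTENER_HOSTS = {"tinyurl.com", "xrl.us", "a.gd", "is.gd"}

# Host and first path segment of an http(s) URL.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)/([A-Za-z0-9]+)")

# Constructed sample tweets as (account, text). The handles verina1238,
# knab190, gustave12 and zastrow994 appear in the post; everything else
# (hashtags, text, link codes, "realuser*") is made up for the example.
SAMPLE_TWEETS = [
    ("verina1238", "#trendingtopic unbelievable video http://tinyurl.com/abc123"),
    ("knab190", "#trendingtopic omg you have to see this http://tinyurl.com/abc123"),
    ("gustave12", "#trendingtopic so true http://tinyurl.com/abc123"),
    ("gustave12", "#anothertopic wow http://is.gd/xyz9"),
    ("zastrow994", "#anothertopic http://is.gd/xyz9"),
    ("realuser", "reading the news at http://example.com/story/42"),
    ("realuser2", "weekend photos http://is.gd/legit1"),
]


def extract_short_links(text):
    """Return 'host/code' for every URL in text that sits on a shortener host."""
    return [f"{host.lower()}/{code}" for host, code in URL_RE.findall(text)
            if host.lower() in SHORTENER_HOSTS]


def cluster_by_link(tweets):
    """Map each short link to the set of accounts that tweeted it."""
    clusters = defaultdict(set)
    for account, text in tweets:
        for link in extract_short_links(text):
            clusters[link].add(account)
    return dict(clusters)


def tweets_per_account(tweets):
    """Tweet volume per account (the post notes 70 to 80 per bogus account)."""
    counts = defaultdict(int)
    for account, _ in tweets:
        counts[account] += 1
    return dict(counts)


def flag_accounts(tweets, min_accounts=3):
    """Accounts that tweeted a short link shared by >= min_accounts accounts."""
    flagged = set()
    for accounts in cluster_by_link(tweets).values():
        if len(accounts) >= min_accounts:
            flagged |= accounts
    return flagged


def expand_from_link(tweets, seed_link):
    """Walk the account <-> link graph from one known bad short link.

    Returns (accounts, links) reachable from the seed: accounts that tweeted
    it, every other link those accounts tweeted, and so on transitively.
    """
    by_link = cluster_by_link(tweets)
    by_account = defaultdict(set)
    for link, accounts in by_link.items():
        for account in accounts:
            by_account[account].add(link)
    links, accounts, queue = {seed_link}, set(), [seed_link]
    while queue:
        link = queue.pop()
        for account in by_link.get(link, ()):
            if account in accounts:
                continue
            accounts.add(account)
            for other in by_account[account]:
                if other not in links:
                    links.add(other)
                    queue.append(other)
    return accounts, links


if __name__ == "__main__":
    print("shared-link clusters:", cluster_by_link(SAMPLE_TWEETS))
    print("flagged (>=3 accounts per link):", flag_accounts(SAMPLE_TWEETS))
    print("pivot from tinyurl.com/abc123:", expand_from_link(SAMPLE_TWEETS, "tinyurl.com/abc123"))
```

The threshold matters: genuine users also pass popular short links around, so a shared link on its own is a weak indicator and is normally combined with account age and per-account tweet volume. The transitive walk in `expand_from_link` is the useful part: starting from one link already known to redirect to scareware, it reaches `zastrow994` through `gustave12` even though that account never tweeted the seed, while `realuser2`, whose link nobody else shares, stays out of the cluster.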


The short URLs rely on several redirectors to finally land the end user on a scareware site, such as securityland .cn and imagination-1 .com:

securityland .cn - 64.86.25.201 - Email: keithdgetz@gmail.com. Parked on the same IP are also:
abclllab .com
0lenfo .com
ynoubfa .cn
protectinstructor .cn
immitations-all .net
1limbo .net

imagination-1 .com - 64.86.25.202 - Email: gertrudeedickens@text2re.com. Parked on the same IP are also:
bombas10 .com
graves111 .com
iriskas .com
yvicawo .cn


Where do we know the gertrudeedickens@text2re.com email from? Several of the scareware domains pushed in the ongoing U.S. Federal Forms Themed Blackhat SEO Campaign have been registered using it - that very same blackhat SEO campaign whose central redirectors, a-n-d-the .com/wtr/router.php - 95.168.177.35 - and in-t-h-e .cn - 72.21.41.198 - (hosted by Layered Technologies, Inc.), mimic the campaign structure of 2008's massive input validation abuse attack using iFrames, courtesy of the RBN and the very first scareware campaigns.

Moreover, the same email has been used to register two of the "phone-back" domains for the scareware pushed in the blackhat SEO campaign and the NYTimes.com malvertising attack - windowsprotection-suite .net - Email: gertrudeedickens@text2re.com and securemysystem .net - Email: gertrudeedickens@text2re.com.

The following scareware domains are not only used within the Twitter campaign; some of them have also been detected as part of blackhat SEO campaigns:
ekevuc .cn - 64.213.140.68
windowspcdefender .com
smart-virus-eliminator .com
fast-systemguard .net
opyhila .cn
riwryse .cn
adijef .cn
dunhah .cn
idisuan .cn
wobcyn .cn
upuoro .cn
ucyilwo .cn
ogywuep .cn
adaengu .cn
taziqow .cn
zerkauz .cn


ejavone .cn - 64.213.140.69
fastsystem-guard .com
windowsguardsuite .com
windowssystemsuite .com
winsecuritysuite-pro .com
windows-protectionsuite .net
malwarecatcher .net
fast-scan-protect .net
fastscansecure .net
goryhe .cn
pyzuhme .cn
zydfaqe .cn
ahoize .cn
abonyag .cn
abenapi .cn
otobym .cn
abicoym .cn
nepsoym .cn
byzfalo .cn
pywudar .cn
qucgyit .cn
dahokxu .cn
lylbaov .cn
cusryw .cn



fast-scanandprotect .net
fastscanonline .com
fastsearch-secure .com
fast-systemguard .net
go-scanandsecure .net
goscan-protect .com
go-searchandscan .com
guardmyzone .net
mynewprotection .net
my-newprotection .net
my-officeguard .com
my-officeguard .net


myprotectedsystem .com
myprotected-system .com
my-protectedzone .net
myprotectionshield .com
myprotectionzone .com
my-protectionzone .com
my-protectionzone .net
myprotection-zone .net
my-saerchsecure .com
my-safetyprotection .com
my-systemprotection .net
mysystemsafety .com
my-systemscan .com
my-systemscanner .com
mysystemsecurity .com
new-scanandprotect .com



newscan-andprotect .net
new-systemprotection .com
online-scanandsecure .net
online-securescanner .net
online-systemscan .com
onlinesystemscan .net
protectand-secure .com
protectionsearch .com
safetyshield .net
safetysystem-guard .com
scanonline-protect .com
scan-system .net


scanvirus-online .net
searchandscan .net
search-scanonline .net
searchsecureguard .net
secure-systemguard .net
system-guard .net
systemguard-zone .com
systemguard-zone .net
systemprotected .net
systemscan-secure .net
trust-systemprotect .com
trust-systemprotect .net
trustsystem-protection .com
trust-systemprotection .net
windows-protectionsuite .net
windows-systemguard .net
windows-virusscan .net
winprotection-suite .com


Sampled scareware also phones back to mysecurityguru .cn - 64.86.16.170 - Email: andrew.fbecket@gmail.com. The same phone-back domain was used in the scareware sampled from the NYTimes.com malvertising attack, and the same email also belongs to a scareware domain (mainsecsys .info) listed in the Diverse Portfolio of Fake Security Software - Part Twenty Two for July.
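The pivoting done by hand above (tying the Twitter campaign, the Federal Forms blackhat SEO campaign and the NYTimes.com malvertising attack together through shared registrant emails and hosting IPs) is mechanical once the indicators sit in a table. The script below is an added example, not code from the post. It loads the domain, IP and email facts stated in the post (domains kept defanged with the space the post uses; the campaign labels are my own shorthand) and builds connected components with union-find, so each cluster reports which campaigns it ties together and through which indicator. The `pivot_on_ip` switch is there because an IP pivot is noisy on shared hosting, as the "parked on the same IP" lists above illustrate.

```python
from collections import defaultdict

# Indicator records as stated in the post. Domains stay defanged ("name .tld")
# exactly as the post writes them. Campaign labels are my own shorthand; a
# parked domain the post ties to no campaign gets an empty set.
RECORDS = [
    # (domain, hosting IP or None, registrant e-mail or None, campaigns)
    ("securityland .cn", "64.86.25.201", "keithdgetz@gmail.com", {"twitter-sep09"}),
    ("abclllab .com", "64.86.25.201", None, set()),  # parked on the same IP
    ("imagination-1 .com", "64.86.25.202", "gertrudeedickens@text2re.com", {"twitter-sep09"}),
    ("windowsprotection-suite .net", None, "gertrudeedickens@text2re.com",
     {"blackhat-seo-federal-forms", "nytimes-malvertising"}),
    ("securemysystem .net", None, "gertrudeedickens@text2re.com",
     {"blackhat-seo-federal-forms", "nytimes-malvertising"}),
    ("mysecurityguru .cn", "64.86.16.170", "andrew.fbecket@gmail.com",
     {"twitter-sep09", "nytimes-malvertising"}),
    ("mainsecsys .info", None, "andrew.fbecket@gmail.com", {"fake-av-portfolio-22"}),
    ("a-n-d-the .com", "95.168.177.35", None, {"blackhat-seo-federal-forms"}),
    ("in-t-h-e .cn", "72.21.41.198", None, {"blackhat-seo-federal-forms"}),
]


def _find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def _union(parent, a, b):
    ra, rb = _find(parent, a), _find(parent, b)
    if ra != rb:
        parent[rb] = ra


def build_components(records, pivot_on_ip=True):
    """Cluster domains that share a registrant e-mail (and optionally an IP).

    Returns a list of dicts with the domains in the cluster, the union of
    their campaign labels, and the indicators that actually joined >1 domain.
    """
    parent = {}
    usage = defaultdict(set)  # indicator node -> domains carrying it
    for domain, ip, email, _ in records:
        parent.setdefault(domain, domain)
        indicators = []
        if email:
            indicators.append("email:" + email)
        if ip and pivot_on_ip:
            indicators.append("ip:" + ip)
        for node in indicators:
            parent.setdefault(node, node)
            _union(parent, domain, node)
            usage[node].add(domain)

    groups = defaultdict(lambda: {"domains": set(), "campaigns": set(), "pivots": set()})
    for domain, _, _, campaigns in records:
        group = groups[_find(parent, domain)]
        group["domains"].add(domain)
        group["campaigns"] |= set(campaigns)
    for node, domains in usage.items():
        if len(domains) > 1:  # only indicators that really linked something
            groups[_find(parent, node)]["pivots"].add(node)
    return list(groups.values())


def component_of(records, domain, pivot_on_ip=True):
    """The cluster containing `domain`, or None if the domain is unknown."""
    for group in build_components(records, pivot_on_ip):
        if domain in group["domains"]:
            return group
    return None


def linked_campaigns(records, pivot_on_ip=True):
    """Sets of campaign labels that end up in one cluster together."""
    return {frozenset(g["campaigns"])
            for g in build_components(records, pivot_on_ip) if len(g["campaigns"]) > 1}


if __name__ == "__main__":
    for group in build_components(RECORDS):
        print(sorted(group["domains"]), "->", sorted(group["campaigns"]), "via", sorted(group["pivots"]))
```

On the post's data the email pivots reproduce its conclusions: gertrudeedickens@text2re.com joins imagination-1 .com from the Twitter campaign to the two phone-back domains of the blackhat SEO and NYTimes.com campaigns, and andrew.fbecket@gmail.com joins mysecurityguru .cn to the July portfolio entry. The only IP pivot in the table is the parked abclllab .com sharing 64.86.25.201 with securityland .cn; with `pivot_on_ip=False` that link disappears, which is the right default when the IP belongs to a shared host.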

The cybercrime powerhouse behind all these attacks continues maintaining the largest market share of systematic Web 2.0 abuse, and that includes their involvement in the Koobface botnet.

Related posts:
Dissecting Koobface Worm's Twitter Campaign
Twitter Worm Mikeyy Keywords Hijacked to Serve Scareware
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
The Twitter Malware Campaign Wants to Bank With You
Does Twitter’s malware link filter really work?
Commercial Twitter spamming tool hits the market
Cybercriminals hijack Twitter trending topics to serve malware
Spammers harvesting emails from Twitter - in real time
Twitter hit by multiple variants of XSS worm

This post has been reproduced from Dancho Danchev's blog.