According to a blog post at PandaLabs, a massive and very persistent blackhat SEO campaign exclusively hijacking "hot BBC and CNN news" related keywords has once again popped up on their radars. The campaign itself has been active since April, when I last analyzed it.
What has changed?
Instead of relying on purely malicious domains, the Ukrainian fan club, the one with the Koobface connection, remains the most active blackhat SEO group on the Web and, because the quality of the historical OSINT makes it possible to detect their activity -- a practice which prompts them to insult back -- they are also starting to put effort into making it look like another group is behind it.
The "News Items" themed blackhat SEO campaign is also serving scareware from the domains already participating in the U.S Federal Forms themed blackhat SEO campaign; what's new is the typical dynamic change of the redirectors in place.
Let's dissect a sample campaign currently parked at coolinc.info. Once the HTTP referrer checks are met, bernie-madoff.coolinc .info/fox-25-news.html executes the campaign through a static images/ads.js located on all of the subdomains participating in the campaign (bernie-madoff.coolinc .info/images/ads.js; eenadu-epaper.hmsite .net/images/ads.js), with generic detection triggered only by Sophos as Mal/ObfJS-CI.
Through a series of redirectors - usanews2009 .com/index.php - 126.96.36.199 - Email: firstname.lastname@example.org; newscnn2009 .com/index.php - 188.8.131.52 - Email: email@example.com; cnnnews2009 .com/index.php - 184.108.40.206 - Email: firstname.lastname@example.org - the user is redirected to the scareware domain through justintimberlakestream .com/?pid=95&sid=4e6ffe - 220.127.116.11; Email: email@example.com.
The scareware itself (phones back to worldrolemodeling .com/?b=1s1 - 18.104.22.168) is dynamically served through 22.214.171.124; 126.96.36.199 and 188.8.131.52 with a diverse portfolio of fake security software domains parked there.
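The redirect chain described above (search-engine referrer, static images/ads.js on the doorway host, an /index.php redirector on a second domain, then a ?pid=...&sid=... landing URL) can be hunted for in web proxy logs. The following is an added example, not code from the original post; the three-field log format, the search-engine list and the .example hosts are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log (client, requested URL, Referer); hosts are reserved .example names.
SAMPLE_LOG = """\
10.0.0.5 http://hot-story.seo-farm.example/fox-25-news.html http://www.google.com/search?q=fox+25+news
10.0.0.5 http://hot-story.seo-farm.example/images/ads.js http://hot-story.seo-farm.example/fox-25-news.html
10.0.0.5 http://redirector.example/index.php http://hot-story.seo-farm.example/fox-25-news.html
10.0.0.5 http://landing.example/?pid=1&sid=abc123 http://redirector.example/index.php
10.0.0.9 http://news.example/story.html http://www.google.com/search?q=news
10.0.0.9 http://news.example/images/ads.js http://news.example/story.html
10.0.0.7 http://hot-story.seo-farm.example/fox-25-news.html -
"""

SEARCH = re.compile(r"(^|\.)(google|yahoo|bing)\.")  # assumed engine list
FULL_CHAIN = {"search", "ads_js", "redirector", "landing"}

def host(url):
    return urlsplit(url).hostname or ""

def find_chains(log_text):
    """Return {client: [hosts visited]} for clients that walked every stage."""
    state = defaultdict(lambda: {"hosts": [], "stages": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, url, referer = parts
        s, u, h, rh = state[client], urlsplit(url), host(url), host(referer)
        if SEARCH.search(rh):            # doorway page reached from a search result
            s["hosts"], s["stages"] = [h], {"search"}
            continue
        if rh not in s["hosts"]:         # request was not referred by the chain
            continue
        if h not in s["hosts"]:
            s["hosts"].append(h)
        if u.path == "/images/ads.js" and h == s["hosts"][0]:
            s["stages"].add("ads_js")    # static loader on the doorway host
        elif u.path == "/index.php" and h != s["hosts"][0]:
            s["stages"].add("redirector")
        query = parse_qs(u.query)
        if "pid" in query and "sid" in query:
            s["stages"].add("landing")   # pid/sid-tagged final hop
    return {c: s["hosts"] for c, s in state.items() if s["stages"] == FULL_CHAIN}

if __name__ == "__main__":
    print(find_chains(SAMPLE_LOG))
```

Requiring all four stages keeps a site that merely hosts its own /images/ads.js (client 10.0.0.9 in the sample) from being flagged, and a direct visit without a search referrer (10.0.0.7) never starts a chain.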
Parked at 184.108.40.206 are:
Parked at 220.127.116.11 (IP used in the U.S Federal Forms themed blackhat SEO campaign) are also:
Parked at 18.104.22.168 are also more scareware domains/payment gateways/malware redirectors used in the campaign:
In between the central redirectors, counters from known domains affiliated with the Ukrainian fan club are also embedded as iFrames - sexualporno .ru/admin/red/counter2.html (22.214.171.124; Email: firstname.lastname@example.org) leading to sexualporno .ru/admin/red/mwcounter.html. Parked on 126.96.36.199 are related domains that were once using the ddanchev-suck-my-dick.php redirection, such as sexerotika2009 .ru; celki2009 .ru; seximalinki .ru and videoxporno .ru, as well as the de-facto counter used by the gang - c.hit.ua/hit?i=6001.
Does this admin/red directory structure ring a bell? But, of course. In fact the ddanchev-suck-my-dick redirectors originally introduced by the Ukrainian fan club are still in circulation - for instance not only is videoxporno .ru/admin/red/ddanchev-suck-my-dick.php (parked at the very same 188.8.131.52) still active, but the gang has pushed an update to all of their campaigns, once again establishing a direct connection between previous ones and the ongoing "News Items" themed one.
The ddanchev-suck-my-dick.php file has a Mac, Firefox and Chrome check similar to the one in the U.S federal forms themed campaign and the original "Hot News" themed campaigns - if (navigator.appVersion.indexOf("Mac")!=-1) window.location="http://www.zml.com/?did=5663"; The script also includes a central iFrame from the now known malicious coolinc .info - dash-store.coolinc .info/images/levittpedofil.html which redirects to 1008.myhome .tv/888.php, popoz.wo .tc/p/go.php?sid=4 and 1009.wo .tc/8/ss.php to finally load the now known justintimberlakestream .com/?pid=42&sid=8f68b5.
The bottom line - the Ukrainian "fan club" is a very decent example of a multitasking cybercrime enterprise that is not only systematically abusing all the major Web 2.0 services, but is also directly involved with the Koobface botnet.
Monitoring of their campaigns and take down actions will continue.
Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign
U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding
Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware
A Peek Inside the Managed Blackhat SEO Ecosystem
Historical OSINT of the group's blackhat SEO campaigns pushing Koobface samples, and the connections between the campaigns:
Movement on the Koobface Front - Part Two -- detailed account of the domain suspension and direct ISP take down actions against the gang during the last month
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot
This post has been reproduced from Dancho Danchev's blog.