Monday, December 07, 2009

Celebrity-Themed Scareware Campaign Abusing DocStoc


UPDATE: Docstoc has removed all the participating accounts in this campaign, and is applying additional filtering to undermine its effectiveness.

Last week's "Celebrity-Themed Scareware Campaign Abusing DocStoc and Scribd" is now exclusively targeting the popular Docstoc document-sharing service. Naturally, this latest campaign once again offers overwhelming evidence of the inner workings of the cybercrime ecosystem, in this particular case the connection between the Koobface gang and money mule recruitment campaigns.

So let's cut to the chase before we expose the entire campaign and have all the involved profiles removed. One of the most popular bogus video site links embedded in these documents, wildyourvideo .com - 188.130.250.246 - gevtone@gmail.com, is using NS1.FUCKABUSE .BIZ - abusehostserver@gmail.com - as its nameserver. The same email was also used to register some of the client-side exploit serving domains that were part of the Koobface drive-by download experiment, and is also known to have been used in registering money-mule recruitment domains.

Automatically registered Docstoc accounts involved:


Sampled accounts are currently advertising domains such as wildyourvideo .com - 188.130.250.246 - gevtone@gmail.com, where the malware is obtained from technologyplayer .com/xvidplayer.45206.exe, which phones back to:

central-arts-gallery .com - 216.240.146.126 - aproctor@who.net
gold-ballade-art .com - 66.199.229.230 - madkins@outgun.com
global-arts-area .com - 64.27.5.204 - tcrotts@safrica.com

Related Docstoc accounts also link to two Blogspot accounts - carrie-prejean-sex-tapes .blogspot.com; carrie-prejean-sextape-video-free .blogspot.com advertising tv-world-online .net - 58.218.199.186 - breathy3@gmail.com with the malware obtained from freebigutilites .com/install_ActiveX.45171.exe.

Also parked on 58.218.199.186 are related domains, some of them tied to money-mule recruitment domains:

The malware download domain freebigutilites .com resolves to 69.10.41.147, and the rest of the domains used in this and related campaigns are parked on the same IP.
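The links drawn above (a shared registrant email, a shared hosting IP, a shared nameserver) are the pivots an analyst uses to cluster a campaign's infrastructure. As an added illustration that is not part of the original post, the Python below applies that pivoting to a handful of constructed records modelled on the post's indicators; the record set, field names and the unrelated control domain are assumptions.

```python
from collections import defaultdict
# Constructed records modelled on the post's indicators; real data would come from WHOIS/passive DNS.
RECORDS = [
    {"domain": "wildyourvideo.com", "ip": "188.130.250.246", "email": "gevtone@gmail.com", "ns": "ns1.fuckabuse.biz"},
    {"domain": "ns1.fuckabuse.biz", "email": "abusehostserver@gmail.com"},
    {"domain": "0n-china.cn", "ip": "58.218.199.186", "email": "abusehostserver@gmail.com"},
    {"domain": "tv-world-online.net", "ip": "58.218.199.186", "email": "breathy3@gmail.com"},
    {"domain": "freebigutilites.com", "ip": "69.10.41.147", "email": "sybarra@yours.com"},
    {"domain": "freemegautilites.com", "ip": "69.10.41.147", "email": "sybarra@yours.com"},
    {"domain": "example-unrelated.test", "ip": "192.0.2.1", "email": "nobody@example.test"},  # control, constructed
]
PIVOT_FIELDS = ("ip", "email", "ns")

def build_pivots(records):
    # (field, value) -> domains sharing that value; a nameserver that is itself a
    # tracked record joins its own pivot so the client domain links to the NS domain.
    index = defaultdict(set)
    known = {r["domain"] for r in records}
    for r in records:
        for field in PIVOT_FIELDS:
            value = (r.get(field) or "").lower()
            if value:
                index[(field, value)].add(r["domain"])
                if field == "ns" and value in known:
                    index[(field, value)].add(value)
    return index

def cluster(records):
    # Union-find over shared pivots; returns (clusters, edges explaining each link).
    parent = {r["domain"]: r["domain"] for r in records}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    edges = []
    for (field, value), domains in build_pivots(records).items():
        ordered = sorted(domains)
        for a, b in zip(ordered, ordered[1:]):
            parent[find(a)] = find(b)
        if len(ordered) > 1:
            edges.append((field, value, ordered))
    groups = defaultdict(set)
    for d in parent:
        groups[find(d)].add(d)
    return [frozenset(g) for g in groups.values()], edges

def same_cluster(clusters, a, b):
    return any(a in c and b in c for c in clusters)
```

Each edge names the pivot that joined two domains, so a cluster can be audited link by link rather than trusted as a whole.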

Docstoc has been notified of the involved usernames, and should take action against them quickly. Naturally, the attacks would continue due to the apparent outsourcing of the CAPTCHA solving process.

Related posts:
The Ultimate Guide to Scareware Protection
Celebrity-Themed Scareware Campaign Abusing DocStoc and Scribd
Scareware Campaign Using Google Sponsored Links
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign
U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding
Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware
A Peek Inside the Managed Blackhat SEO Ecosystem 
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot  

This post has been reproduced from Dancho Danchev's blog.