- Go through related web shell backdoors, monetization posts: A Compilation of Web Backdoors; Monetizing Web Site Defacements; Underground Multitasking in Action; Monetizing Compromised Web Sites, Web Site Defacement Groups Going Phishing
AS9394 (CRNET) itself is currently hosting the following active Zeus crimeware campaigns:
6alava .com - 22.214.171.124 - Email: email@example.com
sicha-linna .com - 126.96.36.199 - Email: firstname.lastname@example.org
stopspaming .com - 188.8.131.52 - Email: email@example.com
ubojnajasila .net - 184.108.40.206 - Email: firstname.lastname@example.org
Here's how the experiment looks like in its current form. Once the OS is detected, the redirection takes place through 220.127.116.11 /mac.php -> 18.104.22.168 /vvv.htm loading the following pages, using the gang's unique campaign IDs at AdultFriendFinder:
- BestDatingDirect .com/page_hot.php?page=random&did=14029
- adultfriendfinder .com/go/page/ad_ffadult_gonzo?pid=p291351.sub2w954&lang=english
- adultfriendfinder .com/go/page/landing_page_geobanner?pid=g227362-ppc
Parked on 22.214.171.124 - AS3491; PCCWGlobal-ASN PCCW Global is the rest of the dating site redirectors:
This isn't the first time that the Koobface gang is attempting to monetize traffic through dating affiliate networks. In fact, in November's "Koobface Botnet's Scareware Business Model - Part Two" post emphasizing on the gang's connection with blackhat SEO campaigns, the Bahama botnet and the malvertising attacks at the web site of the New York Times, I also pointed out on their connection with an Ukrainian dating scam agency profiled before, whose botnet was also linked to money mule recruitment campaigns in May, 2009.
An excerpt is worth a thousand words:
The historical OSINT paragraph mentioned that several of the scareware domains pushed during the past two weeks were responding to 126.96.36.199. This very same 188.8.131.52 IP was hosting domains part of an Ukrainian dating scam agency known as Confidential Connections earlier this year, whose spamming operations were linked to a botnet involved in money mule recruitment activities.
For the time being, the following dating scam domains are responding to the same IP:
healthe-lovesite .com - Email: email@example.com
love-isaclick .com - Email: firstname.lastname@example.org
love-is-special .com - Email: email@example.com
only-loveall .com - Email: firstname.lastname@example.org
and-i-loveyoutoo .com - Email: email@example.com
andiloveyoutoo .com - Email: firstname.lastname@example.org
romantic-love-forever .com - Email: email@example.com
love-youloves .com - Email: firstname.lastname@example.org
love-galaxys .com - Email: email@example.com
love-formeandyou .com - Email: firstname.lastname@example.org
ifound-thelove .net - Email: email@example.com
findloveon .net - Email: firstname.lastname@example.org
love-isexcellent .net - Email: email@example.com
Could it get even more malicious and fraudulent than that? Appreciate my rhetoric. The same email (firstname.lastname@example.org) that was used to register the dating scam domains was also used to register exploit serving domains at 184.108.40.206, participate in phishing campaigns, and register a money mule recruitment site for the non-existent Allied Insurance LLC. (Allied Group, Inc.).
Of course, the money made in process looks like pocket change compared to the money they gang makes through blackhat SEO, click fraud and scareware in general -- go through the related posts at the bottom of the article. But since they've previously indicated what I originally anticipated they'll do sooner or later, namely, start diversifying and experimenting due to the ever-growing compromised infrastructure, what they'll do next on the Mac front is an issue worth keeping an eye on.
Related Koobface gang/botnet research:
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.