Thursday, June 20, 2013

Bogus "Shocking Video" Content at Scribd Exposes Malware Monetization Scheme Through Parked Domains


Bogus content populating Scribd, centralized malicious/typosquatted/parked domains/fraudulent infrastructure, combined with dozens of malware samples phoning back to this very same infrastructure to monetize the fraudulently generated traffic, it doesn't get any better than this, does it?

URL redirection chain:
hxxp://papaver.in/shocking/scr68237 -> hxxp://dsnetservices.com/?epl=98EbooDNwLit-qQViA4tbYD7JMZAQuEUyV387pMYNBODms0CdAg9qAe5QvBgKTO6xW6jHW1iYo5F8yDIvYx
7Aavd8wLHmZwHDIltbG4Eta-GVtiO3i9LlnzyK0YgWmT2BOaEeaipahFlE8yB7mCEBrQzXXtQBVUSIMGIEwTo9iUp0IyDUOM
0mZKYzSpf6qGlAAgYN_vvwAA4H8BAABAgFsLAADgPokxWVMmWUExNmhaQqAAAADw -> monetization through Google/MSN

 


Domain names reconnaissance:
papaver.in - 69.43.161.176 - Email: belcanto@hushmail.com - Belcanto Investment Group
dsnetservices.com - 208.73.211.152 - Email: admin@overseedomainmanagement.com - Oversee Domain Management, LLC

 
The following related domains are also registered with the same email (belcanto@hushmail.com):
4cheapsmoke.com
777payday.com
aboutforexincome.com
agroindusfinance.com
atvcrazy.com
bbbamericashop.com
bizquipleasing.com
cashforcrisis.com
cashmores-caravans.com
cashswim.com
cheapbuyworld.com
cheaptobbacco.com
cheapuc.com
debtheadaches.com
debtonatorct.com
gcecenter.com
goldforcashevents.com
studioshc.com
thestandardjournal.com
travelgurur.com
atlanticlimos.net
bethelgroup.net
caravanningnews.net
casting-escort.net
cheapersales.net
couriernetwork.net
dragonarttattoo.net
girlgeniusonline.net
madameshairbeauty.net
manchester-escort.net
mygirlythings.net
vocabhelp.net
cheapmodelships.com
financialdebtfree.com
mskoffice.com
cashacll.com
apollohealthinsurance.com
nieportal.com
playfoupets.com
wducation.com
carwrappingtorino.net
crewealexultras.net
diamondsmassage.net
isleofwightferries.org
migliojewellery.org
mind-quad.org
moneyinfo.us
2daysdietslim.com
999cashlline.com
capitalfinanceome.com
capitlefinanceone.com
captialfinanceone.com
carehireinsurance.com
cashadvaceusa.com
cashadvancesupprt.com
cashdayday.com
cashgftingxpress.com
cashginie.com
cashsoltionsuk.com
cathayairlinescheapfare.com
cheapaddidastops.com
cheapaparmets.com
cheapariaoftguns.com
cheapcheapcompters.com
cheapdealsinmalta.com
cheapdealsorlando.com
cheapeestees.com
cheapetickete.com
cheapeygptholidays.com
cheapfaresairlines.com
cheap-flighs.com
cheapflyithys.com
cheapfreestylebmx.com
cheapgoldjewelery.com
cheaphnoels.com
cheapholidaysites.com
cheaphotellakegeorge.com
cheaplawnbowls.com
cheapm1a1airsoft.com
cheapmetalsticksdiablo.com
cheapmpwers.com
cheapmsells.com
cheapotickeds.com
cheapottickets.com
cheapprotien.com
cheapryobicordlesstools.com
cheap-smell.com
cheapsmellscom.com
cheapsmes.com
cheapsscents.com
cheapstockers.com
cheapsummerdresser.com
cheaptents4sale.com
cheaptertextbooks.com
cheaptikesps.com
cheaptrainfairs.com
cheaptstickts.com
cheaptunictops.com
cheapuksupplement.com
cheapversaceclothes.com
cheapviagra4u.com
cliutterdiet.com
cocheaptickets.com
dailcheapreads.com
dcashstudious.com
debtinyou.com
diabetesdietsplans.com
dietaetreino.com
dietcetresults.com
dietcheff.com
dietdessertndgos.com
dietemaxbrasil.com
dietopan.com
discoveryremortgages.com
dmrbikescheap.com
ferrrycheap.com
financeblogspace.com
firstleasingcompanyofindia.com
firstresponcefinance.com
forexdirecotery.com
forexfacdary.com
foreximegadroid.com
forextrading2u.com
iitzcash.com
insanelycheapfights.com
insurancenbanking.com
inevenhotel.net
islamic-bank.us
italyonlinebet.com
m3motorsite.com



Out of the hundreds of domains known to have phoned back to the same IP in the past, the following are particularly interesting:
motors.shop.ebay.com-cars-trucks-9722711.1svvo.net
motors.shop.ebay.com-trucks-cars-922.1svvo.net
paupal.it
paypa.com.login.php.nahda-online.com
paypal-secure.bengalurban.com
paypal.com-cgi.bin-webscr.cmd.login.submit-dispatch.5885d80a.13c0db1f8.e263663.d3faee.38deaa3.e263663.login.submit.3.webrocha.com
paypal.com-cgi.bin-webscr.cmd.login.submit-dispatch.5885d80a.13c0db1f8.e263663.d3faee.38deaa3.e263663.login.submit.4.webrocha.com
paypal.com.update.service.cgi.bin.webscr.cmd.login-submit.modernstuf.com
paypal.com.update.service.cgi.bin.webscr.cmd.login.submit.modernstuf.com
paypal.com.us.cgi-bin.webscr-cmd.login-run.dispatch.5885d80a13c0db1f8e263663d3faee8d43b1bb6ca6ed6aee8d43b16cv27bc.

darealsmoothvee.com
paypal.it.bengalurban.com


Malicious MD5s known to have made HTTP (monetization) requests to the same IP (69.43.161.176):
MD5: 7fa7500cd90bd75ae52a47e5c18ba800
MD5: 84b28cf33dee08531a6ece603ca92451
MD5: f04ce06f5b1c89414cb1ff9219401a0e
MD5: b2019625e4fd41ca9d70b07f2038803e
MD5: 6cfb98ac63b37c20529c43923bcb257c
MD5: 04641dbafe3d12b00a6b0cd84fba557f
MD5: 02476b31f2cdc2b02b8ef1e0072d4eb2
MD5: 0d5a69fa766343f77630aa936bb64722
MD5: 57f7520b3958031336822926ed0d10b5
MD5: 00d08b163a86008cbe3349e4794ae3c0
MD5: 8dd2223da1ad1a555361c67794eb7e24
MD5: 737309010740c2c1fba3d989233c199c
MD5: eb3043e13dd8bb34a4a8b75612fe401e
MD5: eb4737492d9abcc4bd43b12305c4b2fc
MD5: 6257b9c3239db33a6c52a8ecb2135964
MD5: 481366b6e867af0d47a6642e07d61f10
MD5: d58b7158b3b1fb072098dba98dd82ed5
MD5: 9dd425b00b851f6c63ae069abbbec037
MD5: 6b0c07ce5ff1c3a47685f7be9793dce5
MD5: b2b5e82177a3beb917f9dd1a9a2cf91c
MD5: 05070da990475ac3e039783df4e503bc
MD5: c332dd499cdba9087d0c4632a76c59f0
MD5: 0768764fbbeb84daa5641f099159ee7f
MD5: 843b44c77e47680aa4b274eee1aad4e7
MD5: 36f92066703690df1c11570633c93e73
MD5: 0504b00c51b0d96afd3bea84a9a242a2
MD5: 8b0de5eabc27d37fa97d2b998ffd841a
MD5: 2944b1437d1e8825585eea3737216776
MD5: fa13c7049ae14be0cf2f651fb2fa74ba
MD5: ba5e47e0ed7b96a34b716caee0990ea3
MD5: e67e56643f73ed3f6027253d9b5bdfac
MD5: 8b0de5eabc27d37fa97d2b998ffd841a
MD5: 2944b1437d1e8825585eea3737216776
MD5: 0ab654850416e347468a02ca5a369382
MD5: 4e372e5d1e2bd3fa68b85f6d1f861087
MD5: 696a9b85230a315cfe393d9335cae770
MD5: 04343c3269c33a5613ac5860ddb2ab81
MD5: 384a496cd4c2bc1327c225e19edbee54
MD5: a44b2380cdac36f9dfb460f8fbff3714
MD5: 9e2a83adb079048d1c421afaf56a73a6
MD5: e377c7ad8ab55226e491d40bf914e749
MD5: 46c7c70e30495b4b60be1c58a4397320
MD5: 841890281b7216e8c8ea1953b255881e
MD5: 4392f490e6ee553ff7a7b3c4bd1dd13f
MD5: eeeda63bec6d2704cf6f77f2fb8431cd
MD5: b68e183884ce980e300c93dfa375bb1f
MD5: 7990fb5c676bbcd0a6168ea0f8a0c1d7
MD5: adc250439474d38212773e161dadd6b4
MD5: 075ae09c016df3c7eb3d402d96fc2528
MD5: d03b5bf4a905879d9b93b6e81fc1ca55
MD5: 00c62c8a9f2cf7140b67acec477e6a14
MD5: b228fae216a9564192fa2153ae911d54
MD5: 2f778fc3a22b7d5feb0a357c850bdd0d
MD5: 9080f3a0dfde30aa8afa64f7c3f5d79a
MD5: 526c1f10f94544344de12abec96cf96f
MD5: 4d8ddc8d5f6698a6690985ca86b3de00
MD5: 1a7bb0c9b79d1604b4de5b0015202d02
MD5: 528be69afad5a5e6beb7b40aeb656160
MD5: 1769f1b5beae58c09e5e1aac9249f5de
MD5: 6fb86421ea607ed6c912a3796739ce9b
MD5: 22e36b887946e457964a2a28a756a1cd
MD5: 31a7816a1458321736979e0cfdd3d20f
MD5: 113572249856fc5f2848d1add06dc758
MD5: a8a002732c5a4959afbf034d37992b5d
MD5: 413a9116362ab8fb9ba622cc98c788b1
MD5: 4abb29fe3ec3239d93f7adbc8cb70259
MD5: 989bea3435e5ac5b8951baa07d356526
MD5: 9a966076f114fbffc5cdbf5a90b3fd01
MD5: 14e64da2094ab1aae13d162107c504ec
MD5: 96bb6df37daef5b8de39ceae1e3a7396
MD5: d864369a0e8687ad3f89b693be84c8eb
MD5: 26b8b2c06e1604daee6bfe783a82479e
MD5: 63b922c94338862e7b9605546af2ef14
MD5: 19ba1497f088d850bd3902288bb3bd92
MD5: 96bb6df37daef5b8de39ceae1e3a7396
MD5: d864369a0e8687ad3f89b693be84c8eb
MD5: 26b8b2c06e1604daee6bfe783a82479e


Malicious MD5s known to have made HTTP (monetization) requests to the same IP (208.73.211.152):
MD5: db0aac72ed6d56497e494418132d7a41
MD5: aa47bd20f8a00e354633d930a3ebcb19
MD5: a957e914f697639df7dfb8483a88483b
MD5: a0b7b01a0574106317527e436e515fd3
MD5: 3d0d834fe7ca583ca6ed056392f4413d
MD5: fa342104b329978cba33639311afe446
MD5: f3b3e8b98bdfb6673da6d39847aec1b3
MD5: 3ef52b2fd086094b591eb01bc32947c8
MD5: 128e70484a9f19ab9096fb9b1969bf89
MD5: ee7dc2d2c7d33855b4dd86ae6243ad22
MD5: 6fc317b6f66d73903ffe8d12df72e5f7
MD5: 3800a4a6d6620aa15db7ea717b4d10f5
MD5: 830bbfcaa499de30ab08a510ce4cbba2
MD5: 085afd7f26f388bd62bc53ed430fbbc6
MD5: 3035e120ce08f1824817e0d6eaecc806
MD5: d4db511618c52272e58f4c334414ed6e
MD5: dc4ab086d50dcdcd5ae060acfe9bddca
MD5: c2bc9e266857537699fd10142658bf31
MD5: 9e6ab643d34a6c37b6150aeb8a2e5adb
MD5: b6bb96470ef67c26c0a0e8a4d145c169
MD5: f5aa326e0b5322d7ac47a379e1e1c1f8
MD5: dc0f5c01d8deaabe9d57d31f9daf50b9
MD5: 4a42c42e7acd9ff32ebb18efc2d5b801
MD5: a254b2824867e05d52c60e0464121588
MD5: 7e612f7ac81ccddb368d3c9e47c9942a
MD5: 66cec28f23b692ff2019c70a76894c41


This case is a great example of one of the core practices when profiling cybercrime incidents and campaigns -> sample everything, as what you're originally seeing is just the tip of the iceberg.

Related posts:
Click Fraud, Botnets and Parked Domains - All Inclusive
A Commercial Click Fraud Tool

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.