Wish it was the average .cn domain I'm referring to, in this case it's the web sites of three U.S towns, namely the City of Chetek, Winsonsin, the City of Somerset, Texas and Town of Norwood, Massachusetts, who are the latest victims of embedded malware and blackhat SEO injected within their juicy from a blackhat SEO perspective .gov tld extensions.Apparently, malicious parties managed to compromise City of Chetek's official site and created several subdomains with URLs consisting of spam redirecting to the downloader's page :
st-3.x.cityofchetek-wi.gov/porn/st3/502.htmlst-3.x.cityofchetek-wi.gov/porn/st3/537.html
st-2.x.cityofchetek-wi.gov/porn/st2/322.html
2k.x.cityofchetek-wi.gov/porn/2k-003/1618.html
st-2.x.cityofchetek-wi.gov/porn/st2/409.html
The following URLs redirect to the downloader : freeclipoftheday.com/movie1.php?id=4154&n=teens&border=FFFFFF&bgcolor=000000
Detection rate : Result: 9/32 (28.13%)
File size: 75771 bytes
MD5: a74b09c7e6ca828ec0382c4f4f234bac
SHA1: 2861a4215dd2a579afe1e30372e05d2ea00223f2
City of Somerset, Texas official site is also embedded with the same blackhat SEO content structure, which leads me to the conclusion that these two are related :2k.x.somersettx.gov/porn/2k-004/156.html
2k.x.somersettx.gov/porn/2k-004/313.html
2k.x.somersettx.gov/porn/2k-004/829.html
2k.x.somersettx.gov/porn/2k-004/830.html
st-5.x.somersettx.gov/porn/st5/103.html
Town of Norwood, Massachusetts :sql.norwood-ma.gov/libraries/transformations/.dir/132/valium-cost.html
ldap.norwood-ma.gov/htdocs/js/.dir/12/valium-online-order.html
Several more high profile sites hosting such scams I came across to yesterday are NASA's Worldwind, and the State of New Jersey that used to historically host such pages :
issues.worldwind.arc.nasa.gov/secure/attachment/10781/Buy-Valium.html
issues.worldwind.arc.nasa.gov/secure/attachment/10800/Valium.html
issues.worldwind.arc.nasa.gov/secure/attachment/10791/Panasonic-Ringtone.html
nj.gov/education/voc/9/2007/
nj.gov/education/voc/9/2007/viagra/viagra-online.html
nj.gov/education/voc/9/2007/zoloft/buy-zoloft-online.html
nj.gov/education/voc/9/2007/tramadol/discount-tramadol.html
Several more high profile sites hosting such scams I came across to yesterday are NASA's Worldwind, and the State of New Jersey that used to historically host such pages :
issues.worldwind.arc.nasa.gov/secure/attachment/10781/Buy-Valium.html
issues.worldwind.arc.nasa.gov/secure/attachment/10800/Valium.html
issues.worldwind.arc.nasa.gov/secure/attachment/10791/Panasonic-Ringtone.html
nj.gov/education/voc/9/2007/
nj.gov/education/voc/9/2007/viagra/viagra-online.html
nj.gov/education/voc/9/2007/zoloft/buy-zoloft-online.html
nj.gov/education/voc/9/2007/tramadol/discount-tramadol.html
Moreover, during the last week, another pack of sites were also reported to serve malware, spam, and blackhat SEO pages on their servers :
Just yesterday for instance, F-Secure discovered a phishing page hosted at India's Police Academy site, and
Sunbelt pointed out that Beer.ch got IFRAME-ed with the following URLs belonging to the Russian Business Network who also IFRAME-ed Bank of India once :
81.95.149.74/1/index.php
81.95.149.74/22/index.php
How is all this happening? In both, automated, and sometimes targeted way, where automated stands for remote file inclusion through botnets.
I sure know all the pharmaceutical blockbusters now.
Related posts:
Bank of India Serving Malware
U.S Consulate in St.Petersburg Serving Malware
Syrian Embassy in London Serving Malware
CISRT Serving Malware
No comments:
Post a Comment