Compared to a previous example of an over-performing image spammer, whose efforts to bypass spam filters make it virtually impossible for anyone to actually fall victim to the pharmaceutical scam, this example of image spam has something very interesting going on: a spamming host that generates a fresh subdomain and runs a proxy server on it every time the central campaign URL is refreshed via an obfuscated piece of JavaScript.
meds247.org (216.55.70.170) is the public face of abetterlevel.org (221.130.192.17), and here are examples of the "one-time-scams-in-everything" style subdomains:
cpv9c5pt.abetterlevel.org:8080/cg/viagra.php
ccj70tjcm.abetterlevel.org:8088/cg/viagra.php
fdbtpju.abetterlevel.org:8080/cg/viagra.php
b80cpno.abetterlevel.org:8088/cg/viagra.php
ffh3rj8zn.abetterlevel.org:8088/cg/viagra.php
Once accessed, the subdomains either stop responding a few minutes later or start listening on the second port instead. Moreover, all the subdomains generated under abetterlevel.org resolve to radius.tercernivel.com (200.57.39.20), an indication of an ecosystem operating across three different networks.
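A small triage script for this kind of infrastructure, added here as an example and not part of the original post: it parses the quoted landing URLs, groups hosts by apex domain, records which ports and paths recur, flags subdomain labels that look machine-generated (mixed digits and letters, or almost no vowels), and pivots on resolved IPs to surface the shared back-end. The URL list and the resolution map are constructed from the hosts and addresses named in the post; the "looks generated" thresholds and the naive two-label apex split are assumptions for illustration (a real deployment would use the Public Suffix List and live DNS data).

```python
import math
from collections import defaultdict
from urllib.parse import urlsplit

# Sample input constructed from the hosts quoted in the post; a scheme is
# prepended so urlsplit() can parse host, port and path.
SAMPLE_URLS = [
    "http://cpv9c5pt.abetterlevel.org:8080/cg/viagra.php",
    "http://ccj70tjcm.abetterlevel.org:8088/cg/viagra.php",
    "http://fdbtpju.abetterlevel.org:8080/cg/viagra.php",
    "http://b80cpno.abetterlevel.org:8088/cg/viagra.php",
    "http://ffh3rj8zn.abetterlevel.org:8088/cg/viagra.php",
]

# Resolution results as stated in the post (a constructed map, not a live lookup).
SAMPLE_RESOLUTIONS = {
    "cpv9c5pt.abetterlevel.org": "200.57.39.20",
    "ccj70tjcm.abetterlevel.org": "200.57.39.20",
    "fdbtpju.abetterlevel.org": "200.57.39.20",
    "b80cpno.abetterlevel.org": "200.57.39.20",
    "ffh3rj8zn.abetterlevel.org": "200.57.39.20",
    "meds247.org": "216.55.70.170",
    "abetterlevel.org": "221.130.192.17",
}


def split_host(url):
    """Return (subdomain_label, apex_domain, port, path) for a URL.

    Assumption: the apex is the last two labels. Use the Public Suffix List
    for real data (co.uk-style suffixes break this shortcut).
    """
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    labels = host.split(".")
    apex = ".".join(labels[-2:])
    sub = ".".join(labels[:-2])
    return sub, apex, p.port, p.path


def looks_generated(label, min_len=6, max_vowel_ratio=0.2):
    """Heuristic for machine-generated labels (thresholds are assumptions).

    Flags labels that mix digits with letters, or that are long enough to be
    a word but contain almost no vowels, which is what the quoted subdomains
    look like.
    """
    if len(label) < min_len:
        return False
    has_digit = any(c.isdigit() for c in label)
    has_alpha = any(c.isalpha() for c in label)
    vowels = sum(c in "aeiou" for c in label)
    return (has_digit and has_alpha) or vowels / len(label) <= max_vowel_ratio


def triage(urls):
    """Group URLs by apex domain and collect ports, paths and suspicious labels."""
    report = defaultdict(lambda: {"hosts": [], "ports": set(), "paths": set(),
                                  "generated_labels": []})
    for url in urls:
        sub, apex, port, path = split_host(url)
        entry = report[apex]
        entry["hosts"].append(f"{sub}.{apex}" if sub else apex)
        entry["ports"].add(port)
        entry["paths"].add(path)
        if looks_generated(sub):
            entry["generated_labels"].append(sub)
    return dict(report)


def cluster_by_ip(resolutions):
    """Invert a host->IP map so hosts sharing a back-end address land together."""
    clusters = defaultdict(list)
    for host, ip in resolutions.items():
        clusters[ip].append(host)
    return {ip: sorted(hosts) for ip, hosts in clusters.items()}


if __name__ == "__main__":
    for apex, entry in triage(SAMPLE_URLS).items():
        print(apex, "ports:", sorted(entry["ports"]), "paths:", sorted(entry["paths"]))
        print("  generated-looking labels:", entry["generated_labels"])
    for ip, hosts in cluster_by_ip(SAMPLE_RESOLUTIONS).items():
        print(ip, "<-", ", ".join(hosts))
```

The useful output for a blocklist is the apex domain plus the shared back-end IP, not the individual throwaway subdomains: the post describes them dying or switching ports within minutes, so the stable pivots are the apex, the recurring path and the single address all of them resolve to.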