Monday, February 18, 2008

The Continuing .Gov Blackhat SEO Campaign

Just like in the previous case of SEO content injected into .gov domains, once the pages are up and running they get actively advertised across the Web, again automatically. While bridger-mt.gov resolves to 72.22.69.184, the subdomain freeporn.eee.bridger-mt.gov points to a different netblock, in this case 66.49.238.80; exactly the same approach was used in a previous such assessment, which was however serving malware to its visitors. Here are some of the very latest such examples, listed by directory:

- Cobb County Government - cobbcountyga.gov/css - over 2,240 pages
- Benton Franklin Health District - bfhd.wa.gov/search/templates/dark/.thumbs - 1,200 pages
- Bridger, Montana - freeporn.eee.bridger-mt.gov - 778 pages
- Mid-Region Council of Governments - mrcog-nm.gov/includes/phpmailer/language - 336 pages
- Michigan Senate - senate.michigan.gov/FindYourSenator/top - 26 pages
- Nevada City, California - nevadacityca.gov/postcards - 13 pages
- Brookhaven National Laboratory - pvd.chm.bnl.gov/twiki/pub/Trash/OnlinePharmacy - 12 pages
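A defender triaging a list like the one above wants two checks automated: does a subdomain resolve outside the netblock its parent domain lives in (the bridger-mt.gov pattern), and does the hostname or directory carry the keywords and hidden-directory markers typical of injected SEO pages. The following Python is an added example written for this post, not a tool from the original; the bridger-mt.gov addresses are the ones quoted above, while the other IPs, the /24 netblock heuristic and the keyword list are constructed assumptions.

```python
import ipaddress

# Constructed inventory of (hostname, resolved IP, path, page count).  The two
# bridger-mt.gov addresses are the ones quoted in the post; every other IP is
# an illustrative TEST-NET value, not an observed resolution result.
INVENTORY = [
    ("bridger-mt.gov", "72.22.69.184", "/", 1),
    ("freeporn.eee.bridger-mt.gov", "66.49.238.80", "/", 778),
    ("www.bridger-mt.gov", "72.22.69.190", "/", 40),
    ("pvd.chm.bnl.gov", "192.0.2.10", "/twiki/pub/Trash/OnlinePharmacy", 12),
    ("bfhd.wa.gov", "198.51.100.7", "/search/templates/dark/.thumbs", 1200),
    ("cobbcountyga.gov", "203.0.113.5", "/about", 30),
]

# Assumed heuristics: a subdomain is suspicious when it resolves outside the
# registrable parent's /24, or when its hostname or path carries a keyword or
# directory marker typical of injected SEO content.
SEO_KEYWORDS = ("porn", "pharmacy", "pharma", "viagra", "cialis")
HIDDEN_DIR_MARKERS = (".thumbs", "/Trash/")


def registrable_parent(host):
    """'freeporn.eee.bridger-mt.gov' -> 'bridger-mt.gov'.
    Assumes two-label registrable names, which holds for .gov."""
    return ".".join(host.split(".")[-2:])


def off_netblock(host, ip, inventory, prefix=24):
    """True when a subdomain resolves outside its parent's /prefix block."""
    parent = registrable_parent(host)
    if parent == host:
        return False
    parent_ips = [ipaddress.ip_address(i) for h, i, _, _ in inventory if h == parent]
    if not parent_ips:
        return False  # parent not in inventory: cannot judge
    net = ipaddress.ip_network(f"{parent_ips[0]}/{prefix}", strict=False)
    return ipaddress.ip_address(ip) not in net


def keyword_hits(host, path):
    text = (host + path).lower()
    return [k for k in SEO_KEYWORDS if k in text]


def hidden_dir(path):
    return any(m.lower() in path.lower() for m in HIDDEN_DIR_MARKERS)


def triage(inventory):
    """Map 'host/path' -> list of reasons for every entry worth a closer look."""
    findings = {}
    for host, ip, path, pages in inventory:
        reasons = []
        if off_netblock(host, ip, inventory):
            reasons.append("subdomain resolves outside parent /24")
        hits = keyword_hits(host, path)
        if hits:
            reasons.append("seo keyword: " + ",".join(hits))
        if hidden_dir(path):
            reasons.append(f"{pages} pages under a hidden or writable directory")
        if reasons:
            findings[host + path] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in triage(INVENTORY).items():
        print(key, "->", "; ".join(reasons))
```

The netblock comparison only tells you that a subdomain lives elsewhere; the keyword and directory checks are what separate a legitimately outsourced host from a spammer's DNS entry, so each finding lists every reason rather than stopping at the first.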

Who's behind all of these? Checking the outgoing links and verifying the forums where the advertisements got posted could prove informative. For instance, topsfield-ma.gov/warrant, where a single blackhat SEO page was located, seems to have been hacked by a Turkish defacement group who left the following: "RapciSeLo WaS HeRe !!! OwNz You - For AvciHack.CoM", with greets given to "J0k3R inf3RNo ByMs-Dos FuriOuS SSeS UmuT SerSeriiii Ov3R YstanBLue DeHS@ CMD 3RR0R SaNaLBeLa Keyser-SoZe GoLg3 J0k3ReM JackalTR Albay ParS MicroP"

Geolocating Malicious ISPs

Here are some of the ISPs knowingly or unknowingly providing infrastructure to the RBN and to the New Media Malware Gang, either a customer of the RBN or the RBN's actual operational department. To clarify further, these are what can be defined as malicious ecosystems that interact with each other quite often.

- Ukrtelegroup Ltd
85.255.112.0 - 85.255.127.255
UkrTeleGroup Ltd.
Mechnikova 58/5
65029 Odessa
UKRAINE
phone: +380487311011
fax-no: +380487502499

- Turkey Abdallah Internet Hizmetleri
TurkTelekom
88.255.0.0/16 - 88.255.0.0/17

- Hong Kong Hostfresh
58.65.232.0 - 58.65.239.255
Hong Kong Hostfresh
No. 500, Post Office,
Tuen Mun, N.T,
Hong Kong
phone: +852-35979788
fax-no: +852-24522539

These are not just some of the major malware hosting and C&C providers; their infrastructure also appears in each and every high-profile malware embedded attack assessment that I conduct. And since all of these are malicious, the question is which one is the most malicious? Let's say certain netblocks at TurkTelecom are competing with certain netblocks at UkrTeleGroup Ltd; however, the emphasis shouldn't be on the volume of malicious activities, but mostly on those related to the RBN and to the majority of high-profile malware embedded attacks during 2007 and early 2008.
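The practical use of a listing like this is to turn the netblocks into something a log pipeline can match against. The Python below is an added example, not code from the post: it expands the "start - end" and CIDR notations quoted above into networks, attributes any IP in a log line to the listed operator, and runs over a few constructed web-server log lines (the traffic is invented; only the netblocks come from the post, and the 88.255.0.0/16 entry is taken at the /16 given there).

```python
import ipaddress
import re

# Netblocks as quoted in the post, keyed by operator.  Both the "start - end"
# and the CIDR notation appear there, so to_networks() accepts both.
KNOWN_BAD = {
    "UkrTeleGroup Ltd": ["85.255.112.0 - 85.255.127.255"],
    "TurkTelekom (Abdallah Internet Hizmetleri)": ["88.255.0.0/16"],
    "Hong Kong Hostfresh": ["58.65.232.0 - 58.65.239.255"],
}


def to_networks(spec):
    """Expand one range or CIDR string into a list of ip_network objects."""
    if "-" in spec:
        start, end = (ipaddress.ip_address(s.strip()) for s in spec.split("-"))
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(spec.strip(), strict=False)]


def build_index(table):
    """Flatten the operator table into (operator, network) pairs."""
    return [(name, net)
            for name, specs in table.items()
            for spec in specs
            for net in to_networks(spec)]


INDEX = build_index(KNOWN_BAD)


def attribute(ip, index=INDEX):
    """Return the operator owning the block that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in index:
        if addr in net:
            return name
    return None


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed log lines (not real traffic); the addresses were chosen to fall
# inside or outside the blocks above, the request paths are placeholders.
SAMPLE_LOG = """\
203.0.113.9 - - [18/Feb/2008:10:00:01 +0000] "GET / HTTP/1.1" 200 512
85.255.115.20 - - [18/Feb/2008:10:00:02 +0000] "GET /index.php?ref=x HTTP/1.1" 200 2048
88.255.33.1 - - [18/Feb/2008:10:00:03 +0000] "GET /counter.js HTTP/1.1" 200 128
58.65.235.7 - - [18/Feb/2008:10:00:04 +0000] "POST /upload HTTP/1.1" 403 0
"""


def scan_log(text, index=INDEX):
    """Yield (line number, ip, operator) for every IP inside a listed block."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for ip in IP_RE.findall(line):
            owner = attribute(ip, index)
            if owner:
                hits.append((lineno, ip, owner))
    return hits


if __name__ == "__main__":
    for net_name, net in INDEX:
        print(f"{net_name}: {net}")
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Keeping the operator name next to each network is what makes the output useful: a hit tells the analyst which of the ecosystems above the address belongs to, which matters more than the raw count of matches, as the paragraph above argues.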

Massive Blackhat SEO Targeting Blogspot

With Blogspot's fancy PageRank and Google's recent introduction of real-time indexing of blogs hosted on the service, the interest of blackhat SEO-ers in efficiently registering blogs and posting junk content, with the idea of monetizing the traffic that comes from the process, seems to keep evolving. In this specific case we have firesearch.sc (64.111.196.120; 64.111.197.88), a blackhat SEO link farm visualized in the attached screenshot, and several thousand automatically registered Blogspot accounts feeding the search queries that led visitors to them directly into firesearch.sc. What's also worth mentioning about this campaign is that firesearch.sc's JavaScript search field appears at the top of every blog, while the blog's content itself consists of outgoing links to nearly fifty other such automatically registered blogs, which again redirect the search queries to firesearch.sc; the advertisements get served from 64.111.196.117/c.php

Sample blogs :

tilas--paralyze--video.blogspot.com
parentdirectoryofnokia19942.blogspot.com
imelodyalesana.blogspot.com
iberryblack8320.blogspot.com
ku990downloadwallpaper.blogspot.com
blackberrypearl8100fre62265.blogspot.com
motorolarazrv3amdriver90079.blogspot.com
downloadcredmakerforf64090.blogspot.com
smsmarathi.blogspot.com
pradaphonethemes.blogspot.com

With a basic sample of ten such blogs, the entire operation could be tracked down and removed from Google's index. And while firesearch.sc pitches itself as a "search engine that you can trust", it looks like it's not only generating revenues for the people behind the operation, but also acting as a keyword popularity black hole.

Related posts:
The Invisible Blackhat SEO Campaign
Attack of the SEO Bots on the .EDU Domain
Malicious Keywords Advertising
Visualizing a SEO Links Farm
Spammers and Phishers Breaking CAPTCHAs
But of Course It's a Pleasant Transaction
Vladuz's EBay CAPTCHA Populator
The Blogosphere and Splogs
p0rn.gov - The Ongoing Blackhat SEO Operation

Malware Embedded Link at Pod-Planet

The "World's largest Podcast Directory" is currently embedded with a malicious link, although thankfully the campaign is already in an undercover phase and stopped responding over the weekend. The embedded link points to ame8.com/a.js (222.73.254.56), which then loads ame8.com/app/helptop.do; once deobfuscated, it attempts to load ame8.com/app/cc.do as well as 51.la/?1587102, acting as the counter for the campaign. In case you remember, the web counter services offered by 51.la were also used in the malware embedded attack at the Chinese Internet Security Response Team. And with ame8.com hosted in China, someone's either engineering a situation where we're supposed to believe Chinese malicious parties are behind it, thereby taking advantage of the media buzz, or it's Chinese attackers for real. For this particular case however, I'd go for the second scenario.
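Both the Blogspot link farm above and this Pod-Planet case come down to the same extraction problem: which off-site script hosts does a page embed, and which other pages does it link to. The Python below is an added example for both passages, not code from the post or from either site. It collects script sources and anchor targets from sample pages, clusters pages by the external script host they share (the way a sample of ten blogs exposes the whole firesearch.sc farm) and lists a page's off-site scripts (the way the ame8.com reference stands out on a podcast directory). The blog hostnames, firesearch.sc and ame8.com/a.js come from the post; the markup, the firesearch.sc script path and the example-podcasts.test hostname are constructed.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse


class RefCollector(HTMLParser):
    """Collect script src values and anchor hrefs from one HTML document."""

    def __init__(self):
        super().__init__()
        self.scripts, self.links = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def external_refs(page_host, html):
    """Return (off-site script hosts, off-site link hosts), both sorted and
    de-duplicated; same-host and relative references are dropped."""
    p = RefCollector()
    p.feed(html)
    scripts = sorted({host_of(s) for s in p.scripts if host_of(s) and host_of(s) != page_host})
    links = sorted({host_of(l) for l in p.links if host_of(l) and host_of(l) != page_host})
    return scripts, links


def cluster_by_script_host(pages):
    """Group page hosts by the off-site script hosts they embed."""
    clusters = defaultdict(set)
    for page_host, html in pages.items():
        scripts, _ = external_refs(page_host, html)
        for s in scripts:
            clusters[s].add(page_host)
    return clusters


def farm_edges(pages):
    """Directed edges between sample pages that link to one another."""
    edges = set()
    for page_host, html in pages.items():
        _, links = external_refs(page_host, html)
        edges.update((page_host, l) for l in links if l in pages)
    return edges


# Constructed sample pages, keyed by hostname.  Markup is invented; the blog
# hostnames, firesearch.sc and ame8.com/a.js are the ones the post names, the
# firesearch.sc script path and example-podcasts.test are placeholders.
PAGES = {
    "smsmarathi.blogspot.com": """<html><body>
      <script src="http://firesearch.sc/search.js"></script>
      <a href="http://pradaphonethemes.blogspot.com/">themes</a>
      <a href="http://imelodyalesana.blogspot.com/">melody</a></body></html>""",
    "pradaphonethemes.blogspot.com": """<html><body>
      <script src="http://firesearch.sc/search.js"></script>
      <a href="http://smsmarathi.blogspot.com/">sms</a></body></html>""",
    "imelodyalesana.blogspot.com": """<html><body>
      <script src="http://firesearch.sc/search.js"></script>
      <a href="http://smsmarathi.blogspot.com/">sms</a></body></html>""",
    "example-podcasts.test": """<html><body>
      <script src="/local.js"></script>
      <script src="http://ame8.com/a.js"></script>
      <a href="http://example-podcasts.test/feeds">feeds</a></body></html>""",
}


if __name__ == "__main__":
    for script_host, members in cluster_by_script_host(PAGES).items():
        print(script_host, "->", sorted(members))
    print(sorted(farm_edges(PAGES)))
```

Clustering on the shared script host is the cheap pivot: every blog in the farm carries the same search widget, so one external host ties the whole sample together even before the link graph is drawn, and the same extraction flags a single unexpected script host on an otherwise ordinary directory page.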