From the automatically registered bogus LinkedIn profiles promoting pharmaceuticals campaign in February, to January's malware campaign redirecting to malware Zlob variants and rogue security software, the malware gang behind both of these campaigns is once again showcasing its persistence.
It gets even more interesting when a direct connection between January's, this very latest campaign, and the most recent massive comment-spam attack at Digg.com, is established since the very same malware domains are participating in all of the campaigns (e.g funkytube .net)
Bogus LinkedIn profiles for March:
linkedin .com/in/keeleyhazellsextape
linkedin .com/in/minimesextape
linkedin .com/in/lindsaylohansextape1
linkedin .com/in/vernetroyersextape
linkedin.com/in/freejennifertoasteetoofsex
linkedin .com/in/parishiltonsextapeq
linkedin .com/in/britneyspearssextapeq
linkedin .com/in/carmenelectra
linkedin .com/in/halleberrysexscene
linkedin .com/pub/dir/tila tequila/sex
linkedin .com/in/carmenelectrasex1
linkedin .com/in/carmenelectrasexscene1
linkedin .com/pub/dir/jennifer%20aniston/sex%20scene
linkedin .com/in/lindsaylohansex1
linkedin.com/in/olsentwinsnude
linkedin.com/in/keiraknightleynude
linkedin.com/in/christinaaguileradirrty1
linkedin.com/pub/dir/emma watson/wearing
linkedin.com/in/trishstratusnude
linkedin.com/pub/dir/ellen degeneres/gay
linkedin.com/in/angelinajolienaked1
linkedin.com/in/carmenelectranaked1
linkedin.com/pub/dir/tila tequila/porn
linkedin.com/pub/dir/emma watson/porn
linkedin.com/pub/dir/disney's raven/symone nude
linkedin .com/pub/dir/olsen twins/camel toe
linkedin .com/in/aliciamachadodesnuda
linkedin .com/pub/dir/leighton meester/nude
linkedin .com/in/katehudsonnude
linkedin .com/in/jenniferanistonbangs1
linkedin .com/in/hilaryduffnude2
linkedin .com/in/adriennebailonnaked
linkedin .com/in/jennifermorrisonnude1
linkedin .com/in/jenniferlopezdesnuda
linkedin .com/in/jennifergarnernude1
linkedin .com/in/aishwaryaraiwearingnothing
linkedin .com/in/isprinceharrygay
linkedin .com/in/vanessahudgensnude
linkedin .com/in/mariahcareynude1
linkedin .com/pub/dir/olsen twins/nudity
linkedin .com/pub/dir/denise richards/naked
linkedin .com/pub/dir/kate mara/naked
linkedin .com/in/carmencocks1
linkedin .com/in/ravensymonebreast
linkedin .com/in/adriennebailonnudephotos
linkedin .com/pub/dir/shakira/nude
linkedin .com/in/jenniferanistonnude
linkedin .com/in/emmawatsonkissingsomeone
Using a celebrities theme, all of these bogus accounts are linking to the same malware serving domains. The following central redirectors :
oymomahon .com/fathulla/11.html
oymomahon .com/mirolim-video/3.html
oymomahon .com/paqi-video/28.html
muse.100-celebrities .com/paqi-video/1.html
nahyu .org/xxxx/
1k .pl/nufexz
are then redirecting to another set of fake codec domains :
xretrotube .com
globextubes .com
globalstube2009 .com
globerstube .com
spywareremover21 .com
antispyscanner13 .com
privacyscanner15 .com
easywinscanner17 .com
systemscanner19 .com
sgviralscan .com
to ultimately direct the visitor to the actual binaries:
nahyu .org/xxx/video/teens_fuck_orgy11.mpeg.exe - detection rate
loyaldown99 .com/codec/186.exe - detection rate
kol-development .com/viewtubesoftware.40012.exe - detection rate
Despite the fact that real-time/event-based blackhat search engine optimization is gaining popularity these days, blackhat SEO in its very nature relies on huge bogsus content farms, using a diverse theme-based set of content, usually generated in an automated fashion. Real-time blackhat SEO or standard volume-based blackhat SEO as a tactic of choice? Does it really matter given that from the perspective of tactical warfare, combining well proven tactics results in high click-through/infection rates for the campaigns in question.
Related posts:
Blackhat SEO Redirects to Malware and Rogue Software
The Invisible Blackhat SEO Campaign
Attack of the SEO Bots on the .EDU Domain
p0rn.gov - The Ongoing Blackhat SEO Operation
The Continuing .Gov Blackat SEO Campaign
The Continuing .Gov Blackhat SEO Campaign - Part Two
Rogue RBN Software Pushed Through Blackhat SEO
Massive Blackhat SEO Targeting Blogspot
Blackhat SEO Campaign at The Millennium Challenge Corporation
Fake Porn Sites Serving Malware
Fake Porn Sites Serving Malware - Part Two
Fake Celebrity Video Sites Serving Malware
Fake Celebrity Video Sites Serving Malware - Part Two
Fake Celebrity Video Sites Serving Malware - Part Three
The Template-ization of Malware Serving Sites
The Template-ization of Malware Serving Sites - Part Two
A Portfolio of Fake Video Codecs
Independent Contractor. Bitcoin: 15Zvie1j8CjSR52doVSZSjctCDSx3pDjKZ Email: dancho.danchev@hush.com OMEMO: ddanchev@conversations.im | OTR: danchodanchev@xmpp.jp | TOX ID: 2E6FCA35A18AA76B2CCE33B55404A796F077CADA56F38922A1988AA381AE617A15D3D3E3E6F1
Wednesday, April 01, 2009
Bogus LinkedIn Profiles Redirect to Malware and Rogue Security Software
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment