UPDATE: Less than half an hour after notification, Twitter and LinkedIn had already removed the bogus accounts.
UPDATE2: Forty-five minutes later, Scribd removed the bogus accounts as well.
As usual, persistence must be met with persistence. A single blackhat SEO group -- if well analyzed and monitored -- has the potential to provide insight into some of the current monetization tactics which cybercriminals use, as well as to directly demonstrate the (automated) impact they have across different Web 2.0 services.
What is my "fan club" up to anyway? Covering up their weekend's Twitter campaign, which was serving scareware, by using a new template, and once again diversifying - this time by managing a campaign of bogus LinkedIn accounts, another one on Scribd, and yet another currently active one on Twitter, all while increasing the size of their blackhat SEO farm at is-the-boss.com.
Moreover, for the first time ever, the group is starting to serve live exploits based on a bit.ly URL shortening service referrer, like the ones used in the latest Twitter campaign. The arbitrary file download via Microsoft Data Access Components (MDAC) exploits is used to ultimately drop a new Koobface variant, making this the second time the group is pushing Koobface variants beyond Facebook.

Let's summarize their activities during the past six days starting with the weekend's campaign across Twitter.
Upon clicking on the TinyURL, the user is redirected through their well known 66.199.229 .253/etds traffic management location (66.199.229 .253/etds/go.php?sid=41; 66.199.229 .253/etds/got.php?sid=41; 66.199.229 .253/etds/go.php?sid=43; 66.199.229 .253/etds/got.php?sid=43), to end up at the scareware domain av4best .net (64.86.17.47), where a new template is served (FakeAlert-EA).

Parked on the same IP are also well known scareware domains from their previous campaigns, namely fast-antivirus .com and viruscatcher .net. The scareware message used in the new template takes you back to the good old MS-DOS days:
"A problem has been detected and windows has been shut down to prevent damage to your computer.
Initialization_failed C:\WINDOWS\system32\himem.sys
If this is the first time you've seen this Stop error screen, restart the computer. If this screen appears again, read information below: The reason why this might happen is the newest malicious software which blocks access to the system libraries. Check to make sure any new antivirus software is properly installed. We suggest you to download and install antivirus, new up-to-date software which specializes on detection and removal of malicious and suspicious software."
The messages used in the weekend's Twitter campaign, as well as a graph of the peaks and dips for a particular keyword:

"Competitions video; What do you think about video; I know why Percent Of Accounts; Between food and gay; movie Trailler!; Sun eclipce free; Air France extreem; Tetris long and sweet; Take sex under control; alcohol long and sweet; Between food and SATs; What do you think about Autotune; Gotcha!, Palm Pre!; Goodnight high in the sky; What do you think about Hangover; Death of Autotune crack addict; Amazing. movie from MSFT; Amazing. Air France from MSFT; Sims 3, It's Cool!; video, It's Cool!; Manage Air France; Amazing. porn from MSFT; alcohol unbroken; Them girls Honduras; Between food and phish; Between food and Detroit; Tetris high in the sky; I know why iPhone; Futurama unbroken; Balls to the Woman Who Missed Air; alcohol high in the sky; follow the video"
Sample (now suspended) automatically registered accounts used in the weekend's campaign:
Besides the TinyURL links used, they've also returned to temporarily using their original .us domains, such as
twitter .8w8.us - 82.146.51.126 - Email: ambersurman@gmail.com; 5us .us - 82.146.51.25 - Email: elchip0707@mail.ru; and girlstubes .cn - 82.146.52.158 - Email: alexvasiliev1987@cocainmail.com, with Alex Vasiliev's emails first noticed in the Diverse Portfolio of Fake Security Software - Part Nine and again in Part Twenty.

Now it's time to assess their currently active campaigns across Twitter, LinkedIn and Scribd, and connect the dots through the single URL acting as a counter across all the campaigns - counteringate .com (194.165.4.77), which has already been profiled in their original massive blackhat SEO campaign and still remains active.

The automatically registered and currently active Twitter accounts participating in the campaign are as follows; it's also worth pointing out that, compared to their previous campaigns, this time they've added relevant backgrounds and avatars to the Twitter accounts:
Upon clicking on bit .ly/Je2Sd, the user is redirected to oymomahon .com/mirolim-video/3.html (216.32.86.106; Email: StaceyGuerreroSF@gmail.com), which redirects to myhealtharea .cn/in.cgi?13 and then to oymoma-tube .freehostia.com/x-tube.htm, where the fake codec/scareware is served, downloaded from totalsitesarchive .com/error.php?id=62 (Trojan.Win32.FakeAV.nz). Once executed, it phones back to bestyourtrust .com/in.php?url=5&affid=00262 (209.44.126.241); parked at the same IP are also the following scareware domains:
The second bit .ly/1a5ZsY link used in the Twitter campaign redirects to showmealltube .com/paqi-video/7.html (64.92.170.135; Email: zbestgotterflythe@gmail.com). From there, the redirector myhealtharea .cn/in.cgi?12 (216.32.83.110; zbest2008@mail.ru) again loads oymoma-tube.freehostia .com/tube.htm and, most importantly, the counter counteringate .com/count.php?id=186, which is using an IP known from their previous campaign (194.165.4.77).

Time to move on to the LinkedIn campaign, and establish a direct connection with the Twitter one, both maintained by the same group of cybercriminals.
Currently active and participating LinkedIn accounts:
The LinkedIn campaign links to delshikandco .com, from where the user is redirected to the same domains used in the Twitter campaign, sharing the same celebrity theme: delshikandco .com/mirolim-video/3.html/ and delshikandco .com/paqi-video/1.html (216.32.83.104) lead to myhealtharea .cn/in.cgi?12, to finally serve the codec at ymoma-tube.freehostia.com/xxxtube.htm or at tubes-portal.com/xplaymovie.php?id=40012 (216.240.143.7), another IP that has already been profiled as part of their previous campaigns.
Yet another nude-themed campaign is operated by the same group at Scribd, linking to the already profiled delshikandco .com, used in both the Twitter and LinkedIn campaigns.

Currently active and participating Scribd accounts:
Now that all the campaigns are exposed in the naked fashion of their themes, it's worth emphasizing the live exploits serving Koobface samples based on a bit.ly referrer. In this case the process takes place through
myhealtharea .cn/in.cgi?13, which, instead of redirecting to the scareware domain analyzed above, redirects to a fast-fluxed set of IPs serving an identical Koobface binary: myhealtharea .cn/in.cgi?13 loads r-cg100609 .com/go/?pid=30455&type=videxp (92.38.0.69), which redirects to the live exploits/Koobface.
Parked on 92.38.0.69 are also the following domains:
Dynamic redirectors from r-cg100609 .com/go/?pid=30455&type=videxp, on a per-session basis:
panmap .in/html/3003/25ee551429fcbfd75fe7bcfeba4a9cb8/ - 114.80.67.32 - charicard@googlemail.com

Parked on 114.80.67.32 are also:
The served setup.exe (Win32/Koobface.BC; Worm:Win32/Koobface.gen!D) samples phone back to a single location:
upr15may .com/achcheck.php
upr15may .com/ld/gen.php - 92.38.0.69
61.235.117 .71/files/pdrv.exe
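An added example, not code from the post, that works the bit.ly-to-binary redirect chain and the per-session setup.exe redirectors described above from the defender's side: it rebuilds each client's redirect chain from Referer links in constructed proxy log lines, flags chains that pass through the redirector URL shapes named in the post, and reports any path served from several distinct hosts (the fast-flux tell). The log lines, their "|" layout, the client addresses and the MIME types are constructed; the hosts and paths are the post's own, kept defanged as on the page and restored by refang().

```python
import re
from urllib.parse import urlsplit

# Redirector URL shapes named in the post (page hosts are defanged "host .tld").
TDS_PATTERNS = [
    re.compile(r"/etds/go\.php\?sid=\d+"),     # 66.199.229.253 traffic manager
    re.compile(r"/in\.cgi\?\d+$"),             # myhealtharea.cn/in.cgi?12 and ?13
    re.compile(r"/count\.php\?id=\d+"),        # counteringate.com universal counter
    re.compile(r"/go/\?pid=\d+&type=videxp"),  # r-cg100609.com Koobface entry point
    re.compile(r"/pid=\d+/type=videxp/"),      # per-session setup.exe hosts
]

# Constructed proxy log (not from the post): client | url | referer | mime.
LOG = """\
10.0.0.5 | http://bit .ly/Je2Sd | - | text/html
10.0.0.5 | http://oymomahon .com/mirolim-video/3.html | http://bit .ly/Je2Sd | text/html
10.0.0.5 | http://myhealtharea .cn/in.cgi?13 | http://oymomahon .com/mirolim-video/3.html | text/html
10.0.0.5 | http://totalsitesarchive .com/error.php?id=62 | http://myhealtharea .cn/in.cgi?13 | application/octet-stream
10.0.0.7 | http://92.255.131 .217/pid=30455/type=videxp/setup.exe | http://r-cg100609 .com/go/?pid=30455&type=videxp | application/octet-stream
10.0.0.8 | http://76.229.152 .148/pid=30455/type=videxp/setup.exe | http://r-cg100609 .com/go/?pid=30455&type=videxp | application/octet-stream
10.0.0.9 | http://189.97.106 .121/pid=30455/type=videxp/setup.exe | http://r-cg100609 .com/go/?pid=30455&type=videxp | application/octet-stream
10.0.0.6 | http://intranet .test/index.html | - | text/html
"""

def refang(url):
    return url.replace(" .", ".")

def parse_log(text):
    rows = [[f.strip() for f in line.split("|")] for line in text.strip().splitlines()]
    return [(c, refang(u), None if r == "-" else refang(r), m) for c, u, r, m in rows]

def binary_chains(events):
    """For each binary download, walk Referer links back through the same
    client's requests to rebuild the redirect chain that delivered it."""
    fetched = {(c, u): r for c, u, r, _ in events}
    out = []
    for client, url, ref, mime in events:
        if mime != "application/octet-stream":
            continue
        chain = [url]
        while ref and (client, ref) in fetched and ref not in chain:
            chain.append(ref)
            ref = fetched[(client, ref)]
        chain.reverse()
        hits = [u for u in chain if any(p.search(u) for p in TDS_PATTERNS)]
        out.append({"client": client, "chain": chain, "hits": hits})
    return out

def fast_flux_paths(events, min_hosts=3):
    """The same path served from many distinct hosts: the post's per-session redirectors."""
    hosts = {}
    for _, url, _, _ in events:
        u = urlsplit(url)
        hosts.setdefault(u.path, set()).add(u.netloc)
    return {p: sorted(h) for p, h in hosts.items() if len(h) >= min_hosts}
```

A chain whose binary download never passed through a known redirector shape still appears in binary_chains() with an empty "hits" list, so the caller decides whether an unflagged download is worth a look.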

To further demonstrate the group's involvement in these campaigns, two active campaigns at is-the-boss.com indicate that they're also using the newly introduced counteringate.com, which is, however, parked on the same IP as a previously analyzed redirector maintained by the group.
A sample campaign is using the engseo .net/sutra/in.cgi?4&parameter=bravoerotica (84.16.230.38; Email: popkadyp@gmail.com) and warwork .info/cgi-bin/counter?id=945706&k=independent&ref= (91.207.61.48) redirectors to load free-porn-video-free-porn .com/1/index.php?q=bravoerotica (84.16.230.38; Email: popkadyp@gmail.com), which serves a fake codec, and is also using the universal counter maintained by the group, counteringate .com/count.php?id=308.
A second sampled campaign at is-the-boss.com points to a new domain that is once again parked at a well known IP maintained by the gang - goldeninternetsites .com/go.php?id=2022&key=4c69e59ac&p=1 (83.133.123.140), known from previous campaigns. The redirectors lead to anti-virussecurity3 .com (69.4.230.204; 69.10.59.34; 83.133.115.9; 91.212.65.125), with more typosquatted "Personal Antivirus" scareware domains parked at these multiple IPs, aimed at increasing the life cycle of the campaign:
Personal Antivirus then phones back to startupupdates .com (83.133.123.140), where more scareware is parked, with domains known from previous campaigns:
The affected services have been notified; blacklisting and takedown of the participating domains is in progress.
This post has been reproduced from Dancho Danchev's blog.