Just like GazTranzitStroyInfo's case, what we've got here is failure to understand that the efforts put into building legitimacy of front-ends to cybercrime, is prone to get undermined upon closer examination of the particular web hosting provider.
Who, and what is Life4you .info - Free Hosting for Live (dirsite .com; 65.98.15.80; Dennis Linkor Email: admin@dirsite.com)?
"We are pleased to announce the launch of dirsite.com, the best ASP.NET host on the web. We currently offer one plan. This plan is entirely free! Free ASP.NET 2.0 hosting*! Unfortunately we have hit our quota for ad free accounts. Every new signup is now required to display a 460x60 banner ad on their content pages. We will be running another ad free promotion soon, so be sure to check back! We are currently experiencing some technical issues that are out of our control. We are suffering some server problems and as a result, slight delays in processing signups. We are working on it, and will have everything resolved as soon as possible. Thank you for your patience."
What's so special about them? Well, for starters, they've got no customers but the cybercriminals themselves maintaining a portfolio of over 7,000 adult related keywords which they have been using for blackhat SEO campaigns across thousands of automatically registered -- CAPTCHA recognition outsourced -- Blogspot accounts since February, 2009.
With the Blogspot campaign still ongoing, let's assess it and expose all the participating scareware domains. Upon automatic generation of the Blogspot accounts, links like the following are included next to the bogus content, all using dirsite.com's pseudo-legitimate hosting services:
goto.dirsite .com/go.php?sid=2&tds-key=erotic+bikini+babes
goto.dirsite .com/go.php?sid=2&tds-key=sexe+amateur+on+my+space
goto.dirsite .com/go.php?sid=2&tds-key=aunt+judy+older+women
goto.dirsite .com/go.php?sid=2&tds-key=view+private+profiles+on+myspace
goto.dirsite .com/go.php?sid=2&tds-key=fullmetal+alchemist+porn
goto.dirsite .com/go.php?sid=2&tds-key=Asian+style+bed+throws
goto.dirsite .com/go.php?sid=2&tds-key=cheerleader+candid+pictures
goto.dirsite .com/go.php?sid=2&tds-key=desisexstories
goto.dirsite .com/go.php?sid=2&tds-key=Hey+Arnold+porno
goto.dirsite .com/go.php?sid=2&tds-key=warcraft+henrai
Upon clicking the users are redirected to tdncgo2009 .com/?uid=68&pid=3 (trdatasft .com; fra22 .net; Email: ) 64.86.17.47, Email: hmlragnsky@whoisservices.cn, where the scareware domains are randomly loaded:
virusdoctor-onlinedefender .com - 64.213.140.69 Email: sebarinvert.ivus@gmail.com
onlinescan-ultraantivirus2009 .com - 206.53.61.76
virussweeper-scan .net - 206.53.61.76
virusalarm-scanvirus .net - 206.53.61.76
viruscatcher .net - 64.213.140.71 Email: jeannemcpeters@gmail.com
fast-antivirus .com - 64.213.140.68
The scareware attempts to phone back to update1.virusshieldpro .com/ReleaseXP.exe - 206.53.61.75 - Email: unitedisystems@gmail.com and to updvmfnow .cn - 64.86.17.9 Email: oijfsd.sd@gmail.com. ReleaseXP.exe then phones back to the following locations, naturally earning profit for the cybecriminal -
pay-virusshield .cn - 64.213.140.70; Email: unitedisystems@gmail.com; Returning the following message: "Sorry, the operation is currently unavailable, please email our support team from product's site (Error Code #150)"
updvmfnow .cn - 64.86.17.9
updvmfnow .cn/reports/install-report.php (64.86.17.9)
updvmfnow .cn/reports/soft-report.php
updvmfnow .cn/reports/minstalls.php
The phone back location is also hosting more active scarewaredomains:
ultraantivirus2009 .com - 64.86.17.9
virusalarmpro .com
vmfastscanner .com
mysuperviser .com
pay-virusdoctor .com
virusmelt .com
payvirusmelt .com
Not only is life4info .info or dirsite .com a bogus free hosting provider, but the campaigns hosted by them are interacting with our "dear friends" at AS30407; VELCOM .com which Spamhaus describes as "N. American base of Ukrainian cybercrime spammers" - and with a reason.
Independent Contractor. Bitcoin: 15Zvie1j8CjSR52doVSZSjctCDSx3pDjKZ Email: dancho.danchev@hush.com OMEMO: ddanchev@conversations.im | OTR: danchodanchev@xmpp.jp | TOX ID: 2E6FCA35A18AA76B2CCE33B55404A796F077CADA56F38922A1988AA381AE617A15D3D3E3E6F1
Monday, June 08, 2009
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment