
Anticipating the potential for monetization, cybercriminals are investing more time and resources into coming up with new features for their SMS based ransomware releases. Two of the very latest releases indicate their motivation and long-term ambitions into this newly emerged micro-payment ransomware channel.
What's new, is the social engineering element, the self-replication potential through removable media, and the contingency planning through the use of multiple SMS numbers in case one of the numbers gets shut down. Let's go through some of the features of two newly released SMS ransomware variants offered for $20, and $30 respectively.
What's worth emphasizing on in respect to the first release, is that it's Windows 7 compatible, and is the first SMS ransomware that allows scheduled lock down after infection -- presumably, the author included this feature in order to make it harder for the victim to recognize how he got infected at the first place -- as well as multiple SMS numbers for contingency planning.
Key features include:
- Clean interace
- Bypasses Safe Mode
- Locks down the taskbar or any combination of keys that could allow a user to close the application
- The error message can be customized
- Ability to use multiple-unlock codes
- Ability to use multiple SMS numbers from where the activation code will be obtained
- Ability to lock the system immediately upon infection, or after a given period of tim
- Auto-starting features, self-removal upon entering the correct activation code, and ensuring that the victim would no longer be infected with this release through the use of mutex-es.
- This SMS ransomware is Windows 7 compatible



Cybercriminals are known to understand the benefits of converging different successful and well proven tactics across different propagation/infection vectors. Now that we've seen scareware with elements of ransomware, as well as hijacking a browser session's ads and demanding ransom to remove the adult content, it's only a matter of time to witness a micro-payment driven scareware campaign distributed through blackhat SEO and the usual channels.
Related posts:
5th SMS Ransomware Variant Offered for Sale
4th SMS Ransomware Variant Offered for Sale
3rd SMS Ransomware Variant Offered for Sale
SMS Ransomware Source Code Now Offered for Sale
New ransomware locks PCs, demands premium SMS for removal
This post has been reproduced from Dancho Danchev's blog.
UPDATE12: A new Koobface domain is in circulation across Facebook - snimka31082009 .com -- snimka means photo -- which redirects to the Chinese IP (China Railcom Guangdong Shenzhen Subbranch) offering hosting services for the Koobface gang as of last week - 61.235.117.83 /redirectsoft/go/fb_w.php. The snimka31082009.com domain is in a process of getting shut down.
UPDATE11: The latest Koobface domains masa31082009 .com - Email: yxlvpewoztjox@gmail.com; pari270809 .com - Email: baoyshzrcwmraq@gmail.com; rect08242009 .com and suz11082009 .com have been suspended.
The Koobface gang has also changed the C&C domain in their latest updated pushed throughout the past couple of days. Interestingly, it's a subdomain used in the Twitter campaign from July - cubman32 .net.ua/.sys/?action=ldgen&v=14 and cubman32 .net.ua/.sys/?action=ldgen&f=0&a=-531027389&lang=&v=14&c=0&s=ld&l=1000&ck=0&c_fb=0&c_ms=0&c_hi=0&c_tw=0&c_be=0&c_fr=-2&c_yb=-2&c_tg=0&c_nl=0&c_fu=-2.
UPDATE10: Two new Koobface domains, and a new redirector are in circulation across Facebook - rect08242009 .com (61.235.117.83) and pari270809 .com, which redirects to masa31082009 .com/go/fb_w.php. The "fan club" has also introduced updated the malware - web.reg .md/1/v2prx.exe.
The domains, pari270809 .com, rect08242009 .com and masa31082009 .com are in a process of getting shut down.
UPDATE9: Domain zadnik270809 .com - Email: baoyshzrcwmraq@gmail.com has been suspended.

The gang has also introduced a new domain, used exclusively for Facebook campaigns - zadnik270809 .com - in particular zadnik270809 .com/youtube.com/w/?video which loads zadnik270809 .com/youtube.com/w/ups.php and redirects to a well known Koobface redirector kiano-180809 .com/go/fb_w.php.
Zadnik means a**hole. Domain suspension and IP take down are in progress.
UPDATE7: Earlier today, TelosSolutions confirmed that "this customer has been removed from our network". Great news taking into consideration the fact that Directi's Abuse Desk has also suspended boomer-110809 .com, as well as upr200908013 .com.
The Koobface gang responded to the take down action by once again moving to China, 61.235.117.83 (China Railcom Guangdong Shenzhen Subbranch) in particular. The IP has been taken care of, with all of Koobface campaigns once again in an "inactive stage". It's worth pointing out that kallagoon13 .cn and allavers .org are also parked at this Chinese IP, with both domains clearly involved in Zeus crimeware campaigns.
UPDATE6: Following the 24 hours downtime, the Koobface gang has found a new home online, courtesy of Telos-Solutions-AS/Telos Solutions LTD, with an ongoing migration of the Koobface C&C and campaign domains to 91.212.127.140. Take down activities are in progress.
UPDATE5: Oc3 Networks & Web Solutions Llc abuse team took care of 67.215.238.178. All of Koobface worm's campaigns once again redirect to nowhere.
UPDATE4: Koobface has been kicked out of China -- again -- courtesy of China's CERT, and is no longer responding to 221.5.74.46. This is the second time that the Koobface gang is using the same IP for its central campaign domains, clearly indicating an ISP which "reserves its right to offer them services in the future once they stop receiving abuse notifications".

UPDATE3: The entire portfolio of Koobface related domains is now parked at 221.5.74.46 - AS17816 - CHINA169-GZ CNCGROUP IP network China169 Guangzhou MAN. For instance, xtsd20090815 .com/youtube.com/xexe.php redirects to the actual IP 221.5.74.46 /redirectsoft/go/fb2.php with piupiu-110809.com/achcheck.php, web.reg.md /1/prx90.exe and web.reg.md/1 /prx90.exe as phone back locations. Two new components are dropped DDnsFilter.dll - MD5: 0x8904BCEBACB2B878FF46C5EB0C5C57EB and DnsFilter.sys - MD5: 0x30DD915396E46824DA92FE70485F7CF8 which prevent infected users from interacting with antivirus vendor sites.

Interestingly, now that the gang's centralized domains used in the majority of campaigns are not responding thanks the quick reaction of BlueConnex, they've started embedding up to 15 iFrames directly loading IPs from the Koobface botnet. The script is detected as Trojan-Clicker.HTML.IFrame.a. The pattern? Each and every host is serving the fake Facebook page from a similar directory - /0x3E8/. 221.5.74.46 is in a process of getting shut down.
Kuku Ruku Koobface! What does Koobface has to do with a legendary cocoa cream wafer Koukou Roukou sold in the 90's? It's one of new domains introduced over the past seven days (kukuruku-290709 .com now offline thanks to community efforts).
What is the Koobface gang up to anyway? Despite that they've randomized the automatically generated directories on the compromised sites (kimchistory.freevar .com/fantasticfi1ms; tastemasters .ca/freeem0vie; simonsoderberg .se/mmym0vies; ekespangs .se/meggavide0; akesheronline .com/privalesh0w; belljarstudio .com/bestttube), the gang continues relying on centralized hosting for its campaigns.
During the week, they've migrated from 67.215.238 .178/redirectsoft/go/fb_s.php (PacificRack.com) to 85.234.141 .92/redirectsoft/go/fb_s.php (BlueConnex Ltd), interestingly, they did so with all of the their currently active domains, the ones used as central redirection points on the thousands of legitimate/malicious sites participating in their campaigns. Interestingly, merely suspending a domain name wouldn't get you a personal greeting from the Koobface gang, since they'll basically register a new one. Getting them kicked out of several different hosting providers simultaneously would. Upon having their newly pushed domains shut down, the gang stopped using domains and switched to the original IP of their hosting provider, once again requiring a direct ISP action, instead of domain registar's one.

- glavnij20090809 .com - Email: bigvillyxxx@gmail.com was parked at 85.234.141.92
- kukuruku-290709 .com - Email: kuku.ruku.pam@gmail.com was parked at 85.234.141.92
- superturbo20090809 .com - Email: bigvillyxxx@gmail.com was parked at 85.234.141.92 (Super Turbo is yet another legendary product sold in the 90's)
- bombimbom20090809 .com - Email: bigvillyxxx@gmail.com was parked at 85.234.141.92 (Bombi Bom is also a classic chewing gum sold in the 90's in Europe/Eastern Europe)
- mishkigammy-060809.com - Email: kuku.ruku.pam@gmail.com was parked at 85.234.141.92

- piupiu-110809 .com - 85.234.141.92
- xtsd20090815 .com - 85.234.141.92 - Email: bigvillyxxx@gmail.com
- boomer-110809 .com - 85.234.141.92
- upr200908013 .com - 85.234.141.92 - Email: kfmnmkswrnkcxlgpfdxb68@gmail.com
- suz11082009 .com - 85.234.141.92 - Email: xxmgbtwgdhyv@gmail.com
- upr0306 .com - 221.5.74.46 China Unicom Guangdong province network - Email: bigvillyxxx@gmail.com
- findhereandnow .com - 85.234.141.92 - Email: bigvillyxxx@gmail.com
The CAPTCHA solving process on behalf of the infected victims, is exclusively targeting Google web properties (piupiu-110809 .com/cap/tempgoo/GOO8cdabdfe8d68013c6217ce754a519194.jpg). Koobface worm's captcha7.dll module is active at:
- glavnij20090809 .com/cap/?a=get&i=1&v=7
- suz11082009 .com/cap/?a=get&i=3&v=7
- boomer-110809 .com/cap/?a=get&i=4&v=7
- piupiu-110809 .com/cap/?a=get&i=2&v=7
BlueConnex Ltd has been notified. The Koobface gang continues enjoying the largest market share of systematic Web 2.0 abuse
Related posts:
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign
The Koobface Gang Mixing Social Engineering Vectors
Ukrainian "fan club" and the Koobface connection:
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot
This post has been reproduced from Dancho Danchev's blog.
UPDATE12: A new Koobface domain is in circulation across Facebook - snimka31082009 .com -- snimka means photo -- which redirects to the Chinese IP (China Railcom Guangdong Shenzhen Subbranch) offering hosting services for the Koobface gang as of last week - 61.235.117.83 /redirectsoft/go/fb_w.php. The snimka31082009.com domain is in a process of getting shut down.
UPDATE11: The latest Koobface domains masa31082009 .com - Email: yxlvpewoztjox@gmail.com; pari270809 .com - Email: baoyshzrcwmraq@gmail.com; rect08242009 .com and suz11082009 .com have been suspended.
The Koobface gang has also changed the C&C domain in their latest updated pushed throughout the past couple of days. Interestingly, it's a subdomain used in the Twitter campaign from July - cubman32 .net.ua/.sys/?action=ldgen&v=14 and cubman32 .net.ua/.sys/?action=ldgen&f=0&a=-531027389&lang=&v=14&c=0&s=ld&l=1000&ck=0&c_fb=0&c_ms=0&c_hi=0&c_tw=0&c_be=0&c_fr=-2&c_yb=-2&c_tg=0&c_nl=0&c_fu=-2.
UPDATE10: Two new Koobface domains, and a new redirector are in circulation across Facebook - rect08242009 .com (61.235.117.83) and pari270809 .com, which redirects to masa31082009 .com/go/fb_w.php. The "fan club" has also introduced updated the malware - web.reg .md/1/v2prx.exe.
The domains, pari270809 .com, rect08242009 .com and masa31082009 .com are in a process of getting shut down.
UPDATE9: Domain zadnik270809 .com - Email: baoyshzrcwmraq@gmail.com has been suspended.

The gang has also introduced a new domain, used exclusively for Facebook campaigns - zadnik270809 .com - in particular zadnik270809 .com/youtube.com/w/?video which loads zadnik270809 .com/youtube.com/w/ups.php and redirects to a well known Koobface redirector kiano-180809 .com/go/fb_w.php.
Zadnik means a**hole. Domain suspension and IP take down are in progress.
UPDATE7: Earlier today, TelosSolutions confirmed that "this customer has been removed from our network". Great news taking into consideration the fact that Directi's Abuse Desk has also suspended boomer-110809 .com, as well as upr200908013 .com.
The Koobface gang responded to the take down action by once again moving to China, 61.235.117.83 (China Railcom Guangdong Shenzhen Subbranch) in particular. The IP has been taken care of, with all of Koobface campaigns once again in an "inactive stage". It's worth pointing out that kallagoon13 .cn and allavers .org are also parked at this Chinese IP, with both domains clearly involved in Zeus crimeware campaigns.
UPDATE6: Following the 24 hours downtime, the Koobface gang has found a new home online, courtesy of Telos-Solutions-AS/Telos Solutions LTD, with an ongoing migration of the Koobface C&C and campaign domains to 91.212.127.140. Take down activities are in progress.
UPDATE5: Oc3 Networks & Web Solutions Llc abuse team took care of 67.215.238.178. All of Koobface worm's campaigns once again redirect to nowhere.
UPDATE4: Koobface has been kicked out of China -- again -- courtesy of China's CERT, and is no longer responding to 221.5.74.46. This is the second time that the Koobface gang is using the same IP for its central campaign domains, clearly indicating an ISP which "reserves its right to offer them services in the future once they stop receiving abuse notifications".

UPDATE3: The entire portfolio of Koobface related domains is now parked at 221.5.74.46 - AS17816 - CHINA169-GZ CNCGROUP IP network China169 Guangzhou MAN. For instance, xtsd20090815 .com/youtube.com/xexe.php redirects to the actual IP 221.5.74.46 /redirectsoft/go/fb2.php with piupiu-110809.com/achcheck.php, web.reg.md /1/prx90.exe and web.reg.md/1 /prx90.exe as phone back locations. Two new components are dropped DDnsFilter.dll - MD5: 0x8904BCEBACB2B878FF46C5EB0C5C57EB and DnsFilter.sys - MD5: 0x30DD915396E46824DA92FE70485F7CF8 which prevent infected users from interacting with antivirus vendor sites.

Kuku Ruku Koobface! What does Koobface has to do with a legendary cocoa cream wafer Koukou Roukou sold in the 90's? It's one of new domains introduced over the past seven days (kukuruku-290709 .com now offline thanks to community efforts).
What is the Koobface gang up to anyway? Despite that they've randomized the automatically generated directories on the compromised sites (kimchistory.freevar .com/fantasticfi1ms; tastemasters .ca/freeem0vie; simonsoderberg .se/mmym0vies; ekespangs .se/meggavide0; akesheronline .com/privalesh0w; belljarstudio .com/bestttube), the gang continues relying on centralized hosting for its campaigns.

- glavnij20090809 .com - Email: bigvillyxxx@gmail.com was parked at 85.234.141.92
- kukuruku-290709 .com - Email: kuku.ruku.pam@gmail.com was parked at 85.234.141.92
- superturbo20090809 .com - Email: bigvillyxxx@gmail.com was parked at 85.234.141.92 (Super Turbo is yet another legendary product sold in the 90's)
- bombimbom20090809 .com - Email: bigvillyxxx@gmail.com was parked at 85.234.141.92 (Bombi Bom is also a classic chewing gum sold in the 90's in Europe/Eastern Europe)
- mishkigammy-060809.com - Email: kuku.ruku.pam@gmail.com was parked at 85.234.141.92

- piupiu-110809 .com - 85.234.141.92
- xtsd20090815 .com - 85.234.141.92 - Email: bigvillyxxx@gmail.com
- boomer-110809 .com - 85.234.141.92
- upr200908013 .com - 85.234.141.92 - Email: kfmnmkswrnkcxlgpfdxb68@gmail.com
- suz11082009 .com - 85.234.141.92 - Email: xxmgbtwgdhyv@gmail.com
- upr0306 .com - 221.5.74.46 China Unicom Guangdong province network - Email: bigvillyxxx@gmail.com
- findhereandnow .com - 85.234.141.92 - Email: bigvillyxxx@gmail.com
The CAPTCHA solving process on behalf of the infected victims, is exclusively targeting Google web properties (piupiu-110809 .com/cap/tempgoo/GOO8cdabdfe8d68013c6217ce754a519194.jpg). Koobface worm's captcha7.dll module is active at:
- glavnij20090809 .com/cap/?a=get&i=1&v=7
- suz11082009 .com/cap/?a=get&i=3&v=7
- boomer-110809 .com/cap/?a=get&i=4&v=7
- piupiu-110809 .com/cap/?a=get&i=2&v=7
BlueConnex Ltd has been notified. The Koobface gang continues enjoying the largest market share of systematic Web 2.0 abuse
Related posts:
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign
The Koobface Gang Mixing Social Engineering Vectors
Ukrainian "fan club" and the Koobface connection:
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot
This post has been reproduced from Dancho Danchev's blog.
Labels: Botnet, Hacking, Information Security, Koobface, Malicious Software, Security, Typosquatting

(For historical OSINT research, the following domains not previously listed were in circulating during the past week - thwovretgi .com - 91.214.44.239 - Email: joby47619@msn.com; shtifobpy .com - 91.214.44.210 - Email: hiraldo13686@hotmail.com; vodcotha .com - 91.214.44.203 - Email: jamarcus59884@yahoo.com; stromiko .com - Email: hyacinthiemccolman@gmail.com; ceslyemsof .com - 91.214.44.205 - Email: brisco68781@lycos.com; ejeifyevy .com - 91.214.44.208 - Email: brisco68781@lycos.com; kuhatjidd .com - 91.214.44.203 - Email: khrista12110@hotmail.com )

Key summary points:
- U.K based hosting provider Web Mania Hosting appears to be compromised due to the fact that all the abused legitimate sites are hosted there
- the redirection and scareware domain/binary are updated two times during 24 hours period of time
- all the scareware samples continue phoning back to several domains parked at 78.46.201.90
- the cybercriminals have introduced multiple monetization tactics through pay-per-click malware-friendly search engines
- a central redirection point (a-n-d-the .com/wtr/router.php) used in this campaign was used by the RBN/customer of the RBN in massive iFrame injection attacks abusing input validation flaws within high profile sites over an year ago
- sampled scareware adds the following registry entry [HKEY_LOCAL_MACHINE\SOFTWARE\6A36EA6E11EAAECDF5E540DEF2149079] plxxh = "Dujaq!!" - Dujaq!! means "Bl*w me!!"
- the blackhat SEO gang is using a unique javascript obfuscation which I originally stumbled upon a couple of months ago while assessing another blackhat SEO courtesy of the Ukrainian "fan club", the one with the Koobface connection. It relies on dynamically generated code spoofing go.live.com and rds.yahoo.com random URLs for evasion purposes. The only vendor that detects it is McAfee-GW-Edition as Heuristic.BehavesLike.JS.CodeUnfolding.A
ladydestiny .com
marchbrook.co .uk
mgwooldridge.co .uk
midfleet .com
mikedz.co .uk
millypeds.co .uk
mitchameditorial.co .uk
moddeydhoomcc.co .uk
monkeyfist.co .uk
morita.co .uk
mosoul.co .uk
mrbuzzhard.co .uk
mtbpigs.co .uk
mysticspirals.co .uk
mythagostudios .com
neilwebsterhoundtrailing.co .uk
newmarskecricketclub.co .uk
oneintenrock.co .uk
pcook.co .uk
pengineer.co .uk
agjjgtfyi .cc - Email: susan@michiganfarms.com
ckckoo .cc - Email: briettamacpherson@gmail.com
eunlabkce .cc - 93.170.134.175 - Email: susan@michiganfarms.com
ewjwjiavg .cc - 74.206.242.22 - Email: susan@michiganfarms.com
fgodvsli .cc - 93.170.133.205 - Email: susan@michiganfarms.com
fgodvsli .cc - 93.170.133.205 - Email: susan@michiganfarms.com
fyecdizt .cc 93.170.156.119 - Email: susan@michiganfarms.com
hgzondsul .cc - 174.137.171.69 - Email: susan@michiganfarms.com
iiuuoo .cc - Email: briettamacpherson@gmail.com
ijnteqc .cc - 93.170.130.105 - Email: susan@michiganfarms.com
irolopl .cc - 93.170.134.203 - Email: susan@michiganfarms.com
jglcbngvu .cc - 93.170.130.217 - Email: susan@michiganfarms.com
jpydmee .cc - 93.170.133.247 - Email: susan@michiganfarms.com
kdwwwwon .cc - 93.170.134.231 - Email: susan@michiganfarms.com
kgowncgi .cc - 93.170.154.179 - Email: susan@michiganfarms.com
lmhhsnd .cc - 93.170.156.105 - Email: susan@michiganfarms.com

mvsoomw .cc - 93.170.131.66 - Email: susan@michiganfarms.com
njfgfbd .cc - 93.170.156.21 - Email: susan@michiganfarms.com
nsdgkrge .cc - 93.170.153.98 - Email: susan@michiganfarms.com
nselkss .cc - 93.170.130.245 - Email: susan@michiganfarms.com
owudfnay .cc - 93.170.131.178 - Email: susan@michiganfarms.com
pfjfsiunt .cc - 93.170.151.80 - Email: susan@michiganfarms.com
piqvrrugd .cc - 93.170.156.63 - Email: susan@michiganfarms.com
rroiqbznj .cc - 93.170.134.35 - Email: susan@michiganfarms.com
ssyydqyh .cc - 93.170.131.206 - Email: susan@michiganfarms.com
sucdugon .cc - 93.170.154.100 - Email: susan@michiganfarms.com
tftrwxlg .cc - 93.170.130.133 - Email: susan@michiganfarms.com
tirtop .cc - 188.72.198.21 - Email: elaynedangubic@gmail.com
uomfchbj .cc - 93.170.131.10 - Email: susan@michiganfarms.com
vrmmnicl .cc - 93.170.151.10 - Email: susan@michiganfarms.com
vtgisihjy .cc - 93.170.133.163 - Email: susan@michiganfarms.com
vwyldlbe .cc - 188.72.204.57 - Email: brigidadorion@gmail.com
vzlbamuvs .cc - 93.170.130.49 - Email: susan@michiganfarms.com
wgyxrmtld .cc - 93.170.152.226 - Email: susan@michiganfarms.com
xisuuzos .cc - 93.170.134.77 - Email: susan@michiganfarms.com
xlkzmqiw .cc - 93.170.131.234 - Email: susan@michiganfarms.com
zirtop .cc - Email: elaynedangubic@gmail.com
zmtkpugbz .cc - 93.170.130.189 - Email: susan@michiganfarms.com
zncutvk .cc - 174.137.171.117 - Email: susan@michiganfarms.com
rebuwe .net - 206.51.230.97
sivezo .net - 206.51.230.98
mipola .net - 206.51.230.95
kowipe .net - 206.51.230.92
kerobo .net - 206.51.230.90
gelupe .net - 206.51.230.104
fuquwe .net - 206.51.230.103
hyduve .net - 206.51.230.200
bisehu .net - 206.51.230.99
wypule .net - 206.51.230.95
xylucy .net - 206.51.230.97
xulady .net - 206.51.230.96
lyqyte .net - 206.51.230.94
zuziki .net - 206.51.230.98
symiza .net - 206.51.230.99
bisehu .net - 206.51.230.99
msrxdk .com - 188.72.192.78 - Email: charlenecrewshgkn@yahoo.com
kimuka .net - 188.72.192.78 - Email: charlenecrewshgkn@yahoo.com
ylkbin .com - 188.72.192.81

antispywaretotalscan9 .com - 213.163.89.60; 89.47.237.55; 89.248.174.61 - Email: info@siggy.com
antispywaretotalscan5 .com - Email: info@siggy.com
antispywaretotalscan6 .com - Email: info@siggy.com
antispywaretotalscan8 .com - Email: info@siggy.com
antispywaretotalscan9 .com - Email: info@siggy.com
delete-all-virus05 .com - Email: sales@naukrit.com
delete-all-virus07 .com - Email: sales@naukrit.com
delete-all-virus09 .com - Email: sales@naukrit.com
delete-all-virus03 .com - 213.163.89.60; 88.198.233.225; 91.213.126.100; 193.169.12.70 - Email: sales@naukrit.com
clean-all-spyware10 .com - Email: crbarnes@uvic.ca
remove-all-adware01 .com - Email: info@nco.com.cn
clean-all-spyware01 .com - Email: crbarnes@uvic.ca
fast-virus-scan2 .com - Email: courseinfo@greenwich.ac.uk
remove-all-spyware03 .com - Email: info@nco.com.cn
fast-virus-scan4 .com - Email: courseinfo@greenwich.ac.uk
clean-all-spyware05 .com - Email: crbarnes@uvic.ca
best-virus-scanner5 .com - Email: info@ecomsol.com
remove-all-spyware07 .com - Email: info@nco.com.cn
fast-virus-scan7 .com - Email: courseinfo@greenwich.ac.uk
005threats-scanner .com
09computerquickscan .com
005yourprivatescanner .com
online-systemscan .net - Email: gertrudeedickens@text2re.com
best-spyware-scan01 .com - Email: info@viter-media.com
online-antivir-scan09 .com - Email: contacts@stevens-media.com
checkviruszone .com - Email: gertrudeedickens@text2re.com

protection-check07 .com - Email: info@democraticyouth.com
malwareinternetscanner03 .com - Email: kathy@nj-steams.com
best-spyware-scan03 .com - Email: info@viter-media.com
antispywarescanner08 .com - Email: info@cpehn.org
antivirusonlinescan03 .com - Email: kathy@nj-steams.com
quick-virus-scanner02 .com - Email: info@person.k112.nc.us
securedlivescan .com
superb-virus-scan09 .com - Email: tours@admiralgroup.co.uk
superb-antivir-scan01 .com - Email: tours@admiralgroup.co.uk
intellectual-vir-scan09 .com - Email: info@worldlifehencey.com
intellectual-vir-scan08 .com - Email: info@worldlifehencey.com
private-antivirus-scannerv2 .com - Email: webmaster@parun.co.kr
reliable-scanner01 .com - Email: info@cansupply.com
superb-virus-scan07 .com - Email: tours@admiralgroup.co.uk
antivirus-online-scan8 .com - Email: webmaster@TangoDance.cn
best-antivirus3 .com - Email: info@legtimeprime.com
live-virus-scanner5 .com - Email: info@infy-tasks.com
antivirus-online-scan4 .com - Email: pranky-marie@yahoo.com
antispyware-scanner5 .com - Email: janny.mar123@yahoo.com
antivirus-online-scan5 .com - Email: pranky-marie@yahoo.com
live-virus-scanner7 .com - Email: info@infy-tasks.com
clean-all-spyware .com - Email: jdemagis@rocheste.ganet.com
getyoursecuritynowv2 .com - Email: info@meat-beaf.com.cn
getyourantivirusv3 .com - Email: info@meat-beaf.com.cn
getyourpcsecurev3 .com - Email: info@meat-beaf.com.cn
antivirus-scannerv12 .com - Email: info@chinatownnetwork.com.cn
safeonlinescannerv4 .com - Email: steg.greg1992@yahoo.com
check-for-malwarev3 .com - Email: al@bis-solutions.com
check-your-pc-onlinev3 .com - Email: al@bis-solutions.com
searchurlguide .com - 64.86.16.9 - Email:powell.john11@gmail.com
securitypad .net - 206.53.61.70 - Email: gertrudeedickens@text2re.com
prestotunerst .cn - 64.86.16.210 - Email: unitedisystems@gmail.com
officesecuritysupply .com - Email: Ronald.T.Samora@spambob.com
securityread .com - Email: Anna.R.Helm@dodgit.com
scanasite .com - Email: Carol.J.Hipp@mailinator.com
cheapsecurityscan .com - Email: Kevin.L.Linkous@trashymail.com
securitysupplycenter .com - Email: Janet.R.Vasquez@spambob.com
best-folder-scanv3 .com - Email: info@best-util-til.com
online-best-scanv3 .com - Email: public@cropfactor.in
online-defenderv9 .com - Email: public@cropfactor.in
antispyware-live-scanv3 .com - Email: ervin1981rolf@yahoo.com
antispywarelivescanv5 .com - Email: sales.in@bauhmerhhs.com

basicsystemscannerv8 .com - Email: changhong@corpdefence.cn
bestpersonalprotectionv2 .com - Email: cfaa1996@yahoo.com.cn
bestpersonalprotectionv7 .com - Email: cfaa1996@yahoo.com.cn
computer-antivirus-scanv9 .com - Email: melaniestarmelanie@yahoo.com
fastvirusscanv6 .com - Email: info@rasystems.com
govirusscanner .com - Email: contact@demoninchina.com
mysafecomputerscan .com - Email: acurtis@stevens.com
onlineantispywarescanv6 .com - Email: czoao@hotmail.com
online-antivir-scanv2 .com - Email: iren.g@sysintern.in
onlinebestscannerv3 .com - Email: info@srilanka.cn
onlinepersonalscanner .com - Email: info@srilanka.cn
onlineproantivirusscan .com - Email: addworld@freebbmail.com
online-pro-antivirus-scan .com - Email: findz@freebbmail.com

online-secure-scannerv2 .com - Email: iren.g@sysintern.in
personalantivirusprotection .com - Email: info@Wholesaler.cn
personalfolderscanv2 .com - Email: hfbeauty@yahoo.com
premium-antispy-scanv3 .com - Email: Ktrivedi@go2uti.com
premium-antispy-scanv7 .com - Email: Ktrivedi@go2uti.com
premium-antivirus-scanv6 .com - Email: Ktrivedi@go2uti.com
private-antivirus-scannerv2 .com - Email: webmaster@parun.co.kr
privatevirusscannerv8 .com - Email: info@rasystems.com
secure-antispyware-scanv3 .com - Email: info@prrp.de
securepersonalscanner .com - Email: info@prrp.de
secure-spyware-scannerv3 .com - Email: info@prrp.de
secure-virus-scannerv5 .com - Email: info@prrp.de
securityfolderprotection .com - Email: info@Wholesaler.cn
spyware-scannerv2 .com - Email: hanan.abdelrazek@bibalexy.org
spywarescannerv4 .com - Email: hanan.abdelrazek@bibalexy.org

A second sampled scareware phones back to a different location - 92.241.176.188. Parked there are the rest of the domains in their scareware portfolio:
bestscanpc .org
bestscanpc .biz
downloadavr2 .com
downloadavr3 .com
trucount3005 .com
antivirus-scan-2009 .com
antivirusxppro-2009 .com
advanced-virus-remover-2009 .com
advanced-virus-remover2009 .com
advanced-virusremover2009 .com
bestscanpc .com
xxx-white-tube .com
blue-xxx-tube .com
trucountme .com
10-open-davinci .com
vs-codec-pro .com
vscodec-pro .com
download-vscodec-pro .com
v-s-codecpro .com
antivirus-2009-ppro .com
onlinescanxppro .com
downloadavr .com
bestscanpc .info
bestscanpc .net
bestscanpc .biz
cnn-bcc2 .com - 89.248.174.61 - Email: mail@sccits.com.cn
issuenews1 .com - Email: mail@sccits.com.cn
headlinenews2 .com - Email: mail@sccits.com.cn
usdisturbed .cn - Email: info@brandbanks.com
milesdavisorland .cn - Email: info@brandbanks.com
usaworkinghard .cn - Email: info@brandbanks.com
nationaltreasure .cn - Email: info@brandbanks.com
milesdavisorland .cn - 91.213.126.101 - Email: info@brandbanks.com
we-accepted .cn - Email: info@rcusan.org
myth-busters .cn - Email: info@rcusan.org
russell-brand .cn - Email: info@sciencesdemo.com
willsmithinc .cn - Email: contact@oregonvma.org
dirty-dancing .cn - Email: allisonh@soeconline.org
sex-and-the-city .cn - Email: oregon.artscomm@state.or.us
clicksick .cn - 67.215.245.187 - Email: webmaster@clicksick.cn
doubleclicknet .cn - 67.215.245.187 - Email: webmaster@doubleclicknet.cn
shrekmovie .cn - Email: oregon.artscomm@state.or.us
radioheadicon .cn - Email: contact@oregonvma.org
batman-comics .cn - Email: contact@oregonvma.org
beststarwars .cn - Email: allisonh@soeconline.org
mashroomtheory .cn - Email: webmaster@TangoDance.cn
space2009city .cn - Email: webmaster@TangoDance.cn
messengerinfo .cn - Email: allisonh@soeconline.org
greattime2009 .cn - Email: webmaster@seniorstuds.com.ar
iwanttowin .cn - Email: webmaster@seniorstuds.com.ar
hardnut .cn - Email: tan.mei.sie@monash.com.my
sitemechanics .cn - info@powertrackers.com
exceldocumentsinfo .cn - Email: info@powertrackers.com
chinafavorites .cn - Email: cmo@ci.springfields.or.us
best-live-lottery .cn - Email: info@powertrackers.com
adeptofmastery .cn - Email: info@powertrackers.com
trytowintoday .cn - Email: info@powertrackers.com
bulkdvdreader .cn - 94.102.48.29 - Email: info@powertrackers.com
style-everywhere .com - 88.198.105.145 - Email: angy.helm21@yahoo.com
clicksick .cn - 67.215.245.187 - Email: webmaster@clicksick.cn
supportyourcountry .cn - Email: cmo@ci.springfields.or.us
wheels-on-fire .cn - 94.102.48.29 - Email: epron.sales@epron.com.hk
stillphotoshots .cn - 94.102.48.29 - Email: epron.sales@epron.com.hk
delayyouranswer .cn - Email: info@globaltechs.com.cn
getbestsales .cn - Email: info@globaltechs.com.cn
library-presents .cn - Email: hanzellandgretell@googlemail.com
in-t-h-e .cn - 72.21.41.198 (Layered Technologies, Inc.) - Email: admin@in-t-h-e.cn
bestwishestoyou .cn - 94.102.48.29 - Email: hanzellandgretell@googlemail.com
library-presents .cn - 94.102.48.29 - Email: hanzellandgretell@googlemail.com
getbestsales .cn - 94.102.48.29 - Email: info@globaltechs.com.cn
aware-of-future .cn - Email: info@globaltechs.com.cn
nothing-to-wear .cn - Email: steg.greg1992@yahoo.com
newsmediaone .com - 72.21.41.198 - Email: advertizers@newsmediaone.com
bapoka .net - 87.118.96.6
stylestats1 .net - 94.102.63.16 - Email: grem@yahoo.com
luckystats .org - Email: director@climbing-games.com
luckystats1 .com - Email: grem@yahoo.com
lifewepromote .cn - Email: ruixiang.guo@yahoo.com
securecommercialnews .cn - Email: contacts@swedbank.com.cn
snowboard2009 .cn - Email: weinwein2@yahoo.com
nothern-ireland .cn - Email: accabj@cn.accaglobal.com
goldensunshine .cn - Email: info@tartirtar.com
steplessculture .cn - Email: info@myfibernetworks.cn
vipsoccermanager .cn - Email: opressor1992@yahoo.com
b2b-forums .cn - Email: weinwein2@yahoo.com
rondo-trips .cn - Email: acurtis@stevens.com
mywatermakrs .cn - Email: shanghaihuny@yahoo.com
gazsnippets .cn - Email: acurtis@stevens.com
bestvanillaresorts .cn - Email: opressor1992@yahoo.com
personalrespect .cn - Email: weinwein2@yahoo.com
consensualart .cn - Email: shanghaihuny@yahoo.com
yourholidaytoday .cn - Email: opressor1992@yahoo.com
guidetogalaxy .cn - Email: stp9014@yahoo.com

Interestingly, they're exclusively using the compromised .co.uk, as well as purely malicious blackhat SEO domains for scareware serving purposes, but continue using the ones they operate under the free DNS service providers for monetization through the bogus search engines. The domains used in this monetization approach are as follows:

triwoperl .com - 95.168.191.19 - Email: florenzaluwemba@gmail.com
tropysearch .us - 74.52.216.46 - Email: tech@add-manager.com
glorys .info (glorys .info/red/cube.js) - - 78.159.97.186 - Email: kor4seo@rambler.ru
funnyblogetc .info/go.php - - Email: tigerwood1@nm.ru
Monitoring of the campaign and takedown actions would continue, with an emphasis on the RBN connection from a related blackhat SEO campaign from last year. The gang is not going away anytime soon, but their campaigns definitely are.
Related posts:
A Peek Inside the Managed Blackhat SEO Ecosystem
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot
This post has been reproduced from Dancho Danchev's blog.

(For historical OSINT research, the following domains not previously listed were in circulating during the past week - thwovretgi .com - 91.214.44.239 - Email: joby47619@msn.com; shtifobpy .com - 91.214.44.210 - Email: hiraldo13686@hotmail.com; vodcotha .com - 91.214.44.203 - Email: jamarcus59884@yahoo.com; stromiko .com - Email: hyacinthiemccolman@gmail.com; ceslyemsof .com - 91.214.44.205 - Email: brisco68781@lycos.com; ejeifyevy .com - 91.214.44.208 - Email: brisco68781@lycos.com; kuhatjidd .com - 91.214.44.203 - Email: khrista12110@hotmail.com )

Key summary points:
- U.K based hosting provider Web Mania Hosting appears to be compromised due to the fact that all the abused legitimate sites are hosted there
- the redirection and scareware domain/binary are updated two times during 24 hours period of time
- all the scareware samples continue phoning back to several domains parked at 78.46.201.90
- the cybercriminals have introduced multiple monetization tactics through pay-per-click malware-friendly search engines
- a central redirection point (a-n-d-the .com/wtr/router.php) used in this campaign was used by the RBN/customer of the RBN in massive iFrame injection attacks abusing input validation flaws within high profile sites over an year ago
- sampled scareware adds the following registry entry [HKEY_LOCAL_MACHINE\SOFTWARE\6A36EA6E11EAAECDF5E540DEF2149079] plxxh = "Dujaq!!" - Dujaq!! means "Bl*w me!!"
- the blackhat SEO gang is using a unique javascript obfuscation which I originally stumbled upon a couple of months ago while assessing another blackhat SEO courtesy of the Ukrainian "fan club", the one with the Koobface connection. It relies on dynamically generated code spoofing go.live.com and rds.yahoo.com random URLs for evasion purposes. The only vendor that detects it is McAfee-GW-Edition as Heuristic.BehavesLike.JS.CodeUnfolding.A
ladydestiny .com
marchbrook.co .uk
mgwooldridge.co .uk
midfleet .com
mikedz.co .uk
millypeds.co .uk
mitchameditorial.co .uk
moddeydhoomcc.co .uk
monkeyfist.co .uk
morita.co .uk
mosoul.co .uk
mrbuzzhard.co .uk
mtbpigs.co .uk
mysticspirals.co .uk
mythagostudios .com
neilwebsterhoundtrailing.co .uk
newmarskecricketclub.co .uk
oneintenrock.co .uk
pcook.co .uk
pengineer.co .uk
agjjgtfyi .cc - Email: susan@michiganfarms.com
ckckoo .cc - Email: briettamacpherson@gmail.com
eunlabkce .cc - 93.170.134.175 - Email: susan@michiganfarms.com
ewjwjiavg .cc - 74.206.242.22 - Email: susan@michiganfarms.com
fgodvsli .cc - 93.170.133.205 - Email: susan@michiganfarms.com
fgodvsli .cc - 93.170.133.205 - Email: susan@michiganfarms.com
fyecdizt .cc 93.170.156.119 - Email: susan@michiganfarms.com
hgzondsul .cc - 174.137.171.69 - Email: susan@michiganfarms.com
iiuuoo .cc - Email: briettamacpherson@gmail.com
ijnteqc .cc - 93.170.130.105 - Email: susan@michiganfarms.com
irolopl .cc - 93.170.134.203 - Email: susan@michiganfarms.com
jglcbngvu .cc - 93.170.130.217 - Email: susan@michiganfarms.com
jpydmee .cc - 93.170.133.247 - Email: susan@michiganfarms.com
kdwwwwon .cc - 93.170.134.231 - Email: susan@michiganfarms.com
kgowncgi .cc - 93.170.154.179 - Email: susan@michiganfarms.com
lmhhsnd .cc - 93.170.156.105 - Email: susan@michiganfarms.com

mvsoomw .cc - 93.170.131.66 - Email: susan@michiganfarms.com
njfgfbd .cc - 93.170.156.21 - Email: susan@michiganfarms.com
nsdgkrge .cc - 93.170.153.98 - Email: susan@michiganfarms.com
nselkss .cc - 93.170.130.245 - Email: susan@michiganfarms.com
owudfnay .cc - 93.170.131.178 - Email: susan@michiganfarms.com
pfjfsiunt .cc - 93.170.151.80 - Email: susan@michiganfarms.com
piqvrrugd .cc - 93.170.156.63 - Email: susan@michiganfarms.com
rroiqbznj .cc - 93.170.134.35 - Email: susan@michiganfarms.com
ssyydqyh .cc - 93.170.131.206 - Email: susan@michiganfarms.com
sucdugon .cc - 93.170.154.100 - Email: susan@michiganfarms.com
tftrwxlg .cc - 93.170.130.133 - Email: susan@michiganfarms.com
tirtop .cc - 188.72.198.21 - Email: elaynedangubic@gmail.com
uomfchbj .cc - 93.170.131.10 - Email: susan@michiganfarms.com
vrmmnicl .cc - 93.170.151.10 - Email: susan@michiganfarms.com
vtgisihjy .cc - 93.170.133.163 - Email: susan@michiganfarms.com
vwyldlbe .cc - 188.72.204.57 - Email: brigidadorion@gmail.com
vzlbamuvs .cc - 93.170.130.49 - Email: susan@michiganfarms.com
wgyxrmtld .cc - 93.170.152.226 - Email: susan@michiganfarms.com
xisuuzos .cc - 93.170.134.77 - Email: susan@michiganfarms.com
xlkzmqiw .cc - 93.170.131.234 - Email: susan@michiganfarms.com
zirtop .cc - Email: elaynedangubic@gmail.com
zmtkpugbz .cc - 93.170.130.189 - Email: susan@michiganfarms.com
zncutvk .cc - 174.137.171.117 - Email: susan@michiganfarms.com
rebuwe .net - 206.51.230.97
sivezo .net - 206.51.230.98
mipola .net - 206.51.230.95
kowipe .net - 206.51.230.92
kerobo .net - 206.51.230.90
gelupe .net - 206.51.230.104
fuquwe .net - 206.51.230.103
hyduve .net - 206.51.230.200
bisehu .net - 206.51.230.99
wypule .net - 206.51.230.95
xylucy .net - 206.51.230.97
xulady .net - 206.51.230.96
lyqyte .net - 206.51.230.94
zuziki .net - 206.51.230.98
symiza .net - 206.51.230.99
bisehu .net - 206.51.230.99
msrxdk .com - 188.72.192.78 - Email: charlenecrewshgkn@yahoo.com
kimuka .net - 188.72.192.78 - Email: charlenecrewshgkn@yahoo.com
ylkbin .com - 188.72.192.81

reliable-scanner01 .com - Email: info@cansupply.com
superb-virus-scan07 .com - Email: tours@admiralgroup.co.uk
antivirus-online-scan8 .com - Email: webmaster@TangoDance.cn
best-antivirus3 .com - Email: info@legtimeprime.com
live-virus-scanner5 .com - Email: info@infy-tasks.com
antivirus-online-scan4 .com - Email: pranky-marie@yahoo.com
antispyware-scanner5 .com - Email: janny.mar123@yahoo.com
antivirus-online-scan5 .com - Email: pranky-marie@yahoo.com
live-virus-scanner7 .com - Email: info@infy-tasks.com
clean-all-spyware .com - Email: jdemagis@rocheste.ganet.com
getyoursecuritynowv2 .com - Email: info@meat-beaf.com.cn
getyourantivirusv3 .com - Email: info@meat-beaf.com.cn
getyourpcsecurev3 .com - Email: info@meat-beaf.com.cn
antivirus-scannerv12 .com - Email: info@chinatownnetwork.com.cn
safeonlinescannerv4 .com - Email: steg.greg1992@yahoo.com
check-for-malwarev3 .com - Email: al@bis-solutions.com
check-your-pc-onlinev3 .com - Email: al@bis-solutions.com
searchurlguide .com - 64.86.16.9 - Email:powell.john11@gmail.com
securitypad .net - 206.53.61.70 - Email: gertrudeedickens@text2re.com
prestotunerst .cn - 64.86.16.210 - Email: unitedisystems@gmail.com
officesecuritysupply .com - Email: Ronald.T.Samora@spambob.com
securityread .com - Email: Anna.R.Helm@dodgit.com
scanasite .com - Email: Carol.J.Hipp@mailinator.com
cheapsecurityscan .com - Email: Kevin.L.Linkous@trashymail.com
securitysupplycenter .com - Email: Janet.R.Vasquez@spambob.com
best-folder-scanv3 .com - Email: info@best-util-til.com
online-best-scanv3 .com - Email: public@cropfactor.in
online-defenderv9 .com - Email: public@cropfactor.in
antispyware-live-scanv3 .com - Email: ervin1981rolf@yahoo.com
antispywarelivescanv5 .com - Email: sales.in@bauhmerhhs.com

basicsystemscannerv8 .com - Email: changhong@corpdefence.cn
bestpersonalprotectionv2 .com - Email: cfaa1996@yahoo.com.cn
bestpersonalprotectionv7 .com - Email: cfaa1996@yahoo.com.cn
computer-antivirus-scanv9 .com - Email: melaniestarmelanie@yahoo.com
fastvirusscanv6 .com - Email: info@rasystems.com
govirusscanner .com - Email: contact@demoninchina.com
mysafecomputerscan .com - Email: acurtis@stevens.com
onlineantispywarescanv6 .com - Email: czoao@hotmail.com
online-antivir-scanv2 .com - Email: iren.g@sysintern.in
onlinebestscannerv3 .com - Email: info@srilanka.cn
onlinepersonalscanner .com - Email: info@srilanka.cn
onlineproantivirusscan .com - Email: addworld@freebbmail.com
online-pro-antivirus-scan .com - Email: findz@freebbmail.com

online-secure-scannerv2 .com - Email: iren.g@sysintern.in
personalantivirusprotection .com - Email: info@Wholesaler.cn
personalfolderscanv2 .com - Email: hfbeauty@yahoo.com
premium-antispy-scanv3 .com - Email: Ktrivedi@go2uti.com
premium-antispy-scanv7 .com - Email: Ktrivedi@go2uti.com
premium-antivirus-scanv6 .com - Email: Ktrivedi@go2uti.com
private-antivirus-scannerv2 .com - Email: webmaster@parun.co.kr
privatevirusscannerv8 .com - Email: info@rasystems.com
secure-antispyware-scanv3 .com - Email: info@prrp.de
securepersonalscanner .com - Email: info@prrp.de
secure-spyware-scannerv3 .com - Email: info@prrp.de
secure-virus-scannerv5 .com - Email: info@prrp.de
securityfolderprotection .com - Email: info@Wholesaler.cn
spyware-scannerv2 .com - Email: hanan.abdelrazek@bibalexy.org
spywarescannerv4 .com - Email: hanan.abdelrazek@bibalexy.org

A second sampled scareware phones back to a different location - 92.241.176.188. Parked there are the rest of the domains in their scareware portfolio:
bestscanpc .org
bestscanpc .biz
downloadavr2 .com
downloadavr3 .com
trucount3005 .com
antivirus-scan-2009 .com
antivirusxppro-2009 .com
advanced-virus-remover-2009 .com
advanced-virus-remover2009 .com
advanced-virusremover2009 .com
bestscanpc .com
xxx-white-tube .com
blue-xxx-tube .com
trucountme .com
10-open-davinci .com
vs-codec-pro .com
vscodec-pro .com
download-vscodec-pro .com
v-s-codecpro .com
antivirus-2009-ppro .com
onlinescanxppro .com
downloadavr .com
bestscanpc .info
bestscanpc .net
bestscanpc .biz
beststarwars .cn - Email: allisonh@soeconline.org
mashroomtheory .cn - Email: webmaster@TangoDance.cn
space2009city .cn - Email: webmaster@TangoDance.cn
messengerinfo .cn - Email: allisonh@soeconline.org
greattime2009 .cn - Email: webmaster@seniorstuds.com.ar
iwanttowin .cn - Email: webmaster@seniorstuds.com.ar
hardnut .cn - Email: tan.mei.sie@monash.com.my
sitemechanics .cn - info@powertrackers.com
exceldocumentsinfo .cn - Email: info@powertrackers.com
chinafavorites .cn - Email: cmo@ci.springfields.or.us
best-live-lottery .cn - Email: info@powertrackers.com
adeptofmastery .cn - Email: info@powertrackers.com
trytowintoday .cn - Email: info@powertrackers.com
bulkdvdreader .cn - 94.102.48.29 - Email: info@powertrackers.com
style-everywhere .com - 88.198.105.145 - Email: angy.helm21@yahoo.com
clicksick .cn - 67.215.245.187 - Email: webmaster@clicksick.cn
supportyourcountry .cn - Email: cmo@ci.springfields.or.us
wheels-on-fire .cn - 94.102.48.29 - Email: epron.sales@epron.com.hk
stillphotoshots .cn - 94.102.48.29 - Email: epron.sales@epron.com.hk
delayyouranswer .cn - Email: info@globaltechs.com.cn
getbestsales .cn - Email: info@globaltechs.com.cn
library-presents .cn - Email: hanzellandgretell@googlemail.com
in-t-h-e .cn - 72.21.41.198 (Layered Technologies, Inc.) - Email: admin@in-t-h-e.cn
bestwishestoyou .cn - 94.102.48.29 - Email: hanzellandgretell@googlemail.com
library-presents .cn - 94.102.48.29 - Email: hanzellandgretell@googlemail.com
getbestsales .cn - 94.102.48.29 - Email: info@globaltechs.com.cn
aware-of-future .cn - Email: info@globaltechs.com.cn
nothing-to-wear .cn - Email: steg.greg1992@yahoo.com
newsmediaone .com - 72.21.41.198 - Email: advertizers@newsmediaone.com
bapoka .net - 87.118.96.6
stylestats1 .net - 94.102.63.16 - Email: grem@yahoo.com
luckystats .org - Email: director@climbing-games.com
luckystats1 .com - Email: grem@yahoo.com
lifewepromote .cn - Email: ruixiang.guo@yahoo.com
securecommercialnews .cn - Email: contacts@swedbank.com.cn
snowboard2009 .cn - Email: weinwein2@yahoo.com
nothern-ireland .cn - Email: accabj@cn.accaglobal.com
goldensunshine .cn - Email: info@tartirtar.com
steplessculture .cn - Email: info@myfibernetworks.cn
vipsoccermanager .cn - Email: opressor1992@yahoo.com
b2b-forums .cn - Email: weinwein2@yahoo.com
rondo-trips .cn - Email: acurtis@stevens.com
mywatermakrs .cn - Email: shanghaihuny@yahoo.com
gazsnippets .cn - Email: acurtis@stevens.com
bestvanillaresorts .cn - Email: opressor1992@yahoo.com
personalrespect .cn - Email: weinwein2@yahoo.com
consensualart .cn - Email: shanghaihuny@yahoo.com
yourholidaytoday .cn - Email: opressor1992@yahoo.com
guidetogalaxy .cn - Email: stp9014@yahoo.com

Interestingly, they're exclusively using the compromised .co.uk, as well as purely malicious blackhat SEO domains for scareware serving purposes, but continue using the ones they operate under the free DNS service providers for monetization through the bogus search engines. The domains used in this monetization approach are as follows:

triwoperl .com - 95.168.191.19 - Email: florenzaluwemba@gmail.com
tropysearch .us - 74.52.216.46 - Email: tech@add-manager.com
glorys .info (glorys .info/red/cube.js) - - 78.159.97.186 - Email: kor4seo@rambler.ru
funnyblogetc .info/go.php - - Email: tigerwood1@nm.ru
Monitoring of the campaign and takedown actions would continue, with an emphasis on the RBN connection from a related blackhat SEO campaign from last year. The gang is not going away anytime soon, but their campaigns definitely are.
Related posts:
A Peek Inside the Managed Blackhat SEO Ecosystem
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot
This post has been reproduced from Dancho Danchev's blog.
;;
Subscribe to:
Posts (Atom)