Monday, August 24, 2009

6th SMS Ransomware Variant Offered for Sale

"Your copy of Windows has been blocked! You're using an unlicensed version of it! In order to continue using it, you must receive the unlock key. All you have to do is follow these steps: You must send a SMS message. You will receive an activation code once you do so. Enter the code and unlock your copy of Windows."

Anticipating the potential for monetization, cybercriminals are investing more time and resources into coming up with new features for their SMS based ransomware releases. Two of the very latest releases indicate their motivation and long-term ambitions into this newly emerged micro-payment ransomware channel.

What's new, is the social engineering element, the self-replication potential through removable media, and the contingency planning through the use of multiple SMS numbers in case one of the numbers gets shut down. Let's go through some of the features of two newly released SMS ransomware variants offered for $20, and $30 respectively.

What's worth emphasizing on in respect to the first release, is that it's Windows 7 compatible, and is the first SMS ransomware that allows scheduled lock down after infection -- presumably, the author included this feature in order to make it harder for the victim to recognize how he got infected at the first place -- as well as multiple SMS numbers for contingency planning.

Key features include:
- Clean interace
- Bypasses Safe Mode
- Locks down the taskbar or any combination of keys that could allow a user to close the application
- The error message can be customized
- Ability to use multiple-unlock codes
- Ability to use multiple SMS numbers from where the activation code will be obtained
- Ability to lock the system immediately upon infection, or after a given period of tim
- Auto-starting features, self-removal upon entering the correct activation code, and ensuring that the victim would no longer be infected with this release through the use of mutex-es.
- This SMS ransomware is Windows 7 compatible

The majority of SMS based ransomware is relying on the "Unlicensed Windows Copy" theme, but the first self-replicating through removable media propagation such ransomware is signaling a trend to come - social engineering throuhg impersonation in a typical scareware style. This release can be easily described as the first scareware with micro-payment ransom element offered for sale.

Basically, it attempts to impersonate Kaspersky Lab Antivirus Online and trick the infected user into thinking that Kaspersky has detected a piece of malware, has blocked it but since the malware changes its encryption algorithm the user has to send a SMS costing 150 rubles in order to receive the SMS that will block the malware.

This release also includes a timer, and a message explaining that re-installing Windows wouldn't change the situation in an attempt to further trick the user into sending the messsage. The release is exclusively released for Windows XP and is not Windows Vista compatible.

Cybercriminals are known to understand the benefits of converging different successful and well proven tactics across different propagation/infection vectors. Now that we've seen scareware with elements of ransomware, as well as hijacking a browser session's ads and demanding ransom to remove the adult content, it's only a matter of time to witness a micro-payment driven scareware campaign distributed through blackhat SEO and the usual channels.

Related posts:
5th SMS Ransomware Variant Offered for Sale
4th SMS Ransomware Variant Offered for Sale
3rd SMS Ransomware Variant Offered for Sale
SMS Ransomware Source Code Now Offered for Sale
New ransomware locks PCs, demands premium SMS for removal

This post has been reproduced from Dancho Danchev's blog.

Wednesday, August 19, 2009

Movement on the Koobface Front - Part Two


UPDATE13: The domain snimka31082009 .com has been suspended. Just like the domains listed in UPDATE11, it's worth pointing out that once the PrivacyProtect.org whois records return to their original state, all of the domains are registered using the name Rancho Ranchev -- from Ukraine with typosquatting.

UPDATE12: A new Koobface domain is in circulation across Facebook - snimka31082009 .com -- snimka means photo -- which redirects to the Chinese IP (China Railcom Guangdong Shenzhen Subbranch) offering hosting services for the Koobface gang as of last week - 61.235.117.83 /redirectsoft/go/fb_w.php. The snimka31082009.com domain is in a process of getting shut down. 

UPDATE11: The latest Koobface domains masa31082009 .com - Email: yxlvpewoztjox@gmail.com; pari270809 .com - Email: baoyshzrcwmraq@gmail.com; rect08242009 .com and suz11082009 .com have been suspended.

The Koobface gang has also changed the C&C domain in their latest updated pushed throughout the past couple of days. Interestingly, it's a subdomain used in the Twitter campaign from July - cubman32 .net.ua/.sys/?action=ldgen&v=14 and cubman32 .net.ua/.sys/?action=ldgen&f=0&a=-531027389&lang=&v=14&c=0&s=ld&l=1000&ck=0&c_fb=0&c_ms=0&c_hi=0&c_tw=0&c_be=0&c_fr=-2&c_yb=-2&c_tg=0&c_nl=0&c_fu=-2. 

UPDATE10: Two new Koobface domains, and a new redirector are in circulation across Facebook - rect08242009 .com (61.235.117.83) and pari270809 .com, which redirects to masa31082009 .com/go/fb_w.php. The "fan club" has also introduced updated the malware - web.reg .md/1/v2prx.exe.

The domains, pari270809 .com, rect08242009 .com and masa31082009 .com are in a process of getting shut down.

UPDATE9: Domain zadnik270809 .com - Email: baoyshzrcwmraq@gmail.com has been suspended.

UPDATE8 Koobface reactivated itself once again at 61.235.117.83 - China Railcom Guangdong Shenzhen Subbranch - a well known Zeus crimeware C&C, which is also apparently used for automatic hacking of third-party sites through compromised FTP accounts.

The gang has also introduced a new domain, used exclusively for Facebook campaigns - zadnik270809 .com - in particular zadnik270809 .com/youtube.com/w/?video which loads zadnik270809 .com/youtube.com/w/ups.php and redirects to a well known Koobface redirector kiano-180809 .com/go/fb_w.php.

Zadnik means a**hole. Domain suspension and IP take down are in progress.

UPDATE7: Earlier today, TelosSolutions confirmed that "this customer has been removed from our network". Great news taking into consideration the fact that Directi's Abuse Desk has also suspended boomer-110809 .com, as well as upr200908013 .com.

The Koobface gang responded to the take down action by once again moving to China, 61.235.117.83 (China Railcom Guangdong Shenzhen Subbranch) in particular. The IP has been taken care of, with all of Koobface campaigns once again in an "inactive stage". It's worth pointing out that kallagoon13 .cn and allavers .org are also parked at this Chinese IP, with both domains clearly involved in Zeus crimeware campaigns. 

UPDATE6: Following the 24 hours downtime, the Koobface gang has found a new home online, courtesy of Telos-Solutions-AS/Telos Solutions LTD, with an ongoing migration of the Koobface C&C and campaign domains to 91.212.127.140. Take down activities are in progress.

UPDATE5: Oc3 Networks & Web Solutions Llc abuse team took care of 67.215.238.178. All of Koobface worm's campaigns once again redirect to nowhere.

UPDATE4: Koobface has been kicked out of China -- again -- courtesy of China's CERT, and is no longer responding to 221.5.74.46. This is the second time that the Koobface gang is using the same IP for its central campaign domains, clearly indicating an ISP which "reserves its right to offer them services in the future once they stop receiving abuse notifications".

So which hosting provider's services is the Koobface botnet using for the time being? It's 67.215.238.178 - AS22298 - Netherlands Distinctio Ltd, which they were also using in the beginning of the month. A new domain is in circulation across social networks/micro blogging services - kiano-180809 .com/go/fb2.php (67.215.238.178) Email: bigvillyxxx@gmail.com. Take down activities are in progress.

UPDATE3: The entire portfolio of Koobface related domains is now parked at 221.5.74.46 - AS17816 - CHINA169-GZ CNCGROUP IP network China169 Guangzhou MAN. For instance, xtsd20090815 .com/youtube.com/xexe.php redirects to the actual IP 221.5.74.46 /redirectsoft/go/fb2.php with piupiu-110809.com/achcheck.php, web.reg.md /1/prx90.exe and web.reg.md/1 /prx90.exe as phone back locations. Two new components are dropped DDnsFilter.dll - MD5: 0x8904BCEBACB2B878FF46C5EB0C5C57EB and DnsFilter.sys - MD5: 0x30DD915396E46824DA92FE70485F7CF8 which prevent infected users from interacting with antivirus vendor sites.

UPDATE2: The gang has responded to the take down activities, by using the only IP that wasn't shut down 221.5.74.46, with piupiu-110809 .com, upr200908013 .com, and upr200908013 .com already moved there.

Interestingly, now that the gang's centralized domains used in the majority of campaigns are not responding thanks the quick reaction of BlueConnex, they've started embedding up to 15 iFrames directly loading IPs from the Koobface botnet. The script is detected as Trojan-Clicker.HTML.IFrame.a. The pattern? Each and every host is serving the fake Facebook page from a similar directory - /0x3E8/. 221.5.74.46 is in a process of getting shut down.

UPDATE: Three hours after notification, Blue Square Data Group Services Limited ensures that "the customer has been disconnected permanently". It's a fact. All of Koobface worm's campaigns currently redirect to nowhere. Let's see for how long.

Kuku Ruku Koobface! What does Koobface has to do with a legendary cocoa cream wafer Koukou Roukou sold in the 90's? It's one of new domains introduced over the past seven days (kukuruku-290709 .com now offline thanks to community efforts).

What is the Koobface gang up to anyway? Despite that they've randomized the automatically generated directories on the compromised sites (kimchistory.freevar .com/fantasticfi1ms; tastemasters .ca/freeem0vie; simonsoderberg .se/mmym0vies; ekespangs .se/meggavide0; akesheronline .com/privalesh0w; belljarstudio .com/bestttube), the gang continues relying on centralized hosting for its campaigns.

During the week, they've migrated from 67.215.238 .178/redirectsoft/go/fb_s.php (PacificRack.com) to 85.234.141 .92/redirectsoft/go/fb_s.php (BlueConnex Ltd), interestingly, they did so with all of the their currently active domains, the ones used as central redirection points on the thousands of legitimate/malicious sites participating in their campaigns. Interestingly, merely suspending a domain name wouldn't get you a personal greeting from the Koobface gang, since they'll basically register a new one. Getting them kicked out of several different hosting providers simultaneously would. Upon having their newly pushed domains shut down, the gang stopped using domains and switched to the original IP of their hosting provider, once again requiring a direct ISP action, instead of domain registar's one.

Koobface C&C, central malware campaign domains suspended through community efforts:
- glavnij20090809 .com - Email: bigvillyxxx@gmail.com was parked at 85.234.141.92
- kukuruku-290709 .com - Email: kuku.ruku.pam@gmail.com was parked at 85.234.141.92
- superturbo20090809 .com - Email: bigvillyxxx@gmail.com was parked at 85.234.141.92 (Super Turbo is yet another legendary product sold in the 90's)
- bombimbom20090809 .com - Email: bigvillyxxx@gmail.com was parked at 85.234.141.92 (Bombi Bom is also a classic chewing gum sold in the 90's in Europe/Eastern Europe)
- mishkigammy-060809.com - Email: kuku.ruku.pam@gmail.com was parked at 85.234.141.92

Currently active Koobface C&C domains, also participating in the CAPTCHA-solving, malware campaigns:
- piupiu-110809 .com - 85.234.141.92
- xtsd20090815 .com - 85.234.141.92 - Email: bigvillyxxx@gmail.com
- boomer-110809 .com - 85.234.141.92
- upr200908013 .com - 85.234.141.92 - Email: kfmnmkswrnkcxlgpfdxb68@gmail.com
- suz11082009 .com - 85.234.141.92 - Email: xxmgbtwgdhyv@gmail.com
- upr0306 .com - 221.5.74.46 China Unicom Guangdong province network - Email: bigvillyxxx@gmail.com
- findhereandnow .com - 85.234.141.92 - Email: bigvillyxxx@gmail.com

The CAPTCHA solving  process on behalf of the infected victims, is exclusively targeting Google web properties (piupiu-110809 .com/cap/tempgoo/GOO8cdabdfe8d68013c6217ce754a519194.jpg). Koobface worm's captcha7.dll module is active at:
- glavnij20090809 .com/cap/?a=get&i=1&v=7
- suz11082009 .com/cap/?a=get&i=3&v=7
- boomer-110809 .com/cap/?a=get&i=4&v=7
- piupiu-110809 .com/cap/?a=get&i=2&v=7


BlueConnex Ltd has been notified. The Koobface gang continues enjoying the largest market share of systematic Web 2.0 abuse

Related posts:
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign 
The Koobface Gang Mixing Social Engineering Vectors

Ukrainian "fan club" and the Koobface connection:
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot 

This post has been reproduced from Dancho Danchev's blog.

Movement on the Koobface Front - Part Two


UPDATE13: The domain snimka31082009 .com has been suspended. Just like the domains listed in UPDATE11, it's worth pointing out that once the PrivacyProtect.org whois records return to their original state, all of the domains are registered using the name Rancho Ranchev -- from Ukraine with typosquatting.

UPDATE12: A new Koobface domain is in circulation across Facebook - snimka31082009 .com -- snimka means photo -- which redirects to the Chinese IP (China Railcom Guangdong Shenzhen Subbranch) offering hosting services for the Koobface gang as of last week - 61.235.117.83 /redirectsoft/go/fb_w.php. The snimka31082009.com domain is in a process of getting shut down. 

UPDATE11: The latest Koobface domains masa31082009 .com - Email: yxlvpewoztjox@gmail.com; pari270809 .com - Email: baoyshzrcwmraq@gmail.com; rect08242009 .com and suz11082009 .com have been suspended.

The Koobface gang has also changed the C&C domain in their latest updated pushed throughout the past couple of days. Interestingly, it's a subdomain used in the Twitter campaign from July - cubman32 .net.ua/.sys/?action=ldgen&v=14 and cubman32 .net.ua/.sys/?action=ldgen&f=0&a=-531027389&lang=&v=14&c=0&s=ld&l=1000&ck=0&c_fb=0&c_ms=0&c_hi=0&c_tw=0&c_be=0&c_fr=-2&c_yb=-2&c_tg=0&c_nl=0&c_fu=-2. 

UPDATE10: Two new Koobface domains, and a new redirector are in circulation across Facebook - rect08242009 .com (61.235.117.83) and pari270809 .com, which redirects to masa31082009 .com/go/fb_w.php. The "fan club" has also introduced updated the malware - web.reg .md/1/v2prx.exe.

The domains, pari270809 .com, rect08242009 .com and masa31082009 .com are in a process of getting shut down.

UPDATE9: Domain zadnik270809 .com - Email: baoyshzrcwmraq@gmail.com has been suspended.

UPDATE8 Koobface reactivated itself once again at 61.235.117.83 - China Railcom Guangdong Shenzhen Subbranch - a well known Zeus crimeware C&C, which is also apparently used for automatic hacking of third-party sites through compromised FTP accounts.

The gang has also introduced a new domain, used exclusively for Facebook campaigns - zadnik270809 .com - in particular zadnik270809 .com/youtube.com/w/?video which loads zadnik270809 .com/youtube.com/w/ups.php and redirects to a well known Koobface redirector kiano-180809 .com/go/fb_w.php.

Zadnik means a**hole. Domain suspension and IP take down are in progress.

UPDATE7: Earlier today, TelosSolutions confirmed that "this customer has been removed from our network". Great news taking into consideration the fact that Directi's Abuse Desk has also suspended boomer-110809 .com, as well as upr200908013 .com.

The Koobface gang responded to the take down action by once again moving to China, 61.235.117.83 (China Railcom Guangdong Shenzhen Subbranch) in particular. The IP has been taken care of, with all of Koobface campaigns once again in an "inactive stage". It's worth pointing out that kallagoon13 .cn and allavers .org are also parked at this Chinese IP, with both domains clearly involved in Zeus crimeware campaigns. 

UPDATE6: Following the 24 hours downtime, the Koobface gang has found a new home online, courtesy of Telos-Solutions-AS/Telos Solutions LTD, with an ongoing migration of the Koobface C&C and campaign domains to 91.212.127.140. Take down activities are in progress.

UPDATE5: Oc3 Networks & Web Solutions Llc abuse team took care of 67.215.238.178. All of Koobface worm's campaigns once again redirect to nowhere.

UPDATE4: Koobface has been kicked out of China -- again -- courtesy of China's CERT, and is no longer responding to 221.5.74.46. This is the second time that the Koobface gang is using the same IP for its central campaign domains, clearly indicating an ISP which "reserves its right to offer them services in the future once they stop receiving abuse notifications".

So which hosting provider's services is the Koobface botnet using for the time being? It's 67.215.238.178 - AS22298 - Netherlands Distinctio Ltd, which they were also using in the beginning of the month. A new domain is in circulation across social networks/micro blogging services - kiano-180809 .com/go/fb2.php (67.215.238.178) Email: bigvillyxxx@gmail.com. Take down activities are in progress.

UPDATE3: The entire portfolio of Koobface related domains is now parked at 221.5.74.46 - AS17816 - CHINA169-GZ CNCGROUP IP network China169 Guangzhou MAN. For instance, xtsd20090815 .com/youtube.com/xexe.php redirects to the actual IP 221.5.74.46 /redirectsoft/go/fb2.php with piupiu-110809.com/achcheck.php, web.reg.md /1/prx90.exe and web.reg.md/1 /prx90.exe as phone back locations. Two new components are dropped DDnsFilter.dll - MD5: 0x8904BCEBACB2B878FF46C5EB0C5C57EB and DnsFilter.sys - MD5: 0x30DD915396E46824DA92FE70485F7CF8 which prevent infected users from interacting with antivirus vendor sites.

UPDATE2: The gang has responded to the take down activities, by using the only IP that wasn't shut down 221.5.74.46, with piupiu-110809 .com, upr200908013 .com, and upr200908013 .com already moved there.

Interestingly, now that the gang's centralized domains used in the majority of campaigns are not responding thanks the quick reaction of BlueConnex, they've started embedding up to 15 iFrames directly loading IPs from the Koobface botnet. The script is detected as Trojan-Clicker.HTML.IFrame.a. The pattern? Each and every host is serving the fake Facebook page from a similar directory - /0x3E8/. 221.5.74.46 is in a process of getting shut down.

UPDATE: Three hours after notification, Blue Square Data Group Services Limited ensures that "the customer has been disconnected permanently". It's a fact. All of Koobface worm's campaigns currently redirect to nowhere. Let's see for how long.

Kuku Ruku Koobface! What does Koobface has to do with a legendary cocoa cream wafer Koukou Roukou sold in the 90's? It's one of new domains introduced over the past seven days (kukuruku-290709 .com now offline thanks to community efforts).

What is the Koobface gang up to anyway? Despite that they've randomized the automatically generated directories on the compromised sites (kimchistory.freevar .com/fantasticfi1ms; tastemasters .ca/freeem0vie; simonsoderberg .se/mmym0vies; ekespangs .se/meggavide0; akesheronline .com/privalesh0w; belljarstudio .com/bestttube), the gang continues relying on centralized hosting for its campaigns.

During the week, they've migrated from 67.215.238 .178/redirectsoft/go/fb_s.php (PacificRack.com) to 85.234.141 .92/redirectsoft/go/fb_s.php (BlueConnex Ltd), interestingly, they did so with all of the their currently active domains, the ones used as central redirection points on the thousands of legitimate/malicious sites participating in their campaigns. Interestingly, merely suspending a domain name wouldn't get you a personal greeting from the Koobface gang, since they'll basically register a new one. Getting them kicked out of several different hosting providers simultaneously would. Upon having their newly pushed domains shut down, the gang stopped using domains and switched to the original IP of their hosting provider, once again requiring a direct ISP action, instead of domain registar's one.

Koobface C&C, central malware campaign domains suspended through community efforts:
- glavnij20090809 .com - Email: bigvillyxxx@gmail.com was parked at 85.234.141.92
- kukuruku-290709 .com - Email: kuku.ruku.pam@gmail.com was parked at 85.234.141.92
- superturbo20090809 .com - Email: bigvillyxxx@gmail.com was parked at 85.234.141.92 (Super Turbo is yet another legendary product sold in the 90's)
- bombimbom20090809 .com - Email: bigvillyxxx@gmail.com was parked at 85.234.141.92 (Bombi Bom is also a classic chewing gum sold in the 90's in Europe/Eastern Europe)
- mishkigammy-060809.com - Email: kuku.ruku.pam@gmail.com was parked at 85.234.141.92

Currently active Koobface C&C domains, also participating in the CAPTCHA-solving, malware campaigns:
- piupiu-110809 .com - 85.234.141.92
- xtsd20090815 .com - 85.234.141.92 - Email: bigvillyxxx@gmail.com
- boomer-110809 .com - 85.234.141.92
- upr200908013 .com - 85.234.141.92 - Email: kfmnmkswrnkcxlgpfdxb68@gmail.com
- suz11082009 .com - 85.234.141.92 - Email: xxmgbtwgdhyv@gmail.com
- upr0306 .com - 221.5.74.46 China Unicom Guangdong province network - Email: bigvillyxxx@gmail.com
- findhereandnow .com - 85.234.141.92 - Email: bigvillyxxx@gmail.com

The CAPTCHA solving  process on behalf of the infected victims, is exclusively targeting Google web properties (piupiu-110809 .com/cap/tempgoo/GOO8cdabdfe8d68013c6217ce754a519194.jpg). Koobface worm's captcha7.dll module is active at:
- glavnij20090809 .com/cap/?a=get&i=1&v=7
- suz11082009 .com/cap/?a=get&i=3&v=7
- boomer-110809 .com/cap/?a=get&i=4&v=7
- piupiu-110809 .com/cap/?a=get&i=2&v=7


BlueConnex Ltd has been notified. The Koobface gang continues enjoying the largest market share of systematic Web 2.0 abuse

Related posts:
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign 
The Koobface Gang Mixing Social Engineering Vectors

Ukrainian "fan club" and the Koobface connection:
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot 

This post has been reproduced from Dancho Danchev's blog.

Tuesday, August 18, 2009

Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign


AltusHost Inc, the company whose services were exclusively used in the blackhat SEO campaign using U.S Federal Forms theme for scareware service purposes, has finally responded to the abuse notifications sent seven days ago stating that "the sites have been terminated". Such a slow response once again proves that dysfunctional abuse departments increase the lifecycle of a malware/spam/phishing campaign by not taking it down when it's most actively gaining momentum.

(For historical OSINT research, the following domains not previously listed were in circulating during the past week - thwovretgi .com - 91.214.44.239 - Email: joby47619@msn.com; shtifobpy .com - 91.214.44.210 - Email: hiraldo13686@hotmail.com; vodcotha .com - 91.214.44.203 - Email: jamarcus59884@yahoo.com; stromiko .com - Email: hyacinthiemccolman@gmail.com; ceslyemsof .com - 91.214.44.205 - Email: brisco68781@lycos.com;  ejeifyevy .com - 91.214.44.208 - Email: brisco68781@lycos.com; kuhatjidd .com - 91.214.44.203 - Email: khrista12110@hotmail.com )


How did the cybercriminals respond? By proving that this blackhat SEO campaign has been well planed and coordinate a long time before it was executed in the wild. For the time being, it relies on a combination of legitimate U.K based sites, the result of a evident compromise of Web Hosting Mania due to the fact that all the affected legitimate sites are hosted there, a growing portfolio of .cc tld domains, automatic abuse of free services such as myftpsite.net; dns2go.com; dynodns.net; thebbs.org, and systematic pushing of new scareware variants/redirector and scareware domains, which explains the low generic detection rate of all the samples obtained.


Moreover, not only did the blackhat SEO themes expanding in the typical randomly generated junk that has naturally been crawled by public search engines, but also, according to publicly obtainable statistics, millions of users (collectively) have already visited the landing sites, with 42.80% of the referring site for a particular domain coming from thebbs.org and 31.97% from Google - their tactics are actively hijacking millions of users already.


Let's dissect the latest developments in the ongoing blackhat SEO campaign, list the participating scareware/blackhat SEO/redirection domains, the various monetization tactics going beyond scareware, as well as discuss some of the innovations used in the javascript obfuscation which makes it virtually impossible for a crawler to detect that the site is malicious.

Key summary points:
  • U.K based hosting provider Web Mania Hosting appears to be compromised due to the fact that all the abused legitimate sites are hosted there
  • the redirection and scareware domain/binary are updated two times during 24 hours period of time
  • all the scareware samples continue phoning back to several domains parked at 78.46.201.90
  • the cybercriminals have introduced multiple monetization tactics through pay-per-click malware-friendly search engines
  • sampled scareware adds the following registry entry [HKEY_LOCAL_MACHINE\SOFTWARE\6A36EA6E11EAAECDF5E540DEF2149079] plxxh = "Dujaq!!" - Dujaq!! means "Bl*w me!!"

Compromised legitimate domains at Web Hosting Mania currently in circulation:
ladydestiny .com
marchbrook.co .uk
mgwooldridge.co .uk
midfleet .com
mikedz.co .uk
millypeds.co .uk
mitchameditorial.co .uk
moddeydhoomcc.co .uk
monkeyfist.co .uk
morita.co .uk
mosoul.co .uk
mrbuzzhard.co .uk
mtbpigs.co .uk
mysticspirals.co .uk
mythagostudios .com
neilwebsterhoundtrailing.co .uk
newmarskecricketclub.co .uk
oneintenrock.co .uk
pcook.co .uk
pengineer.co .uk



Blackhat SEO domains redirecting to scareware, currently in circulation using a .cc tld extension:
agjjgtfyi .cc - Email: susan@michiganfarms.com
ckckoo .cc - Email: briettamacpherson@gmail.com
eunlabkce .cc - 93.170.134.175 - Email: susan@michiganfarms.com
ewjwjiavg .cc - 74.206.242.22 - Email: susan@michiganfarms.com
fgodvsli .cc - 93.170.133.205 - Email: susan@michiganfarms.com
fgodvsli .cc - 93.170.133.205 - Email: susan@michiganfarms.com
fyecdizt .cc 93.170.156.119 - Email: susan@michiganfarms.com
hgzondsul .cc - 174.137.171.69 - Email: susan@michiganfarms.com
iiuuoo .cc - Email: briettamacpherson@gmail.com
ijnteqc .cc - 93.170.130.105 - Email: susan@michiganfarms.com
irolopl .cc - 93.170.134.203 - Email: susan@michiganfarms.com
jglcbngvu .cc -  93.170.130.217 - Email: susan@michiganfarms.com
jpydmee .cc - 93.170.133.247 - Email: susan@michiganfarms.com
kdwwwwon .cc - 93.170.134.231 - Email: susan@michiganfarms.com
kgowncgi .cc - 93.170.154.179 - Email: susan@michiganfarms.com
lmhhsnd .cc - 93.170.156.105 - Email: susan@michiganfarms.com


mezkopq .cc - 93.170.129.75 - Email: susan@michiganfarms.com
mvsoomw .cc - 93.170.131.66 - Email: susan@michiganfarms.com
njfgfbd .cc - 93.170.156.21 - Email: susan@michiganfarms.com
nsdgkrge .cc - 93.170.153.98 - Email: susan@michiganfarms.com
nselkss .cc - 93.170.130.245 - Email: susan@michiganfarms.com
owudfnay .cc - 93.170.131.178 - Email: susan@michiganfarms.com
pfjfsiunt .cc - 93.170.151.80 - Email: susan@michiganfarms.com
piqvrrugd .cc - 93.170.156.63 - Email: susan@michiganfarms.com
rroiqbznj .cc - 93.170.134.35 - Email: susan@michiganfarms.com
ssyydqyh .cc - 93.170.131.206 - Email: susan@michiganfarms.com
sucdugon .cc - 93.170.154.100 - Email: susan@michiganfarms.com
tftrwxlg .cc - 93.170.130.133 - Email: susan@michiganfarms.com
tirtop .cc - 188.72.198.21 - Email: elaynedangubic@gmail.com


uclrwpyp .cc - 93.170.131.38 - Email: susan@michiganfarms.com
uomfchbj .cc - 93.170.131.10 - Email: susan@michiganfarms.com
vrmmnicl .cc - 93.170.151.10 - Email: susan@michiganfarms.com
vtgisihjy .cc - 93.170.133.163 - Email: susan@michiganfarms.com
vwyldlbe .cc - 188.72.204.57 - Email: brigidadorion@gmail.com
vzlbamuvs .cc - 93.170.130.49 - Email: susan@michiganfarms.com
wgyxrmtld .cc - 93.170.152.226 - Email: susan@michiganfarms.com
xisuuzos .cc - 93.170.134.77 - Email: susan@michiganfarms.com
xlkzmqiw .cc - 93.170.131.234 - Email: susan@michiganfarms.com
zirtop .cc - Email: elaynedangubic@gmail.com
zmtkpugbz .cc - 93.170.130.189 - Email: susan@michiganfarms.com
zncutvk .cc - 174.137.171.117 - Email: susan@michiganfarms.com


New blackhat SEO domains portfolio using NOC4Hosts Inc's services:
rebuwe .net - 206.51.230.97
sivezo .net - 206.51.230.98
mipola .net - 206.51.230.95
kowipe .net - 206.51.230.92
kerobo .net - 206.51.230.90
gelupe .net - 206.51.230.104
fuquwe .net - 206.51.230.103
hyduve .net - 206.51.230.200
bisehu .net - 206.51.230.99
wypule .net - 206.51.230.95
xylucy .net - 206.51.230.97
xulady .net - 206.51.230.96
lyqyte .net - 206.51.230.94

nimygu .net - 206.51.230.96
zuziki .net - 206.51.230.98
symiza .net - 206.51.230.99
bisehu .net - 206.51.230.99
msrxdk .com - 188.72.192.78 - Email: charlenecrewshgkn@yahoo.com
kimuka .net - 188.72.192.78 - Email: charlenecrewshgkn@yahoo.com
ylkbin .com - 188.72.192.81


Portfolio of scareware domains participating in the blackhat SEO campaing, parked at 83.133.126.155; 88.198.107.25; 88.198.120.177; 91.212.107.5; 94.102.51.26; 188.40.61.236; 62.90.136.237; 91.212.127.200; 78.46.251.43; 91.212.107.5; 69.4.230.204; 78.46.251.43; 88.198.107.25; 88.198.105.149; 88.198.233.225; 93.158.114.132:
antispywaretotalscan9 .com - 213.163.89.60; 89.47.237.55; 89.248.174.61 - Email: info@siggy.com
antispywaretotalscan5 .com - Email: info@siggy.com
antispywaretotalscan6 .com - Email: info@siggy.com
antispywaretotalscan8 .com - Email: info@siggy.com
antispywaretotalscan9 .com - Email: info@siggy.com
delete-all-virus05 .com - Email: sales@naukrit.com
delete-all-virus07 .com - Email: sales@naukrit.com
delete-all-virus09 .com - Email: sales@naukrit.com
delete-all-virus03 .com - 213.163.89.60; 88.198.233.225; 91.213.126.100; 193.169.12.70 - Email: sales@naukrit.com
clean-all-spyware10 .com - Email: crbarnes@uvic.ca
remove-all-adware01 .com - Email: info@nco.com.cn
clean-all-spyware01 .com - Email: crbarnes@uvic.ca
fast-virus-scan2 .com - Email: courseinfo@greenwich.ac.uk
remove-all-spyware03 .com - Email: info@nco.com.cn
fast-virus-scan4 .com - Email: courseinfo@greenwich.ac.uk
clean-all-spyware05 .com - Email: crbarnes@uvic.ca
best-virus-scanner5 .com - Email: info@ecomsol.com
remove-all-spyware07 .com - Email: info@nco.com.cn
fast-virus-scan7 .com - Email: courseinfo@greenwich.ac.uk  
005threats-scanner .com
09computerquickscan .com
005yourprivatescanner .com
online-systemscan .net - Email: gertrudeedickens@text2re.com 
best-spyware-scan01 .com - Email: info@viter-media.com
online-antivir-scan09 .com - Email: contacts@stevens-media.com
checkviruszone .com - Email: gertrudeedickens@text2re.com

guardsearch .net - Email: gertrudeedickens@text2re.com
protection-check07 .com - Email: info@democraticyouth.com
malwareinternetscanner03 .com - Email: kathy@nj-steams.com
best-spyware-scan03 .com - Email: info@viter-media.com
antispywarescanner08 .com - Email: info@cpehn.org
antivirusonlinescan03 .com - Email: kathy@nj-steams.com
quick-virus-scanner02 .com - Email: info@person.k112.nc.us
securedlivescan .com
superb-virus-scan09 .com - Email: tours@admiralgroup.co.uk
superb-antivir-scan01 .com
- Email: tours@admiralgroup.co.uk
intellectual-vir-scan09 .com
- Email: info@worldlifehencey.com
intellectual-vir-scan08 .com
- Email: info@worldlifehencey.com
private-antivirus-scannerv2 .com
- Email: webmaster@parun.co.kr 
reliable-scanner01 .com - Email: info@cansupply.com
superb-virus-scan07 .com - Email: tours@admiralgroup.co.uk
antivirus-online-scan8 .com - Email: webmaster@TangoDance.cn
best-antivirus3 .com - Email: info@legtimeprime.com
live-virus-scanner5 .com - Email: info@infy-tasks.com
antivirus-online-scan4 .com - Email: pranky-marie@yahoo.com
antispyware-scanner5 .com - Email: janny.mar123@yahoo.com
antivirus-online-scan5 .com - Email: pranky-marie@yahoo.com
live-virus-scanner7 .com - Email: info@infy-tasks.com



clean-all-spyware .com - Email: jdemagis@rocheste.ganet.com 
getyoursecuritynowv2 .com - Email: info@meat-beaf.com.cn
getyourantivirusv3 .com - Email: info@meat-beaf.com.cn
getyourpcsecurev3 .com - Email: info@meat-beaf.com.cn
antivirus-scannerv12 .com - Email: info@chinatownnetwork.com.cn
safeonlinescannerv4 .com - Email: steg.greg1992@yahoo.com
check-for-malwarev3 .com - Email: al@bis-solutions.com
check-your-pc-onlinev3 .com - Email: al@bis-solutions.com
searchurlguide .com - 64.86.16.9 - Email:powell.john11@gmail.com
securitypad .net - 206.53.61.70 - Email: gertrudeedickens@text2re.com
prestotunerst .cn - 64.86.16.210 - Email: unitedisystems@gmail.com
officesecuritysupply .com - Email: Ronald.T.Samora@spambob.com
securityread .com - Email: Anna.R.Helm@dodgit.com
scanasite .com - Email: Carol.J.Hipp@mailinator.com
cheapsecurityscan .com - Email: Kevin.L.Linkous@trashymail.com
securitysupplycenter .com - Email: Janet.R.Vasquez@spambob.com
best-folder-scanv3 .com - Email: info@best-util-til.com
online-best-scanv3 .com - Email: public@cropfactor.in
online-defenderv9 .com - Email: public@cropfactor.in
antispyware-live-scanv3 .com - Email: ervin1981rolf@yahoo.com
antispywarelivescanv5 .com - Email: sales.in@bauhmerhhs.com


antispyware-online-scanv7 .com - Email: ervin1981rolf@yahoo.com
basicsystemscannerv8 .com - Email: changhong@corpdefence.cn
bestpersonalprotectionv2 .com - Email: cfaa1996@yahoo.com.cn
bestpersonalprotectionv7 .com - Email: cfaa1996@yahoo.com.cn
computer-antivirus-scanv9 .com - Email: melaniestarmelanie@yahoo.com
fastvirusscanv6 .com - Email: info@rasystems.com
govirusscanner .com - Email: contact@demoninchina.com
mysafecomputerscan .com - Email: acurtis@stevens.com
onlineantispywarescanv6 .com - Email: czoao@hotmail.com
online-antivir-scanv2 .com - Email: iren.g@sysintern.in
onlinebestscannerv3 .com - Email: info@srilanka.cn
onlinepersonalscanner .com - Email: info@srilanka.cn
onlineproantivirusscan .com - Email: addworld@freebbmail.com
online-pro-antivirus-scan .com - Email: findz@freebbmail.com


onlineproantivirusscanner .com - Email: findz@freebbmail.com
online-secure-scannerv2 .com - Email: iren.g@sysintern.in
personalantivirusprotection .com - Email: info@Wholesaler.cn
personalfolderscanv2 .com - Email: hfbeauty@yahoo.com
premium-antispy-scanv3 .com - Email: Ktrivedi@go2uti.com
premium-antispy-scanv7 .com - Email: Ktrivedi@go2uti.com
premium-antivirus-scanv6 .com - Email: Ktrivedi@go2uti.com
private-antivirus-scannerv2 .com - Email: webmaster@parun.co.kr
privatevirusscannerv8 .com - Email: info@rasystems.com
secure-antispyware-scanv3 .com - Email: info@prrp.de
securepersonalscanner .com - Email: info@prrp.de
secure-spyware-scannerv3 .com - Email: info@prrp.de
secure-virus-scannerv5 .com - Email: info@prrp.de
securityfolderprotection .com - Email: info@Wholesaler.cn
spyware-scannerv2 .com - Email: hanan.abdelrazek@bibalexy.org
spywarescannerv4 .com - Email: hanan.abdelrazek@bibalexy.org


Sampled scareware from the last 24 hours phones back to mineralwaterfilter .com - 78.46.201.90. Parked there are also: june-crossover .com; goldmine-sachs .com; momentstohaveyou .cn. More sampled scareware phones back to a new domain Phones back to pencil-netwok .com (94.102.48.31), parked there are the rest of the phone back locations for the rest of the scareware such as mineralwaterfilter .com; june-crossover .com; goldmine-sachs .com; bestparishotelsnow .com

A second sampled scareware phones back to a different location - 92.241.176.188. Parked there are the rest of the domains in their scareware portfolio:
bestscanpc .org
bestscanpc .biz
downloadavr2 .com
downloadavr3 .com
trucount3005 .com
antivirus-scan-2009 .com
antivirusxppro-2009 .com
advanced-virus-remover-2009 .com
advanced-virus-remover2009 .com
advanced-virusremover2009 .com
bestscanpc .com
xxx-white-tube .com
blue-xxx-tube .com
trucountme .com
10-open-davinci .com
vs-codec-pro .com
vscodec-pro .com
download-vscodec-pro .com
v-s-codecpro .com
antivirus-2009-ppro .com
onlinescanxppro .com
downloadavr .com
bestscanpc .info
bestscanpc .net
bestscanpc .biz



New/historical redirection domains used in the campaign, this time parked at 78.46.201.89/94.102.48.29/different locations as noted:
cnn-bcc2 .com - 89.248.174.61 - Email: mail@sccits.com.cn
issuenews1 .com - Email: mail@sccits.com.cn
headlinenews2 .com - Email: mail@sccits.com.cn
usdisturbed .cn - Email: info@brandbanks.com
milesdavisorland .cn - Email: info@brandbanks.com
usaworkinghard .cn - Email: info@brandbanks.com
nationaltreasure .cn - Email: info@brandbanks.com
milesdavisorland .cn - 91.213.126.101 - Email: info@brandbanks.com 
we-accepted .cn - Email: info@rcusan.org
myth-busters .cn - Email: info@rcusan.org
russell-brand .cn - Email: info@sciencesdemo.com
willsmithinc .cn - Email: contact@oregonvma.org
dirty-dancing .cn - Email: allisonh@soeconline.org
sex-and-the-city .cn - Email: oregon.artscomm@state.or.us 
clicksick .cn - 67.215.245.187 - Email: webmaster@clicksick.cn
doubleclicknet .cn - 67.215.245.187 - Email: webmaster@doubleclicknet.cn 
shrekmovie .cn - Email: oregon.artscomm@state.or.us
radioheadicon .cn - Email: contact@oregonvma.org
batman-comics .cn - Email: contact@oregonvma.org
beststarwars .cn - Email: allisonh@soeconline.org
mashroomtheory .cn - Email: webmaster@TangoDance.cn
space2009city .cn - Email: webmaster@TangoDance.cn
messengerinfo .cn - Email: allisonh@soeconline.org
greattime2009 .cn - Email: webmaster@seniorstuds.com.ar
iwanttowin .cn - Email: webmaster@seniorstuds.com.ar
hardnut .cn - Email: tan.mei.sie@monash.com.my
sitemechanics .cn - info@powertrackers.com
exceldocumentsinfo .cn - Email: info@powertrackers.com
chinafavorites .cn - Email: cmo@ci.springfields.or.us
best-live-lottery .cn - Email: info@powertrackers.com
adeptofmastery .cn - Email: info@powertrackers.com
trytowintoday .cn - Email: info@powertrackers.com
bulkdvdreader .cn - 94.102.48.29 - Email: info@powertrackers.com
style-everywhere .com - 88.198.105.145 - Email: angy.helm21@yahoo.com 
clicksick .cn - 67.215.245.187 - Email: webmaster@clicksick.cn 
supportyourcountry .cn - Email: cmo@ci.springfields.or.us
wheels-on-fire .cn - 94.102.48.29 - Email: epron.sales@epron.com.hk
stillphotoshots .cn -  94.102.48.29 - Email: epron.sales@epron.com.hk
delayyouranswer .cn - Email: info@globaltechs.com.cn
getbestsales .cn - Email: info@globaltechs.com.cn
library-presents .cn - Email: hanzellandgretell@googlemail.com
in-t-h-e .cn - 72.21.41.198 (Layered Technologies, Inc.) - Email: admin@in-t-h-e.cn
bestwishestoyou .cn - 94.102.48.29 - Email: hanzellandgretell@googlemail.com
library-presents .cn - 94.102.48.29 - Email: hanzellandgretell@googlemail.com
getbestsales .cn - 94.102.48.29 - Email: info@globaltechs.com.cn 
aware-of-future .cn - Email: info@globaltechs.com.cn 
nothing-to-wear .cn - Email: steg.greg1992@yahoo.com
newsmediaone .com - 72.21.41.198 - Email: advertizers@newsmediaone.com
bapoka .net - 87.118.96.6
stylestats1 .net - 94.102.63.16 - Email: grem@yahoo.com
luckystats .org - Email: director@climbing-games.com
luckystats1 .com - Email: grem@yahoo.com
lifewepromote .cn - Email: ruixiang.guo@yahoo.com
securecommercialnews .cn - Email: contacts@swedbank.com.cn
snowboard2009 .cn - Email: weinwein2@yahoo.com
nothern-ireland .cn - Email: accabj@cn.accaglobal.com
goldensunshine .cn - Email: info@tartirtar.com
steplessculture .cn - Email: info@myfibernetworks.cn
vipsoccermanager .cn - Email: opressor1992@yahoo.com
b2b-forums .cn - Email: weinwein2@yahoo.com
rondo-trips .cn - Email: acurtis@stevens.com
mywatermakrs .cn - Email: shanghaihuny@yahoo.com
gazsnippets .cn - Email: acurtis@stevens.com
bestvanillaresorts .cn - Email: opressor1992@yahoo.com
personalrespect .cn - Email: weinwein2@yahoo.com
consensualart .cn - Email: shanghaihuny@yahoo.com
yourholidaytoday .cn - Email: opressor1992@yahoo.com
guidetogalaxy .cn - Email: stp9014@yahoo.com


Among the new monetization tactics used are the typical pay-per-click malware-friendly search engines which act as both, redirectors to phony sites/scams, as well as keyword blackholes which help them assess the popularity for a particular keyword, and therefore start pushing it more aggressively through a process called synonymization.

Interestingly, they're exclusively using the compromised .co.uk, as well as purely malicious blackhat SEO domains for scareware serving purposes, but continue using the ones they operate under the free DNS service providers for monetization through the bogus search engines. The domains used in this monetization approach are as follows:


rivasearchpage .com - 64.27.21.5 - Email: support@ruler-domains.com
triwoperl .com - 95.168.191.19 - Email: florenzaluwemba@gmail.com
tropysearch .us - 74.52.216.46 - Email: tech@add-manager.com
glorys .info (glorys .info/red/cube.js) - - 78.159.97.186 - Email: kor4seo@rambler.ru
funnyblogetc .info/go.php -  - Email: tigerwood1@nm.ru


triwoperl.com's front page is currently relying on the go.live.com javascript obfuscation. Deobfuscated it redirects to fi97 .net/jsr.php?uid=dir&group=ggl&keyword=&okw=&query=", deja vu again - fi97 .net was used in the Ukrainian "fan club's" blackhat SEO campaign in June.

Monitoring of the campaign and takedown actions would continue, with an emphasis on the RBN connection from a related blackhat SEO campaign from last year. The gang is not going away anytime soon, but their campaigns definitely are.

Related posts:
A Peek Inside the Managed Blackhat SEO Ecosystem
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot 

This post has been reproduced from Dancho Danchev's blog.

Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign

AltusHost Inc, the company whose services were exclusively used in the blackhat SEO campaign using U.S Federal Forms theme for scareware service purposes, has finally responded to the abuse notifications sent seven days ago stating that "the sites have been terminated". Such a slow response once again proves that dysfunctional abuse departments increase the lifecycle of a malware/spam/phishing campaign by not taking it down when it's most actively gaining momentum.

(For historical OSINT research, the following domains not previously listed were in circulating during the past week - thwovretgi .com - 91.214.44.239 - Email: joby47619@msn.com; shtifobpy .com - 91.214.44.210 - Email: hiraldo13686@hotmail.com; vodcotha .com - 91.214.44.203 - Email: jamarcus59884@yahoo.com; stromiko .com - Email: hyacinthiemccolman@gmail.com; ceslyemsof .com - 91.214.44.205 - Email: brisco68781@lycos.com;  ejeifyevy .com - 91.214.44.208 - Email: brisco68781@lycos.com; kuhatjidd .com - 91.214.44.203 - Email: khrista12110@hotmail.com )

How did the cybercriminals respond? By proving that this blackhat SEO campaign has been well planed and coordinate a long time before it was executed in the wild. For the time being, it relies on a combination of legitimate U.K based sites, the result of a evident compromise of Web Hosting Mania due to the fact that all the affected legitimate sites are hosted there, a growing portfolio of .cc tld domains, automatic abuse of free services such as myftpsite.net; dns2go.com; dynodns.net; thebbs.org, and systematic pushing of new scareware variants/redirector and scareware domains, which explains the low generic detection rate of all the samples obtained.

Moreover, not only did the blackhat SEO themes expanding in the typical randomly generated junk that has naturally been crawled by public search engines, but also, according to publicly obtainable statistics, millions of users (collectively) have already visited the landing sites, with 42.80% of the referring site for a particular domain coming from thebbs.org and 31.97% from Google - their tactics are actively hijacking millions of users already.

Let's dissect the latest developments in the ongoing blackhat SEO campaign, list the participating scareware/blackhat SEO/redirection domains, the various monetization tactics going beyond scareware, as well as discuss some of the innovations used in the javascript obfuscation which makes it virtually impossible for a crawler to detect that the site is malicious.

Key summary points:
  • U.K based hosting provider Web Mania Hosting appears to be compromised due to the fact that all the abused legitimate sites are hosted there
  • the redirection and scareware domain/binary are updated two times during 24 hours period of time
  • all the scareware samples continue phoning back to several domains parked at 78.46.201.90
  • the cybercriminals have introduced multiple monetization tactics through pay-per-click malware-friendly search engines
  • sampled scareware adds the following registry entry [HKEY_LOCAL_MACHINE\SOFTWARE\6A36EA6E11EAAECDF5E540DEF2149079] plxxh = "Dujaq!!" - Dujaq!! means "Bl*w me!!"
Compromised legitimate domains at Web Hosting Mania currently in circulation:
ladydestiny .com
marchbrook.co .uk
mgwooldridge.co .uk
midfleet .com
mikedz.co .uk
millypeds.co .uk
mitchameditorial.co .uk
moddeydhoomcc.co .uk
monkeyfist.co .uk
morita.co .uk
mosoul.co .uk
mrbuzzhard.co .uk
mtbpigs.co .uk
mysticspirals.co .uk
mythagostudios .com
neilwebsterhoundtrailing.co .uk
newmarskecricketclub.co .uk
oneintenrock.co .uk
pcook.co .uk
pengineer.co .uk


Blackhat SEO domains redirecting to scareware, currently in circulation using a .cc tld extension:
agjjgtfyi .cc - Email: susan@michiganfarms.com
ckckoo .cc - Email: briettamacpherson@gmail.com
eunlabkce .cc - 93.170.134.175 - Email: susan@michiganfarms.com
ewjwjiavg .cc - 74.206.242.22 - Email: susan@michiganfarms.com
fgodvsli .cc - 93.170.133.205 - Email: susan@michiganfarms.com
fgodvsli .cc - 93.170.133.205 - Email: susan@michiganfarms.com
fyecdizt .cc 93.170.156.119 - Email: susan@michiganfarms.com
hgzondsul .cc - 174.137.171.69 - Email: susan@michiganfarms.com
iiuuoo .cc - Email: briettamacpherson@gmail.com
ijnteqc .cc - 93.170.130.105 - Email: susan@michiganfarms.com
irolopl .cc - 93.170.134.203 - Email: susan@michiganfarms.com
jglcbngvu .cc -  93.170.130.217 - Email: susan@michiganfarms.com
jpydmee .cc - 93.170.133.247 - Email: susan@michiganfarms.com
kdwwwwon .cc - 93.170.134.231 - Email: susan@michiganfarms.com
kgowncgi .cc - 93.170.154.179 - Email: susan@michiganfarms.com
lmhhsnd .cc - 93.170.156.105 - Email: susan@michiganfarms.com

mezkopq .cc - 93.170.129.75 - Email: susan@michiganfarms.com
mvsoomw .cc - 93.170.131.66 - Email: susan@michiganfarms.com
njfgfbd .cc - 93.170.156.21 - Email: susan@michiganfarms.com
nsdgkrge .cc - 93.170.153.98 - Email: susan@michiganfarms.com
nselkss .cc - 93.170.130.245 - Email: susan@michiganfarms.com
owudfnay .cc - 93.170.131.178 - Email: susan@michiganfarms.com
pfjfsiunt .cc - 93.170.151.80 - Email: susan@michiganfarms.com
piqvrrugd .cc - 93.170.156.63 - Email: susan@michiganfarms.com
rroiqbznj .cc - 93.170.134.35 - Email: susan@michiganfarms.com
ssyydqyh .cc - 93.170.131.206 - Email: susan@michiganfarms.com
sucdugon .cc - 93.170.154.100 - Email: susan@michiganfarms.com
tftrwxlg .cc - 93.170.130.133 - Email: susan@michiganfarms.com
tirtop .cc - 188.72.198.21 - Email: elaynedangubic@gmail.com

uclrwpyp .cc - 93.170.131.38 - Email: susan@michiganfarms.com
uomfchbj .cc - 93.170.131.10 - Email: susan@michiganfarms.com
vrmmnicl .cc - 93.170.151.10 - Email: susan@michiganfarms.com
vtgisihjy .cc - 93.170.133.163 - Email: susan@michiganfarms.com
vwyldlbe .cc - 188.72.204.57 - Email: brigidadorion@gmail.com
vzlbamuvs .cc - 93.170.130.49 - Email: susan@michiganfarms.com
wgyxrmtld .cc - 93.170.152.226 - Email: susan@michiganfarms.com
xisuuzos .cc - 93.170.134.77 - Email: susan@michiganfarms.com
xlkzmqiw .cc - 93.170.131.234 - Email: susan@michiganfarms.com
zirtop .cc - Email: elaynedangubic@gmail.com
zmtkpugbz .cc - 93.170.130.189 - Email: susan@michiganfarms.com
zncutvk .cc - 174.137.171.117 - Email: susan@michiganfarms.com

New blackhat SEO domains portfolio using NOC4Hosts Inc's services:
rebuwe .net - 206.51.230.97
sivezo .net - 206.51.230.98
mipola .net - 206.51.230.95
kowipe .net - 206.51.230.92
kerobo .net - 206.51.230.90
gelupe .net - 206.51.230.104
fuquwe .net - 206.51.230.103
hyduve .net - 206.51.230.200
bisehu .net - 206.51.230.99
wypule .net - 206.51.230.95
xylucy .net - 206.51.230.97
xulady .net - 206.51.230.96
lyqyte .net - 206.51.230.94
nimygu .net - 206.51.230.96
zuziki .net - 206.51.230.98
symiza .net - 206.51.230.99
bisehu .net - 206.51.230.99
msrxdk .com - 188.72.192.78 - Email: charlenecrewshgkn@yahoo.com
kimuka .net - 188.72.192.78 - Email: charlenecrewshgkn@yahoo.com
ylkbin .com - 188.72.192.81

Portfolio of scareware domains participating in the blackhat SEO campaing, parked at 83.133.126.155; 88.198.107.25; 88.198.120.177; 91.212.107.5; 94.102.51.26; 188.40.61.236; 62.90.136.237; 91.212.127.200; 78.46.251.43; 91.212.107.5; 69.4.230.204; 78.46.251.43; 88.198.107.25; 88.198.105.149; 88.198.233.225:
reliable-scanner01 .com - Email: info@cansupply.com
superb-virus-scan07 .com - Email: tours@admiralgroup.co.uk
antivirus-online-scan8 .com - Email: webmaster@TangoDance.cn
best-antivirus3 .com - Email: info@legtimeprime.com
live-virus-scanner5 .com - Email: info@infy-tasks.com
antivirus-online-scan4 .com - Email: pranky-marie@yahoo.com
antispyware-scanner5 .com - Email: janny.mar123@yahoo.com
antivirus-online-scan5 .com - Email: pranky-marie@yahoo.com
live-virus-scanner7 .com - Email: info@infy-tasks.com
clean-all-spyware .com - Email: jdemagis@rocheste.ganet.com 
getyoursecuritynowv2 .com - Email: info@meat-beaf.com.cn
getyourantivirusv3 .com - Email: info@meat-beaf.com.cn
getyourpcsecurev3 .com - Email: info@meat-beaf.com.cn
antivirus-scannerv12 .com - Email: info@chinatownnetwork.com.cn
safeonlinescannerv4 .com - Email: steg.greg1992@yahoo.com
check-for-malwarev3 .com - Email: al@bis-solutions.com
check-your-pc-onlinev3 .com - Email: al@bis-solutions.com
searchurlguide .com - 64.86.16.9 - Email:powell.john11@gmail.com
securitypad .net - 206.53.61.70 - Email: gertrudeedickens@text2re.com
prestotunerst .cn - 64.86.16.210 - Email: unitedisystems@gmail.com
officesecuritysupply .com - Email: Ronald.T.Samora@spambob.com
securityread .com - Email: Anna.R.Helm@dodgit.com
scanasite .com - Email: Carol.J.Hipp@mailinator.com
cheapsecurityscan .com - Email: Kevin.L.Linkous@trashymail.com
securitysupplycenter .com - Email: Janet.R.Vasquez@spambob.com
best-folder-scanv3 .com - Email: info@best-util-til.com
online-best-scanv3 .com - Email: public@cropfactor.in
online-defenderv9 .com - Email: public@cropfactor.in
antispyware-live-scanv3 .com - Email: ervin1981rolf@yahoo.com
antispywarelivescanv5 .com - Email: sales.in@bauhmerhhs.com

antispyware-online-scanv7 .com - Email: ervin1981rolf@yahoo.com
basicsystemscannerv8 .com - Email: changhong@corpdefence.cn
bestpersonalprotectionv2 .com - Email: cfaa1996@yahoo.com.cn
bestpersonalprotectionv7 .com - Email: cfaa1996@yahoo.com.cn
computer-antivirus-scanv9 .com - Email: melaniestarmelanie@yahoo.com
fastvirusscanv6 .com - Email: info@rasystems.com
govirusscanner .com - Email: contact@demoninchina.com
mysafecomputerscan .com - Email: acurtis@stevens.com
onlineantispywarescanv6 .com - Email: czoao@hotmail.com
online-antivir-scanv2 .com - Email: iren.g@sysintern.in
onlinebestscannerv3 .com - Email: info@srilanka.cn
onlinepersonalscanner .com - Email: info@srilanka.cn
onlineproantivirusscan .com - Email: addworld@freebbmail.com
online-pro-antivirus-scan .com - Email: findz@freebbmail.com

onlineproantivirusscanner .com - Email: findz@freebbmail.com
online-secure-scannerv2 .com - Email: iren.g@sysintern.in
personalantivirusprotection .com - Email: info@Wholesaler.cn
personalfolderscanv2 .com - Email: hfbeauty@yahoo.com
premium-antispy-scanv3 .com - Email: Ktrivedi@go2uti.com
premium-antispy-scanv7 .com - Email: Ktrivedi@go2uti.com
premium-antivirus-scanv6 .com - Email: Ktrivedi@go2uti.com
private-antivirus-scannerv2 .com - Email: webmaster@parun.co.kr
privatevirusscannerv8 .com - Email: info@rasystems.com
secure-antispyware-scanv3 .com - Email: info@prrp.de
securepersonalscanner .com - Email: info@prrp.de
secure-spyware-scannerv3 .com - Email: info@prrp.de
secure-virus-scannerv5 .com - Email: info@prrp.de
securityfolderprotection .com - Email: info@Wholesaler.cn
spyware-scannerv2 .com - Email: hanan.abdelrazek@bibalexy.org
spywarescannerv4 .com - Email: hanan.abdelrazek@bibalexy.org

Sampled scareware from the last 24 hours phones back to mineralwaterfilter .com - 78.46.201.90. Parked there are also: june-crossover .com; goldmine-sachs .com; momentstohaveyou .cn. More sampled scareware phones back to a new domain Phones back to pencil-netwok .com (94.102.48.31), parked there are the rest of the phone back locations for the rest of the scareware such as mineralwaterfilter .com; june-crossover .com; goldmine-sachs .com; bestparishotelsnow .com

A second sampled scareware phones back to a different location - 92.241.176.188. Parked there are the rest of the domains in their scareware portfolio:
bestscanpc .org
bestscanpc .biz
downloadavr2 .com
downloadavr3 .com
trucount3005 .com
antivirus-scan-2009 .com
antivirusxppro-2009 .com
advanced-virus-remover-2009 .com
advanced-virus-remover2009 .com
advanced-virusremover2009 .com
bestscanpc .com
xxx-white-tube .com
blue-xxx-tube .com
trucountme .com
10-open-davinci .com
vs-codec-pro .com
vscodec-pro .com
download-vscodec-pro .com
v-s-codecpro .com
antivirus-2009-ppro .com
onlinescanxppro .com
downloadavr .com
bestscanpc .info
bestscanpc .net
bestscanpc .biz


New/historical redirection domains used in the campaign, this time parked at 78.46.201.89/94.102.48.29/different locations as noted:
beststarwars .cn - Email: allisonh@soeconline.org
mashroomtheory .cn - Email: webmaster@TangoDance.cn
space2009city .cn - Email: webmaster@TangoDance.cn
messengerinfo .cn - Email: allisonh@soeconline.org
greattime2009 .cn - Email: webmaster@seniorstuds.com.ar
iwanttowin .cn - Email: webmaster@seniorstuds.com.ar
hardnut .cn - Email: tan.mei.sie@monash.com.my
sitemechanics .cn - info@powertrackers.com
exceldocumentsinfo .cn - Email: info@powertrackers.com
chinafavorites .cn - Email: cmo@ci.springfields.or.us
best-live-lottery .cn - Email: info@powertrackers.com
adeptofmastery .cn - Email: info@powertrackers.com
trytowintoday .cn - Email: info@powertrackers.com
bulkdvdreader .cn - 94.102.48.29 - Email: info@powertrackers.com
style-everywhere .com - 88.198.105.145 - Email: angy.helm21@yahoo.com 
clicksick .cn - 67.215.245.187 - Email: webmaster@clicksick.cn 
supportyourcountry .cn - Email: cmo@ci.springfields.or.us
wheels-on-fire .cn - 94.102.48.29 - Email: epron.sales@epron.com.hk
stillphotoshots .cn -  94.102.48.29 - Email: epron.sales@epron.com.hk
delayyouranswer .cn - Email: info@globaltechs.com.cn
getbestsales .cn - Email: info@globaltechs.com.cn
library-presents .cn - Email: hanzellandgretell@googlemail.com
in-t-h-e .cn - 72.21.41.198 (Layered Technologies, Inc.) - Email: admin@in-t-h-e.cn
bestwishestoyou .cn - 94.102.48.29 - Email: hanzellandgretell@googlemail.com
library-presents .cn - 94.102.48.29 - Email: hanzellandgretell@googlemail.com
getbestsales .cn - 94.102.48.29 - Email: info@globaltechs.com.cn 
aware-of-future .cn - Email: info@globaltechs.com.cn 
nothing-to-wear .cn - Email: steg.greg1992@yahoo.com
newsmediaone .com - 72.21.41.198 - Email: advertizers@newsmediaone.com
bapoka .net - 87.118.96.6
stylestats1 .net - 94.102.63.16 - Email: grem@yahoo.com
luckystats .org - Email: director@climbing-games.com
luckystats1 .com - Email: grem@yahoo.com
lifewepromote .cn - Email: ruixiang.guo@yahoo.com
securecommercialnews .cn - Email: contacts@swedbank.com.cn
snowboard2009 .cn - Email: weinwein2@yahoo.com
nothern-ireland .cn - Email: accabj@cn.accaglobal.com
goldensunshine .cn - Email: info@tartirtar.com
steplessculture .cn - Email: info@myfibernetworks.cn
vipsoccermanager .cn - Email: opressor1992@yahoo.com
b2b-forums .cn - Email: weinwein2@yahoo.com
rondo-trips .cn - Email: acurtis@stevens.com
mywatermakrs .cn - Email: shanghaihuny@yahoo.com
gazsnippets .cn - Email: acurtis@stevens.com
bestvanillaresorts .cn - Email: opressor1992@yahoo.com
personalrespect .cn - Email: weinwein2@yahoo.com
consensualart .cn - Email: shanghaihuny@yahoo.com
yourholidaytoday .cn - Email: opressor1992@yahoo.com
guidetogalaxy .cn - Email: stp9014@yahoo.com

Among the new monetization tactics used are the typical pay-per-click malware-friendly search engines which act as both, redirectors to phony sites/scams, as well as keyword blackholes which help them assess the popularity for a particular keyword, and therefore start pushing it more aggressively through a process called synonymization.

Interestingly, they're exclusively using the compromised .co.uk, as well as purely malicious blackhat SEO domains for scareware serving purposes, but continue using the ones they operate under the free DNS service providers for monetization through the bogus search engines. The domains used in this monetization approach are as follows:

rivasearchpage .com - 64.27.21.5 - Email: support@ruler-domains.com
triwoperl .com - 95.168.191.19 - Email: florenzaluwemba@gmail.com
tropysearch .us - 74.52.216.46 - Email: tech@add-manager.com
glorys .info (glorys .info/red/cube.js) - - 78.159.97.186 - Email: kor4seo@rambler.ru
funnyblogetc .info/go.php -  - Email: tigerwood1@nm.ru

triwoperl.com's front page is currently relying on the go.live.com javascript obfuscation. Deobfuscated it redirects to fi97 .net/jsr.php?uid=dir&group=ggl&keyword=&okw=&query=", deja vu again - fi97 .net was used in the Ukrainian "fan club's" blackhat SEO campaign in June.

Monitoring of the campaign and takedown actions would continue, with an emphasis on the RBN connection from a related blackhat SEO campaign from last year. The gang is not going away anytime soon, but their campaigns definitely are.

Related posts:
A Peek Inside the Managed Blackhat SEO Ecosystem
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot 

This post has been reproduced from Dancho Danchev's blog.