Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware

During the past 24 hours, a blackhat SEO campaign has been hijacking U.S Federal Forms related keywords in an attempt to serve scareware.

What's particularly interesting about the campaign is that the Ukrainian fan club behind it -- you didn't even think for a second that there's no connection with their previous campaigns, did you? -- are using basic segmentation principles since the tax form keywords poisoning is attempting to hijack U.S traffic. Evasive practices are also in place through the usual http referrer check, which would only serve the scareware if the visitor is coming from, if not a 404 error message will appear.

Upon clicking on the link, the user is redirected through a centralized location responsible for managing the traffic from the thousands of subdomains/keywords used - honda-recycle .cn/go.php?id=2017&key=cbafb5cb2&p=1 - Email: Parked on the same IP are also related malware/scareware domains:

winsoftwareupdatev2 .com - Email:
much-in-love .com - Email:
i-dont-care-much .com - Email:
malwareurlblock .com - Email:
bennysaintscathedral .com - Email:
browsersecurityinfo .com - Email:
windowssecurityinfo .com - Email:
ringtone-radio .com - Email:
events-team-manager .com - Email:
1worldupdatesserver .com - Email:
discovernewchina .cn - Email:
rollerskatesadvise .cn - Email:
allfootballmanager .cn - Email:
hardwarefactories .cn - Email:
besthockeyteams .cn - Email:
gowildtours .cn - Email:

The malicious domains used -- with two exceptions -- are all parked at AltusHost Inc./ALTUSHOST-NET. Here's the complete list:
tebdigasbi .com - - Email:
kraijfaw .com - - Email:
reychohica .com - - Email:
fequervo .com - - Email:
ukaszohat .com - - Email:
buwrynko .com - - Email:
fetholye .com - - Email:
pasbirrada .com - - Email: - legitimate - legitimate

The people behind the campaign have also taken contingency planning in mind since the scareware domain portfolio is parked on five different IPs - no-spyware-thanks .com -;;;; Email: The complete list:

fast-scan-your-pcv3 .com - Email:
basicsystemscannerv3 .com - Email:
antivirus-quickscanv5 .com - Email:
basicsystemscannerv6 .com - Email:
basicsystemscannerv8 .com - Email:
privatevirusscannerv8 .com - Email:
spywarefastscannerv9 .com - Email:
online-pro-antivirus-scan .com - Email:
onlineproscan .com - Email:
onlineproantivirusscan .com - Email:
online-pro-scanner .com - Email:
basicsystemscanner .com - Email:
onlineproantivirusscanner .com - Email:
iwantsweepviruses .com - Email:

Two sampled scareware samples during the past 24 hours phone back to goldmine-sachs .com (Goldman Sachs typosquatting) -; - Email: and to june-crossover .com - - Email: In regard to, the "fan club" used it to host scareware in their June's campaigns.

AltusHost Inc./ALTUSHOST-NET is expected to take action shortly.

This post has been reproduced from Dancho Danchev's blog.


Post a Comment