During the past 24 hours, a blackhat SEO campaign has been hijacking U.S. Federal Forms-related keywords in an attempt to serve scareware.
What's particularly interesting about the campaign is that the Ukrainian fan club behind it (you didn't even think for a second that there's no connection with their previous campaigns, did you?) are applying basic segmentation principles: the tax form keyword poisoning is aimed specifically at U.S. traffic. Evasive practices are also in place through the usual HTTP referrer check, which serves the scareware only if the visitor arrives from Google.com; otherwise a 404 error message is returned.
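The referrer-based cloaking described above is easy to confirm from the analyst's side: request the suspect URL once without a Referer header and once with a Google search referer, and compare the two responses. The probe below is an added example, not code from the original post; the URL, the fake server functions and the sample bodies are constructed for the offline demonstration.

```python
"""Referrer-cloaking probe: fetch a suspect URL with and without a Google
search Referer and flag pages that answer each request differently.
Added example; not part of the original post."""
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# A fetcher takes (url, request headers) and returns (HTTP status, body).
Fetcher = Callable[[str, Dict[str, str]], Tuple[int, str]]

# Constructed referer mimicking a click from a Google results page.
GOOGLE_REFERER = "http://www.google.com/search?q=federal+tax+forms"


def probe_cloaking(url: str, fetch: Fetcher) -> dict:
    """Request `url` twice and report whether the responses differ.
    'matches_404_pattern' is the exact behaviour the post describes:
    404 for a direct visit, a real page for visitors coming from Google."""
    status_plain, body_plain = fetch(url, {})
    status_ref, body_ref = fetch(url, {"Referer": GOOGLE_REFERER})
    return {
        "url": url,
        "status_without_referer": status_plain,
        "status_with_google_referer": status_ref,
        "cloaked": status_plain != status_ref or body_plain != body_ref,
        "matches_404_pattern": status_plain == 404 and status_ref == 200,
    }


def http_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Live fetcher built on urllib; reads only the first 4 KiB of the body."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


# Constructed stand-ins so the probe can be exercised offline.
def fake_cloaking_server(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Emulates the redirector behaviour from the post: payload only for Google visitors."""
    if "google.com" in headers.get("Referer", ""):
        return 200, "<html>Your computer is infected! Run the scanner now</html>"
    return 404, "Not Found"


def fake_honest_server(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """A normal site answers the same regardless of referer."""
    return 200, "<html>Form 1040 instructions</html>"


if __name__ == "__main__":
    print(probe_cloaking("http://redirector.example.invalid/go.php?id=1", fake_cloaking_server))
    print(probe_cloaking("http://forms.example.invalid/", fake_honest_server))
```

Swap `fake_cloaking_server` for `http_fetch` to run the same comparison against a live URL.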
Upon clicking on the link, the user is redirected through a centralized location responsible for managing the traffic from the thousands of subdomains/keywords used: honda-recycle .cn/go.php?id=2017&key=cbafb5cb2&p=1 - 83.133.123.113 - Email: accabj@cn.accaglobal.com. A number of related malware/scareware domains are parked on the same IP.
The malicious domains used, with two exceptions, are all parked at AltusHost Inc./ALTUSHOST-NET.
The people behind the campaign have also taken contingency planning into account, since the scareware domain portfolio is parked on five different IPs: no-spyware-thanks .com - 94.102.48.29; 94.102.51.26; 188.40.61.236; 83.133.126.155; 91.212.107.5 - Email: Paul.Saydak@lovellis.com.
Two scareware samples collected during the past 24 hours phone back to goldmine-sachs .com (Goldman Sachs typosquatting) - 83.133.122.211; 89.47.237.52 - Email: rodriguez.dallas@romehotels.com, and to june-crossover .com - 83.133.123.109 - Email: doru@sattenis.com. As for 89.47.237.52, the "fan club" used it to host scareware in their June campaigns.
AltusHost Inc./ALTUSHOST-NET is expected to take action shortly.
This post has been reproduced from Dancho Danchev's blog.
Thursday, August 06, 2009
Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware