What's particularly interesting about the campaign is that the Ukrainian fan club behind it -- you didn't even think for a second that there's no connection with their previous campaigns, did you? -- is applying basic segmentation principles, since the tax-form keyword poisoning is attempting to hijack U.S. traffic. Evasive practices are also in place through the usual HTTP referrer check: the scareware is served only if the visitor arrives from Google.com; otherwise a 404 error message appears.
Upon clicking on the link, the user is redirected through a centralized location responsible for managing the traffic from the thousands of subdomains/keywords used - honda-recycle .cn/go.php?id=2017&key=cbafb5cb2&p=1 - 83.133.123.113 Email: accabj@cn.accaglobal.com. Parked on the same IP are also related malware/scareware domains:
much-in-love .com - Email: krebikim@kanmail.net
i-dont-care-much .com - Email: krebikim@kanmail.net
malwareurlblock .com - Email: Qinrui971@hotmail.com
bennysaintscathedral .com - Email: gayaomila@yahoo.com
browsersecurityinfo .com - Email: visor@elcomtech.com
windowssecurityinfo .com - Email: arziw12@freebbmail.com
ringtone-radio .com - Email: bobbyer@iofc.org
events-team-manager .com - Email: krebikim@kanmail.net
1worldupdatesserver .com - Email: tapias.andres@hdtvspain.org
discovernewchina .cn - Email: leijun.ma@unifem.org
rollerskatesadvise .cn - Email: info@chinaeuropaforum.net
allfootballmanager .cn - Email: info@chinaeuropaforum.net
hardwarefactories .cn - Email: leijun.ma@unifem.org
besthockeyteams .cn - Email: info@chinaeuropaforum.net
gowildtours .cn - Email: leijun.ma@unifem.org
tebdigasbi .com - 91.214.44.205 - Email: martin94304@yahoo.com
kraijfaw .com - 91.214.44.240 - Email: argantael31869@msn.com
reychohica .com - 91.214.44.209 - Email: martin94304@yahoo.com
fequervo .com - 91.214.44.239 - Email: orla53111@hotmail.com
ukaszohat .com - 91.214.44.205 - Email: argantael31869@msn.com
buwrynko .com - 91.214.44.204 - Email: keallach84256@yahoo.com
fetholye .com - 91.214.44.208 - Email: martin94304@yahoo.com
pasbirrada .com - 91.214.44.204 - Email: martin94304@yahoo.com
dynodns.net - legitimate
thebbs.org - legitimate
basicsystemscannerv3 .com - Email: changhong@corpdefence.cn
antivirus-quickscanv5 .com - Email: diana1982@yahoo.com
basicsystemscannerv6 .com - Email: changhong@corpdefence.cn
basicsystemscannerv8 .com - Email: changhong@corpdefence.cn
privatevirusscannerv8 .com - Email: info@rasystems.com
spywarefastscannerv9 .com - Email: info@rasystems.com
online-pro-antivirus-scan .com - Email: findz@freebbmail.com
onlineproscan .com - Email: addworld@freebbmail.com
onlineproantivirusscan .com - Email: addworld@freebbmail.com
online-pro-scanner .com - Email: addworld@freebbmail.com
basicsystemscanner .com - Email: changhong@corpdefence.cn
onlineproantivirusscanner .com - Email: findz@freebbmail.com
iwantsweepviruses .com - Email: leesten@fedexnow.com
AltusHost Inc./ALTUSHOST-NET is expected to take action shortly.
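The list above is organised by shared hosting IP and shared registrant e-mail, which is the usual way to pivot from one scareware domain to the rest of the infrastructure. The following is an added example, not code from the original post: it parses a handful of the defanged lines in the format used above (domain with a space before the TLD, optional IP, optional registrant e-mail, or a "legitimate" tag), refangs the domains, reports which IPs and e-mails are shared, and clusters domains that are linked through any shared attribute. The embedded sample lines are copied from the list on this page; the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the page's own defanged format (a subset of the list above).
SAMPLE = """\
much-in-love .com - Email: krebikim@kanmail.net
i-dont-care-much .com - Email: krebikim@kanmail.net
malwareurlblock .com - Email: Qinrui971@hotmail.com
tebdigasbi .com - 91.214.44.205 - Email: martin94304@yahoo.com
kraijfaw .com - 91.214.44.240 - Email: argantael31869@msn.com
reychohica .com - 91.214.44.209 - Email: martin94304@yahoo.com
ukaszohat .com - 91.214.44.205 - Email: argantael31869@msn.com
dynodns.net - legitimate
"""

# One line: "<domain> [ - <ipv4>] [ - Email: <addr>] [ - legitimate]"
LINE_RE = re.compile(
    r"^(?P<domain>\S+ ?\.[a-z]{2,})"
    r"(?: - (?P<ip>\d{1,3}(?:\.\d{1,3}){3}))?"
    r"(?: - Email: (?P<email>\S+))?"
    r"(?: - (?P<note>legitimate))?\s*$"
)


def parse_iocs(text):
    """Parse defanged IoC lines into dicts; the domain is refanged (space removed)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are prose rather than an IoC entry
        records.append({
            "domain": re.sub(r"\s+", "", m["domain"]),
            "ip": m["ip"],
            "email": m["email"],
            "legitimate": m["note"] == "legitimate",
        })
    return records


def shared_by(records, attr):
    """Map each IP or e-mail value to the sorted domains that share it (only if >1)."""
    groups = defaultdict(set)
    for r in records:
        if r[attr] and not r["legitimate"]:
            groups[r[attr]].add(r["domain"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def cluster_infrastructure(records):
    """Union-find: domains joined by a shared IP or e-mail end up in one cluster.
    Legitimate entries (e.g. dynamic-DNS providers) are excluded so they do not
    glue unrelated clusters together."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    malicious = [r for r in records if not r["legitimate"]]
    for r in malicious:
        find(r["domain"])
        for attr in ("ip", "email"):
            if r[attr]:
                union(r["domain"], f"{attr}:{r[attr]}")
    clusters = defaultdict(set)
    for r in malicious:
        clusters[find(r["domain"])].add(r["domain"])
    # Largest cluster first; ties broken alphabetically for stable output.
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: (-len(c), c))


def blocklist(records):
    """Refanged malicious domains, ready for a DNS sinkhole or proxy blocklist."""
    return sorted(r["domain"] for r in records if not r["legitimate"])


if __name__ == "__main__":
    recs = parse_iocs(SAMPLE)
    for ip, doms in shared_by(recs, "ip").items():
        print(f"shared IP {ip}: {', '.join(doms)}")
    for mail, doms in shared_by(recs, "email").items():
        print(f"shared registrant {mail}: {', '.join(doms)}")
    for i, c in enumerate(cluster_infrastructure(recs), 1):
        print(f"cluster {i}: {', '.join(c)}")
```

The clustering step is what turns a flat list into an infrastructure picture: the four 91.214.44.x domains collapse into a single cluster because each shares either an IP or a registrant address with another member, while the dynamic-DNS entry is kept out so it cannot bridge unrelated groups.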
This post has been reproduced from Dancho Danchev's blog.