AltusHost Inc, the company whose services were exclusively used in the blackhat SEO campaign using a U.S. Federal Forms theme for scareware serving purposes, has finally responded to the abuse notifications sent seven days ago, stating that "the sites have been terminated". Such a slow response once again shows that dysfunctional abuse departments extend the lifecycle of a malware/spam/phishing campaign by not taking it down while it is most actively gaining momentum.

(For historical OSINT research, the following domains not previously listed were in circulation during the past week - thwovretgi .com - - Email:; shtifobpy .com - - Email:; vodcotha .com - - Email:; stromiko .com - Email:; ceslyemsof .com - - Email:; ejeifyevy .com - - Email:; kuhatjidd .com - - Email: )

How did the cybercriminals respond? By showing that this blackhat SEO campaign was well planned and coordinated long before it was executed in the wild. For the time being, it relies on a combination of legitimate U.K.-based sites (the result of an evident compromise of Web Hosting Mania, since all the affected legitimate sites are hosted there), a growing portfolio of .cc TLD domains, automated abuse of free services such as;;;, and the systematic pushing of new scareware variants, redirector domains and scareware domains, which explains the low generic detection rate of all the samples obtained.

Moreover, not only are the blackhat SEO themes expanding into the typical randomly generated junk that public search engines have naturally crawled, but, according to publicly obtainable statistics, millions of users (collectively) have already visited the landing sites, with 42.80% of the referring traffic for a particular domain coming from and 31.97% from Google. Their tactics are already hijacking millions of users.

Let's dissect the latest developments in the ongoing blackhat SEO campaign, list the participating scareware, blackhat SEO and redirection domains and the various monetization tactics going beyond scareware, and discuss some of the innovations in the JavaScript obfuscation that make it virtually impossible for a crawler to detect that a site is malicious.

Key summary points:
  • U.K.-based hosting provider Web Hosting Mania appears to be compromised, since all the abused legitimate sites are hosted there
  • the redirection and scareware domain/binary are updated twice within a 24-hour period
  • all the scareware samples continue phoning back to several domains parked at
  • the cybercriminals have introduced multiple monetization tactics through pay-per-click malware-friendly search engines
  • sampled scareware adds the following registry entry [HKEY_LOCAL_MACHINE\SOFTWARE\6A36EA6E11EAAECDF5E540DEF2149079] plxxh = "Dujaq!!" - Dujaq!! means "Bl*w me!!"

Compromised legitimate domains at Web Hosting Mania currently in circulation:
ladydestiny .com .uk .uk
midfleet .com .uk .uk .uk .uk .uk .uk .uk .uk .uk .uk
mythagostudios .com .uk .uk .uk .uk .uk

Blackhat SEO domains redirecting to scareware, currently in circulation using a .cc tld extension:
agjjgtfyi .cc - Email:
ckckoo .cc - Email:
eunlabkce .cc - - Email:
ewjwjiavg .cc - - Email:
fgodvsli .cc - - Email:
fyecdizt .cc - Email:
hgzondsul .cc - - Email:
iiuuoo .cc - Email:
ijnteqc .cc - - Email:
irolopl .cc - - Email:
jglcbngvu .cc - - Email:
jpydmee .cc - - Email:
kdwwwwon .cc - - Email:
kgowncgi .cc - - Email:
lmhhsnd .cc - - Email:
mezkopq .cc - - Email:
mvsoomw .cc - - Email:
njfgfbd .cc - - Email:
nsdgkrge .cc - - Email:
nselkss .cc - - Email:
owudfnay .cc - - Email:
pfjfsiunt .cc - - Email:
piqvrrugd .cc - - Email:
rroiqbznj .cc - - Email:
ssyydqyh .cc - - Email:
sucdugon .cc - - Email:
tftrwxlg .cc - - Email:
tirtop .cc - - Email:
uclrwpyp .cc - - Email:
uomfchbj .cc - - Email:
vrmmnicl .cc - - Email:
vtgisihjy .cc - - Email:
vwyldlbe .cc - - Email:
vzlbamuvs .cc - - Email:
wgyxrmtld .cc - - Email:
xisuuzos .cc - - Email:
xlkzmqiw .cc - - Email:
zirtop .cc - Email:
zmtkpugbz .cc - - Email:
zncutvk .cc - - Email:

New blackhat SEO domains portfolio using NOC4Hosts Inc's services:
rebuwe .net -
sivezo .net -
mipola .net -
kowipe .net -
kerobo .net -
gelupe .net -
fuquwe .net -
hyduve .net -
bisehu .net -
wypule .net -
xylucy .net -
xulady .net -
lyqyte .net -
nimygu .net -
zuziki .net -
symiza .net -
msrxdk .com - - Email:
kimuka .net - - Email:
ylkbin .com -

Portfolio of scareware domains participating in the blackhat SEO campaign, parked at;;;;;;;;;;;;;;
reliable-scanner01 .com - Email:
superb-virus-scan07 .com - Email:
antivirus-online-scan8 .com - Email:
best-antivirus3 .com - Email:
live-virus-scanner5 .com - Email:
antivirus-online-scan4 .com - Email:
antispyware-scanner5 .com - Email:
antivirus-online-scan5 .com - Email:
live-virus-scanner7 .com - Email:
clean-all-spyware .com - Email: 
getyoursecuritynowv2 .com - Email:
getyourantivirusv3 .com - Email:
getyourpcsecurev3 .com - Email:
antivirus-scannerv12 .com - Email:
safeonlinescannerv4 .com - Email:
check-for-malwarev3 .com - Email:
check-your-pc-onlinev3 .com - Email:
searchurlguide .com - -
securitypad .net - - Email:
prestotunerst .cn - - Email:
officesecuritysupply .com - Email:
securityread .com - Email:
scanasite .com - Email:
cheapsecurityscan .com - Email:
securitysupplycenter .com - Email:
best-folder-scanv3 .com - Email:
online-best-scanv3 .com - Email:
online-defenderv9 .com - Email:
antispyware-live-scanv3 .com - Email:
antispywarelivescanv5 .com - Email:
antispyware-online-scanv7 .com - Email:
basicsystemscannerv8 .com - Email:
bestpersonalprotectionv2 .com - Email:
bestpersonalprotectionv7 .com - Email:
computer-antivirus-scanv9 .com - Email:
fastvirusscanv6 .com - Email:
govirusscanner .com - Email:
mysafecomputerscan .com - Email:
onlineantispywarescanv6 .com - Email:
online-antivir-scanv2 .com - Email:
onlinebestscannerv3 .com - Email:
onlinepersonalscanner .com - Email:
onlineproantivirusscan .com - Email:
online-pro-antivirus-scan .com - Email:
onlineproantivirusscanner .com - Email:
online-secure-scannerv2 .com - Email:
personalantivirusprotection .com - Email:
personalfolderscanv2 .com - Email:
premium-antispy-scanv3 .com - Email:
premium-antispy-scanv7 .com - Email:
premium-antivirus-scanv6 .com - Email:
private-antivirus-scannerv2 .com - Email:
privatevirusscannerv8 .com - Email:
secure-antispyware-scanv3 .com - Email:
securepersonalscanner .com - Email:
secure-spyware-scannerv3 .com - Email:
secure-virus-scannerv5 .com - Email:
securityfolderprotection .com - Email:
spyware-scannerv2 .com - Email:
spywarescannerv4 .com - Email:

Sampled scareware from the last 24 hours phones back to mineralwaterfilter .com - Parked there are also: june-crossover .com; goldmine-sachs .com; momentstohaveyou .cn. More sampled scareware phones back to a new domain, pencil-netwok .com; parked there are the remaining phone-back locations for the rest of the scareware, such as mineralwaterfilter .com; june-crossover .com; goldmine-sachs .com; bestparishotelsnow .com

A second sampled scareware phones back to a different location - Parked there are the rest of the domains in their scareware portfolio:
bestscanpc .org
bestscanpc .biz
downloadavr2 .com
downloadavr3 .com
trucount3005 .com
antivirus-scan-2009 .com
antivirusxppro-2009 .com
advanced-virus-remover-2009 .com
advanced-virus-remover2009 .com
advanced-virusremover2009 .com
bestscanpc .com
xxx-white-tube .com
blue-xxx-tube .com
trucountme .com
10-open-davinci .com
vs-codec-pro .com
vscodec-pro .com
download-vscodec-pro .com
v-s-codecpro .com
antivirus-2009-ppro .com
onlinescanxppro .com
downloadavr .com
bestscanpc .info
bestscanpc .net

New/historical redirection domains used in the campaign, this time parked at locations as noted:
beststarwars .cn - Email:
mashroomtheory .cn - Email:
space2009city .cn - Email:
messengerinfo .cn - Email:
greattime2009 .cn - Email:
iwanttowin .cn - Email:
hardnut .cn - Email:
sitemechanics .cn -
exceldocumentsinfo .cn - Email:
chinafavorites .cn - Email:
best-live-lottery .cn - Email:
adeptofmastery .cn - Email:
trytowintoday .cn - Email:
bulkdvdreader .cn - - Email:
style-everywhere .com - - Email: 
clicksick .cn - - Email: 
supportyourcountry .cn - Email:
wheels-on-fire .cn - - Email:
stillphotoshots .cn - - Email:
delayyouranswer .cn - Email:
getbestsales .cn - Email:
library-presents .cn - Email:
in-t-h-e .cn - (Layered Technologies, Inc.) - Email:
bestwishestoyou .cn - - Email:
library-presents .cn - - Email:
getbestsales .cn - - Email: 
aware-of-future .cn - Email: 
nothing-to-wear .cn - Email:
newsmediaone .com - - Email:
bapoka .net -
stylestats1 .net - - Email:
luckystats .org - Email:
luckystats1 .com - Email:
lifewepromote .cn - Email:
securecommercialnews .cn - Email:
snowboard2009 .cn - Email:
nothern-ireland .cn - Email:
goldensunshine .cn - Email:
steplessculture .cn - Email:
vipsoccermanager .cn - Email:
b2b-forums .cn - Email:
rondo-trips .cn - Email:
mywatermakrs .cn - Email:
gazsnippets .cn - Email:
bestvanillaresorts .cn - Email:
personalrespect .cn - Email:
consensualart .cn - Email:
yourholidaytoday .cn - Email:
guidetogalaxy .cn - Email:

Among the new monetization tactics are the typical pay-per-click malware-friendly search engines, which act both as redirectors to phony sites/scams and as keyword blackholes that help the gang assess the popularity of a particular keyword and then push it more aggressively through a process called synonymization.

Interestingly, they are using the compromised sites and the purely malicious blackhat SEO domains exclusively for serving scareware, while continuing to use the domains they operate under the free DNS service providers for monetization through the bogus search engines. The domains used in this monetization approach are as follows:

rivasearchpage .com - - Email:
triwoperl .com - - Email:
tropysearch .us - - Email:
glorys .info (glorys .info/red/cube.js) - - - Email:
funnyblogetc .info/go.php - - Email:

One of these front pages currently relies on JavaScript obfuscation. Deobfuscated, it redirects to fi97 .net/jsr.php?uid=dir&group=ggl&keyword=&okw=&query= - deja vu again: fi97 .net was used in the Ukrainian "fan club's" blackhat SEO campaign in June.
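As an added defender-side example (not code from the original post), the script below refangs a handful of the defanged domains listed above into a blocklist and runs it over constructed proxy log lines, flagging hosts on the list, hostnames that follow the scareware portfolio's keyword-plus-version naming pattern (e.g. antivirus-online-scan8, getyoursecuritynowv2), and requests whose path and query match the jsr.php redirector shape noted above. The log lines, client addresses and the regular expressions are assumptions of this example, not data from the post.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Defanged indicators copied from the post above; the " .tld" spacing is the
# post's own defanging convention. Hosting IPs and registrant e-mails were
# not present in the extracted page, so only the domain part is used.
DEFANGED_IOCS = """
agjjgtfyi .cc - Email:
eunlabkce .cc - - Email:
reliable-scanner01 .com - Email:
antivirus-online-scan8 .com - Email:
mineralwaterfilter .com
pencil-netwok .com
rivasearchpage .com - - Email:
funnyblogetc .info/go.php -  - Email:
fi97 .net
"""

DEFANG_RE = re.compile(r"^([a-z0-9-]+)\s+\.([a-z]+)")

# Assumed heuristic for the scareware portfolio's naming style: a security
# keyword somewhere in the label, then a version/serial suffix before .com.
SCAREWARE_NAME_RE = re.compile(
    r"^[a-z-]*(virus|spyware|scan|secur|protection)[a-z-]*v?\d+\.com$"
)


def refang(entry: str):
    """Turn 'name .tld ...' into 'name.tld'; returns None for non-matching lines."""
    m = DEFANG_RE.match(entry.strip())
    return f"{m.group(1)}.{m.group(2)}" if m else None


def load_blocklist(text: str):
    return {d for d in map(refang, text.splitlines()) if d}


BLOCKLIST = load_blocklist(DEFANGED_IOCS)

# Constructed proxy log lines (not real traffic): timestamp client method url status
CONSTRUCTED_LOG = [
    "2009-07-14T10:02:11Z 10.1.2.3 GET http://eunlabkce.cc/?q=federal+forms 302",
    "2009-07-14T10:02:12Z 10.1.2.3 GET http://antivirus-online-scan8.com/scan.php 200",
    "2009-07-14T10:05:40Z 10.1.2.9 GET http://www.example.org/about 200",
    "2009-07-14T10:06:01Z 10.1.2.7 GET http://fi97.net/jsr.php?uid=dir&group=ggl&keyword=irs+forms&okw=&query= 302",
    "2009-07-14T10:07:30Z 10.1.2.5 GET http://funnyblogetc.info/go.php 200",
    "2009-07-14T10:09:02Z 10.1.2.8 GET http://secure-virus-scannerv5.com/download.php 200",
]


def classify(url: str, blocklist):
    """Return the reasons a URL looks like part of the campaign ([] if clean)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if host in blocklist:
        reasons.append("host on campaign blocklist")
    if SCAREWARE_NAME_RE.match(host):
        reasons.append("scareware-style domain name")
    # The jsr.php redirector seen after deobfuscation carries uid/group/keyword
    # parameters; flag that request shape regardless of the host it sits on.
    if parts.path.endswith("/jsr.php"):
        qs = parse_qs(parts.query, keep_blank_values=True)
        if {"uid", "group", "keyword"}.issubset(qs):
            reasons.append("jsr.php redirector parameters")
    return reasons


def scan_log(lines, blocklist=BLOCKLIST):
    """Return (timestamp, client, host, reasons) for every flagged log line."""
    hits = []
    for line in lines:
        ts, client, _method, url, _status = line.split()
        reasons = classify(url, blocklist)
        if reasons:
            hits.append((ts, client, urlsplit(url).hostname, reasons))
    return hits


if __name__ == "__main__":
    for ts, client, host, reasons in scan_log(CONSTRUCTED_LOG):
        print(f"{ts} {client} {host}: {'; '.join(reasons)}")
```

Because the gang rotates the redirector and scareware domains twice a day, the blocklist match alone ages quickly; the naming heuristic and the redirector parameter shape are what keep catching new rotations, at the cost of needing review for false positives on legitimate security vendors' hosts.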

Monitoring of the campaign and takedown actions will continue, with an emphasis on the RBN connection from a related blackhat SEO campaign last year. The gang is not going away anytime soon, but their campaigns definitely are.

Related posts:
A Peek Inside the Managed Blackhat SEO Ecosystem
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot 

This post has been reproduced from Dancho Danchev's blog.
