Tuesday, August 18, 2009

Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign

AltusHost Inc, the company whose services were exclusively used in the blackhat SEO campaign using U.S Federal Forms theme for scareware service purposes, has finally responded to the abuse notifications sent seven days ago stating that "the sites have been terminated". Such a slow response once again proves that dysfunctional abuse departments increase the lifecycle of a malware/spam/phishing campaign by not taking it down when it's most actively gaining momentum.

(For historical OSINT research, the following domains not previously listed were in circulating during the past week - thwovretgi .com - - Email: joby47619@msn.com; shtifobpy .com - - Email: hiraldo13686@hotmail.com; vodcotha .com - - Email: jamarcus59884@yahoo.com; stromiko .com - Email: hyacinthiemccolman@gmail.com; ceslyemsof .com - - Email: brisco68781@lycos.com;  ejeifyevy .com - - Email: brisco68781@lycos.com; kuhatjidd .com - - Email: khrista12110@hotmail.com )

How did the cybercriminals respond? By proving that this blackhat SEO campaign has been well planed and coordinate a long time before it was executed in the wild. For the time being, it relies on a combination of legitimate U.K based sites, the result of a evident compromise of Web Hosting Mania due to the fact that all the affected legitimate sites are hosted there, a growing portfolio of .cc tld domains, automatic abuse of free services such as myftpsite.net; dns2go.com; dynodns.net; thebbs.org, and systematic pushing of new scareware variants/redirector and scareware domains, which explains the low generic detection rate of all the samples obtained.

Moreover, not only did the blackhat SEO themes expanding in the typical randomly generated junk that has naturally been crawled by public search engines, but also, according to publicly obtainable statistics, millions of users (collectively) have already visited the landing sites, with 42.80% of the referring site for a particular domain coming from thebbs.org and 31.97% from Google - their tactics are actively hijacking millions of users already.

Let's dissect the latest developments in the ongoing blackhat SEO campaign, list the participating scareware/blackhat SEO/redirection domains, the various monetization tactics going beyond scareware, as well as discuss some of the innovations used in the javascript obfuscation which makes it virtually impossible for a crawler to detect that the site is malicious.

Key summary points:
  • U.K based hosting provider Web Mania Hosting appears to be compromised due to the fact that all the abused legitimate sites are hosted there
  • the redirection and scareware domain/binary are updated two times during 24 hours period of time
  • all the scareware samples continue phoning back to several domains parked at
  • the cybercriminals have introduced multiple monetization tactics through pay-per-click malware-friendly search engines
  • sampled scareware adds the following registry entry [HKEY_LOCAL_MACHINE\SOFTWARE\6A36EA6E11EAAECDF5E540DEF2149079] plxxh = "Dujaq!!" - Dujaq!! means "Bl*w me!!"
Compromised legitimate domains at Web Hosting Mania currently in circulation:
ladydestiny .com
marchbrook.co .uk
mgwooldridge.co .uk
midfleet .com
mikedz.co .uk
millypeds.co .uk
mitchameditorial.co .uk
moddeydhoomcc.co .uk
monkeyfist.co .uk
morita.co .uk
mosoul.co .uk
mrbuzzhard.co .uk
mtbpigs.co .uk
mysticspirals.co .uk
mythagostudios .com
neilwebsterhoundtrailing.co .uk
newmarskecricketclub.co .uk
oneintenrock.co .uk
pcook.co .uk
pengineer.co .uk

Blackhat SEO domains redirecting to scareware, currently in circulation using a .cc tld extension:
agjjgtfyi .cc - Email: susan@michiganfarms.com
ckckoo .cc - Email: briettamacpherson@gmail.com
eunlabkce .cc - - Email: susan@michiganfarms.com
ewjwjiavg .cc - - Email: susan@michiganfarms.com
fgodvsli .cc - - Email: susan@michiganfarms.com
fgodvsli .cc - - Email: susan@michiganfarms.com
fyecdizt .cc - Email: susan@michiganfarms.com
hgzondsul .cc - - Email: susan@michiganfarms.com
iiuuoo .cc - Email: briettamacpherson@gmail.com
ijnteqc .cc - - Email: susan@michiganfarms.com
irolopl .cc - - Email: susan@michiganfarms.com
jglcbngvu .cc - - Email: susan@michiganfarms.com
jpydmee .cc - - Email: susan@michiganfarms.com
kdwwwwon .cc - - Email: susan@michiganfarms.com
kgowncgi .cc - - Email: susan@michiganfarms.com
lmhhsnd .cc - - Email: susan@michiganfarms.com

mezkopq .cc - - Email: susan@michiganfarms.com
mvsoomw .cc - - Email: susan@michiganfarms.com
njfgfbd .cc - - Email: susan@michiganfarms.com
nsdgkrge .cc - - Email: susan@michiganfarms.com
nselkss .cc - - Email: susan@michiganfarms.com
owudfnay .cc - - Email: susan@michiganfarms.com
pfjfsiunt .cc - - Email: susan@michiganfarms.com
piqvrrugd .cc - - Email: susan@michiganfarms.com
rroiqbznj .cc - - Email: susan@michiganfarms.com
ssyydqyh .cc - - Email: susan@michiganfarms.com
sucdugon .cc - - Email: susan@michiganfarms.com
tftrwxlg .cc - - Email: susan@michiganfarms.com
tirtop .cc - - Email: elaynedangubic@gmail.com

uclrwpyp .cc - - Email: susan@michiganfarms.com
uomfchbj .cc - - Email: susan@michiganfarms.com
vrmmnicl .cc - - Email: susan@michiganfarms.com
vtgisihjy .cc - - Email: susan@michiganfarms.com
vwyldlbe .cc - - Email: brigidadorion@gmail.com
vzlbamuvs .cc - - Email: susan@michiganfarms.com
wgyxrmtld .cc - - Email: susan@michiganfarms.com
xisuuzos .cc - - Email: susan@michiganfarms.com
xlkzmqiw .cc - - Email: susan@michiganfarms.com
zirtop .cc - Email: elaynedangubic@gmail.com
zmtkpugbz .cc - - Email: susan@michiganfarms.com
zncutvk .cc - - Email: susan@michiganfarms.com

New blackhat SEO domains portfolio using NOC4Hosts Inc's services:
rebuwe .net -
sivezo .net -
mipola .net -
kowipe .net -
kerobo .net -
gelupe .net -
fuquwe .net -
hyduve .net -
bisehu .net -
wypule .net -
xylucy .net -
xulady .net -
lyqyte .net -
nimygu .net -
zuziki .net -
symiza .net -
bisehu .net -
msrxdk .com - - Email: charlenecrewshgkn@yahoo.com
kimuka .net - - Email: charlenecrewshgkn@yahoo.com
ylkbin .com -

Portfolio of scareware domains participating in the blackhat SEO campaing, parked at;;;;;;;;;;;;;;
reliable-scanner01 .com - Email: info@cansupply.com
superb-virus-scan07 .com - Email: tours@admiralgroup.co.uk
antivirus-online-scan8 .com - Email: webmaster@TangoDance.cn
best-antivirus3 .com - Email: info@legtimeprime.com
live-virus-scanner5 .com - Email: info@infy-tasks.com
antivirus-online-scan4 .com - Email: pranky-marie@yahoo.com
antispyware-scanner5 .com - Email: janny.mar123@yahoo.com
antivirus-online-scan5 .com - Email: pranky-marie@yahoo.com
live-virus-scanner7 .com - Email: info@infy-tasks.com
clean-all-spyware .com - Email: jdemagis@rocheste.ganet.com 
getyoursecuritynowv2 .com - Email: info@meat-beaf.com.cn
getyourantivirusv3 .com - Email: info@meat-beaf.com.cn
getyourpcsecurev3 .com - Email: info@meat-beaf.com.cn
antivirus-scannerv12 .com - Email: info@chinatownnetwork.com.cn
safeonlinescannerv4 .com - Email: steg.greg1992@yahoo.com
check-for-malwarev3 .com - Email: al@bis-solutions.com
check-your-pc-onlinev3 .com - Email: al@bis-solutions.com
searchurlguide .com - - Email:powell.john11@gmail.com
securitypad .net - - Email: gertrudeedickens@text2re.com
prestotunerst .cn - - Email: unitedisystems@gmail.com
officesecuritysupply .com - Email: Ronald.T.Samora@spambob.com
securityread .com - Email: Anna.R.Helm@dodgit.com
scanasite .com - Email: Carol.J.Hipp@mailinator.com
cheapsecurityscan .com - Email: Kevin.L.Linkous@trashymail.com
securitysupplycenter .com - Email: Janet.R.Vasquez@spambob.com
best-folder-scanv3 .com - Email: info@best-util-til.com
online-best-scanv3 .com - Email: public@cropfactor.in
online-defenderv9 .com - Email: public@cropfactor.in
antispyware-live-scanv3 .com - Email: ervin1981rolf@yahoo.com
antispywarelivescanv5 .com - Email: sales.in@bauhmerhhs.com

antispyware-online-scanv7 .com - Email: ervin1981rolf@yahoo.com
basicsystemscannerv8 .com - Email: changhong@corpdefence.cn
bestpersonalprotectionv2 .com - Email: cfaa1996@yahoo.com.cn
bestpersonalprotectionv7 .com - Email: cfaa1996@yahoo.com.cn
computer-antivirus-scanv9 .com - Email: melaniestarmelanie@yahoo.com
fastvirusscanv6 .com - Email: info@rasystems.com
govirusscanner .com - Email: contact@demoninchina.com
mysafecomputerscan .com - Email: acurtis@stevens.com
onlineantispywarescanv6 .com - Email: czoao@hotmail.com
online-antivir-scanv2 .com - Email: iren.g@sysintern.in
onlinebestscannerv3 .com - Email: info@srilanka.cn
onlinepersonalscanner .com - Email: info@srilanka.cn
onlineproantivirusscan .com - Email: addworld@freebbmail.com
online-pro-antivirus-scan .com - Email: findz@freebbmail.com

onlineproantivirusscanner .com - Email: findz@freebbmail.com
online-secure-scannerv2 .com - Email: iren.g@sysintern.in
personalantivirusprotection .com - Email: info@Wholesaler.cn
personalfolderscanv2 .com - Email: hfbeauty@yahoo.com
premium-antispy-scanv3 .com - Email: Ktrivedi@go2uti.com
premium-antispy-scanv7 .com - Email: Ktrivedi@go2uti.com
premium-antivirus-scanv6 .com - Email: Ktrivedi@go2uti.com
private-antivirus-scannerv2 .com - Email: webmaster@parun.co.kr
privatevirusscannerv8 .com - Email: info@rasystems.com
secure-antispyware-scanv3 .com - Email: info@prrp.de
securepersonalscanner .com - Email: info@prrp.de
secure-spyware-scannerv3 .com - Email: info@prrp.de
secure-virus-scannerv5 .com - Email: info@prrp.de
securityfolderprotection .com - Email: info@Wholesaler.cn
spyware-scannerv2 .com - Email: hanan.abdelrazek@bibalexy.org
spywarescannerv4 .com - Email: hanan.abdelrazek@bibalexy.org

Sampled scareware from the last 24 hours phones back to mineralwaterfilter .com - Parked there are also: june-crossover .com; goldmine-sachs .com; momentstohaveyou .cn. More sampled scareware phones back to a new domain Phones back to pencil-netwok .com (, parked there are the rest of the phone back locations for the rest of the scareware such as mineralwaterfilter .com; june-crossover .com; goldmine-sachs .com; bestparishotelsnow .com

A second sampled scareware phones back to a different location - Parked there are the rest of the domains in their scareware portfolio:
bestscanpc .org
bestscanpc .biz
downloadavr2 .com
downloadavr3 .com
trucount3005 .com
antivirus-scan-2009 .com
antivirusxppro-2009 .com
advanced-virus-remover-2009 .com
advanced-virus-remover2009 .com
advanced-virusremover2009 .com
bestscanpc .com
xxx-white-tube .com
blue-xxx-tube .com
trucountme .com
10-open-davinci .com
vs-codec-pro .com
vscodec-pro .com
download-vscodec-pro .com
v-s-codecpro .com
antivirus-2009-ppro .com
onlinescanxppro .com
downloadavr .com
bestscanpc .info
bestscanpc .net
bestscanpc .biz

New/historical redirection domains used in the campaign, this time parked at locations as noted:
beststarwars .cn - Email: allisonh@soeconline.org
mashroomtheory .cn - Email: webmaster@TangoDance.cn
space2009city .cn - Email: webmaster@TangoDance.cn
messengerinfo .cn - Email: allisonh@soeconline.org
greattime2009 .cn - Email: webmaster@seniorstuds.com.ar
iwanttowin .cn - Email: webmaster@seniorstuds.com.ar
hardnut .cn - Email: tan.mei.sie@monash.com.my
sitemechanics .cn - info@powertrackers.com
exceldocumentsinfo .cn - Email: info@powertrackers.com
chinafavorites .cn - Email: cmo@ci.springfields.or.us
best-live-lottery .cn - Email: info@powertrackers.com
adeptofmastery .cn - Email: info@powertrackers.com
trytowintoday .cn - Email: info@powertrackers.com
bulkdvdreader .cn - - Email: info@powertrackers.com
style-everywhere .com - - Email: angy.helm21@yahoo.com 
clicksick .cn - - Email: webmaster@clicksick.cn 
supportyourcountry .cn - Email: cmo@ci.springfields.or.us
wheels-on-fire .cn - - Email: epron.sales@epron.com.hk
stillphotoshots .cn - - Email: epron.sales@epron.com.hk
delayyouranswer .cn - Email: info@globaltechs.com.cn
getbestsales .cn - Email: info@globaltechs.com.cn
library-presents .cn - Email: hanzellandgretell@googlemail.com
in-t-h-e .cn - (Layered Technologies, Inc.) - Email: admin@in-t-h-e.cn
bestwishestoyou .cn - - Email: hanzellandgretell@googlemail.com
library-presents .cn - - Email: hanzellandgretell@googlemail.com
getbestsales .cn - - Email: info@globaltechs.com.cn 
aware-of-future .cn - Email: info@globaltechs.com.cn 
nothing-to-wear .cn - Email: steg.greg1992@yahoo.com
newsmediaone .com - - Email: advertizers@newsmediaone.com
bapoka .net -
stylestats1 .net - - Email: grem@yahoo.com
luckystats .org - Email: director@climbing-games.com
luckystats1 .com - Email: grem@yahoo.com
lifewepromote .cn - Email: ruixiang.guo@yahoo.com
securecommercialnews .cn - Email: contacts@swedbank.com.cn
snowboard2009 .cn - Email: weinwein2@yahoo.com
nothern-ireland .cn - Email: accabj@cn.accaglobal.com
goldensunshine .cn - Email: info@tartirtar.com
steplessculture .cn - Email: info@myfibernetworks.cn
vipsoccermanager .cn - Email: opressor1992@yahoo.com
b2b-forums .cn - Email: weinwein2@yahoo.com
rondo-trips .cn - Email: acurtis@stevens.com
mywatermakrs .cn - Email: shanghaihuny@yahoo.com
gazsnippets .cn - Email: acurtis@stevens.com
bestvanillaresorts .cn - Email: opressor1992@yahoo.com
personalrespect .cn - Email: weinwein2@yahoo.com
consensualart .cn - Email: shanghaihuny@yahoo.com
yourholidaytoday .cn - Email: opressor1992@yahoo.com
guidetogalaxy .cn - Email: stp9014@yahoo.com

Among the new monetization tactics used are the typical pay-per-click malware-friendly search engines which act as both, redirectors to phony sites/scams, as well as keyword blackholes which help them assess the popularity for a particular keyword, and therefore start pushing it more aggressively through a process called synonymization.

Interestingly, they're exclusively using the compromised .co.uk, as well as purely malicious blackhat SEO domains for scareware serving purposes, but continue using the ones they operate under the free DNS service providers for monetization through the bogus search engines. The domains used in this monetization approach are as follows:

rivasearchpage .com - - Email: support@ruler-domains.com
triwoperl .com - - Email: florenzaluwemba@gmail.com
tropysearch .us - - Email: tech@add-manager.com
glorys .info (glorys .info/red/cube.js) - - - Email: kor4seo@rambler.ru
funnyblogetc .info/go.php -  - Email: tigerwood1@nm.ru

triwoperl.com's front page is currently relying on the go.live.com javascript obfuscation. Deobfuscated it redirects to fi97 .net/jsr.php?uid=dir&group=ggl&keyword=&okw=&query=", deja vu again - fi97 .net was used in the Ukrainian "fan club's" blackhat SEO campaign in June.

Monitoring of the campaign and takedown actions would continue, with an emphasis on the RBN connection from a related blackhat SEO campaign from last year. The gang is not going away anytime soon, but their campaigns definitely are.

Related posts:
A Peek Inside the Managed Blackhat SEO Ecosystem
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot 

This post has been reproduced from Dancho Danchev's blog.

No comments:

Post a Comment