Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding

Published by Dancho Danchev on August 10, 2009
UPDATE2: New scareware domain is in rotation - antispywarelivescanv5 .com - 83.133.123.174; 83.133.126.155; 91.212.107.5; 94.102.48.29; 94.102.51.26; 188.40.61.236 - Email: sales.in@bauhmerhhs.com. Redirection takes place through consensualart .cn - 78.46.201.89 - Email: shanghaihuny@yahoo.com. 

UPDATE: Four new domains have been introduced, again using the services of AltusHost Inc. (AS44042):

thwovretgi .com - 91.214.44.239 - Email: joby47619@msn.com
hernewdy .com - 91.214.44.152 - Email: jacub26887@lycos.com
shtifobpy .com - 91.214.44.210 - Email: hiraldo13686@hotmail.com
vodcotha .com - 91.214.44.203 - Email: jamarcus59884@yahoo.com

The redirection takes place through mywatermakrs .cn - 78.46.201.89 - Email: shanghaihuny@yahoo.com

In response to the takedown of the blackhat SEO domains used in the campaign dissected last week, the group has introduced new domains alongside new redirectors and, most interestingly, has started using compromised/mis-configured legitimate sites in an attempt to extend the lifecycle of the campaign by making it much harder to take down.

New blackhat SEO domains again using AS44042 ROOT-AS root eSolutions/ALTUSHOST-NET/AltusHost Inc hosting services:
fifiopod .com - 91.214.44.204 - Email: florenzaluwemba@gmail.com
trodlocho .com - 91.214.44.204 - Email: alie57575@lycos.com
ickgetaph .com - 91.214.44.209 - Email: alie57575@lycos.com
igecanneg .com - 91.214.44.205 - Email: baxter18314@yahoo.com
somveots .com - 91.214.44.203 - Email: frieda24482@msn.com
memodreydi .com - 91.214.44.240 - Email: frieda24482@msn.com
jejnahob .com - 91.214.44.206 - Email: alie57575@lycos.com
nuwofteuz .com - 91.214.44.206 - Email: frieda24482@msn.com
hyhoppeo .com - 91.214.44.239 - Email: jamarcus59884@yahoo.com
egnegvufvu .com - 91.214.44.239 - Email: ehetere29006@yahoo.com
lauzpeog .com - 91.214.44.208 - Email: ehetere29006@yahoo.com
sniozeanvo .com - 91.214.44.239 - Email: ehetere29006@yahoo.com
hebmipenn .com - 91.214.44.207 - Email: adanne43906@rocketmail.com
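The lists above are worth more than a blocklist: the same throwaway registrant emails and the same /24 recur across the domains, which is how the infrastructure is linked to one group. The following is an added example (not code from the original post) that parses lines in the post's own "host .tld - IP - Email:" format, refangs the domains, and pivots on shared email and IP to group the domains into clusters. The sample input is copied from the lists above; the union-find clustering is the only logic introduced here.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the domain lists above (domains are defanged
# with a space before the TLD, exactly as the post prints them).
IOC_LINES = """\
thwovretgi .com - 91.214.44.239 - Email: joby47619@msn.com
hernewdy .com - 91.214.44.152 - Email: jacub26887@lycos.com
vodcotha .com - 91.214.44.203 - Email: jamarcus59884@yahoo.com
fifiopod .com - 91.214.44.204 - Email: florenzaluwemba@gmail.com
trodlocho .com - 91.214.44.204 - Email: alie57575@lycos.com
ickgetaph .com - 91.214.44.209 - Email: alie57575@lycos.com
somveots .com - 91.214.44.203 - Email: frieda24482@msn.com
hyhoppeo .com - 91.214.44.239 - Email: jamarcus59884@yahoo.com
"""

# "host .tld - a.b.c.d - Email: addr"; tolerant of the odd run of extra spaces
IOC_RE = re.compile(
    r"^(?P<host>\S+)\s+\.(?P<tld>\S+)\s+-\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+-\s+Email:\s+(?P<email>\S+)$"
)


def parse_iocs(text):
    """Parse the post's defanged IOC lines into dicts with refanged domains."""
    iocs = []
    for line in text.splitlines():
        m = IOC_RE.match(line.strip())
        if not m:
            continue  # skip prose / blank lines
        iocs.append({
            "domain": f"{m['host']}.{m['tld']}",
            "ip": m["ip"],
            "email": m["email"].lower(),
        })
    return iocs


def pivot(iocs):
    """Index domains by registrant email, by IP and by /24 for quick pivoting."""
    by_email, by_ip, by_net = defaultdict(set), defaultdict(set), defaultdict(set)
    for i in iocs:
        by_email[i["email"]].add(i["domain"])
        by_ip[i["ip"]].add(i["domain"])
        net = ".".join(i["ip"].split(".")[:3]) + ".0/24"
        by_net[net].add(i["domain"])
    return by_email, by_ip, by_net


def link_clusters(iocs):
    """Union-find: domains that share an email or an IP (transitively) form one
    cluster. Returns clusters sorted largest-first, each cluster alphabetical."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    for i in iocs:
        union(("domain", i["domain"]), ("email", i["email"]))
        union(("domain", i["domain"]), ("ip", i["ip"]))
    groups = defaultdict(set)
    for i in iocs:
        groups[find(("domain", i["domain"]))].add(i["domain"])
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


def blocklist(iocs):
    """Refanged, de-duplicated domain list for a DNS sinkhole or proxy denylist."""
    return sorted({i["domain"] for i in iocs})


if __name__ == "__main__":
    iocs = parse_iocs(IOC_LINES)
    by_email, by_ip, by_net = pivot(iocs)
    for email, doms in by_email.items():
        if len(doms) > 1:
            print(f"{email} registered {sorted(doms)}")
    print("/24s in use:", sorted(by_net))
    for cluster in link_clusters(iocs):
        print("cluster:", cluster)
```

On the eight sample lines this yields three clusters: four domains tied together through 91.214.44.239, jamarcus59884@yahoo.com and 91.214.44.203, three tied through 91.214.44.204 and alie57575@lycos.com, and hernewdy .com on its own. Feed it the remaining lists from the post and the whole AS44042 block collapses into a handful of groups, which is the signal a takedown request or a WHOIS pivot should be built on.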

The cybercriminals are also attempting to use a well-proven tactic: occupying as many search engine results as possible for a particular hijacked keyword by hosting identical blackhat SEO junk content on multiple domains. The same approach was used successfully in the January 2009 search results poisoning campaign at Google Video, where the first ten results for a particular keyword were all malicious.

The compromised/misconfigured legitimate sites used in the campaign are serving dynamically generated, obfuscated JavaScript. Here's a list of the ones currently in use:
ali.zaher.101main .com
averder.cwsurf .de
beaver-cub-scout.co .uk
bebbinbears.co .uk
britishbaits .com
cancerselfhelp.org .uk
carolineengland.co .uk
casanickel.co .uk
catspro-northants.org .uk
ceiec.co .uk
cheritontennisclub.co .uk
childrenofthedrone .net
chirnside.org .uk
chris-hillman .com
chris-hillman-photography.co .uk
christine-pearson .com
cicatrixonline.co .uk
cinta.co .uk
classic-pizza.co .uk
crewshillgolfclub.co .uk
cs-photo.co .uk
dak.crep01.linux-site .net
darkhorsegraphics.co .uk
divagoddess.co .uk
fet.jujas.myftpsite .net
tferh.mi-website .es

The campaign continues to switch between different redirectors, for instance the following ones parked at 83.133.123.113:
rondo-trips .cn
gazsnippets .cn
besthockeyteams .cn
allfootballmanager .cn
rollerskatesadvise .cn

honda-recycle .cn - used in the previous campaign
nothern-ireland .cn
discovernewchina .cn


An updated portfolio of scareware/fake security software domains, parked at 94.102.51.26; 188.40.61.236; 83.133.126.155; 91.212.107.5; 94.102.48.29, has been introduced:
bestpersonalprotectionv2 .com
onlinesecurescannerv3 .com
basicsystemscannerv3 .com
onlinebestscannerv3 .com
basicsystemscannerv6 .com
bestpersonalprotectionv7 .com
basicsystemscannerv8 .com
thankyouforscan .com
onlinepersonalscanner .com
basicsystemscanner .com
onlineproantivirusscanner .com

personalantivirusprotection .com
internetantivirusscanner .com
govirusscanner .com
iwantsweepviruses .com
personalfoldertest .com


Sampled scareware once again phones back to thebigben .cn (Email: chu-thi-huong@giang.com) and june-crossover .com (78.46.201.90; Email: doru@sattenis.com), with more scareware domains parked there: purchuase-premium-software .com - Email: nagappan.krishnan@persons.us; livepaymentssystem .com - Email: mike12haro@yahoo.com; secure.livepaymentssystem .com - Email: mike12haro@yahoo.com; purchuasepremiumprotection .com - Email: Malcolm@partypants.com.

Evasion techniques are once again in place; however, this time they result in a Russian Business Network deja vu moment from 2008. In March 2008, ZDNet Asia and TorrentReactor, followed by a large number of other high-profile, high-PageRank sites, started acting as intermediaries for scareware campaigns, one of the first such abuses of legitimate sites for serving scareware.

Surprisingly, the compromised/mis-configured web sites participating in this latest blackhat SEO campaign redirect to a-n-d-the .com/wtr/router.php (95.168.177.35; Email: bulk@spam.lv; AS28753 NETDIRECT, Frankfurt, DE) whenever the HTTP Referer condition isn't met. This very same domain, back then parked at INTERCAGE-NETWORK-GROUP2, was also used in the same fashion in the massive blackhat SEO campaigns serving scareware in March 2008.
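The practical consequence of a Referer-conditional redirect is that a single request from a browser or crawler tells you nothing: the same URL has to be fetched under several Referer values and the Location headers compared. The following is an added example (not code from the original post) of that differential probe. The simulated compromised site is an assumption: the post only says the fallback to a-n-d-the.com/wtr/router.php happens when the Referer condition is not met and does not publish the condition itself, so the stand-in uses a search-engine Referer check, the usual blackhat SEO cloaking rule, and the `/in.cgi` path on the .cn redirector is a placeholder. The `live_fetch` helper builds the same kind of fetcher against a real URL without following redirects; it is not used in the offline demo.

```python
from urllib.parse import urlparse

# Redirect targets: a-n-d-the.com/wtr/router.php is the fallback named in the
# post; the path on the rondo-trips.cn redirector is a hypothetical placeholder.
FALLBACK_TARGET = "http://a-n-d-the.com/wtr/router.php"
SEO_TARGET = "http://rondo-trips.cn/in.cgi"

# Crude search-engine Referer test (assumption: the post does not give the real rule).
SEARCH_ENGINE_MARKERS = ("google.", "bing.", "yahoo.", "search.live.", "ask.")


def came_from_search(headers):
    host = urlparse(headers.get("Referer", "")).hostname or ""
    return any(m in host for m in SEARCH_ENGINE_MARKERS)


def simulated_compromised_site(headers):
    """Stand-in for the injected code on a compromised site. Returns
    (status, response_headers) only; no body is needed for the probe."""
    if came_from_search(headers):
        return 302, {"Location": SEO_TARGET}      # search visitor -> scareware chain
    return 302, {"Location": FALLBACK_TARGET}     # anyone else -> router.php


# Constructed probe set: same URL, three Referer situations.
PROBES = {
    "no_referer": {},
    "search_referer": {"Referer": "http://www.google.com/search?q=federal+tax+forms"},
    "other_referer": {"Referer": "http://example.org/links.html"},
}


def probe_for_cloaking(fetch, base_headers=None):
    """Issue the same request under each probe's headers via fetch(headers)
    and record (status, Location) per probe."""
    results = {}
    for name, extra in PROBES.items():
        headers = {"User-Agent": "Mozilla/5.0", **(base_headers or {}), **extra}
        status, resp_headers = fetch(headers)
        results[name] = (status, resp_headers.get("Location"))
    return results


def is_cloaked(results):
    """Cloaking indicator: the redirect target depends on the Referer."""
    targets = {loc for _, loc in results.values()}
    return len(targets) > 1


def redirect_hosts(results):
    """Map each probe to the hostname it was redirected to (for pivoting)."""
    return {n: urlparse(loc).hostname for n, (_, loc) in results.items() if loc}


def live_fetch(url, timeout=10):
    """Build a fetch() for a real URL that does NOT follow redirects, so the
    Location header can be read. Uses the network when called."""
    import urllib.request
    import urllib.error

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # None => urllib raises HTTPError for the 3xx instead of following

    opener = urllib.request.build_opener(NoRedirect)

    def fetch(headers):
        req = urllib.request.Request(url, headers=headers)
        try:
            with opener.open(req, timeout=timeout) as r:
                return r.status, dict(r.headers)
        except urllib.error.HTTPError as e:
            return e.code, dict(e.headers)

    return fetch


if __name__ == "__main__":
    results = probe_for_cloaking(simulated_compromised_site)
    for name, (status, loc) in results.items():
        print(f"{name:15} -> {status} {loc}")
    print("cloaked:", is_cloaked(results), redirect_hosts(results))
```

Two caveats when pointing this at a live site: campaigns of this kind usually also key on User-Agent and on source IP ranges (crawlers and known security vendors get the clean page), so vary `base_headers` and the egress address as well, and run the probe from a disposable host, since the "search" branch lands on the scareware chain.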

This post has been reproduced from Dancho Danchev's blog.
