Friday, September 25, 2009

Dissecting September's Twitter Scareware Campaign

UPDATE: 4 hours after notification, Twitter has suspended the remaining bogus accounts. Until the next time, that is, when reCAPTCHA solving once again gets cost-effectively outsourced so that scareware-serving accounts can be registered automatically.

Over the last couple of days, my Ukrainian "fan club" -- fan club in a sarcastic sense, due to the love, more love, even more love and gratitude shown so far -- has once again started abusing Twitter by automatically generating bogus accounts that tweet scareware-serving links alongside Twitter's trending topics.

This traffic acquisition tactic is in fact nothing new, and in the case of this Ukrainian cybercrime enterprise, is done "in between" the rest of their malicious activities. What's worth pointing out is that just like the most recent malvertising campaign at, the Ukrainian gang keeps using domains already in circulation within their blackhat SEO campaigns, making it fairly easy to establish connections between these and the ongoing Twitter campaign.

By the time Twitter suspends the automatically registered bogus accounts, on average, 70 to 80 tweets have been published per single account. Here's the most recent list of currently active Twitter accounts tweeting scareware links: /verina1238 /knab190 /zastrow994 /gustave12 /trautwein9975 /reinke341 /ordella509 /lysa380 /weinhold344 /wachsmann1541 /weishaupt917 /scheid1265 /fitz1677 /falkner425 /opel1409 /rasche1401 /schlecht1581 /verina1238 /perahta985

The accounts are relying on identical short URLs, with the following ones still active and in circulation: /lyby2r /nx39k8 /lyby2r /mnbfox /msjjv8 /mj5wju /mxg2vo /m656h7 /nffkly /bfnpv7 /bfnsa8 /bfny8e /bfnnu4 /bfnzkk 6af3fe 649be f6b7f5 0abe74 3AoRZ 3A5DD 3AUVc 3BZqa 3C4lU
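A detection sketch for the account pattern described above, written as an added example and not part of the original post: the tweets, trending topics and shortener hostname below are constructed placeholders (the account names and short-URL paths echo the ones listed, but nothing here is a real capture). It flags accounts whose tweets consistently pair a trending topic with a short URL that other accounts are tweeting as well, which is the cross-account reuse that makes these accounts stand out.

```python
import re
from collections import defaultdict

# Constructed sample data for this example (not real captures). Account names
# and short-URL paths echo the indicators listed in the post; the shortener
# host, trending topics and tweet texts are placeholders.
SHORT_HOST = "short.example"
TRENDING_TOPICS = {"#iphone", "#kanye", "#madmen"}

SAMPLE_TWEETS = [
    # (account, tweet text)
    ("verina1238", "#iphone this is unreal http://short.example/lyby2r"),
    ("verina1238", "#kanye you wont believe it http://short.example/nx39k8"),
    ("knab190",    "#iphone check this http://short.example/lyby2r"),
    ("knab190",    "#madmen best scene ever http://short.example/mnbfox"),
    ("zastrow994", "#kanye wow http://short.example/nx39k8"),
    ("zastrow994", "#madmen lol http://short.example/mnbfox"),
    ("gustave12",  "#iphone lol http://short.example/lyby2r"),
    # A legitimate user tweeting a trending topic with a unique link plus an
    # ordinary tweet: must not be flagged.
    ("human_user", "#iphone finally upgraded http://short.example/q1w2e3"),
    ("human_user", "lunch with the team, no link today"),
]

URL_RE = re.compile(r"https?://([^/\s]+)(/\S+)")


def extract_short_url(text, host=SHORT_HOST):
    """Return the path of the first URL on the shortener host, or None."""
    for m in URL_RE.finditer(text):
        if m.group(1).lower() == host:
            return m.group(2)
    return None


def mentions_trending(text, trending=TRENDING_TOPICS):
    """True if any whitespace-delimited token is a current trending topic."""
    tokens = set(text.lower().split())
    return any(t.lower() in tokens for t in trending)


def shared_short_urls(tweets, min_accounts=2, host=SHORT_HOST):
    """Short-URL paths reused by at least min_accounts distinct accounts,
    mapped to the set of accounts tweeting them."""
    accounts_by_path = defaultdict(set)
    for account, text in tweets:
        path = extract_short_url(text, host)
        if path:
            accounts_by_path[path].add(account)
    return {p: a for p, a in accounts_by_path.items() if len(a) >= min_accounts}


def flag_accounts(tweets, trending=TRENDING_TOPICS, min_accounts=2,
                  min_ratio=0.9, host=SHORT_HOST):
    """Flag accounts for which at least min_ratio of their tweets pair a
    trending topic with a short URL that other accounts also tweet.
    Returns (sorted flagged accounts, shared-URL map)."""
    shared = shared_short_urls(tweets, min_accounts, host)
    texts_by_account = defaultdict(list)
    for account, text in tweets:
        texts_by_account[account].append(text)
    flagged = []
    for account, texts in texts_by_account.items():
        hits = sum(
            1 for t in texts
            if mentions_trending(t, trending) and extract_short_url(t, host) in shared
        )
        if hits / len(texts) >= min_ratio:
            flagged.append(account)
    return sorted(flagged), shared


if __name__ == "__main__":
    accounts, urls = flag_accounts(SAMPLE_TWEETS)
    for path, who in sorted(urls.items()):
        print(f"{path} tweeted by {len(who)} accounts: {sorted(who)}")
    print("flagged accounts:", accounts)
```

The min_accounts threshold is the knob that matters: with a shortener in wide legitimate use a path shared by two accounts means little, while campaign accounts of the kind described here reuse the same handful of paths across dozens of accounts, so raising the threshold trades recall for a much lower false-positive rate.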

The short URLs rely on several redirectors to finally land the end user on a scareware site, such as securityland .cn and imagination-1 .com:

securityland .cn - - Email: Parked on the same IP are also:
abclllab .com
0lenfo .com
ynoubfa .cn
protectinstructor .cn
immitations-all .net
1limbo .net

imagination-1 .com - - Email: Parked on the same IP are also:
bombas10 .com
graves111 .com
iriskas .com
yvicawo .cn

Where do we know the email from? Several of the scareware domains pushed in the ongoing U.S. Federal Forms Themed Blackhat SEO Campaign have been registered using it. That very same blackhat SEO campaign's central redirector, a-n-d-the .com/wtr/router.php - - and - - (hosted by Layered Technologies, Inc.), mimics the campaign structure of 2008's massive input validation abuse attack using iFrames, courtesy of the RBN and the very first scareware campaigns.

Moreover, the same email has been used to register two of the "phone-back" domains for the scareware pushed in the blackhat SEO campaign and the malvertising attack - windowsprotection-suite .net - Email: and securemysystem .net - Email:
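The pivot performed by hand above (shared hosting IP, then a shared registrant e-mail across the WHOIS records) can be automated. The following is an added example, not the author's tooling: the domains are the ones named in the post, but the IP addresses and the e-mail address are placeholders because the post does not reproduce them, and the unrelated.example record is a constructed control. Domains are linked when they share an IP or a registrant e-mail, connected components give the clusters, and link_path() returns the chain of shared attributes that justifies putting two domains in the same cluster.

```python
from collections import defaultdict, deque

# Constructed records for this example. The domains are named in the post;
# the IPs ("IP-A" ...) and the registrant e-mail are placeholders standing in
# for values the post does not reproduce. unrelated.example is a control that
# shares nothing with the campaign infrastructure.
RECORDS = [
    # (domain, hosting IP, registrant e-mail or None when not pivoted on)
    ("securityland.cn",             "IP-A", "registrant-1@example.invalid"),
    ("abclllab.com",                "IP-A", None),
    ("0lenfo.com",                  "IP-A", None),
    ("protectinstructor.cn",        "IP-A", None),
    ("imagination-1.com",           "IP-B", "registrant-1@example.invalid"),
    ("bombas10.com",                "IP-B", None),
    ("iriskas.com",                 "IP-B", None),
    ("windowsprotection-suite.net", "IP-C", "registrant-1@example.invalid"),
    ("securemysystem.net",          "IP-C", "registrant-1@example.invalid"),
    ("unrelated.example",           "IP-Z", "someone-else@example.invalid"),
]


def attribute_index(records):
    """Map each pivotable attribute, ('ip', value) or ('email', value), to the
    set of domains carrying it."""
    index = defaultdict(set)
    for domain, ip, email in records:
        if ip:
            index[("ip", ip)].add(domain)
        if email:
            index[("email", email.lower())].add(domain)
    return index


def build_graph(records):
    """Undirected graph: domain -> {neighbour: 'kind:value' of one shared attribute}."""
    graph = {domain: {} for domain, _, _ in records}
    for (kind, value), domains in attribute_index(records).items():
        for a in domains:
            for b in domains:
                if a != b:
                    graph[a].setdefault(b, f"{kind}:{value}")
    return graph


def clusters(records):
    """Connected components of the pivot graph, each as a sorted list,
    largest cluster first."""
    graph = build_graph(records)
    seen, result = set(), []
    for start in graph:
        if start in seen:
            continue
        component, queue = [], deque([start])
        seen.add(start)
        while queue:
            domain = queue.popleft()
            component.append(domain)
            for neighbour in graph[domain]:
                if neighbour not in seen:
                    seen.add(neighbour)
                    queue.append(neighbour)
        result.append(sorted(component))
    return sorted(result, key=lambda c: (-len(c), c[0]))


def link_path(records, src, dst):
    """Shortest chain of (domain, shared attribute, domain) hops linking src to
    dst, or None when no pivot connects them."""
    graph = build_graph(records)
    if src not in graph or dst not in graph:
        return None
    prev = {src: None}
    queue = deque([src])
    while queue and dst not in prev:
        domain = queue.popleft()
        for neighbour, via in graph[domain].items():
            if neighbour not in prev:
                prev[neighbour] = (domain, via)
                queue.append(neighbour)
    if dst not in prev:
        return None
    hops, cur = [], dst
    while prev[cur] is not None:
        parent, via = prev[cur]
        hops.append((parent, via, cur))
        cur = parent
    return hops[::-1]


if __name__ == "__main__":
    for group in clusters(RECORDS):
        print(len(group), "domains:", ", ".join(group))
    for a, via, b in link_path(RECORDS, "bombas10.com", "securemysystem.net"):
        print(f"{a} --[{via}]--> {b}")
```

The caveat a practitioner should keep in mind is that a shared IP is weak evidence on its own: on shared or bulletproof hosting it links unrelated customers, so every hop in a link_path() result should be weighted by what kind of attribute it is, and a shared registrant e-mail (or, today, a shared name server or TLS certificate) carries far more weight than co-hosting.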

The following scareware domains are not only used within the Twitter campaign; some of them have also been detected as part of blackhat SEO campaigns:
ekevuc .cn -
windowspcdefender .com
smart-virus-eliminator .com
fast-systemguard .net
opyhila .cn
riwryse .cn
adijef .cn
dunhah .cn
idisuan .cn
wobcyn .cn
upuoro .cn
ucyilwo .cn
ogywuep .cn
adaengu .cn
taziqow .cn
zerkauz .cn

ejavone .cn -
fastsystem-guard .com
windowsguardsuite .com
windowssystemsuite .com
winsecuritysuite-pro .com
windows-protectionsuite .net
malwarecatcher .net
fast-scan-protect .net
fastscansecure .net
goryhe .cn
pyzuhme .cn
zydfaqe .cn
ahoize .cn
abonyag .cn
abenapi .cn
otobym .cn
abicoym .cn
nepsoym .cn
byzfalo .cn
pywudar .cn
qucgyit .cn
dahokxu .cn
lylbaov .cn
cusryw .cn

fast-scanandprotect .net
fastscanonline .com
fastsearch-secure .com
fast-systemguard .net
go-scanandsecure .net
goscan-protect .com
go-searchandscan .com
guardmyzone .net
mynewprotection .net
my-newprotection .net
my-officeguard .com
my-officeguard .net
myprotectedsystem .com
myprotected-system .com
my-protectedzone .net
myprotectionshield .com
myprotectionzone .com
my-protectionzone .com
my-protectionzone .net
myprotection-zone .net
my-saerchsecure .com
my-safetyprotection .com
my-systemprotection .net
mysystemsafety .com
my-systemscan .com
my-systemscanner .com
mysystemsecurity .com
new-scanandprotect .com

newscan-andprotect .net
new-systemprotection .com
online-scanandsecure .net
online-securescanner .net
online-systemscan .com
onlinesystemscan .net
protectand-secure .com
protectionsearch .com
safetyshield .net
safetysystem-guard .com
scanonline-protect .com
scan-system .net
scanvirus-online .net
searchandscan .net
search-scanonline .net
searchsecureguard .net
secure-systemguard .net
system-guard .net
systemguard-zone .com
systemguard-zone .net
systemprotected .net
systemscan-secure .net
trust-systemprotect .com
trust-systemprotect .net
trustsystem-protection .com
trust-systemprotection .net
windows-protectionsuite .net
windows-systemguard .net
windows-virusscan .net
winprotection-suite .com

Sampled scareware also phones back to mysecurityguru .cn - - Email:, the same phone-back domain used by the scareware sampled from the malvertising attack; the same email also belongs to a scareware domain (mainsecsys .info) listed in the Diverse Portfolio of Fake Security Software - Part Twenty Two for July.

The cybercrime powerhouse behind all these attacks continues to hold the largest market share of systematic Web 2.0 abuse, which includes its involvement in the Koobface botnet.

Related posts:
Dissecting Koobface Worm's Twitter Campaign
Twitter Worm Mikeyy Keywords Hijacked to Serve Scareware
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
The Twitter Malware Campaign Wants to Bank With You
Does Twitter’s malware link filter really work?
Commercial Twitter spamming tool hits the market
Cybercriminals hijack Twitter trending topics to serve malware
Spammers harvesting emails from Twitter - in real time
Twitter hit by multiple variants of XSS worm

This post has been reproduced from Dancho Danchev's blog.