UPDATED: DocStoc has removed all the participating profiles and their documents.
A currently ongoing scareware campaign is using celebrity-themed blackhat SEO tactics in order to hijack legitimate traffic by abusing the popular DocStoc and Scribd document-sharing services. What's the single most interesting thing about this campaign anyway? It's fact that one of the domains parked on the same IP that the rest of the malware and exploit serving ones are -- they naturally multitask and engage in drive-by attacks -- newsoff .net has been registered with the same email pvcprotect@gmail.com as the original gumblar .cn domain.
Once the user clicks on the bogus video window embedded as an active document, which as matter of fact doesn't issue any warning that the user is leaving the site, a redirection takes place through shurus .net/in.cgi?3 -> b.corlock .net/main.html - 188.165.65.173 - Email: jessica357ass@gmail.com where the user is asked to download load.exe.
Parked on the same IP is the rest of the domains portfolio, which is also involved in separate drive-by campaigns:
offnews .cn - Email: cuitiankai@googlemail.com
newsoff .net - Email: pvcprotect@gmail.com - Ooh la la, the original gumblar .cn has been registered with the same email
curah .net - Email: jessica357ass@gmail.com
corlock .net - Email: jessica357ass@gmail.com
klirok .net - Email: jessica357ass@gmail.com
murrr .net - Email: jessica357ass@gmail.com
shurus .net - Email: jessica357ass@gmail.com
Sample Scribd activity per username:
lupan13 - 1,148 documents; 3,301 total reads
jess357 - 877 documents; 15,202 total reads
mumukan - 875 documents; 19,791 total reads
cekalo - 874 documents; 2,926 total reads
Sample Docstoc activity per username:
valaman - Docs: 460; Views: 13224
zalupa - Docs: 407; Views: 14397
monilit - Docs: 871; Views: 5265
babaka - Docs: 252; Views: 183
namaska - Docs: 139; Views: 8
rumaska - Docs: 829; Views: 172
zuzya - Docs: 748; Views: 280
malina13 - Docs: 66; Views: 15377
yoqeojegu - Docs: 9; Views: 3284
ryjokoleqayebi - Docs: 10; Views: 326
jopan13 - Docs: 397; Views: 43876
iculyodysocehi - Docs: 10; Views: 3721
lupan13 - Docs: 414; Views: 29275
Upon execution it drops the Home AntiVirus 2010 scareware which features a "Spyware Alert!" security warning explaining the dangers of Worm.Win32.NetSky. The scareware (SetupAdvancedVirusRemover.exe) is downloaded from downloadavr13 .com - 193.104.110.50 - Email: noxim@maidsf.ru. Parked on the same IP is a well known portfolio of scareware domains, first observed in July and most recently in September:
10-open-davinci .com
advanced-virusremover2009 .com - Email: giogr@ua.fm
advancedvirus-remover2009 .com - Email: jopa@gmail.com
advanced-virus-remover2009 .com - Email: masle@masle.kz - seen in July, 2009
advancedvirusremover-2009 .com - Email: eptit@eptit.us
advanced-virusremover-2009 .com - Email: support@antivirus-xp-pro2009.com
advancedvirus-remover-2009 .com - Email: tt1@ua.fm
advanced-virus-remover-2009 .com - Email: ubiv@i.ua
advancedvirusremover-2010 .com - Email: noxim@maidsf.ru
advanced-virus-remover-2010 .com - Email: noxim@maidsf.ru
anti-virus-xp-pro2009 .com - Email: chen.poon1732646@yahoo.com
best-scan .biz - Email: noxim@maidsf.ru
best-scan .com - Email: noxim@maidsf.ru
best-scan-pc .biz - Email: noxim@maidsf.ru
best-scanpc .com - Email: alex@mail.ge
best-scan-pc .com
best-scanpc .net
best-scan-pc .net
coolcount1 .com - Email: noxim@maidsf.ru
coolcount2 .com - Email: noxim@maidsf.ru
downloadavr10 .com - Email: noxim@maidsf.ru
downloadavr11 .com - Email: noxim@maidsf.ru
downloadavr12 .com - Email: noxim@maidsf.ru
downloadavr13 .com - Email: noxim@maidsf.ru
downloadavr3 .com - Email: support@antivirus-xp-pro2009.com
downloadavr4 .com - Email: tt1@ua.fm
downloadavr5 .com - Email: vs@ua.km
downloadavr6 .com - Email: alex@i.ua
downloadavr7 .com - Email: noxim@maidsf.ru
downloadavr8 .com - Email: noxim@maidsf.ru
downloadavr9 .com - Email: noxim@maidsf.ru
hard-xxx-tube .com
malware-scan .net - Email: noxim@maidsf.ru
malware-scaner .net - Email: noxim@maidsf.ru
masterhost.co .in - Email: pricklyy@mail.ru
onlinescanxppro .com - Email: chen.poon1732646@yahoo.com
pc-scanner .info - Email: noxim@maidsf.ru
pc-scanner-2010 .net - Email: noxim@maidsf.ru
pc-scannerr .biz - Email: noxim@maidsf.ru
pc-scannerr .com - Email: noxim@maidsf.ru
pc-scannerr .info - Email: noxim@maidsf.ru
pc-scannerr .net - Email: noxim@maidsf.ru
pc-scannerr .us - Email: noxim@maidsf.ru
testavrdown .com - Email: support@antivirus-xp-pro2009.com
testavrdownnew .com - Email: mamed@i.ua
trucount3005 .com - Email: chen.poon1732646@yahoo.com - money-mule recruitment connection
trucountme .com - Email: valentin@gergiea.kz - already profiled
white-xxx-tube .com - Email: noxim@maidsf.ru
xxx-white-tube .biz - Email: noxim@maidsf.ru
xxx-white-tube .net - Email: gnom@gnom.ge
DocStoc and Scribd have been notified.
Related posts:
The Ultimate Guide to Scareware Protection
Scareware Campaign Using Google Sponsored Links
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign
U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding
Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware
A Peek Inside the Managed Blackhat SEO Ecosystem
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot
This post has been reproduced from Dancho Danchev's blog.
Independent Contractor. Bitcoin: 15Zvie1j8CjSR52doVSZSjctCDSx3pDjKZ Email: dancho.danchev@hush.com OMEMO: ddanchev@conversations.im | OTR: danchodanchev@xmpp.jp | TOX ID: 2E6FCA35A18AA76B2CCE33B55404A796F077CADA56F38922A1988AA381AE617A15D3D3E3E6F1
Thursday, December 03, 2009
Celebrity-Themed Scareware Campaign Abusing DocStoc and Scribd
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment