Dissecting a Scareware-Serving Black Hat SEO Campaign Using Compromised .NL/.CH Sites

Over the past week, I've been tracking -- among the countless number of campaigns currently in process of getting profiled/taken care of internally -- a blackhat SEO campaign that's persistently compromising legitimate sites within small ISPs in the Netherlands and Switzerland, for scareware-serving purposes.

Although this beneath the radar targeting approach is nothing new, it once again emphasizes on a well proven mentality within the cybercrime ecosystem - collectively the hundreds of thousands of low profile sites, if well poisoned with bogus/timely/relevant blackhat SEO content, can outpace the hijacked traffic from a high profile site due to the shorter time frame it would take for the the administrators to clean it up/ quicker community members' reaction based on prioritization due to the importance of the site.

What's particularly interesting about the campaign, is the fact that the redirectors/scareware domains were previously parked within our "dear friends at AS31252, STARNET-AS StarNet Moldova. Go through related posts on STARNET-AS StarNet Moldova:
Let's dissect the campaign, expose the complete portfolio of scareware/redirector domains, emphasize on the monetization vector and how this blackhat SEO campaign is using the same scareware affiliate network like the one campaigns launched through Gumblar's infrastructure (Spamvertised Best Buy, Macy's, Evite and Target Themed Scareware/Exploits Serving Campaign) continue using.

Once the self.location.href = condition is met, the following redirectors take place, until the user is exposed to the ubiquitous "You're infected" screen:

- dotyuzcifl.ru/liq/?st= - - Email: kireev@ravermail.com (NS: ns1.freemobiledns.mobi Email: akorn1022@gmail.com)
    - errgxhxzerr.co.cc/r/feed.php?k= -, AS27716, ASEVELOZ - Email: andrew_bush52@hotmail.com
    - errgxhxzerr.co.cc/tube/?k=
    - errgxhxzerr.co.cc/r/sss.php
        - www4.protection-guard89.co.cc -, AS46664 - Email: abc.emm@gmail.com
        - www1.virus-detection50.co.cc/?p=p52 -, AS47869, NETROUTING-AS - Email: abc.emm@gmail.com

- Detection rate:
packupdate9_289.exe - Win32/TrojanDownloader.FakeAlert.AEY - 6/ 42 (14.3%)
MD5   : 3e4920aa3ff24db64372ae96854f3f02
SHA1  : 75bcb6acf5ff65269bfc5f685e5d03688b8b1ade
SHA256: 7272f889520cd1d1898ccd91f1b01835cf53f06b452041baae0336796ff09fd7

Responding to, AS47869, NETROUTING-AS are also the following domains:
www1.virus-detection50.co.cc/?p=p52 - Email: abc.emm@gmail.com
www1.virus-detection51.co.cc/?p=p52 - Email: abc.emm@gmail.com
www1.virus-detection52.co.cc/?p=p52 - Email: abc.emm@gmail.com
www1.virus-detection53.co.cc/?p=p52 - Email: abc.emm@gmail.com
www1.virus-detection54.co.cc/?p=p52 - Email: abc.emm@gmail.com
www1.virus-detection55.co.cc/?p=p52 - Email: abc.emm@gmail.com
www1.virus-detection56.co.cc/?p=p52 - Email: abc.emm@gmail.com
www1.virus-detection57.co.cc/?p=p52 - Email: abc.emm@gmail.com
www1.virus-detection58.co.cc/?p=p52 - Email: abc.emm@gmail.com
www1.virus-detection59.co.cc/?p=p52 - Email: abc.emm@gmail.com
www2.mypersonalshield70.in - Email: gkook@checkjemail.nl
www2.mypersonalshield71.in - Email: gkook@checkjemail.nl
www2.mypersonalshield72.in - Email: gkook@checkjemail.nl

It gets even more interesting, and cybercrime ecosystem-friendly, when we see that one of the scareware redirector domains, has been registered with the same email as the scareware domain redirector used in the monetization vector of Gumblar's campaigns.

The currently used uramozat.cz.cc /scanner10/?afid=76 -, AS50109, HOSTLIFE-AS WIBO PROJECT LLC - Email: ydeconspi@nice-4u.com is registered using the same email as the recently used hoopdotami.cz .cc/scanner5/?afid=24 - - Email: ydeconspi@nice-4u.com from the "Spamvertised Best Buy, Macy's, Evite and Target Themed Scareware/Exploits Serving Campaign".

This centralization of monetization networks ultimately serves best the security industry and law enforcement, and remains a trend rather than a fad.

Responding to are also the following affiliate redirector domains:
sulphomihin.cz.cc - Email: ydeconspi@nice-4u.com
suppcorfoke.cz.cc - Email: ydeconspi@nice-4u.com
swinumlobzua.cz.cc - Email: ydeconspi@nice-4u.com
taitretarjus.cz.cc - Email: ydeconspi@nice-4u.com
talinighge.cz.cc - Email: ydeconspi@nice-4u.com
tangmomawigg.cz.cc - Email: ydeconspi@nice-4u.com
taniverwea.cz.cc - Email: ydeconspi@nice-4u.com
tedroidragin.cz.cc - Email: ydeconspi@nice-4u.com
tifucacel.cz.cc - Email: ydeconspi@nice-4u.com
ungelacoc.cz.cc - Email: ydeconspi@nice-4u.com
unriprazzhalf.cz.cc - Email: ydeconspi@nice-4u.com
uramozat.cz.cc - Email: ydeconspi@nice-4u.com
vochicorneu.cz.cc - Email: ydeconspi@nice-4u.com
voihuavino.cz.cc - Email: ydeconspi@nice-4u.com
voldcafuri.cz.cc - Email: ydeconspi@nice-4u.com
weineitronty.cz.cc - Email: ydeconspi@nice-4u.com
wintotersstal.cz.cc - Email: ydeconspi@nice-4u.com
worddreamelpa.cz.cc - Email: ydeconspi@nice-4u.com
wordrochosom.cz.cc - Email: ydeconspi@nice-4u.com
xboxunechin.cz.cc - Email: ydeconspi@nice-4u.com
ydeconspi.cz.cc - Email: ydeconspi@nice-4u.com
zilrebelma.cz.cc - Email: ydeconspi@nice-4u.com
zukavito.cz.cc - Email: ydeconspi@nice-4u.com
Complete list of the URLs for compromised sites (CURRENTLY ACTIVE) hosted at AS15547, TVS2NET-NETPLUS Servicing cable-network customer in CH.
abitasion.ch /ilIucpUWAeima
abitasion.ch /ilOeUSbRtm/
abmontage.ch /73NJub8iWea/
absteam.ch /UfHZl8Qm7/
accueiletpartagesuisse.ch /WbVc0fiHIabe/
accueiletpartagesuisse.ch /Wbytpauohcjk/
adikt-a.ch /isisAuMOImXW/
adikt-a.ch /isIWcgUV7L/
adsite.ch /lAULixdSoWmA/
adumas.ch /QVxaomZ7er
aemo-valais.ch /uaIagow/
aerobic-chablais.ch /IYMy3IAejmiq/
aerobic-chablais.ch /IYuMW8yHJ/
a-fauchere.ch /rU8alutON/
agpinstallations.ch /WAoxnHauvyUi/
agpinstallations.ch /WAwANoXv9rek/
alayra.ch /ufgMxORjbNz9i/
alex-xxxl.ch /u9VUyo9hw/
alpirama.ch /A0Sc3Iu/
alterfamiliae.ch /RgauIMVZ/
ametys.ch /IZ2eblxoL3tSN/
ametys.ch /IZbAaYy/
amis-orgue-moudon.ch /WuIatdWMbRSg/
amis-orgue-moudon.ch /WuYUoH3/
apf-hev-fr.ch /drkoUqjx/
artdidier.ch /vZkR7ap2gQiAU/
artefax.ch /u8oApWua/
artefax.ch /u8qrYoi8ASh/
artisanatbramoisien.ch /jRVAEWyXqLsM/
artisane.ch /Scg3lEv/
artisan-fondeur.ch /RX0y9OdUu/
artist-e.ch /j8WfiIEa/
asb-coaching.ch /uJWOIdHeuai/
atelier-bois.ch /skJun0elUgM8/
ateliercube.ch /3bqNHnLy/
attoufoula-al-baria.ch /scWZHibIemAqr/
autoecole-sion.ch /kuWcUM3yn9xgo/
aux-doigts-de-fee.ch /eooVapJNWcuHx/
auxpetitsbois.ch /8OxIaoWeydbc7/
avgf.ch /xr3t0uvanegb/
avmep.ch /niyW3RHiaoE/
avmep.ch /nizXOdumW/
avosbagages.ch /ebaAuynxel2L/
avta.ch /Zu0VoixA/
banques-assurances.ch /WEeyt7iUYL/
batibois.ch /hgAbavx/
batibois.ch /hghkyUNO9/
bconseils.ch /tAIUzJVn/
bc-production.ch /9XupRmIbE/
bdelfolie.ch /ushj20miJW9wu/
bdelfolie.ch /usIUomaYfWeN/
becoval.ch /aVUqW9xYbp/
bedat-conseils.ch /AUyYRtuhWrpA/
belfid.ch /ftRbtgl3/
bellodelledonne.ch /oX0kUuN/
bellodelledonne.ch /oXoNgekf7i/
bestwear.ch /j0iyeJ3v/
bienecrire.ch /YAE9ldiakvy/
biocave.ch /AuhuwoAUxOI3W/
birman.ch /Z7MoeVXgAafL/
blanchival.ch /ANabQIgk0zeO/
blanchival.ch /ANJjlQgHb/
bnbmorel.ch /yfE3AyWoQx8/
bonnes-occases.ch /HlYMhcE/
bouquins.ch /IWH0dAa/
cafepsy.ch /ZoiAcIWlRM/
calzolarorocco.ch /9a8aYRjIrW/
camping-sedunum.ch /SvvMQjsem/
canadulce.ch /wuIlMriaN/
canadulce.ch /wuQYryJ/
carrgeiger.ch /ehsVy2uXxoAWE/
carte-menu.ch /JQinNyA/
castalie.ch /cq3xeyWmjaf/
catherineritter.ch /AdUJiRq/
catherineritter.ch /AdUqRAiSnNsyv/
cavedegoubing.ch /ERNzcu9iagdo/
cave-des-chevalieres.ch /WuunyOq/
celinerenaud.ch /Qj7dHcLo/
celinerenaud.ch /QjZoUyaJ/
centre-autos.ch /lNUYRuWnA/
cere-sa.ch /IyEHdVqAIYbXL/
cere-sa.ch /IyknWJr/
cgt.ch /egAaVUfne/
chalets-for-sale.ch /SaNXWcvU/
chavaz-archi.ch /8iAZxEaJ/
chavaz-archi.ch /8iQOjlS/
cretillons.ch /ianeZc2/

Responding to (the original redirector domains dotyuzcifl.ru; errgxhxzerr.co.cc), AS27716, ASEVELOZ Eveloz are the remaining domains part of the scareware/redirection/Fake Adobe Player (tube/Adobe__Flash__Player.exe) campaign.

- Detection rate:
Adobe__Flash__Player.exe - Heuristic.BehavesLike.Win32.Suspicious.H - 11/ 42 (26.2%)
MD5   : 8a10909c487a739e85028a19a1e898dc
SHA1  : d9f7d78fe245f8df04fa398835b52d5a2c2d6af7
SHA256: 63befe78a7895a8efc6d893491d8f77ef8ada1cd52d562587490a79f29b65336

- Upon execution phones back to:
qualattice.com - - Email: trough@mobiletonight.com
jaxcage.net -, AS6851, BKCNET "SIA" IZZI - Email: delee@easteroffers.com
mybubblebean.com -, AS6851, BKCNET "SIA" IZZI - Email: place@popupquote.com
freejaxbird.net - - Email: delee@easteroffers.com

07tqqwem.ru - Email: pishkov@rbcmail.ru
0qhe7y6o.ru - Email: pishkov@rbcmail.ru
0st44x7z.ru - Email: stroganov@mail.ru
0w6scx6a.ru - Email: goncharov@rapworld.com
20xzpzga.ru - Email: danilov@boatnerd.com
23qjmdic.ru - Email: lebedev@rapworld.com
28iue5ri.ru - Email: kireev@bgay.com
28jnbuak.ru - Email: kirillov@ravermail.com
2poaxz3k.ru - Email: alekseev@land.ru
2tmo2ba2.ru - Email: kustov@remixer.com
30zcz8ot.ru - Email: slabkov@bigmailbox.net
32iafdnp.ru - Email: erohin@intimatefire.com
3a0stbqe.ru - Email: golodnikov@blida.info
3jruf6nc.ru - Email: taranov@inorbit.com
40ktc2tn.ru - Email: antonov@insurer.com
4hp2ag6c.ru - Email: belov@kidrock.com
4mausx2w.ru - Email: lavrov@blackcity.net
4y8pqcby.ru - Email: pokatilov@realtyagent.com
5eqq3sgj.ru - Email: abakumov@smtp.ru
5gsco2w5.ru - Email: davidov@bikermail.com
5q4eyd2w.ru - Email: stepanov@pop3.ru
5znhff2s.ru - Email: kalinin@boarderzone.com
6ojj8sks.ru - Email: patralov@bigheavyworld.com
6pgsqndh.ru - Email: baklanov@mail333.com
83qndvnj.ru - Email: taranov@relapsecult.com
868r5e0b.ru - Email: udalov@rastamall.com
8n7pnyyr.ru - Email: patralov@front.ru
8reclame.ru - Email: kirikov@billssite.com
atyyyopg.ru - Email: viktorov@bikerheaven.net
azaamdwo.ru - Email: samsonov@bikermail.com
bvo62o0i.ru - Email: kirillov@rastamall.com
c28xd2ck.ru - Email: luzgin@front.ru
cf8sagkn.ru - Email: alekseev@ratedx.net
ckmdbrio.ru - Email: ulyanov@rapworld.com
crosslinks-services.ru - Email: ekomasov@kidrock.com
csokolom.ru - Email: kirikov@irow.com
cw5k47ye.ru - Email: viktorov@bicycling.com
duz5n2ca.ru - Email: belov@billssite.com
dwunvuum.ru - Email: stepanov@pop3.ru
ea7xh4vw.ru - Email: goncharov@repairman.com
err39hxzerr.co.cc - Email: andrew_bush52@hotmail.com
err3ghxzerr.co.cc - Email: andrew_bush52@hotmail.com
err5phxzerr.co.cc - Email: andrew_bush52@hotmail.com
err61hxzerr.co.cc - Email: andrew_bush52@hotmail.com
err6ehxzerr.co.cc - Email: andrew_bush52@hotmail.com
err6jhxzerr.co.cc - Email: andrew_bush52@hotmail.com
err8jhxzerr.co.cc - Email: andrew_bush52@hotmail.com
err8whxzerr.co.cc - Email: andrew_bush52@hotmail.com
errb9hxzerr.co.cc - Email: andrew_bush52@hotmail.com
errbehxzerr.co.cc - Email: andrew_bush52@hotmail.com
errbqhxzerr.co.cc - Email: andrew_bush52@hotmail.com
errcihxzerr.co.cc - Email: andrew_bush52@hotmail.com
errdhhxzerr.co.cc - Email: andrew_bush52@hotmail.com
errekhxzerr.co.cc - Email: andrew_bush52@hotmail.com
errfdhxzerr.co.cc - Email: andrew_bush52@hotmail.com
errgqhxzerr.co.cc - Email: andrew_bush52@hotmail.com
errgthxzerr.co.cc - Email: andrew_bush52@hotmail.com
errguhxzerr.co.cc - Email: andrew_bush52@hotmail.com
errgvhxzerr.co.cc - Email: andrew_bush52@hotmail.com

f50rbdb8.ru - Email: samsonov@kidrock.com
fbbktj2z.ru - Email: zhukov@kidrock.com
fimpvs8t.ru - Email: zhuravlev@blackvault.com
fppf2h28.ru - Email: danilov@pochta.ru
gayq8rgx.ru - Email: kovalev@blackcity.net

gztyue8w.ru - Email: kirillov@boatnerd.com
h6poe6or.ru - Email: beglov@inorbit.com
hc6zxms4.ru - Email: lebedev@intimatefire.com
hem3oxjh.ru - Email: ulyanov@boarderzone.com
hszwwvjq.ru - Email: kustov@fromru.com
i2wv8rdm.ru - Email: shedrin@billssite.com
i4nhjopf.ru - Email: antonov@fromru.com
i7in0b64.ru - Email: ulyanov@kinkyemail.com
ihbkbzcm.ru - Email: abdulov@iname.com
io0yfyc8.ru - Email: molchanov@repairman.com
j6yeky7p.ru - Email: bazhenov@krovatka.su
j7k6xze2.ru - Email: vasilev@pop3.ru
jimm2rusru.ru - Email: kustov@rapworld.com
jimm4fan09.ru - Email: antonov@blida.info
jimmjimm895.ru - Email: kuznecov@insurer.com
jimmkolesoru.ru - Email: naumov@boarderzone.com
jimmonline0.ru - Email: miheev@gmail.com
jimmplum2.ru - Email: vishnevskiy@pop3.ru
jimmthebest1.ru - Email: aleksandrov@blackcity.net
jnano5gh.ru - Email: zhukov@realtyagent.com
jokerjokk.ru - Email: beglov@blida.info
kefpvbsi.ru - Email: kalinin@boarderzone.com
kfgemaae.ru - Email: ulyanov@bigmailbox.net
koliander.ru - Email: zaicev@insurer.com
liononlinensd.ru - Email: nikitin@rastamall.com
lokipol.ru - Email: kirikov@bikerheaven.net
mjbims7m.ru - Email: pishkov@ravermail.com
mrt0zqcb.ru - Email: shedrin@pochtamt.ru
mxek5t5g.ru - Email: beglov@repairman.com
ni2m4kua.ru - Email: zhukov@bikermail.com
nv8os6yt.ru - Email: kuznecov@mail.ru
o3wg4sya.ru - Email: abakumov@bolbox.com
ocggnaif.ru - Email: zaicev@iname.com
ofz5qzgu.ru - Email: zaicev@ravermail.com
oh7iumr7.ru - Email: belov@inorbit.com

onlinefeeds.ru - Email: beglov@insurer.com
onlinegearsd.ru - Email: luzgin@smtp.ru
onlinejimmmovse.ru - Email: abakumov@realtyagent.com
onlineonlkiok.ru - Email: kirillov@billssite.com
pgvvua6j.ru - Email: goncharov@bicycling.com
pororkol.ru - Email: erohin@bikerider.com
prc6t7z3.ru - Email: kirikov@pochtamt.ru
psxdv0nr.ru - Email: zhukov@inbox.ru
pvbsiy5y.ru - Email: komarov@kinkyemail.com
q3ysg05s.ru - Email: golodnikov@insurer.com
qbecqe0s.ru - Email: ulyanov@bicycling.com
qec5beqn.ru - Email: morozov@pochta.ru
qfnye2t7.ru - Email: bednyakov@irow.com
qpsxdv0n.ru - Email: viktorov@blackcity.net
rikosdhu.ru - Email: pokatilov@pisem.net
ronaldknol.ru - Email: taranov@smtp.ru
rs3gpd0m.ru - Email: alekseev@bicycledata.com
rudjimmdjimm.ru - Email: alekseev@boarderzone.com
s4gvhd35.ru - Email: lebedev@blackvault.com
s748eop4.ru - Email: aleksandrov@repairman.com
sgivnn0t.ru - Email: volkov@repairman.com
stpf6qpv.ru - Email: bednyakov@relapsecult.com
sv4wmtxj.ru - Email: ivanov@bikerider.com
t0a2afyq.ru - Email: ivanov@boatnerd.com
t3tzynvj.ru - Email: bazhenov@rapstar.com
trustincompanies.ru - Email: abdulov@insurer.com
u5fyfzjt.ru - Email: polovov@rbcmail.ru
ucf47vnu.ru - Email: abdulov@bikerider.com
uplcash.com - Email: director@climbing-games.com
v5w3xgzn.ru - Email: morozov@rbcmail.ru
vgksry7k.ru - Email: vishnevskiy@land.ru
w8iroomb.ru - Email: golodnikov@pop3.ru
x7p03g0j.ru - Email: kirikov@front.ru
xni27ftd.ru - Email: timofeev@mail.ru
xsd3id8t.ru - Email: kovalev@pochta.ru
xthjrgxz.ru - Email: pokatilov@insurer.com
xu44i03y.ru - Email: arhipov@insurer.com
yi0ewtmd.ru - Email: antonov@blackvault.com
yp7o07nq.ru - Email: golodnikov@rbcmail.ru
z26hggcb.ru - Email: pokatilov@fromru.com
z656cvje.ru - Email: slabkov@boatnerd.com
zsrd4xj5.ru - Email: kuznecov@iname.com
zznks8fh.ru - Email: bulaev@registerednurses.com

Could we have a blackhat SEO campaign, without a Koobface gang connection? Appreciate my rhetoric. Parked at, again within AS27716, ASEVELOZ Eveloz are the following domains:
35l3cv2oywwycrfz1yo3.com - Email: michaeltycoon@gmail.com
4idmcxlczdy52yh7rklb.com - Email: michaeltycoon@gmail.com
56ml7zj047l0x6wm9v6y.com - Email: michaeltycoon@gmail.com
8vsgzuu084e9i8ohl5nn.com - Email: michaeltycoon@gmail.com
aatyamlkpgxp8h3m17ky.com - Email: michaeltycoon@gmail.com
bvzpvunifooe8t946d2p.com - Email: michaeltycoon@gmail.com
i905jzsht33cd4kfcqvh.com - Email: michaeltycoon@gmail.com
jhn72w76khysuxdgj0bo.com - Email: michaeltycoon@gmail.com
k78ju8lyzratna0c5r7m.com - Email: michaeltycoon@gmail.com
lrbx4hzznbdmedfk4xrd.com - Email: michaeltycoon@gmail.com
ls1eepnzj784nid96prn.com - Email: michaeltycoon@gmail.com
n0itv7fh7qscrfse3i1i.com - Email: michaeltycoon@gmail.com
pdusxsiuedamjc83qlpi.com - Email: michaeltycoon@gmail.com
rabotaetpolubomu.net - Email: michaeltycoon@gmail.com
t0vqred4itv4pmo488k9.com - Email: michaeltycoon@gmail.com
thmyb0s6se5febs0ghb8.com - Email: michaeltycoon@gmail.com
u5a05q1dnmr4jwqrnav3.com - Email: michaeltycoon@gmail.com
uq1wedg9tr523wbafdzp.com - Email: michaeltycoon@gmail.com
vk4j2x7n49nq1il9vm5h.com - Email: michaeltycoon@gmail.com
ysut5gx094w2dddjtswh.com - Email: michaeltycoon@gmail.com

Deja vu! Where do we know the michaeltycoon@gmail.com email from? From the "A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang" campaign, and in particular from the fact that it was once directly connected to the Koobface gang -- this is not an email that was used to register a domain belonging to the scareware affiliate network, instead it's an email used to register a client-side exploits serving domain parked on the same IP where a hardcore Koobface C&C from Koobface 1.0's infrastructure was responding to - urodinam.net
  • Dissecting the Mass DreamHost Sites Compromise - "Moreover, on the exact same IP where Koobface gang's urodinam.net is parked, we also have the currently active 1zabslwvn538n4i5tcjl.com - Email: michaeltycoon@gmail.com, serving client side exploits using the Yes Malware Exploitation kit - /temp/cache/PDF.php; admin panel at: 1zabslwvn538n4i5tcjl.com /temp/admin/index.php"
Blackhat SEO campaigns, migration from the Koobface-friendly AS31252, STARNET-AS StarNet Moldova, plus a direct connection established as once a customer is migrating, he's usually taking all of his dirty luggage with him, proves that, there's no such thing as coincidence within the cybercrime ecosystem, there's just a diverse infrastructure where everyone appears to be self-serving their needs as a service, consequently forwarding responsibility for someone else's actions to the infrastructure they are abusing.

Related blackhat SEO/scareware monetization assessments:
Dissecting the 100,000+ Scareware Serving Fake YouTube Pages Campaign
Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign - Part Two
Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware
U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding
Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign
The ultimate guide to scareware protection
A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang

Massive Scareware Serving Blackhat SEO, the Koobface Gang Style

A Peek Inside the Managed Blackhat SEO Ecosystem
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Spamvertised Best Buy, Macy's, Evite and Target Themed Scareware/Exploits Serving Campaign

They are back again (Spamvertised Amazon "Verify Your Email", "Your Amazon Order" Malicious Emails; Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign) for a fresh start of the week, with a currently ongoing spam campaign, serving scareware and client-side exploits, using a "Thank you for your payment"/"Thank you for your EXPRESS payment" themed subjects impersonating popular brands such as Best Buy, Macy's, Target and Evite.

Let's dissect the campaign, its structure, emphasize on the monetization strategy, and expose the complete portfolio of the domains involved in the campaign.

Sample email:
"Subject :Thank you for your payment Don’t miss a thing – Add support@e.macys.com to your email address book! Click here if you are unable to see images in this email.

1. Sign in on macys.com at https://www.macys.com/myinfo/index.ognc
2. Click on “My Account” – “My Profile” at https://www.macys.com/myinfo/profile/index.ognc
3. Uncheck the box Receive email notification when statements are available to view online and when payments are due.
4. Click on “Update Profile”
5. Expect the change to take place in 3 days
©2009 macys.com Inc., 685 Market Street, Suite 800, San Francisco, CA 94105. All rights reserved.

Compared to previous campaigns, the directory structure (fast fluxed :8080/index.php?pid=10; maliciousurl.ru /QWERTY.js; maliciousurl.ru /ODBC.js; LAN.js; Access.js; End_User.js etc.) of this one remains virtually the same, depending, of course, on the angle you choose for dissecting it.

Sample campaign structure:
- musicsgeneva.com /x.html - "PLEASE WAITING 4 SECOND..."
- opus22.org /x.html - "PLEASE WAITING 4 SECOND..."
- shamelessfreegift.com /x.html - "PLEASE WAITING 4 SECOND..."
- physicianschoiceonline.com /x.htm - "PLEASE WAITING 4 SECOND..."
    - baymediagroup .com:8080/index.php?pid=10 - client-side exploits -;;;; - Email: fb@bigmailbox.ru
        - hoopdotami.cz .cc/scanner5/?afid=24 - - scareware monetization

- Detection rate:
antivirus_24.exe - Trojan.Win32.FraudPack.berq - Result: 16/42 (38.1%)
File size: 166912 bytes
MD5...: b3cd297c654d3be52ffeb5f6a5ff13b4
SHA1..: bae889dd8ac7b22ec5f5649d6e0c073c8e2119d5

Upon execution, the sample phones back to:
httpsstarss.in /httpss/v=40&step=2&hostid= - - Email: stevieksbaiz@hotmail.com
httpstatsconfig.com /getfile.php?r= - - Email: httpstatsconfig.com@evoprivacy.com

Responding to are also:
ns1.desktopsecurity2010ltd.com - Email: sixtakidlt2@hotmail.com

Domains using the same name server, ns1.freedomen.info - - Email: mail@vetaxa.com
adsonlineinc.com -
picmonde.com -
bonblogger.com -
h2fastpornpics.com -
celebsfinectpics.com - - Email: temp.for.loan@gmail.com
celebsfreeimages.com - - Email: hannigey233@hotmail.com
picindividuals.com -
picbloggerprojet.com -
hippocounter.info -
genesisbeta.net -

Name servers of notice:
ns1.getyourdns.com -
ns2.getyourdns.com -
ns3.getyourdns.com -
ns4.getyourdns.com -
ns1.instantdnsserver.com - - Email: depot@infotorrent.ru
ns2.instantdnsserver.com -
ns3.instantdnsserver.com -
ns4.instantdnsserver.com -

Client-side exploits serving domains part of the campaign:
aquaticwrap.ru - Email: vibes@freenetbox.ru
aroundpiano.ru - Email: vibes@freenetbox.ru
baybear.ru - Email: vibes@freenetbox.ru
baymediagroup.com - Email: fb@bigmailbox.ru
bayjail.ru - Email: bushy@bigmailbox.ru
betaguy.ru - Email: vibes@freenetbox.ru
blockoctopus.ru - Email: semi@freenetbox.ru
budgetdude.ru - Email: totem@freenetbox.ru
chaoticice.ru - Email: vibes@freenetbox.ru
clannut.ru - Email: totem@freenetbox.ru
clockledge.ru - Email: totem@freenetbox.ru
coldboy.ru - Email: totem@freenetbox.ru
countryme.ru - Email: totem@freenetbox.ru
dayemail.ru - Email: totem@freenetbox.ru
diseasednoodle.ru - Email: vibes@freenetbox.ru
discountprowatch.com - Email: bike@fastermail.ru
dyehill.ru - Email: angles@fastermail.ru
easychurch.ru - Email: vibes@freenetbox.ru
economypoet.ru - Email: semi@freenetbox.ru
envirodollars.ru - Email: vibes@freenetbox.ru
forhomessale.ru - Email: dull@freemailbox.ru
galacticstall.ru - Email: vibes@freenetbox.ru
getyourdns.com - Email: fb@bigmailbox.ru
hairyartist.ru - Email: vibes@freenetbox.ru
lonelyzero.ru - Email: vibes@freenetbox.ru
lovingmug.ru - Email: vibes@freenetbox.ru
lowermatch.ru - Email: vibes@freenetbox.ru
luckyfan.ru - Email: vibes@freenetbox.ru
malepad.ru - Email: semi@freenetbox.ru
matchsearch.ru - Email: semi@freenetbox.ru
microlightning.ru - Email: vibes@freenetbox.ru
mindbat.ru - Email: semi@freenetbox.ru
mealpoets.ru - Email: totem@freenetbox.ru
nutcountry.ru - Email: dying@qx8.ru
obscurewax.ru - Email: vibes@freenetbox.ru
oceanobject.ru - Email: semi@freenetbox.ru
parkperson.ru - Email: semi@freenetbox.ru
penarea.ru - Email: dying@qx8.ru
ponybug.ru - Email: dying@qx8.ru
pocketbloke.ru - Email: angles@fastermail.ru
programability.ru - Email: dying@qx8.ru
rancideye.ru - Email: vibes@freenetbox.ru
rawscent.ru - Email: vibes@freenetbox.ru
recordsquare.ru - Email: totem@freenetbox.ru
rescuedtoilet.ru - Email: vibes@freenetbox.ru
riotassistance.ru - Email: angles@fastermail.ru
scarletpole.ru - Email: vibes@freenetbox.ru
secondgain.ru - Email: vibes@freenetbox.ru
shortrib.ru - Email: vibes@freenetbox.ru
slaveperfume.ru - Email: totem@freenetbox.ru
sodacells.ru - Email: dying@qx8.ru
smelldrip.ru - Email: totem@freenetbox.ru
starvingarctic.ru - Email: vibes@freenetbox.ru
stagepause.ru - Email: totem@freenetbox.ru
sweatymilk.ru - Email: vibes@freenetbox.ru
tartonion.ru - Email: vibes@freenetbox.ru
tunemug.ru - Email: tips@freenetbox.ru
wearyratio.ru - Email: vibes@freenetbox.ru
yummyeyes.ru - Email: vibes@freenetbox.ru

UPDATED: Thursday, August 12, 2010: Historical OSINT for client-side exploit serving domains part of Gumblar's campaigns for April/May 2010 using hostdnssite.com (Email: cop@qx8.ru) name server:
bestdarkman.info - Email: wwww@qx8.ru
bestwebclub.info - Email: asleep@5mx.ru
buyfootjoy.info - Email: mellow@5mx.ru
carswebnet.info - Email: mynah@freenetbox.ru
cityrealtimes.info - Email: asleep@5mx.ru
clandarkguide.info - Email: mellow@5mx.ru
clandarksky.info - Email: wwww@qx8.ru
darkangelcam.info - Email: mellow@5mx.ru
darkbluecoast.info - Email: wwww@qx8.ru
darksidenetwork.info - Email: mellow@5mx.ru
digitaljoyworld.info - Email: mellow@5mx.ru
eroomsite.info - Email: feint@qx8.ru
esunsite.info - Email: wwww@qx8.ru
extrafreeweb.info - Email: mynah@freenetbox.ru
feedandstream.info - Email: mynah@freenetbox.ru
gloomyblack.info - Email: wwww@qx8.ru
homesweetrv.info - Email: mynah@freenetbox.ru
indiawebnet.info - Email: mynah@freenetbox.ru
joylifein.info - Email: mellow@5mx.ru
joysportsworld.info - Email: mellow@5mx.ru
justroomate.info - Email: feint@qx8.ru
kenjoyworld.info - Email: mellow@5mx.ru
learnwebguide.info - Email: mynah@freenetbox.ru
luxurygenuine.info - Email: asleep@5mx.ru
myfeedsite.info - Email: feint@qx8.ru
newsuntour.info - Email: wwww@qx8.ru
oneroomhome.info - Email: feint@qx8.ru
realshoponline.info - Email: asleep@5mx.ru
redsunpark.info - Email: feint@qx8.ru
roomstoretexas.info - Email: feint@qx8.ru
suncoastatlas.info - Email: feint@qx8.ru
sunstarvideo.info - Email: feint@qx8.ru
supersunbeds.info - Email: feint@qx8.ru
superwebworld.info - Email: asleep@5mx.ru
sweetpeapots.info - Email: mynah@freenetbox.ru
sweetteenzone.info - Email: mynah@freenetbox.ru
thedarkwaters.info - Email: wwww@qx8.ru
thejoydiet.info - Email: mellow@5mx.ru
therealclamp.info - Email: drum@maillife.ru
thesunchaser.info - Email: wwww@qx8.ru
thesweetchild.info - Email: mynah@freenetbox.ru
theultimateweb.info - Email: asleep@5mx.ru
theyellowsun.info - Email: feint@qx8.ru
webguidetv.info - Email: asleep@5mx.ru
webnetenglish.info - Email: mynah@freenetbox.ru
yourprintroom.info - Email: feint@qx8.ru
yoursweetteen.info - Email: mynah@freenetbox.ru 

UPDATED: Friday, August 13, 2010:
The use of Yahoo Groups is still ongoing. Sample URL: groups.yahoo .com/group/nfldcsyi/message which includes a link to perfectpillcool .com:8080.

The campaign is ongoing, updates will be posted as soon as new developments emerge.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Summarizing Zero Day's Posts for July

The following is a brief summary of all of my posts at ZDNet's Zero Day for July, 2010. You can also go through previous summaries, as well as subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter:

Recommended reading:
01. Image Gallery: June's cyber threat landscape
02. The Pirate Bay hacked through multiple SQL injections
03. Does Microsoft's sharing of source code with China and Russia pose a security risk?
04. Report: Apple had the most vulnerabilities throughout 2005-2010
05. Malware Watch: Malicious Amazon themed emails in the wild
06. RSA: Banking trojan uses social network as command and control server
07. Middle East countries: the BlackBerry is a national security threat
08. Image Gallery: Avast! Antivirus office in Prague, Czech Republic
09. Image Gallery: Introduction to Avast! Antivirus version 5.1
10. Image Gallery: The (European) Antivirus market - current trends
11. Google tops comparative review of malicious search results

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.