Monday, March 07, 2011

Compromised University Leads to Fraudulent Google Brand-jacked Pharmaceutical Ads


An exploited web application vulnerability within Cochise County Online University CMS (moodle.cochise.az.gov/user), is currently resulting in a blackhat SEO campaign (1,890 pages) leading to fraudulent Google brand-jacked pharmaceutical pages.

Naturally, once the compromise took place, the cybercriminals started considering the blackhat SEO content farm themed for pharmaceutical scams, as parts of their infrastructure and spamvertised links to it across multiple web forums.

Ther redirection chain is as follows:
- moodle.cochise.az.gov/user - random pharmaceutical content
    - goodmedk.com
        - gooqpilly.com
        - 50.22.28.50

goodmedk.com/whftltyixallwke6hoqstgzsiq.html -     77.67.80.48, AS3257 - Email: jognbroownn@usa.com
goodmedk.com/kavglmapejes7bdfg6mf8d.py
goodmedk.com/hxinlaresbnzbikmnatmck.py
goodmedk.com/huvtleikspann6hoqstgzsiq.html
goodmedk.com/txajlatev0egij9pi-g.pl
goodmedk.com/tldhlaoet8cegh7ng9e.html



Redirectors used:
gooqpilly.com
- 77.67.80.42, AS3257 - Email: jognbroownn@usa.com
50.22.28.50/c.php - 50.22.28.50-static.reverse.softlayer.com


Redirects to the following currently active fraudulent online pharmacies:
pillshealthmedsplus.net - 89.114.9.82 - Email: acquit@bz3.ru
allrxtabs.com - 91.212.135.69 - Email: rxrevenue@gmail.com
canadianselect.net - 89.149.196.197 - Email: canadianselect.net@protecteddomainservices.com
worldselectshop.com - 95.211.1.82 - Email: worldselectshop.com@protecteddomainservices.com
generic-pills-online.eu - 95.163.15.207
menhealth-pharmacy.co.uk - 109.237.213.194
4rx.com - 174.127.67.233 - Email: webmaster@4rx.com

The hijacking of a trusted brand such as Google shouldn't be surprising, as it's an inseparable part of social engineering driven abuse of the trust-chain. From Google's name to the visual impersonation of Google Search this campaign demonstrates exactly the same.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

No comments:

Post a Comment