Monday, March 07, 2011
Compromised University Leads to Fraudulent Google Brand-jacked Pharmaceutical Ads
An exploited web application vulnerability in the Cochise County Online University CMS (moodle.cochise.az.gov/user) is currently resulting in a blackhat SEO campaign (1,890 pages) leading to fraudulent Google brand-jacked pharmaceutical pages.
Naturally, once the compromise took place, the cybercriminals began treating the pharmaceutical-scam-themed blackhat SEO content farm as part of their infrastructure, and spamvertised links to it across multiple web forums.
The redirection chain is as follows:
- moodle.cochise.az.gov/user - random pharmaceutical content
- goodmedk.com
- gooqpilly.com
- 50.22.28.50
goodmedk.com/whftltyixallwke6hoqstgzsiq.html - 77.67.80.48, AS3257 - Email: jognbroownn@usa.com
goodmedk.com/kavglmapejes7bdfg6mf8d.py
goodmedk.com/hxinlaresbnzbikmnatmck.py
goodmedk.com/huvtleikspann6hoqstgzsiq.html
goodmedk.com/txajlatev0egij9pi-g.pl
goodmedk.com/tldhlaoet8cegh7ng9e.html
Redirectors used:
gooqpilly.com - 77.67.80.42, AS3257 - Email: jognbroownn@usa.com
50.22.28.50/c.php - 50.22.28.50-static.reverse.softlayer.com
Redirects to the following currently active fraudulent online pharmacies:
pillshealthmedsplus.net - 89.114.9.82 - Email: acquit@bz3.ru
allrxtabs.com - 91.212.135.69 - Email: rxrevenue@gmail.com
canadianselect.net - 89.149.196.197 - Email: canadianselect.net@protecteddomainservices.com
worldselectshop.com - 95.211.1.82 - Email: worldselectshop.com@protecteddomainservices.com
generic-pills-online.eu - 95.163.15.207
menhealth-pharmacy.co.uk - 109.237.213.194
4rx.com - 174.127.67.233 - Email: webmaster@4rx.com
The hijacking of a trusted brand such as Google shouldn't be surprising, as it's an inseparable part of social-engineering-driven abuse of the trust chain. From the use of Google's name to the visual impersonation of Google Search, this campaign demonstrates exactly that.
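One way to audit a CMS's own user pages for links into the redirection chain listed above; this is an added example, not code from the original post. The three hosts come from the chain in this post, while the sample profile HTML and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts from the redirection chain in this post.
CAMPAIGN_HOSTS = {"goodmedk.com", "gooqpilly.com", "50.22.28.50"}
META_URL = re.compile(r"url\s*=\s*['\"]?([^'\";\s]+)", re.I)

class LinkCollector(HTMLParser):
    """Collects URLs from href/src/action attributes and meta-refresh tags."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        for name in ("href", "src", "action"):
            if a.get(name):
                self.urls.append(a[name].strip())
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL.search(a.get("content", ""))
            if m:
                self.urls.append(m.group(1))

def host_of(url):
    """Lower-cased host of an absolute or protocol-relative URL, else None."""
    try:
        host = urlsplit(url).hostname
    except ValueError:  # malformed URL in injected markup
        return None
    return host.rstrip(".") if host else None

def is_campaign_host(host):
    # Exact match or subdomain match; "notgoodmedk.com" must not match.
    return any(host == h or host.endswith("." + h) for h in CAMPAIGN_HOSTS)

def flag_page(html):
    """Return, in document order, the URLs on a page that point at campaign hosts."""
    parser = LinkCollector()
    parser.feed(html)
    hits = []
    for url in parser.urls:
        host = host_of(url)
        if host and is_campaign_host(host) and url not in hits:
            hits.append(url)
    return hits

# Constructed sample page body (not captured content from the compromised site).
SAMPLE_PROFILE = """<div class="userprofile">
  <a href="/course/view.php?id=3">My course</a>
  <a href="http://WWW.GoodMedK.com/example.html">cheap meds</a>
  <img src="//gooqpilly.com/b.gif">
  <meta http-equiv="refresh" content="0; url=http://50.22.28.50/c.php">
  <a href="https://notgoodmedk.com/">unrelated</a>
</div>"""

if __name__ == "__main__":
    for url in flag_page(SAMPLE_PROFILE):
        print("campaign link:", url)
```

Run `flag_page` over each stored or rendered user page; any non-empty result marks a page that needs cleanup and a review of how the content was injected.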
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.