In, a, cybercrime, dominated, by, fraudulent, propositions, historical, OSINT, remains, a, crucial, part, in, the, process, of, obtaining, actionable. intelligence, further, expanding, a, fraudulent, infrastructure, for, the, purpose, of, establishing, a, direct, connection, with, the, individuals, behind, it. Largely, relying, on, a, set, of, tactics, techniques, and, procedures, cybercriminals, continue, further, expanding, their, fraudulent, infrastructure, successfully, affecting, hunreds, of, thousands, of, users, globally, further, earning, fraudulent, revenue, in, the, process, of, committing, fraudulent, activity, for, the, purpose, of, earning, fraudulent, revenue, in, the, process.
In, this, post, we'll, discuss, a, black, hat, SEO (search engine optimization), campaign, intercepted, in, 2009, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it, successfully, establishing, a, direct, connection, with, the, Koobface, gang.
The, Koobface, gang, having, successfully, suffered, a, major, take, down, efforts, thanks, to, active, community, and, ISP (Internet Service Provider), cooperation, has, managed, to, successfully, affect, a, major, proportion, of, major, social, media, Web, sites, including, Facebook, and, Twitter, for, the, purpose, of, further, spreading, the, malicious, software, served, by, the, Koobface, gang, while, earning, fraudulent, revenue, in, the, process, of, monetizing, the, hijacked, and, acquired, traffic, largely, relying, on, the, use, of, fake, security, software, and, the, reliance, on, a, fraudulent, affiliate-network, based, type, of, monetizing, scheme.
Largely, relying, on, a, diverse, set, of, traffic, acquisition, tactics, including, social, media, propagation, black, hat, SEO (search engine optimization), and, client-side, exploits, the, Koobface, gang, has, managed, to, successfully, affect, hundreds, of, thousands, of, users, globally, successfully, populating, social, media, networks, such, as, Facebook, and, Twitter, with, rogue, and, bogus, content, for, the, purpose, of, spreading, malicious, software, and, earning, fraudulent, revenue, in, the, process, largely, relying, on, a, diverse, set, of, traffic, acquisition, tactics, successfully, monetizing, the, hijacked, and, acquired, traffic, largely, relying, on, the, use, of, affiliate-network, based, traffic, monetizing, scheme.
Let's, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it, and, establish, a, direct, connection, with, the, Koobface, gang, and, the, Koobface, botnet's, infrastructure.
Sample URL, redirection, chain:
hxxp://flash.grywebowe.com/elin5885/?x=entry:entry091109-071901; -> http://alicia-witt.com/elin1619/?x=entry:entry091112-185912 -> hxxp://indiansoftwareworld.com/index.php?affid=31700 - 213.163.89.56
Sample, detection, rate, for, a, malicious, executable:MD5: bd7419a376f9526719d4251a5dab9465
Sample, URL, redirection, chain, leading, to, client-side, exploits:
hxxp://loomoom.in/counter.js - 64.20.53.84 - the front page says "We are under DDOS attack. Try later".
hxxp://firefoxfowner.cn/?pid=101s06&sid=977111 -> hxxp://royalsecurescana.com/scan1/?pid=101s6&engine=p3T41jTuOTYzLjE3Ny4xNTMmdGltZT0xMjUxNMkNPAhN
Sample, detection, rate, for, a, malicious, executable:
MD5: a91a1bb995e999f27ffc5d9aa0ac2ba2
Once, executed, a, sample, malware, phones, back, to:
hxxp://systemcoreupdate.com/download/timesroman.tif - 213.136.83.234
Sample, URL, redirection, chain:
hxxp://oppp.in/counter.js - 64.20.53.83 - the same message is also left "We are under DDOS attack. Try later"
hxxp://johnsmith.in/counter.js - 64.20.53.86
hxxp://gamotoe.in/counter.js
hxxp://polofogoma.in/counter.js
hxxp://jajabin.in/counter.js
hxxp://dahaloho.in/counter.js
hxxp://gokreman.in/counter.js
hxxp://freeblogcounter2.com/counter.js
hxxp://lahhangar.in/counter.js
hxxp://galorobap.in/counter.js
Sample, directory, structure, for, the, black, hat, SEO (search engine optimization), campaign:
hxxp://images/include/bmblog
hxxp://bmblog/category/art/
hxxp://images/style/bmblog
hxxp://photos/archive/bmblog/
hxxp://templates/img/bmblog
hxxp://phpsessions/bmblog
hxxp://Index_archivos/img/bmblog/
hxxp://bmblog/category/hahahahahah/
hxxp://gallery/include/bmblog
Sample, malicious, domains, participating, in, the, campaign:
pcmedicalbilling.com - Email: sophiawrobertson@pookmail.com
securitytoolnow.com - Email: ronaldmpappas@dodgit.com
securitytoolsclick.net - Email: ruthdtrafton@dodgit.com
security-utility.net - Email: richardrmccullough@trashymail.com
Historically on the same IP were parked the following, now responding to 91.212.107.37 domains:
online-spyware-remover.biz - Email: robertsimonkroon@gmail.com
online-spyware-remover.info - Email: robertsimonkroon@gmail.com
spyware-online-remover.biz - Email: robertsimonkroon@gmail.com
spyware-online-remover.com - Email: robertsimonkroon@gmail.com
spyware-online-remover.info - Email: robertsimonkroon@gmail.com
spyware-online-remover.net - Email: robertsimonkroon@gmail.com
spyware-online-remover.org - Email: robertsimonkroon@gmail.com
tubepornonline.biz - Email: robertsimonkroon@gmail.com
tubepornonline.org - Email: robertsimonkroon@gmail.com
Sample, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://antyspywarestore.com/index.php?affid=90400
hxxp://newsecuritytools.net/index.php?affid=90400 - 78.129.166.11 - Email: joyomcdermott@gmail.com
Sample, detection, rate, for, a, malicious, executable:
MD5: 0feffd97ffe3ecc875cfe44b73f5653b
MD5: a0d9d3127509272369f05c94ab2acfc9
Naturally, it gets even more interesting, in particular the fact the very same robertsimonkroon@gmail.com used to register the domains historically parked at the IP that is currently hosting the scareware domains part of the massive blackhat SEO campaign -- the very same domains (hxxp://firefoxfowner.cn), were also in circulation on Koobface infected host, in a similar fashion when the domains used in the New York Times malvertising campaign were simultaneously used in blackhat SEO campaigns managed by the Koobface gang -- have not only been seen in July's scareware campaigns -- but also, has been used to register actual domains used as a download locations for the scareware campaigns part of the Koobface botnet's scareware business model.
Parked, at, the, same, malicious, IP (91.212.107.37), are, also, the, following, malicious, domains:
hxxp://free-web-download.com
hxxp://web-free-download.com
hxxp://iqmediamanager.com
hxxp://oesoft.eu
hxxp://unsoft.eu
hxxp://losoft.eu
hxxp://tosoft.eu
hxxp://kusoft.eu
Sample, detection, rate, for, a, malicious, executable:
MD5: 29ff816c7e11147bb74570c28c4e6103
MD5: e59b66eb1680c4f195018b85e6d8b32b
MD5: b34593d884a0bc7a5adb7ab9d3b19a2c
The overwhelming evidence of underground multi-tasking performed by the Koobface gang, it's connections to money mule recruitment scams, high profile malvertising attacks, and current market share leader in blackhat SEO campaigns, made, the, group, a, prominent, market, leader, within, the, cybercrime, ecosystem, having, successfully, affecting, hundreds, of, thousands, of, users, globally, potentially, earning, hundreds, of, thousands, in, fraudulent, revenue, in, the, process.
Related posts:
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface Gang Responds to the "10 Things You Didn't Know About the Koobface Gang Post"
How the Koobface Gang Monetizes Mac OS X Traffic
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model
From the Koobface Gang with Scareware Serving Compromised Site
Koobface Botnet Starts Serving Client-Side Exploits
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Dissecting Koobface Gang's Latest Facebook Spreading Campaign
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Koobface Botnet Redirects Facebook's IP Space to my Blog
Koobface Botnet Dissected in a TrendMicro Report
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Dissecting the Koobface Worm's December Campaign
The Koobface Gang Mixing Social Engineering Vectors
Dissecting the Latest Koobface Facebook Campaign
Independent Contractor. Bitcoin: 15Zvie1j8CjSR52doVSZSjctCDSx3pDjKZ Email: dancho.danchev@hush.com OMEMO: ddanchev@conversations.im | OTR: danchodanchev@xmpp.jp | TOX ID: 2E6FCA35A18AA76B2CCE33B55404A796F077CADA56F38922A1988AA381AE617A15D3D3E3E6F1
Friday, December 23, 2016
Historical OSINT - Celebrity-Themed Blackhat SEO Campaign Serving Scareware and the Koobface Botnet Connection
Tags:
Blackhat SEO,
Botnet,
Cybercrime,
Fake Security Software,
Hacking,
Information Security,
Koobface,
Malicious Software,
Scareware,
Search Engine Optimization,
Security
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com