In a cybercrime ecosystem dominated by fraudulent propositions, cybercriminals continue actively spreading malicious software, largely relying on a pre-defined set of compromised hosts to expand a specific botnet's infected population and to earn fraudulent revenue by monetizing access to the infected hosts, largely through an affiliate-based monetization scheme.
In this post we'll profile a currently circulating malicious black hat SEO (search engine optimization) campaign, provide actionable intelligence on the infrastructure behind it, and discuss in depth the tactics, techniques, and procedures of the cybercriminals behind it.
Sample portfolio of affected Web sites:
hxxp://austinluce.co.uk
hxxp://naukatanca.co.uk
hxxp://truenorthinnovation.co.uk
hxxp://robsonsofwolsingham.co.uk
hxxp://daviddewphotography.co.uk
Sample URL redirection chain:
hxxp://sciencefirst.com/?red=haiti-earthquake-donate
- hxxp://otsosute.freehostia.com/c.html
- hxxp://scan-now24.com/go.php?id=2022&key=4c69e59ac&d=1
Sample URL redirection chain:
hxxp://lipsticpi.ru/sm/r.php
- hxxp://uscaau.com/back.php
- hxxp://sekuritylistsite.com/hitin.php?land=20&affid=94801
- hxxp://mypremiumantyspywarepill.com/hitin.php?land=20&affid=94801
- hxxp://mypremiumantyspywarepill.com/index.php?affid=94801
Sample detection rate for a sample malicious executable:
MD5: ebc956abadefdac794ebcd1898ea07cf
Sample detection rate for a sample malicious executable:
MD5: d65a5d1ab98bd690dccd07cb6eebcba3
Once executed, a sample malware phones back to the following C&C server IPs:
hxxp://mypremiumantyspywarepill.com/in.php?affid=94801
hxxp://greatnorthwill.com/?mod=vv&i=1&id=11-18
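The second redirection chain and the first phone-back URL above all carry the same affid=94801 parameter. The following Python is an added example, not code from the original post: it clusters hosts by that affiliate ID and flags proxy-log requests that carry it. The log lines and the hosts example.test and unlisted-host.example are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# URLs copied from the redirection chain and phone-back list above (defanged).
PAGE_URLS = [
    "hxxp://lipsticpi.ru/sm/r.php",
    "hxxp://uscaau.com/back.php",
    "hxxp://sekuritylistsite.com/hitin.php?land=20&affid=94801",
    "hxxp://mypremiumantyspywarepill.com/hitin.php?land=20&affid=94801",
    "hxxp://mypremiumantyspywarepill.com/index.php?affid=94801",
    "hxxp://mypremiumantyspywarepill.com/in.php?affid=94801",
]

# Constructed proxy-log lines (client IP, URL); example.test and
# unlisted-host.example are made-up hosts, not part of the campaign.
SAMPLE_LOG = [
    "10.0.0.5 http://example.test/index.php?id=7",
    "10.0.0.9 http://unlisted-host.example/hitin.php?land=20&affid=94801",
    "10.0.0.9 hxxp://mypremiumantyspywarepill.com/in.php?affid=94801",
]

def refang(url):
    """Turn a defanged hxxp:// URL back into a parseable one."""
    return "http" + url[4:] if url.lower().startswith("hxxp") else url

def affiliate_of(url):
    """Return the affid query value, or None if the URL carries none."""
    values = parse_qs(urlsplit(refang(url)).query).get("affid")
    return values[0] if values else None

def hosts_by_affiliate(urls):
    """Map each affiliate ID to the set of hosts it was seen on."""
    clusters = defaultdict(set)
    for url in urls:
        affid = affiliate_of(url)
        if affid:
            clusters[affid].add(urlsplit(refang(url)).hostname)
    return dict(clusters)

def flag_log(lines, known):
    """Return (client, host, host_already_listed) for requests with a known affid."""
    hits = []
    for line in lines:
        client, url = line.split(maxsplit=1)
        affid = affiliate_of(url)
        if affid in known:
            host = urlsplit(refang(url)).hostname
            hits.append((client, host, host in known[affid]))
    return hits
```

A hit whose third field is False is a host that shares the affiliate ID but is not yet on the domain list, which a domain-only blocklist would miss.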
Related malicious domains known to have participated in the campaign:
We'll continue monitoring the campaign and post updates as soon as new developments take place.
Friday, December 23, 2016
Historical OSINT - Haiti-themed Blackhat SEO Campaign Serving Scareware Spotted in the Wild