Monday, October 22, 2018

Historical OSINT - A Diversified Portfolio of Fake Security Software Spotted in the Wild

It's 2010 and I've recently stumbled upon yet another malicious and fraudulent domain portfolio serving a variety of fake security software also known as scareware potentially exposing hundreds of thousands of users to a variety of fake security software with the cybercriminals behind the campaign potentially earning fraudulent revenue largely relying on the utilization of an affiliate-network based type of revenue-sharing scheme.

Related malicious domains known to have participated in the campaign:
hxxp://50virus-scanner.com
hxxp://700virus-scanner.com
hxxp://antivirus-test66.com
hxxp://antivirus200scanner.com
hxxp://antivirus600scanner.com
hxxp://antivirus800scanner.com
hxxp://antivirus900scanner.com
hxxp://av-scanner200.com
hxxp://av-scanner300.com
hxxp://av-scanner400.com
hxxp://av-scanner500.com
hxxp://inetproscan031.com
hxxp://internet-scan020.com
hxxp://novirus-scan00.com
hxxp://stopvirus-scan11.com
hxxp://stopvirus-scan13.com
hxxp://stopvirus-scan16.com
hxxp://stopvirus-scan33.com
hxxp://virus66scanner.com
hxxp://virus77scanner.com
hxxp://virus88scanner.com
hxxp://antivirus-scan200.com
hxxp://antispy-scan200.com
hxxp://av-scanner200.com
hxxp://av-scanner300.com
hxxp://antivirus-scan400.com
hxxp://antispy-scan400.com
hxxp://av-scanner400.com
hxxp://av-scanner500.com
hxxp://antivirus-scan600.com
hxxp://antispy-scan600.com
hxxp://antivirus-scan700.com
hxxp://antispy-scan700.com
hxxp://av-scanner700.com
hxxp://antispy-scan800.com
hxxp://antivirus-scan900.com
hxxp://novirus-scan00.com
hxxp://stop-virus-010.com
hxxp://spywarescan010.com

Related malicious domains known to have participated in the campaign:
hxxp://antispywarehelp010.com
hxxp://internet-scan020.com
hxxp://internet-scanner020.com
hxxp://insight-scan20.com
hxxp://internet-scanner030.com
hxxp://stop-virus-040.com
hxxp://internet-scan040.com
hxxp://insight-scan40.com
hxxp://internet-scan050.com
hxxp://internet-scanner050.com
hxxp://insight-scan60.com
hxxp://stop-virus-070.com
hxxp://internet-scan070.com
hxxp://internet-scanner070.com
hxxp://insight-scan80.com
hxxp://stop-virus-090.com
hxxp://internet-scan090.com
hxxp://internet-scanner090.com
hxxp://insight-scan90.com
hxxp://antispywarehelpk0.com
hxxp://inetproscan001.com
hxxp://novirus-scan01.com
hxxp://spyware-stop01.com
hxxp://antivirus-inet01.com
hxxp://stopvirus-scan11.com
hxxp://inetproscan031.com
hxxp://novirus-scan31.com
hxxp://antivirus-inet31.com
hxxp://novirus-scan41.com
hxxp://antivirus-inet41.com
hxxp://antivirus-inet51.com
hxxp://inetproscan061.com
hxxp://novirus-scan61.com

Related malicious domains known to have participated in the campaign:
hxxp://inetproscan081.com
hxxp://novirus-scan81.com
hxxp://inetproscan091.com
hxxp://spyware-stopb1.com
hxxp://spyware-stopm1.com
hxxp://spyware-stopn1.com
hxxp://spyware-stopz1.com
hxxp://antispywarehelp002.com
hxxp://antispywarehelp022.com
hxxp://novirus-scan22.com
hxxp://antispywarehelpk2.com
hxxp://insight-scanner2.com
hxxp://spywarescan013.com
hxxp://stopvirus-scan13.com
hxxp://novirus-scan33.com
hxxp://stopvirus-scan33.com
hxxp://antispywarehelp004.com
hxxp://antispywarehelpk4.com
hxxp://spywarescan015.com
hxxp://novirus-scan55.com
hxxp://insight-scanner5.com
hxxp://stopvirus-scan16.com
hxxp://stopvirus-scan66.com
hxxp://antispywarehelpk6.com
hxxp://spywarescan017.com
hxxp://insight-scanner7.com
hxxp://antispywarehelp008.com
hxxp://spywarescan018.com
hxxp://stopvirus-scan18.com
hxxp://novirus-scan88.com
hxxp://stopvirus-scan88.com
hxxp://antivirus-test88.com
hxxp://antispywarehelpk8.com
hxxp://insight-scanner8.com
hxxp://insight-scanner9.com

Related malicious domains known to have participated in the campaign:
hxxp://10scanantispyware.com
hxxp://20scanantispyware.com
hxxp://30scanantispyware.com
hxxp://60scanantispyware.com
hxxp://80scanantispyware.com
hxxp://2scanantispyware.com
hxxp://3scanantispyware.com
hxxp://5scanantispyware.com
hxxp://7scanantispyware.com
hxxp://8scanantispyware.com
hxxp://spyware200scan.com
hxxp://spyware500scan.com
hxxp://spyware800scan.com
hxxp://spyware880scan.com
hxxp://50virus-scanner.com
hxxp://90virus-scanner.com
hxxp://antivirus900scanner.com
hxxp://antivirus10scanner.com
hxxp://virus77scanner.com
hxxp://virus88scanner.com
hxxp://net001antivirus.com
hxxp://net011antivirus.com
hxxp://net111antivirus.com
hxxp://net021antivirus.com
hxxp://net-02antivirus.com
hxxp://net222antivirus.com
hxxp://net-04antivirus.com
hxxp://net-05antivirus.com
hxxp://net-07antivirus.com

We'll continue monitoring the campaign and post updates as soon as new developments take place.