Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild
It's 2008 and I recently came across a pretty decent portfolio of rogue and fraudulent scareware-serving domains successfully acquiring traffic through a variety of black hat SEO techniques, in this particular case by hijacking search traffic for the airplane crash of the Polish president.
Related malicious domains known to have participated in the campaign:
hxxp://sarahscandies.com
hxxp://armadasur.com
hxxp://gayribisi.com
hxxp://composerjohnbeal.com
hxxp://preferredtempsinc.com
hxxp://ojaivalleyboys.com
hxxp://homelinkmag.com
hxxp://worldwidestones.com
hxxp://silsilaqasmia.com
hxxp://vidoemo.com
hxxp://channhu.com
hxxp://ideasenfoco.com
Related malicious domains known to have participated in the campaign:
hxxp://homeownersmoneysaver.com
hxxp://preferredtempsinc.com
hxxp://sarahscandies.com
hxxp://channhu.com
hxxp://intheclub.com
hxxp://internetcabinetsdirect.com
hxxp://silentservers.com
hxxp://ojaivalleyboys.com
Related malicious domains known to have participated in the campaign:
hxxp://indigo-post.com
hxxp://jacksonareadiscgolf.com
Related malicious domains known to have participated in the campaign:
hxxp://werodink.com
hxxp://jingyi-plastic.com
hxxp://impressionsphotographs.com
Sample URL redirection chain:
hxxp://cooldesigns4u.co.uk/sifr.php
- hxxp://visittds.com/su/in.cgi?2 - 213.163.89.55 - Email: johnvernet@gmail.com
- hxxp://scaner24.org/?affid=184 - 91.212.127.19 - Email: bobarter@xhotmail.net
Redirectors parked on 213.163.89.55 (AS49544, INTERACTIVE3D-AS Interactive3D) include:
hxxp://google-analyze.org
hxxp://alioanka.com
hxxp://robokasa.com
hxxp://thekapita.com
hxxp://rbomce.com
hxxp://kolkoman.com
hxxp://nikiten.com
hxxp://rokobon.com
hxxp://odile-marco.com
hxxp://ramualdo.com
hxxp://omiardo.com
hxxp://nsfer.com
hxxp://racotas.com
hxxp://foxtris.com
hxxp://mongoit.com
hxxp://mangasit.com
hxxp://convart.com
hxxp://baidustatz.com
hxxp://google-analyze.cn
hxxp://statanalyze.cn
hxxp://reycross.cn
hxxp://m-analytics.net
hxxp://yahoo-analytics.net
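As an added example (not code from the original post), the following Python script shows how a practitioner would operationalize the indicators above: it refangs the hxxp:// entries, stitches requests from a proxy log back into referer chains, and flags the two hops that characterize this campaign's chain, the TDS gateway (the in.cgi?N redirect) and the scareware affiliate landing (the affid= parameter). The log format and client IPs are constructed for the example; the domains are the ones listed on this page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators copied from this page in their defanged form (a constructed subset).
DEFANGED_IOCS = """
hxxp://cooldesigns4u.co.uk/sifr.php
hxxp://visittds.com/su/in.cgi?2
hxxp://scaner24.org/?affid=184
hxxp://google-analyze.org
hxxp://yahoo-analytics.net
hxxp://baidustatz.com
"""

# Constructed proxy log (assumed format): client method url referer status
SAMPLE_LOG = """\
10.0.0.5 GET http://www.google.com/search?q=polish+president+plane+crash - 200
10.0.0.5 GET http://cooldesigns4u.co.uk/sifr.php http://www.google.com/search?q=polish+president+plane+crash 302
10.0.0.5 GET http://visittds.com/su/in.cgi?2 http://cooldesigns4u.co.uk/sifr.php 302
10.0.0.5 GET http://scaner24.org/?affid=184 http://visittds.com/su/in.cgi?2 200
10.0.0.9 GET http://example.org/news/ http://www.bing.com/search?q=weather 200
10.0.0.9 GET http://yahoo-analytics.net/stat.js http://example.org/news/ 200
"""


def refang(url):
    """Turn the defanged 'hxxp://' form used on this page back into a real scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.IGNORECASE)


def ioc_hosts(block):
    """Extract the lower-cased hostnames from a block of defanged indicator URLs."""
    hosts = set()
    for line in block.splitlines():
        line = line.strip()
        if line:
            host = urlsplit(refang(line)).hostname
            if host:
                hosts.add(host.lower())
    return hosts


def parse_log(text):
    """Parse the constructed five-column log into dicts; '-' means no Referer."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        client, method, url, referer, status = parts
        events.append({"client": client, "method": method, "url": url,
                       "referer": None if referer == "-" else referer,
                       "status": int(status)})
    return events


def build_chains(events):
    """Stitch requests into referer chains per client: a request whose Referer
    equals the last URL of an open chain for that client extends that chain."""
    chains = []
    for ev in events:
        extended = False
        if ev["referer"]:
            for chain in reversed(chains):
                if chain["client"] == ev["client"] and chain["urls"][-1] == ev["referer"]:
                    chain["urls"].append(ev["url"])
                    extended = True
                    break
        if not extended:
            chains.append({"client": ev["client"], "urls": [ev["url"]]})
    return chains


def flag_chains(chains, bad_hosts):
    """Score each chain: known-bad hosts, a TDS in.cgi hop, and an affid= landing."""
    out = []
    for chain in chains:
        hits, tds_hop, affid = [], False, None
        for url in chain["urls"]:
            parts = urlsplit(url)
            host = (parts.hostname or "").lower()
            if host in bad_hosts and host not in hits:
                hits.append(host)
            if parts.path.endswith("/in.cgi"):   # the traffic-direction gateway
                tds_hop = True
            aff = parse_qs(parts.query).get("affid")  # the affiliate landing page
            if aff:
                affid = aff[0]
        out.append({"client": chain["client"], "hops": len(chain["urls"]),
                    "ioc_hits": hits, "tds_hop": tds_hop, "affid": affid,
                    "suspicious": bool(hits) or (tds_hop and affid is not None)})
    return out


if __name__ == "__main__":
    for result in flag_chains(build_chains(parse_log(SAMPLE_LOG)), ioc_hosts(DEFANGED_IOCS)):
        print(result)
```

The chain for 10.0.0.5 reproduces the four-hop path on this page (search result, compromised site, TDS, affiliate landing); the second client never touches the TDS but still gets flagged because yahoo-analytics.net is in the indicator set, which is the point of keeping the host match and the chain-shape heuristic as separate signals.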
We've already seen hxxp://google-analyze.org and hxxp://yahoo-analytics.net in several related mass compromises of embassy web sites.
We'll continue monitoring the campaign and post updates as new developments take place.
