Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild

October 21, 2018
It's 2008 and I recently came across to a pretty decent portfolio of rogue and fraudulent malicious scareware-serving domains successfully acquiring traffic through a variety of black hat SEO techniques in this particular case the airplane crash of the Polish president.

Related malicious domains known to have participated in the campaign:
hxxp://sarahscandies.com
hxxp://armadasur.com
hxxp://gayribisi.com
hxxp://composerjohnbeal.com
hxxp://preferredtempsinc.com
hxxp://ojaivalleyboys.com
hxxp://homelinkmag.com
hxxp://worldwidestones.com
hxxp://silsilaqasmia.com
hxxp://vidoemo.com
hxxp://channhu.com
hxxp://ideasenfoco.com

Related malicious domains known to have participated in the campaign:
hxxp://homeownersmoneysaver.com
hxxp://preferredtempsinc.com
hxxp://sarahscandies.com
hxxp://channhu.com
hxxp://intheclub.com
hxxp://internetcabinetsdirect.com
hxxp://silentservers.com
hxxp://ojaivalleyboys.com

Related malicious domains known to have participated in the campaign:
hxxp://indigo-post.com
hxxp://jacksonareadiscgolf.com

Related malicious domains known to have participated in the campaign:
hxxp://werodink.com
hxxp://jingyi-plastic.com
hxxp://impressionsphotographs.com

Sample URL redirection chain:
hxxp://cooldesigns4u.co.uk/sifr.php
- hxxp://visittds.com/su/in.cgi?2 - 213.163.89.55 - Email: johnvernet@gmail.com
- hxxp://scaner24.org/?affid=184 - 91.212.127.19 - Email: bobarter@xhotmail.net

Redirectors parked on 213.163.89.55 (AS49544, INTERACTIVE3D-AS Interactive3D) include:
hxxp://google-analyze.org
hxxp://alioanka.com
hxxp://robokasa.com
hxxp://thekapita.com
hxxp://rbomce.com
hxxp://kolkoman.com
hxxp://nikiten.com
hxxp://rokobon.com
hxxp://odile-marco.com
hxxp://ramualdo.com
hxxp://omiardo.com
hxxp://nsfer.com
hxxp://racotas.com
hxxp://foxtris.com
hxxp://mongoit.com
hxxp://mangasit.com
hxxp://convart.com
hxxp://baidustatz.com
hxxp://google-analyze.cn
hxxp://statanalyze.cn
hxxp://reycross.cn
hxxp://m-analytics.net
hxxp://yahoo-analytics.net

We've already seen hxxp://google-analyze.org and hxxp://yahoo-analytics.net in several related mass compromise of related Embassy Web Sites.

We'll continue monitoring the campaign and post updates as new developments take place.

About the author

Donec non enim in turpis pulvinar facilisis. Ut felis. Praesent dapibus, neque id cursus faucibus. Aenean fermentum, eget tincidunt.