Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the necessary situational awareness to stay on the top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculations and real-time CYBERINT assessments, all packed with sarcastic attitude

Sunday, October 21, 2018

Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild

It's 2008 and I recently came across to a pretty decent portfolio of rogue and fraudulent malicious scareware-serving domains successfully acquiring traffic through a variety of black hat SEO techniques in this particular case the airplane crash of the Polish president.

Related malicious domains known to have participated in the campaign:
hxxp://sarahscandies.com
hxxp://armadasur.com
hxxp://gayribisi.com
hxxp://composerjohnbeal.com
hxxp://preferredtempsinc.com
hxxp://ojaivalleyboys.com
hxxp://homelinkmag.com
hxxp://worldwidestones.com
hxxp://silsilaqasmia.com
hxxp://vidoemo.com
hxxp://channhu.com
hxxp://ideasenfoco.com

Related malicious domains known to have participated in the campaign:
hxxp://homeownersmoneysaver.com
hxxp://preferredtempsinc.com
hxxp://sarahscandies.com
hxxp://channhu.com
hxxp://intheclub.com
hxxp://internetcabinetsdirect.com
hxxp://silentservers.com
hxxp://ojaivalleyboys.com

Related malicious domains known to have participated in the campaign:
hxxp://indigo-post.com
hxxp://jacksonareadiscgolf.com

Related malicious domains known to have participated in the campaign:
hxxp://werodink.com
hxxp://jingyi-plastic.com
hxxp://impressionsphotographs.com

Sample URL redirection chain:
hxxp://cooldesigns4u.co.uk/sifr.php
- hxxp://visittds.com/su/in.cgi?2 - 213.163.89.55 - Email: johnvernet@gmail.com
- hxxp://scaner24.org/?affid=184 - 91.212.127.19 - Email: bobarter@xhotmail.net

Redirectors parked on 213.163.89.55 (AS49544, INTERACTIVE3D-AS Interactive3D) include:
hxxp://google-analyze.org
hxxp://alioanka.com
hxxp://robokasa.com
hxxp://thekapita.com
hxxp://rbomce.com
hxxp://kolkoman.com
hxxp://nikiten.com
hxxp://rokobon.com
hxxp://odile-marco.com
hxxp://ramualdo.com
hxxp://omiardo.com
hxxp://nsfer.com
hxxp://racotas.com
hxxp://foxtris.com
hxxp://mongoit.com
hxxp://mangasit.com
hxxp://convart.com
hxxp://baidustatz.com
hxxp://google-analyze.cn
hxxp://statanalyze.cn
hxxp://reycross.cn
hxxp://m-analytics.net
hxxp://yahoo-analytics.net

We've already seen hxxp://google-analyze.org and hxxp://yahoo-analytics.net in several related mass compromise of related Embassy Web Sites.

We'll continue monitoring the campaign and post updates as new developments take place.

Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com