It's 2010 and I've recently stumbled upon a currently active and circulating malicious and fraudulent blackhat SEO campaign that is successfully enticing hundreds of thousands of users globally into interacting with a multitude of rogue and malicious software, also known as scareware.
In this post I'll profile the campaign, discuss in depth the tactics, techniques and procedures of the cybercriminals behind it, and provide actionable intelligence on the infrastructure behind it.
Related malicious domains known to have participated in the campaign:
hxxp://ozeqiod.cn?uid=213 (redirector) -> 64.86.25.201 -> hxxp://bexwuq.cn
Sample URL redirection chain:
hxxp://ymarketcoms.cn/?pid=123
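As an added example (not part of the original post), the following Python turns the post's defanged hxxp:// indicators and the 64.86.25.201 C&C IP into a small proxy-log check that flags the redirector hop, the scareware landing domain and any otherwise unlisted host that still talks to the C&C IP. The log format and the log lines are constructed; treating the uid/pid query parameter as a per-affiliate tracking id is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators quoted from the post, in the defanged "hxxp://" form it uses.
DEFANGED_INDICATORS = [
    "hxxp://ozeqiod.cn?uid=213",      # redirector
    "hxxp://bexwuq.cn",               # scareware landing domain
    "hxxp://ymarketcoms.cn/?pid=123", # start of the sample redirection chain
]
CNC_IP = "64.86.25.201"

def refang(indicator: str) -> str:
    """Restore a real scheme so the standard URL parser accepts the indicator."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", indicator, flags=re.IGNORECASE)

def host_of(url: str) -> str:
    return urlsplit(refang(url)).hostname or ""

CAMPAIGN_HOSTS = {host_of(i) for i in DEFANGED_INDICATORS}

# Constructed proxy log (Squid-like: ts client dst_ip method url status); not from the post.
SAMPLE_LOG = """\
1288000001.123 10.0.0.5 64.86.25.201 GET http://ozeqiod.cn/?uid=213 302
1288000001.456 10.0.0.5 203.0.113.9 GET http://bexwuq.cn/scan.php 200
1288000002.000 10.0.0.7 198.51.100.4 GET http://example.org/index.html 200
1288000003.250 10.0.0.9 64.86.25.201 GET http://unlisted-host.cn/?uid=777 302
"""

def match_line(line: str):
    """Return (client, host, reasons) when a log line touches the campaign, else None."""
    ts, client, dst_ip, method, url, status = line.split()
    parts = urlsplit(url)
    host = parts.hostname or ""
    params = parse_qs(parts.query)
    reasons = []
    if host in CAMPAIGN_HOSTS:
        reasons.append(f"host:{host}")
    if dst_ip == CNC_IP:              # catches hosts the indicator list does not yet name
        reasons.append(f"ip:{dst_ip}")
    # Assumption: the uid/pid parameter on redirector hops is a tracking id worth pivoting on.
    tracking = params.get("uid") or params.get("pid")
    if reasons and tracking:
        reasons.append(f"tracking_id:{tracking[0]}")
    return (client, host, reasons) if reasons else None

def scan(log_text: str):
    """Run match_line over every non-empty log line and keep the hits, in log order."""
    return [h for h in (match_line(l) for l in log_text.splitlines() if l.strip()) if h]
```

The IP match is the more durable check: the post lists many .cn domains that rotated through the same 64.86.25.201, so a host-only match misses the next domain the campaign registers.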
Related malicious domains known to have resolved to the same malicious C&C server IP (64.86.25.201):
Related malicious domains known to have participated in the campaign:
We'll continue monitoring the campaign and post updates as soon as new developments take place.
Monday, October 22, 2018
Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild Serves Scareware