Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild Serves Scareware

October 22, 2018
It's 2010 and I've recently stumbled upon a currently active and circulating malicious and fraudulent blackhat SEO campaign successfully enticing hundreds of thousands of users globally into interacting with a multitude of rogue and malicious software, also known as scareware.

In this post I'll profile the campaign, discuss in depth the tactics, techniques and procedures of the cybercriminals behind it, and provide actionable intelligence on the infrastructure behind it.

Related malicious domains known to have participated in the campaign:
hxxp://ozeqiod.cn?uid=213 - redirector - 64.86.25.201 - hxxp://bexwuq.cn

Sample URL redirection chain:
hxxp://ymarketcoms.cn/?pid=123

Related malicious domains known to have responded to the same malicious C&C server IPs (64.86.25.201):

Related malicious domains known to have participated in the campaign:
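As an added example (not code from the original post), here is a small Python helper that turns the post's defanged notation into structured data: it refangs hxxp:// URLs, parses a redirect chain line in the "url - role - ip - url" form used above into hops, and pivots on the shared C&C IP to build a blocklist. The resolution records it pivots over are constructed for illustration, not real lookups.

```python
import re

# Constructed sample in the post's own notation: the redirect chain line from the post
# plus passive-DNS style (domain, ip) records made up for this example, not real lookups.
CHAIN_LINE = "hxxp://ozeqiod.cn?uid=213 - redirector - 64.86.25.201 - hxxp://bexwuq.cn"
RESOLUTIONS = [
    ("ozeqiod.cn", "64.86.25.201"),
    ("bexwuq.cn", "64.86.25.201"),
    ("bombas101.com", "64.86.25.201"),
    ("example-benign.org", "198.51.100.7"),  # unrelated host, must not be pulled in
]

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def refang(url: str) -> str:
    """Turn the defanged 'hxxp://' / 'hxxps://' scheme back into a real one."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.IGNORECASE)

def host_of(url: str) -> str:
    """Extract the bare hostname (no scheme, path, query or port) from a URL."""
    stripped = re.sub(r"^[a-z]+://", "", refang(url), flags=re.IGNORECASE)
    return stripped.split("/")[0].split("?")[0].split(":")[0].lower()

def parse_chain(line: str) -> dict:
    """Parse 'url - label - ip - url' into hops; a label annotates the preceding hop."""
    hops, ips = [], []
    for part in [p.strip() for p in line.split(" - ")]:
        if IP_RE.match(part):
            ips.append(part)
        elif part.lower().startswith(("hxxp", "http")):
            hops.append({"url": refang(part), "host": host_of(part), "role": "landing"})
        elif hops:
            hops[-1]["role"] = part.lower()
    return {"hops": hops, "ips": ips}

def pivot_on_ip(resolutions, ip: str) -> list:
    """Every domain that resolved to the given C&C IP, de-duplicated and sorted."""
    return sorted({domain for domain, addr in resolutions if addr == ip})

def build_blocklist(chain_line: str, resolutions) -> list:
    """Hosts seen in the chain plus every domain sharing its C&C IP(s)."""
    chain = parse_chain(chain_line)
    hosts = {hop["host"] for hop in chain["hops"]}
    for ip in chain["ips"]:
        hosts.update(pivot_on_ip(resolutions, ip))
    return sorted(hosts)

if __name__ == "__main__":
    print(parse_chain(CHAIN_LINE))
    print(build_blocklist(CHAIN_LINE, RESOLUTIONS))
```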

We'll continue monitoring the campaign and post updates as soon as new developments take place.
