
Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild Drops Scareware

It's 2008, and I've recently stumbled upon a currently active blackhat SEO campaign that entices users into installing fake security software, also known as scareware, along with a variety of dropped fake codecs. The campaign relies on blackhat SEO to hijack legitimate search traffic, in this particular case traffic for North Korea news and Mike Tyson's daughter themed searches.

Related malicious domains and redirectors known to have participated in the campaign:
hxxp://fi97.net
hxxp://is-the-boss.com - Email: dantsr@gmail.com

Related malicious domains known to have participated in the campaign:
hxxp://north-korea-news.moviegator.us

Related malicious domains known to have participated in the campaign:
hxxp://petrenko.biz

Related malicious domains known to have participated in the campaign:
hxxp://teensxporn.com - 66.197.165.41 - Email: robertxssmith@googlemail.com
hxxp://aprettygirls.com
hxxp://analporntube.com
hxxp://tuexxxteen.com
hxxp://1tubexxx.com
hxxp://teenboobstube.com
hxxp://tubexxxteen.com

Related rogue YouTube accounts known to have participated in the campaign:
hxxp://www.youtube.com/user/afohebac5ar
hxxp://www.youtube.com/user/irufupol0op

Related malicious domains known to have participated in the campaign:
hxxp://get-mega-tube.com - 216.240.143.7
hxxp://my-flare-tube.com
hxxp://best-crystal-tube.com
hxxp://powerful-tube.com
hxxp://cheery-tube-portal.com
hxxp://jazzy-tubs.com
hxxp://video-tube-dot.com
hxxp://my-tube-show.com

Once executed, a sampled piece of the dropped malware phones back to the following C&C server URLs:
hxxp://mgjmnfgbdfb.com/fff9999.php
hxxp://mgjmnfgbdfb.com/eee9999.php

Once executed, a second sample phones back to the following C&C server URLs (note the check-in paths disguised as image files) and fetches an additional executable:
hxxp://imageempires.com/perce/9dc0266f8077f4b2cd9411ed48ecdda988af00003b1280c47e899830c09969686e8ccfe804c2a7ce5/c0a/perce.jpg
hxxp://imagescolor.com/item/adb0765f302764425d74c12df84cbd29185f9070bb2230a42e0958e050299908de1c5f0844c2579e3/20c/item.gif
hxxp://picturehappiness.com/werber/207/216.jpg
hxxp://archiveexefiles09.com/file.exe

Related malicious URLs known to have participated in the campaign:
hxxp://archiveexefiles09.com/softwarefortubeview.45016.exe

Related malicious domains known to have participated in the campaign:
hxxp://archiveexefiles09.com - 91.212.65.54
hxxp://exefilesstorage.com
hxxp://exearchstortage.com
hxxp://grandfilesstore.com
hxxp://arch-grandsoftarchive.com
hxxp://hex-programmers.com
hxxp://kir-fileplanet.com
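The indicators above are only useful once they are matched against traffic. The following is an added example, not code from the original post: it refangs a subset of the hxxp:// indicators listed above (the C&C URLs, landing domains and hosting IPs), then scans web-proxy log lines for them. The proxy log format ("timestamp client_ip method url status") and the sample log lines are constructed for the example; the "[.]" handling in the refang step is an assumption added so indicators from other feeds can be fed in unchanged. Exact C&C URL matches are reported before bare host matches so an analyst sees the most specific evidence first, and subdomain matches (www.teensxporn.com) are accepted while registered-domain collapsing is deliberately not done, since north-korea-news.moviegator.us is listed as a full hostname and flagging all of moviegator.us could be over-broad.

```python
"""Match the post's blackhat SEO / scareware indicators against proxy logs.
Added example; not the author's code. Indicator subset copied from the post."""
import ipaddress
import re
from urllib.parse import urlsplit

# Defanged indicators from the post (subset; any hxxp:// entry is handled the same).
DEFANGED_INDICATORS = [
    "hxxp://is-the-boss.com",
    "hxxp://north-korea-news.moviegator.us",
    "hxxp://teensxporn.com",
    "hxxp://get-mega-tube.com",
    "hxxp://mgjmnfgbdfb.com/fff9999.php",
    "hxxp://mgjmnfgbdfb.com/eee9999.php",
    "hxxp://picturehappiness.com/werber/207/216.jpg",
    "hxxp://archiveexefiles09.com/file.exe",
    "hxxp://archiveexefiles09.com/softwarefortubeview.45016.exe",
    "hxxp://exefilesstorage.com",
]
# Hosting IPs named in the post.
INDICATOR_IPS = {"66.197.165.41", "216.240.143.7", "91.212.65.54"}


def refang(indicator):
    """Turn a defanged indicator back into a real URL.
    The post only uses hxxp://; the '[.]' handling is an added assumption."""
    s = indicator.strip().replace("[.]", ".")
    s = re.sub(r"^hxxps://", "https://", s, flags=re.IGNORECASE)
    return re.sub(r"^hxxp://", "http://", s, flags=re.IGNORECASE)


def build_indicator_sets(defanged, ips):
    """Return (exact (host, path) pairs, listed hosts, listed IPs)."""
    urls, hosts = set(), set()
    for ind in defanged:
        parts = urlsplit(refang(ind))
        host = (parts.hostname or "").lower()
        hosts.add(host)  # any request to a listed host is worth a hit
        if parts.path and parts.path != "/":
            urls.add((host, parts.path))  # exact C&C / payload path
    return urls, hosts, set(ips)


def _host_matches(host, listed_hosts):
    """Exact or subdomain match; no registered-domain collapsing (see lead-in)."""
    for listed in listed_hosts:
        if host == listed or host.endswith("." + listed):
            return listed
    return None


def classify_request(url, sets):
    """Return (kind, indicator) for a requested URL, or None if clean.
    Precedence: exact URL, then listed host, then listed hosting IP."""
    urls, hosts, ips = sets
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if (host, parts.path) in urls:
        return ("url", host + parts.path)
    listed = _host_matches(host, hosts)
    if listed:
        return ("host", listed)
    try:
        if str(ipaddress.ip_address(host)) in ips:
            return ("ip", host)
    except ValueError:
        pass  # host is a name, not an IP literal
    return None


# Constructed log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def scan_log(lines, sets):
    """Return [(line_no, kind, indicator, client_ip)] for every matching line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line: skip, do not abort the scan
        _, client_ip, _, url, _ = m.groups()
        hit = classify_request(url, sets)
        if hit:
            hits.append((n, hit[0], hit[1], client_ip))
    return hits


# Constructed sample proxy log (not real traffic).
SAMPLE_LOG = [
    "2008-11-03T10:12:01Z 10.0.0.5 GET http://www.google.com/search?q=north+korea+news 200",
    "2008-11-03T10:12:09Z 10.0.0.5 GET http://north-korea-news.moviegator.us/index.html 302",
    "2008-11-03T10:12:10Z 10.0.0.5 GET http://get-mega-tube.com/ 200",
    "2008-11-03T10:12:31Z 10.0.0.5 GET http://archiveexefiles09.com/softwarefortubeview.45016.exe 200",
    "2008-11-03T10:13:02Z 10.0.0.5 POST http://mgjmnfgbdfb.com/fff9999.php 200",
    "2008-11-03T10:13:05Z 10.0.0.5 GET http://91.212.65.54/file.exe 200",
    "2008-11-03T10:13:40Z 10.0.0.9 GET http://WWW.TeensXporn.com/ 200",
    "2008-11-03T10:14:00Z 10.0.0.7 GET http://example.com/ 200",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    sets = build_indicator_sets(DEFANGED_INDICATORS, INDICATOR_IPS)
    for line_no, kind, indicator, client in scan_log(SAMPLE_LOG, sets):
        print(f"line {line_no}: {client} -> {kind} indicator {indicator}")
```

In the sample run the search to Google and the request to example.com produce no hits, the landing-domain and tube-portal requests are reported as host matches, the payload download and the fff9999.php check-in as exact URL matches, and the request to 91.212.65.54 as an IP match, which is the signal to check what else that hosting IP serves.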

We'll continue monitoring the campaign and post updates as soon as new developments take place.
