<div style='background-color: none transparent;'></div>
Home » , , , , , » Historical OSINT - Massive Scareware Serving Campaign Spotted in the Wild

Historical OSINT - Massive Scareware Serving Campaign Spotted in the Wild

With scareware continuing to proliferate I've recently intercepted a currently active malicious and fraudulent blackhat SEO campaign successfully enticing thousands of users into interacting with the rogue and malicious software with the scareware behind the campaign successfully modifying the HOSTS on the affected host potentially exposing the user to a variety of fake search engines type of rogue and fraudulent and malicious activity.

In this post I'll provide actionable intelligence on the infrastructure behind the campaign.

Sample malicious URL known to have participated in the campaign:
hxxp://guardsys-zone.com/?p=WKmimHVmaWyHjsbIo22EeXZe0KCfZlbVoKDb2YmHWJjOxaCbkX1%2Bal6orKWekJXIZWhimmVummWIo6THodjXoGJdpqmikpVuZ21uaHFtb1%2FEkKE%3D

Sample malicious MD5 known to have participated in the campaign:
MD5: 665480a64d4f72a33120251c968e9c28

Once executed the sample modifies the HOSTS and redirects them to the following domains:
hxxp://google-reseach.com/gfeed/click.php?q=&p=1 - 66.36.243.201
hxxp://google-reseach.com/search.php?&aff=32210&saff=0&q=

Related malicious rogue and fraudulent URL known to have participated in the campaign:
hxxp://88.85.73.139/landing/

Sample rogue and fraudulent payment processed used in the campaign:
hxxp://safetyself.com/safereports/ - 88.85.73.139
Share this article :
 
Copyright © 2011. Dancho Danchev's Blog - Mind Streams of Information Security Knowledge . All Rights Reserved
Company Info | Contact Us | Privacy policy | Term of use | Widget | Advertise with Us | Site map
Template Modify by Creating Website. Inpire by Darkmatter Rockettheme Proudly powered by Blogger