Dancho Danchev's Blog - Mind Streams of Information Security Knowledge: Exposing a Portfolio of YaBucks Pay Per Install Affiliate Network Scareware Serving Domains

Friday, October 28, 2022

Exposing a Portfolio of YaBucks Pay Per Install Affiliate Network Scareware Serving Domains - An Analysis

NOTE:

I took these screenshots in 2009.

It used to be a moment in time when scareware and pay per install affiliate-based revenue sharing fraudulent and malicious networks used to dominate the threat landscape as the primary monetization vector courtesy of the bad guys where they've managed to successfully steal basically tens of thousands in fraudulent revenue by enticing users into installing and interacting with rogue and fake security software.

In this post I'll take a deeper look inside the YaBucks rogue and affiliate-network based scareware serving network that managed to affect thousands of users globally largely based on the number of affiliates that participated in it including to also provide technical details on its Internet-connected infrastructure with the idea to assist everyone in their cyber attack and cyber campaign attribution efforts.

Sample screenshots include:

Sample domains known to have been involved in the campaign include:

hxxp://pontesmedia.com - 74.54.241.100

hxxp://matelab.com

hxxp://legochild.com

hxxp://imzee.com

hxxp://mustmake.com

hxxp://ovobundle.com

hxxp://emulehome.com

hxxp://skyaffiliate.com

hxxp://vivosearch.com

hxxp://ovocash.com

hxxp://p2passion.com

hxxp://datingnoon.com

hxxp://profilissimo.com

hxxp://flipero.com

hxxp://adware-help.com

hxxp://spacextender.com

hxxp://mybuckler.com

hxxp://iframr.com

hxxp://glintgames.com

hxxp://justares.com

hxxp://ppitalks.com

hxxp://theinstalls.com

hxxp://adwaredollars.com

hxxp://funtarget.com

hxxp://theimageoutlet.com

hxxp://petduet.com

hxxp://tivisoft.com

hxxp://softpont.com

hxxp://blogency.com

hxxp://wiiactivity.com

hxxp://bnetworks.us

hxxp://gorasoft.us

hxxp://camerabid.net

hxxp://freemediashare.net

hxxp://germek.net

hxxp://imupdates.net

hxxp://allworldstars.net

hxxp://gorasoft.net

Sample responding IPs known to have been involved in the campaign include:

hxxp://54.208.174.161

hxxp://154.72.193.28

hxxp://54.165.156.210

hxxp://54.200.75.96

hxxp://52.72.89.116

hxxp://199.184.144.27

hxxp://74.208.236.241

hxxp://74.208.21.90

hxxp://207.148.248.143

hxxp://50.63.202.104

hxxp://184.168.221.39

hxxp://52.202.22.6

hxxp://54.209.32.212

hxxp://54.208.74.215

hxxp://45.40.140.6

hxxp://68.178.213.203

hxxp://213.186.33.18

hxxp://3.223.115.185

hxxp://52.71.210.200

hxxp://23.20.239.12

hxxp://54.80.72.81

hxxp://34.102.136.180

hxxp://146.112.61.107

hxxp://204.11.56.48

hxxp://23.202.231.167

hxxp://23.217.138.108

hxxp://107.23.198.240

hxxp://35.171.109.224

hxxp://52.7.6.73

hxxp://52.71.185.125

hxxp://54.174.212.152

hxxp://52.6.224.208

hxxp://54.209.58.131

hxxp://3.224.108.191

hxxp://34.206.145.143

hxxp://18.119.154.66

hxxp://217.160.0.202

hxxp://72.32.183.55

hxxp://13.70.194.134

hxxp://52.50.218.98

hxxp://52.19.184.19

hxxp://156.245.122.96

hxxp://154.38.221.164

hxxp://180.215.252.181

hxxp://52.16.207.139

hxxp://192.163.249.115

hxxp://54.183.99.63

hxxp://46.249.46.67

hxxp://146.112.61.106

hxxp://23.202.231.168

hxxp://23.195.69.108

hxxp://185.230.63.171

hxxp://185.230.63.186

hxxp://109.234.109.84

hxxp://192.232.231.38

hxxp://50.63.202.47

hxxp://50.63.202.49

hxxp://50.63.202.59

hxxp://198.105.244.11

hxxp://184.168.221.57

hxxp://185.230.61.173

hxxp://184.168.221.36

hxxp://104.239.213.7

hxxp://34.117.168.233

hxxp://85.13.164.142

hxxp://185.230.60.173

hxxp://199.34.228.59

hxxp://103.224.182.244

hxxp://36.86.63.182

hxxp://184.168.221.65

hxxp://185.205.210.23

hxxp://204.16.144.135

hxxp://172.93.51.245

hxxp://76.223.65.111

hxxp://184.168.221.53

hxxp://218.93.250.18

hxxp://184.168.221.40

hxxp://93.89.226.17

hxxp://54.72.11.253

hxxp://198.105.254.11

hxxp://18.211.9.206

hxxp://185.53.179.7

hxxp://91.237.88.232

hxxp://52.15.160.167

hxxp://3.140.179.210

hxxp://3.141.79.17

hxxp://198.61.166.153

hxxp://69.56.252.44

hxxp://143.95.87.47

hxxp://104.24.126.199

hxxp://50.63.202.43

hxxp://23.246.252.106

hxxp://141.8.226.19

hxxp://3.143.123.90

hxxp://3.138.54.87

Sample malicious MD5s known to have been involved in the campaign include:

MD5: d3081abe4e1c1808e5e8a83a3bc1eaa2

MD5: 1aadbc70670bc05875c04c9e86c0356e

MD5: f18c7a4fed30371a0eba7eef3051234f

MD5: b492493154482d9bb6e24340d8866dec

MD5: 72e5a2dadc0711f36e84f636b7267b1b

MD5: eab74844a9b34edc1b7b3d4e84aab5ec

MD5: 322367ea2f686916a44181bf72c49726

MD5: d9f6bf40003d44ecf7b2fa697a9e73dd

Sample malicious and fraudulent C&C server domains known to have been involved in the campaign include:

hxxp://skyaffiliate.com/count.php

hxxp://funtarget.com/?m&id=61fbd50a-ef75-11e8-bc2f-00c0a8850c2a&ver=9

Stay tuned!

Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com

Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

Friday, October 28, 2022

Exposing a Portfolio of YaBucks Pay Per Install Affiliate Network Scareware Serving Domains - An Analysis

No comments:

Post a Comment