Thursday, December 28, 2023

Who's Pushing All The "Fake Updates" Malicious Software Using Redirectors and Traffic Distribution and Redirection Systems and Tools Domains?

I've recently observed an increase in compromised, or to be precise exploited, high-traffic and high-profile Web sites, where unfixed web application flaws such as open redirection are abused to push visitors through a URL redirection chain onto rogue traffic distribution and traffic management domains. The ultimate goal is to use both legitimate high-traffic and high-profile Web sites and purely malicious Web sites for the purpose of dropping malicious software on the targeted hosts.

The surprising part? The entire portfolio of these traffic redirection and traffic management domains is parked on 193.106.175.18 - AS50465 - IQHost Ltd, where one of the bigger domain farms is parked at hxxp://biggerfun.org.

Sample misconfigured high-traffic and high-profile Web sites that allow open redirections, potentially bypassing reputation filters, include:

hxxp://afmonline.org/?URL=hxxp://khTrnB0WV8.biggerfun.org/khTrnB0WV8/
hxxp://whiskyparts.co/?URL=m88Z2iiER.biggerfun.org/m88Z2iiER/
hxxp://hardemancounty.org/?URL=http%3A%2F%2F1FXddDHkYN.biggerfun.org/1FXddDHkYN/
hxxp://bukkit.org/proxy.php?link=hxxp://uToqSuwC.biggerfun.org/uToqSuwC/
hxxp://www.centralsynagogue.org/?URL=hxxp://NjNr8Mkm.biggerfun.org/NjNr8Mkm/
hxxp://board-en.piratestorm.com/proxy.php?link=http%3A%2F%2Fnpn8KwBr.biggerfun.org/npn8KwBr/
hxxp://boards.theforce.net/proxy.php?link=hxxp://WihYqBBuvj.biggerfun.org/WihYqBBuvj/
hxxp://www.cutrite.com.au/?URL=hxxp://9mVRlHjF.biggerfun.org/9mVRlHjF/
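As an added defender-side example (not code from the original post), the following Python parses URLs of the ?URL= and proxy.php?link= shape listed above, extracts the redirect target, and flags requests that bounce visitors off-site onto a watch-listed TDS apex domain. The watch list is built from domains named in this post; the redirect parameter names and the placeholder source hosts in the sample input are assumptions.

```python
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Redirect parameter names seen in the sample URLs (assumption: these forms suffice).
REDIRECT_PARAMS = ("URL", "url", "link")
# Apex domains of the TDS farm named in the post (constructed watch list).
WATCHLIST = {"biggerfun.org", "surelytheme.org", "bluegaslamp.org", "throatpills.org"}


def apex(host: str) -> str:
    """Return the last two labels of a host name; adequate for the .org/.com samples."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def redirect_target(url: str) -> Optional[str]:
    """Return the destination carried in a redirect parameter, or None if there is none."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    for name in REDIRECT_PARAMS:
        if query.get(name) and query[name][0].strip():
            target = unquote(query[name][0]).strip()
            # Some samples omit the scheme ("m88Z2iiER.biggerfun.org/..."); add one so urlparse finds the host.
            return target if "://" in target else "http://" + target
    return None


def classify(url: str) -> dict:
    """Verdict for one URL: does it redirect off-site, and does the target hit the watch list?"""
    src_host = urlparse(url).hostname or ""
    target = redirect_target(url)
    if target is None:
        return {"source": src_host, "target": None, "offsite": False, "watchlisted": False}
    dst_host = urlparse(target).hostname or ""
    return {
        "source": src_host,
        "target": dst_host,
        "offsite": apex(dst_host) != apex(src_host),
        "watchlisted": apex(dst_host) in WATCHLIST,
    }


def flag_urls(urls) -> list:
    """Return only the URLs that bounce visitors off-site onto a watch-listed TDS domain."""
    flagged = []
    for url in urls:
        verdict = classify(url)
        if verdict["offsite"] and verdict["watchlisted"]:
            flagged.append(url)
    return flagged


# Constructed sample input mirroring the patterns in the post; source hosts are placeholders.
SAMPLE_URLS = [
    "http://forum.example.test/proxy.php?link=http://uToqSuwC.biggerfun.org/uToqSuwC/",
    "http://site.example.test/?URL=http%3A%2F%2F1FXddDHkYN.biggerfun.org/1FXddDHkYN/",
    "http://site.example.test/?URL=m88Z2iiER.biggerfun.org/m88Z2iiER/",
    "http://site.example.test/?URL=http://site.example.test/help",  # same site: benign
    "http://site.example.test/index.php?page=about",                 # no redirect parameter
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(classify(url))
```

Running the same logic over a web server or proxy access log lets you spot the bounce from a legitimate site onto the TDS farm before the final payload host is ever contacted.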

Sample traffic redirection and traffic management domains involved in the campaign include:

hxxp://surelytheme.org
hxxp://bluegaslamp.org
hxxp://throatpills.org
hxxp://draggedline.org
hxxp://machinetext.org
hxxp://climedballon.org

Sample related domains known to have been involved in the campaign and currently parked at 193.106.175.18 - AS50465 - IQHost Ltd include:


I'll continue monitoring the campaign and will post updates as soon as new developments take place.

Friday, December 15, 2023

Looking for a Research Sponsorship

Dear blog readers,

Are you interested in sponsoring my research on my way to grab a new laptop for the holidays?

Drop me a line at dancho.danchev@hush.com to discuss and I'll do my best to deliver the results that we agree upon.

Offering my Laptop for Memorabilia Purposes

Dear blog readers,

Who wants to acquire and purchase my laptop (2015-2023) for memorabilia purposes and possibly use it, preserve it, or display it somewhere?

Related photo:
Drop me a line at dancho.danchev@hush.com

Upcoming Webinar Participation

Dear blog readers,

Check out the link here.

The Most Innovative Cyber Security Leader to Watch in 2023

Dear blog readers,

I did it. Check out the article here.

Related photos:

Saturday, December 02, 2023

The Conti Ransomware Gang's OSINT Artifacts

The following is a set of OSINT artifacts courtesy of the Conti Ransomware gang.

hxxp://cc2-btc.cc

hxxp://dyncheck.com

hxxp://luxchecker.pw

hxxp://major.ms

hxxp://securecall.club

hxxp://securecall.top

hxxp://checkzilla.io

Including the following two XMPP/Jabber accounts:

mcduckgroup@exploit.im

uvoice@xmpp.jp

Typosquatted GMail Malware Domains

The following are currently active typosquatted GMail domains known to be used in malware campaigns.

Sample domains include:


Stay tuned!

Emennet Pasargad

The following are domains and personally identifiable email address accounts belonging to Iran's Emennet Pasargad, also known as Eeleyanet Gostar.

Sample domains:

eeleyanet.com

eeleyanet.ir

Sample personally identifiable email address accounts:

sidafin@mihanmail.ir

amirhaghighi2014@yahoo.com

safary.mansoor@gmail.com

Rahimi@Live.com

faranakbehjati@yahoo.com

h.boloukat@gmail.com

Friday, December 01, 2023

Cybercrime-Friendly Forum Communities - Part Two

The following is a compilation of currently active cybercrime-friendly forum communities.

Cybercrime-friendly forum communities include:


Rewards for Justice - Dancho Danchev

The following are domains and personally identifiable information on a bulletproof hosting provider mentioned by the Conti Ransomware gang.

hxxp://school-global.ru

hxxp://youladance.ru

Phone: +373 775 96666

E-mail: info@morene[.]host

Skype: morene[.]host

Jabber: morene@jabber[.]morene[.]host

ICQ: 700812649 / 702647156

Telegram: @hostmorene

Viber: +373 775 96666

WhatsApp: +373 775 96666

Online chat: https://morene[.]host

Full Names of Ashiyane Digital Security Team Members

The following compilation is a set of full names of Ashiyane Digital Security Team Members.

The following are the full names of Ashiyane Digital Security Team Members:

Keyvan Sedaghati — keivan

Ramin Baz Ghandi — fr0nk

Erfan Zadpoor — PrinceofHacking

Hamid Norouzi — eychenz

Poorya Mohammadrezaei — Hijacker

Omid Norouzi — Sha2ow

Milad Bokharaei — ®Maste

Vahid Maani — WAHID 2

Kaveh Jasri — root3r

Ali Hayati — Zend

Milad Mazaheri — mmilad200

Mohammad Reza — iNJECTOR

Mohammad Mohammadi — Classic

Nima Salehi — Q7X

Milad Jafari — Milad-Bushehr

Shahin Salak Tootonchi — ruiner_blackhat

Amin Bandali — anti206

Mohammad Hadi Nasiri — unique2world

Mahdi Chinichi — Virangar

Amir Hossein Tahmasebi — __amir__

Ashkan Hosseini — Askn

Mohammad Tajik — taghva

Meghdad Mohammadi — M3QD4D

Sina Ahmadi Neshat — Encoder

Behrouz Kamalian — Behrouz_ice

Farshid Sargheini — Azazel

Armin — n3me3iz

Mahdi K. — r3d.z0nE

Iman Honarvar — iman_taktaz

Ali Seid Nejad — Ali_Eagle

Mohammad Reza Ali Babaei — mzhacker

Navid Naghdi — elvator

Mohammad Reza Dolati — HIDDEN-HUNTER

Mehrab Akherati — AliAkh

Amin Javid — Gladiator

Cybercrime-Friendly Forum Communities

The following is a recently obtained compilation of currently active cybercrime-friendly forum communities.

Sample cybercrime-friendly forum communities include:


Iran's Afkar System Yazd Co Ransomware

The following are all the ransomware-themed domains known to have been associated with Iran's Afkar System Yazd Co ransomware.

Sample domains known to have been involved in the campaign include:


Sample email address accounts known to have been involved in the campaign include:

amirbitminer[.]gmail.com

thund3rz[.]protonmail.com

Email Address Accounts Known To Belong To Owners of E-Shops for Stolen Credit Card Details - Part Two

The following are personally identifiable email address accounts including domains known to belong to owners of E-Shops for stolen credit card data.

Sample email address accounts include:


Stay tuned!

Email Address Accounts Known To Belong To Owners of E-Shops for Stolen Credit Card Details

The following are personally identifiable email address accounts including domains known to belong to owners of E-Shops for stolen credit card data.

Sample domains involved include:


Sample email address accounts involved include:


Stay tuned!

Monday, November 27, 2023

Dancho Danchev’s Videos

Dear blog readers,

Find below some videos courtesy of me and stay tuned for more.

Stay tuned!

Friday, November 24, 2023

Compromised CPanel Offered for Sale

An image is worth a thousand words.

Image Spam Generating Tool

An image is worth a thousand words.

Crowdsourced Iran DDoS Attack Campaign

An image is worth a thousand words.

Rogue Google AdSense Campaign

An image is worth a thousand words.

SQL Injection Attack Campaign

An image is worth a thousand words.

Managed Spam Service

An image is worth a thousand words.

EyeWonder iFrame Injection Attack Campaign

An image is worth a thousand words.

Web Malware Exploitation Kit

An image is worth a thousand words.

SQL Injection Attack Campaign

An image is worth a thousand words.

Blackhat SEO Campaign

An image is worth a thousand words.

SQL Injection Attack Campaign

An image is worth a thousand words.

Chimera Botnet

An image is worth a thousand words.

Innovative Marketing Scareware Distributor

An image is worth a thousand words.

China vs Iran Hacktivism Campaign

An image is worth a thousand words.