This summary is not available. Please
click here to view the post.
Continue reading →
It's been two months since I analyzed the proprietary email and personal information harvesting tool targeting major career web sites - "Major career web sites hit by spammers attack", received comments from Seek.com.au and Careerbuilder.com, communicated all the actionable intelligence in terms of the bogus accounts used and the related IPs to the career web sites that bothered to show interest in the attack, to come across a ghost story today - Jobsite hack used to market identity harvesting services :"A Russian gang called Phreak has created an online tool that extracts personal details from CVs posted onto sites including Monster.com, AOL Jobs, Ajcjobs.com, Careerbuilder.com, Careermag.com, Computerjobs.com, Hotjobs.com, Jobcontrolcenter.com, Jobvertise.com and Militaryhire.com. As a result the personal information (names, email addresses, home addresses and current employers) on hundreds of thousands of jobseakers has been placed at risk, according to net security firm PrevX."
All your CV are NOT belong to us, All your CV are ALREADY belong to us. Continue reading →
Last week, the ICANN has issued an official statement regarding last month's DNS hijackings of some of their domains :"The DNS redirect was a result of an attack on ICANN's registrar's systems. A full, confidential, security report from that registrar has since been provided to ICANN with respect to this attack.
It would appear the attack was sophisticated, combining both social and technological techniques, but was also limited and focused. The redirect was noticed and corrected within 20 minutes; however it may have taken anywhere up to 48 hours for the redirect to be entirely removed from the Internet. ICANN is confident that the lessons learned and new security measures since introduced will ensure there is not a repeat of this situation in future."
They also mentioned that their Wordpress blog has also been a target of a recent attack automatically exploiting vulnerable Wordpres blogs :
"In a separate and unrelated incident a few days later, attackers used a very recent exploit in popular blogging software Wordpress to target the ICANN blog. The attack was noticed immediately and the blog taken offline while an analysis was run. That analysis pointed to an automated attack. The blogging software has since been patched and no wider impact (except the disappearance of the blog while the analysis was carried out) was noted."
Go through the complete coverage of the incident, the technical details regarding it, and the actionable intelligence obtained for the NetDevilz hacking group, in case you haven't done so already. Continue reading →
Last week's mass defacement of over 300 Lithuanian sites hosted on the same ISP, an upcoming attack that was largely anticipated due to the on purposely escalated online tensions out of Lithuan's accepted legislation banning communist symbols across the counry, once again demonstrates information warfare building capabilities in action.Moreover, the attack is again relying on common prerequisites for a successful information warfare campaign, used in the Russia vs Estonia cyberattack last year. These very same Internet PSYOPS tactics ensure the success of the information warfare as a whole :
- start publicly justifying upcoming attacks based on nationalism sentiments, which in a bandwidth empowered (botnets) collectivist society ensures a decent degree of cyber mobilization. In Lithuania's case, the discussions across web forums were on purposely escalated to the point where "if you don't take action, you're not loyal to your country"
- the media as the battleground for winning the hearts and minds of the bandwidth empowered botnet masters, and position the insult against loyal nationalists next to the daily basis, thereby putting the nationalists in a "stand by" mode prompting them to take actions and to break even. In Estonia's case for instance, news broadcasts of the riots on the streets were on purposely broadcast as often as possible, mostly emphasizing on the nationalist sentiments within the crowds
- prioritizing the attack targets, distributing the targets list and ensuring the coordination in terms of the exact time and data for the attacks to take place is something that didn't happen in the public domain for the mass defacement of Lithuanian sites, the way it happened in the Estonia attack
- utilizing a people's information warfare tactic known as the malicious culture of participation, when everyone's consciously contributing bandwidth to be used/abused by those coordinating the attacks
Also, it's important to point out that by the time they announced their ambitions to attack Lithuania and other countries such as Latvia, Ukraine, and again Estonian sites, they literally put these countries in a "stay tune" mode. Here's a translated statement :
"All the hackers of the country have decided to unite, to counter the impudent actions of Western superpowers. We are fed up with NATO's encroachment on our motherland, we have had enough of Ukrainian politicians who have forgotten their nation and only think about their own interests. And we are fed up with Estonian government institutions that blatantly re-write history and support fascism," says the appeal that is being circulated on Russian Internet forums."
But why would they signal their intentions, compared to keeping them quiet and attack Lithuania surprisingly? Another relevant use of PSYOPS, namely the biased exclusiveness and keeping a non-existent status bar for the upcoming attacks. And since they can launch a coordinated attack at the country at any time without warning about it, this warning was aiming to cause confusion prompting country officials to make public statements that could later on be analyzed and a better attack strategy formed on the basis of what they said they've done to ensure the attacks don't succeed.
If they did launch DDoS attacks compared to defacing over 300 sites hosted on a single ISP, and had warned about the upcoming attacks about a week earlier, successfully shutting down the country's Internet infrastructure would have achieved a double effect, since they did warn them about the attacks, and despite that they countries couldn't prepate to fight back even though fighting back was futile right from the very beginning.
At least, that's the level of confidence they've build into capabilities.
Related posts:
Right Wing Israeli Hackers Deface Hamas's Site
Monetizing Web Site Defacements
Pro-Serbian Hacktivists Attacking Albanian Web Sites
The Rise of Kosovo Defacement Groups
A Commercial Web Site Defacement Tool
Phishing Tactics Evolving
Web Site Defacement Groups Going Phishing
Hacktivism Tensions
Hacktivism Tensions - Israel vs Palestine Cyberwars
Mass Defacement by Turkish Hacktivists
Overperforming Turkish Hacktivists Continue reading →
The folks at Ikarus Security Software seem to have enjoyed drinking of the truth serum, to come up with such a realistic retrospective of the antivirus industry for the past 10 years, summarized in a single cartoon. Congrats, keeping it realistic means taking the issues seriously, compared to living in a self-serving twisted reality on their own. There's no such thing as cat and mouse game anymore, since the mouse has gotten bigger than the cat.
Continue reading →
It's one thing to start efficiently registering thousands of email accounts at reputable email providers by automatically breaking their CAPTCHA authentication, and entirely another to build a business model on the top of it next to the opportunity to abuse if for your own malicious purposes. Which is exactly what we have here, an underground service that's selling registered accounts at Gmail, Yahoo, Hotmail and the most popular Russian email providers in the thousands. Once the inventory of registered accounts drops due to someone's purchase, it continues registering one to two email accounts per second.
Gmail, Yahoo and Hotmail’s CAPTCHA broken by spammers :
"Breaking Gmail, Yahoo and Hotmail’s CAPTCHAs, has been an urban legend for over two years now, with do-it-yourself CAPTCHA breaking services, and proprietary underground tools assisting spammers, phishers and malware authors into registering hundreds of thousands of bogus accounts for spamming and fraudulent purposes. This post intends to make this official, by covering an underground service offering thousands of already registered Gmail, Yahoo and Hotmail accounts for sale, with new ones registered every second clearly indicating the success rate of their CAPTCHA breaking capabilities at these services."
Text based CAPTCHA is so broken, that if major web sites whose services are getting abused don't at least try to slow down the efficient approach of breaking it, we are going to see an entire spamming infrastructure build on the foundation of legitimate email service providers.
Related posts:
Vladuz's Ebay CAPTCHA Populator
Spammers and Phishers Breaking CAPTCHAs
DIY CAPTCHA Breaking Service
Which CAPTCHA Do You Want to Decode Today? Continue reading →
With China trying to silence over 30,000 rioters during the weekend, by deleting forum postings and deactivating accounts mentioning the riot, Chinese bloggers have started using a widget they originally came up in order to bypass the "Great Firewall of China" by blogging backward, vertically and horizontally :"So bloggers on forums such as Tianya.cn have taken to posting in formats that China's Internet censors, often employees of commercial Internet service providers, have a hard time automatically detecting. One recent strategy involves online software that flips sentences to read right to left instead of left to right, and vertically instead of horizontally. China's sophisticated censorship regime -- known as the Great Firewall -- can automatically track objectionable phrases. But "the country also has the most experienced and talented group of netizens who always know ways around it," said an editor at Tianya, owned by Hainan Tianya Online Networking Technology Co., who has been responsible for deleting posts about the riot"
An old-school content obfuscation service that they could take advantage of, offers the opportunity to turn a short message into spam or a fake PGP encrypted file, where both parties can easily decode them to the original.
Spammmic is what I have in mind. Continue reading →
The futile attempt to directly attack the encryption algorithm used by the GPcode ransomware, is prompting Kaspersky Labs to invest in a more pragmatic solutions to the problem, with a new version of the StopGpcode tool released last week. More info :"It turns out that if a user has files that are encrypted by Gpcode and versions of those same files that are unencrypted, then the pairs of files (the encrypted and corresponding unencrypted file) can be used to restore other files on the victim machine. This is the method that the StopGpcode2 tool uses.
Where can these unencrypted files be found? They may be the result of using PhotoRec. Moreover, these files may be found in a backup storage or on removable media (e.g., the original files of photographs copied to the hard disk of a computer that has been attacked by Gpcode may still be on a camera’s memory card). Unencrypted files may also have been saved somewhere on a network resource (e.g., films or video clips on a public server) that the Gpcode virus has not reached."
As the customer support desk behind GPcode pointed out in an interview, the malware is prone to evolve, and the simplistic file deletion process will be replaced by secure file deletion in order to render all data recovery tols useless, unless of course backups of the affected data are available. They often aren't, and depending on the importance of the files encrypted, the successful ransom is all a matter of the momentum.
"A person, presumably the author of Gpcode, contacted at one of the e-mail addresses left behind by the program stated that future development efforts will likely increase the key size to 4,096 bits, "if AV companies or other (people) crack the current key, but (that's) impossible. The self-proclaimed author, who used the name "Daniel Robertson," also said that other standard techniques to defeat antivirus will be added, including polymorphic encryption, anti-heuristic features and the ability to self propagate, turning the program into a computer virus. It well pays back itself," he said"
There are even more pragmatic approaches to dealing with this problem, next to backups undermining their business model. Try following the virtual money for instance.
Continue reading →
June's threatscape that I'll summarize in this post based on all the research conducted during the month, was a very vibrant one. With the return of GPcode, a remotely exploitable flaw in the Zeus crimeware kit allowing both, researchers and malicious parties to assess the severity of a particular banker malware campaign, the increasing use of malicious doorways next to ICANN and IANA's DNS hijacking, all speak for themselves and how diverse the threats and, of course, the abilities to maintain a decent situatiational awareness about what's going on have become.01. U.K's Crime Reduction Portal Hosting Phishing Pages - nothing new here since vulnerable sites are to be "remotely file included" and SQL injected to locally host anything on behalf of a malicious party. Risk and responsibility forwarding is one thing, but having a crime reduction portal hosting phishing pages is entirely another. The phishing pages was shut down in less than 12 hours upon notification
02. Price Discrimination in the Market for Stolen Credit Cards - Tracking down "yet another stolen credit cards for sale" service in the wild, the price discremination that they applied greatly reflects the current lack of transpararency for a potential buyer of stolen credit cards, and how higher profit margins are driving the entire business model. With script kiddies running their own botnets and undermining the sophisticated botnet master's high profit margin business model by undercutting their prices, stolen credit cards are not what they used to be - an exclussive good. Nowadays, they are a commodity good and often a bargain
03. Blackhat SEO Redirects to Malware and Rogue Software - Sampling an active blackhat SEO campaign out of the hundreds of thousands currently active online, releaved a large portfolio of domains serving Zlob variants by pitching them as fake codecs that the end user should download if they are to view the non existent adult content at the sites. Where's the OSINT mean? It's in the fact that the codecs and the fake security software phone back to UkrTeleGroup Ltd's network
04. Using Market Forces to Disrupt Botnets - With the current oversupply of malware infected hosts, and botnet masters embracing the services model for anything malicious, in this post I discussed the radical security approach of puchasing already infected malware hosts on a per country basis, disinfecting them and forcing them to update all the software on the infected PCs. Of course, on an opt-in basis. The possibility to directly provide incentives for botnet hunters to shut down whatever they come across to on a daily basis, and that's a lot of botnets, is also there
05. Who's Behind the GPcode Ransomware? - The title speaks for itself, the research with enough actionable intelligence gathered in the shortest timeframe possible is already proving accurate and highly valuable. How come? Stay tuned for more developments
06. ImageShack Typosquatted to Serve Malware - In a rare instance of a creative attack combining typosquatting in order to impersonate ImageShack and serve malware by redirecting users to an image file that is actually forwarding to the binary, I was recently tipped by the folks at TrendMicro who are also following this that the site is up and running again. Not for long
07. Fake YouTube Site Serving Flash Exploits - Next to using the usual set of exploits courtesy of a commodity web malware exploitation kit, this campaign was also using flash exploits. Even more interesting is the fact that the password stealer obtained was attempting to phone back to a misconfigured malware command and control interface, basically allowing you to assess the campaign from the eyes of the "campaigner"
08. Monetizing Web Site Defacements - Web site defacements are getting monetized just like SQL injections are in order to locally host a blackhat search engine optimization campaign on a vulnerable site with a high page rank. In this post I've assessed such monetization courtesy of a web site defacer at The Africa Middle Market Fund
09. Malicious Doorways Redirecting to Malware - Yet another large domains portfolio exposed though a malicious doorway redirecting to fake porn and video sites serving Zlob variants, tracking down the initial spamming of the malicious doorways across multiple vulnerable forums and guestbooks
10. The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw - When cyber criminals get advised to patch their vulnerable versons of the Zeus Crimeware Kit, you know there's a monoculture in the crimeware market. This flaw released publicly in May, 2008, not just allows others to hijack someone's ebanking botnet, but also, vendors and researchers to better assess a vulnerable Zeus command and control location
11. Fake Celebrity Video Sites Serving Malware - When templates for fake video and adult sites are just as available as they are now, anyone can take advantage of this cheap social engineering track that seems to work just fine. Compared to relying on blackhat search optimization to acquire traffic, some of the campaigns were SQL injected at vulnerable sites in order to drive traffic to them, next to several other tactics which when combined can result in a lot of people unknowingly visiting the sites
12. Phishing Campaign Spreading Across Facebook - An internal phishing campaign was circulating across Facebook, which got taken care of thanks to coordinated efforts with Facebook's security folks. There's also an indicating tha they are currently typosquatting other social networking sites like Hi5 for instance
13. Underground Multitasking in Action - As a firm believed in taking a random sample for a particular threat segment, this was once of these cases confirming the confidence I've built into anticipating upcoming tactics and strategies to be used
14. An Update to Photobucket's DNS Hijacking - Despite that Photobucket didn't oficially acknowledge the DNS hijacking, the hosting provider the NetDevilz hacking team used issued a statement. Ironically, the Turkish hacking group used the same provider weeks later to redirect ICANN and IANA's domains to Atspace.com
15. Fake Porn Sites Serving Malware - Among the largest domains portfolio of malware serving porn sites I've exposed in a while, all of them naturally remain active since they are hosted on a partition of RBN's diverse network. Visualizing a malicious doorway or the entire ecosystem provides a better understanding at how structured the ecosystems are
16. Backdoording Cyber Jihadist Ebooks for Surveillance Purposes - Despite that in this case we have a cyber jihadist backdoording his own released books, the international intelligence community next to law enforcement are known to have expressed interest in backdooring suspect's PCs, so why not SQL inject the cyber jihadist forums themselves?
17. Right Wing Israeli Hackers Deface Hamas's Site - When you read that Hamas's site is hacked, you ask yourself the following, do they even have a web site that's up the running? The answer to which would be the fact that even Hezbollah has been maintaining an Internet infrastructure since 1998
18. ICANN and IANA's Domain Names Hijacked by the NetDevilz Hacking Group - A fact is a fact, no comment here, go through all the technical details of the hijacking, including some actionable intelligence on who's behind the hijacking
19. The Malicious ISPs You Rarely See in Any Report - Who's tolerating malicious activities on their network, and how is the RBN related to all this? Well, when combined, the tiny parts of these ISPs represent a tiny part of the Russian Business Network itself Continue reading →
The recently released badware report entitled “May 2008 Badware Websites Report" lists several Chinese netblocks tolerating malicious sites on their networks. As always, these are just the tip of the iceberg out of a relatively good sample that the folks at Stopbadware.org used for the purposes of their report. In the long term however, with the increasing prelevance of fast-fluxing, a country's malicious rating could become a variable based on the degree of dynamic fast-fluxing abusing its infrastructure in a particular moment in time. Moreover, forwarding the risk and the malicious infrastructure to malware infected hosts, and exploited web servers, creates a "twisted reality" where the countries with the most disperse infrastructure act as a front end to the countries abusing it, ones that make it in any report, since they are the abusers.The report lists the following malicious netblocks, a great update to a previous post on "Geolocating Malicious ISPs" :
- CHINANET-BACKBONE No.31,Jin-rong Street
- CHINA169-BACKBONE CNCGROUP China169
- CHINANET-SH-AP China Telecom (Group)
- CNCNET-CN China Netcom Corp.
- GOOGLE - Google Inc.
- DXTNET Beijing Dian-Xin-Tong Network Technologies Co., Ltd.
- SOFTLAYER - SoftLayer Technologies Inc.
- THEPLANET-AS - ThePlanet.com Internet Services, Inc.
- INETWORK-AS IEUROP AS
- CHINANET-IDC-BJ-AP IDC, China
With some minor exceptions though, in the face of the following ISPs you rarely see in any report - InterCage, Inc., Softlayer Technologies, Layered Technologies, Inc., Ukrtelegroup Ltd, Turkey Abdallah Internet Hizmetleri, and Hostfresh. Ignoring for a second the fact that the "the whole is greater than the sum of it's parts", in this case, the parts represent RBN's split network. Since it's becoming increasingly common for any of these ISPs to provide standard abuse replies and make it look like there's a shutdown in process, the average time it takes to shut down a malware command and control, or a malicious domain used in a high-profile web malware attack is enough for the campaign to achieve its objective. The evasive tactics applied by the malicious parties in order to make it harder to assess and prove there's anything malicious going on, unless of course you have access to multiple sources of information in cases when OSINT isn't enough, are getting even more sophisticated these days. For instance, the Russian Business Network has always been taking advantage of "fake account suspended notices" on the front indexes of its domains, whereas the live exploit URLs and the malware command and controls remained active.
And while misconfigured web malware exploitation kits and malicious doorways continue supplying good samples of malicious activity, we will inevitable start witnessing more evasive practices applied in the very short term.
Related posts:
The New Media Malware Gang - Part Three
The New Media Malware Gang - Part Two
The New Media Malware Gang
HACKED BY THE RBN!
Rogue RBN Software Pushed Through Blackhat SEO
RBN's Phishing Activities
RBN's Puppets Need Their Master
RBN's Fake Account Suspended Notices
A Diverse Portfolio of Fake Security Software
Go to Sleep, Go to Sleep my Little RBN
Exposing the Russian Business Network
Detecting the Blocking the Russian Business Network
Over 100 Malwares Hosted on a Single RBN IP
RBN's Fake Security Software
The Russian Business Network Continue reading →
The official domains of ICANN, the Internet Corporation for Assigned Names and Numbers, and IANA, the Internet Assigned Numbers Authority were hijacked earlier today, by the NetDevilz Turkish hacking group which also hijacked Photobucket’s domain on the 18th of June. Zone-H mirrored the defacements, some of which still remain active for the time being.
Read more here - "ICANN and IANA’s domains hijacked by Turkish hacking group". A single email appears to have been used in the updated DNS records of all domains, logically courtesy of the NetDevilz team - foricann1230@gmail.comMore details will be posted as soon as they emerge.
UPDATE:
The ICANN has restored access to its domains, and as in every other DNS hijacking the correct records will be updated on a mass scale in 24/48 hours. Some press coverage :
Ankle-biting hackers storm net's overlords, hijack their domains
Hackers hijack critical Internet organization sites
No such thing as a guaranteed safe site
Good Always Comes Out of Bad
Hackers Deface ICANN, IANA Sites
ICANN publicity may have triggered malicious behavior
Turkish Hackers Relive Memories in Photobucket
ICANN Web Site Compromise
Moreover, according to an article at Computerworld, the ICANN weren't aware of the hijack :
"A spokesman for ICANN contacted Friday morning wasn't aware of the hack, and declined comment until he find out more."
Let's hope that they issue a statement on the situation once they know more about how it happened. More comments follow from the ICANN - "Turkish Hacker Group Strikes Again, This Time Victims are ICANN and IANA" :
"Latest response received by CircleID from ICANN states that the problem took place at their registrar level. A Whois look up shows Register.com as the registrar for the hacked domains. ICANN has further stated that the registrar "fixed the dns redirection within 20 minutes of us notifying them of the problem. The registrar is actively investigating what happened and has promised to report back to us on what happened."
This is the second time in a row when DNS hijacking happens through Register.com compared to Comcast.net's one done through Network Solutions. Continue reading →
Compared to historical hacktivism tensions between different nations, Israeli and Palestinian hacktivists seem to be most sensitive to "virtual fire exchange" like this one, and consequently, just like in real-life, always look and find for an excuse to engage in a conflict. Israeli hackers penetrate Hamas website :"Israeli hackers boasted Thursday about breaking into the website of Izz al-Din al-Qassam, Hamas’ military wing, which now displays a white screen and words in Arabic announcing technical difficulties. The hacker group, which calls itself Fanat al-Radical (the fanatical radicals), also said that it broke into additional terror organizations’ sites and those of various leftist movements. In a Ynet interview, a group representative who refused to reveal his name said, “We searched for relevant sites with the criteria we look for, whether leftist or anti-Zionist, and looked for loopholes. Our emphasis was always on the al-Qassam site. "The criteria are defined as anti-Zionist or anti-Jewish sites that support or assist in harming Zionism and the existence of Israel as a Zionistic, Jewish state."
The message they left :
"Hacked by XcxooXL and FENiX from Fanat Al Radical Greets: Sn4k3 Contact: Fanat.al.Radical@gmail.com "
These script kiddies using SQL injection vulnerabilities within the affected sites, since they indeed managed to deface several other as well, seem to have also participated in the 2006 cyber conflict sparkled due to the the kidnapping of three soldiers. One of their defacements remains still active (aviv.perffect-x.net/deface.html)
"We will stand against the Islam until the kidnapped soldiers, Gilad Shalit, Eldad Regev and Ehod Goldvaser will be return, We will attack arabic servers and site which support the Islam and protest against the zionism"
What if every script kiddie with a SQL injection scanners goes into politics? It's a mess already.
Related posts:
Monetizing Web Site Defacements
Pro-Serbian Hacktivists Attacking Albanian Web Sites
The Rise of Kosovo Defacement Groups
A Commercial Web Site Defacement Tool
Phishing Tactics Evolving
Web Site Defacement Groups Going Phishing
Hacktivism Tensions
Hacktivism Tensions - Israel vs Palestine Cyberwars
Mass Defacement by Turkish Hacktivists
Overperforming Turkish Hacktivists
Continue reading →
It appears that cyber jihadists are striking back at the academic and intelligence community, by binding their propaganda Ebooks with malware, then distributing them across different forums, thanks to a recently analyzed Ebook entitled "The Al-Qaeda network's timely entrance in Palestine" distributed by the Global Islamic Media Front - hat tip to Warintel.If it were posted by a newly joined forum member, it would have logically raises the suspicion that it's in fact intelligence agencies spreading malware infected Ebooks around cyber jihadist forums, but it's since this one in particular is being distributed by what looks like a hardcore cyber jihadist, it brings the discussion to a whole new level.
What are they trying to achive? Abuse the already established trust of their readers and cyber jihadist supporters in order to snoop on their Internet activities, or it's the academic and intelligence community they are trying to monitor? In times when botnets can be rented and created on demand, they seem to be more interested in infecting their enemies. Moreover, I suspect that prior to the forum posting, private messages and emails were automatically sent to notify members whose number of posts at the forum greate outpace those of average observers, perhaps the target in such an attack.
The malware is detected by 9 out of 33 antivirus scanners as Trojan.Midgare.gra. Consider reading a previous post on "Terror on the Internet - Conflict of Interest" as well as through the related posts summarizing all the cyber jihadist research I've conducted so far. Continue reading →
Ah, that RBN with its centralization mentality for the sake of ease of management and 99.999% uptime. In this very latest example of using malicious doorways redirecting to fake porn sites, consisting of over twenty different domains serving the usual Zlob malware variants, we have a decent abuse of a template for a porn site.The easy of management of such domain farms and the availability of templates for high trafficked topic segments such as celebrities and pornography, continue contributing to the increasing number of Zlob variants served through fake codecs. Moreover, once set up, the malicious infrastructure starts attracting now just generic search traffic, but also traffic coming from affiliates with whom revenue is shared on the basis of the number of people that downloaded the codec.
In this campaign, the malicious doorway that expands the entire ecosystem is located at search-top.com/in.cgi?5¶meter=drs (66.96.85.113). A redirector that appears to have been operating since 2006, according to this forum posting.What follows on-the-fly, are all the fake porn sites whose legitimately looking videos attempt to download a Zlob malware variant from a single location - vipcodec.net. Here are all the fake porn sites, and the associated campaigns in this redirection :
watchnenjoy .com/index.php?id=1287&style=white
craziestclips .com/index.php?id=1287&q=
immensevids .com
planetfreepornmovies .com/?t=1&id=1219
poweradult .net/edmund/16551689/1/&id=1219
scan-porn .net/rosalyn/1742941675/1/&id=1219
about-adult .net/emiline/108846601/1/&id=1219
service-porn .com/inde/964842117/1/&id=1219
pleasure-porn .com/elnora/648311952/1/&id=1219
porn-the .net/verge/1734135233/1/&id=1219
porn-pleasure .net/dal/1663381205/1/&id=1219
scan-porn .net/gretchen/515268975/1/&id=1219
abc-adult .com/lillah/1467790484/1/&id=1219about-adult .net/jenne/434165228/1/&id=1219
look-adult .net/ette/681831796/1/&id=1219
about-adult .net/mime/65729013/1/&id=1219
name-adult .net/alfe/550398461/1/&id=1219
group-adult .net/demerias/867452637/1/&id=1219
useporn .net/rhode/167691118/1/&id=1219
porn-look .net/hephsibah/1254235416/1/&id=1219
scan-porn .net/hence/1684651134/1/&id=1219
abc-adult .com/kendra/371598555/1/&id=1219
name-adult .net/link/1334727639/1/&id=1219
porn-the .net/flo/84660854/1/&id=1219
porn-popular .com/assene/875893411/1/&id=1219
about-adult .net/charlotta/972714195/1/&id=1219
porn-comp .com/orlando/761508522/1/&id=1219
useporn .net/jemima/1405735776/1/&id=1219
about-adult .net/obadiah/263904242/1/&id=1219
group-adult .net/douglas/1110779475/1/&id=1219
porn-look .net/lydde/1844064103/1/&id=1219
pleasure-porn .com/marcia/1627490290/1/&id=1219
service-porn .com/cono/295680123/1/&id=1219
group-adult .net/wes/1733468207/1/&id=1219
abc-adult .com/wib/648341815/1/&id=1219
scan-porn .net/greg/2064937302/1/&id=1219
contact-adult .net/maris/33184936/1/&id=1219
look-adult .net/regina/1273816838/1/&id=1219
abc-adult .com/gwendolyn/869744046/1/&id=1219
service-porn .com/carthaette/1021629112/1/&id=1219
scan-porn .net/ninell/1522355420/1/&id=1219
porn-pleasure .net/waldo/755290223/1/&id=1219
porn-the .net/green/669090607/1/&id=1219
try-adult .com/lula/447057398/1/&id=1219
visit-adult .net/jay/1021153563/1/&id=1219
contact-adult .net/rosa/849017739/1/&id=1219
name-adult .net/hannah/2111126283/1/&id=1219
about-adult .net/robin/2114086747/1/&id=1219
scan-porn .net/geraldine/921262381/1/&id=1219
contact-adult .net/christine/1821111087/1/&id=1219
porn-popular .com/frederica/364993202/1/&id=1219
about-adult .net/kerste/735582753/1/&id=1219
porn-the .net/vine/715820953/1/&id=1219
porn-the .net/newt/1835463160/1/&id=1219
try-adult .com/max/602914725/1/&id=1219porn-pleasure .net/cille/1420660046/1/&id=1219
poweradult .net/phililpa/178057959/1/&id=1219
name-adult .net/lise/1379126759/1/&id=1219
pleasure-porn .com/marianne/1083617952/1/&id=1219
poweradult .net/emile/1173468576/1/&id=1219
useporn .net/patse/155685496/1/&id=1219
helpporn .net/verna/625840253/1/&id=1219
name-adult .net/aubrey/190928373/1/&id=1219
about-adult .net/alphinias/1345158043/1/&id=1219
useporn .net/rosa/223743611/1/&id=1219
pleasure-porn .com/nerva/1509620489/1/&id=1219
helpporn .net/leet/1619667733/1/&id=1219
about-adult .net/roberta/887345003/1/&id=1219
porn-pleasure .net/tore/1032556395/1/&id=1219
useporn .net/bo/1963737386/1/&id=1219
porn-look .net/karon/136085893/1/&id=1219
poweradult .net/tense/1523522750/1/&id=1219
poweradult .net/hopp/1955964399/1/&id=1219
scan-porn .net/vanne/350822489/1/&id=1219
porn-comp .com/deb/1451360694/1/&id=1219
about-adult .net/moll/1511640690/1/&id=1219
porn-popular .com/obediah/562846948/1/&id=1219
helpporn .net/tamarra/776122096/1/&id=1219
pleasure-porn .com/aristotle/1046422029/1/&id=1219
porn-comp .com/titia/158157566/1/&id=1219
group-adult .net/gay/1297835054/1/&id=1219
porn-look .net/katherine/2136357734/1/&id=1219
helpporn .net/azubah/1197502147/1/&id=1219
porn-comp .com/claes/770105101/1/&id=1219
Associated fake porn sites :
pornbrake .com sexnitro .net
brakesex .net
pornnitro .net
adultbookings .com
qazsex .com
lightporn .net
delfiporn .net
pornqaz .com
megazporn .com
uinsex .com
xerosex .com
serviceporn .com
aboutadultsex .com
superliveporn .com
bestpriceporn .com
contactporn .net
relatedporn .com
landporno .com
adultsper .com
plus-porn .com
adultstarworld .com
cutadult .com
moviexxxhotel .com
porno-go .com
pornxxxfilm .com
porn-sea .com
review-sex .com
sureadult .com
browseadult .com
network-adult .com
timeadult .com
virtual-sexy .net
funxxxporn .com
loweradult .com
adultfilmsite .com
xxxallvideo .com
custom-sex .com
g
allerypictures .net usaadultvideo .com
adultmovieplus .com
porn-cruise .com
clubxxxvideo .com
mitadult .com
galleryalbum .net
xxxteenfilm .com
hardcorevideosite .com
helpadult .com
portaladult .net
service-sex .com
driveadult .com
access-porno .com
time-sex .com
plus-adult .com
worldadultvideo .com
key-adult .com
estatesex .com
superadultfriend .com
superporncity .com
zero-porno .com
scanadult .com
adultsexpro .com
adultzoneworld .com
porntimeguide .com
usbestporn .com
adulttow .com
look-porn .com
galleryclick .net
micro-sex .com
estatesex .com
try-sex .com
0bucksforpornmovie .com
gays-video-xxx .com
hackthegrid .com
savetop .info
vidsplanet .net
freexxxhere .com
gestkoeporno .com
tv-adult .info
gays-adult-video .com
matures-video .com
analcekc .com
tabletskard .in
molodiedevki .com
dom-porno .com
pornoaziatki .com
latinosvideo .com
geiporno .com
sweetfreeporn .com
If exposing a huge domains portfolio of currently active redirectors has the potential to ruin someone's vacation, then consider someone's vacation ruined already.
Related posts:
Underground Multitasking in Action
Fake Celebrity Video Sites Serving Malware
Blackhat SEO Redirects to Malware and Rogue Software
Malicious Doorways Redirecting to Malware
A Portfolio of Fake Video Codecs Continue reading →
With Photobucket’s recently hijacked DNS records by Turkish hacking group, the second high profile DNS hijack for the past two months next to Comcast.net's DNS hijacking in May, domain registrant impersonation attacks seems to fully work, and Tier 1 domain registrars remain susceptible to them.So far, none of these DNS hijacks served any malware, live exploits, or bogus home pages aiming to steal accounting data. However, the DNS hijacking by itself resulted in a Denial of Service attack on Photobucket, one that would have required a great deal of bandwidth if it were executed in the old fashioned frontal attack approach.
And with Photobucket still labeling the DNS hijacking as a "DNS error", their failure to admit what has actually happened is already sparkling quite a few negative comments across the Web - with a reason. Creating alternate realities when it comes to evidential proof of a hack isn't necessarily state of the art public relations. Photobucket.com's domain registrar, the Register.com comments on the DNS hijacking :
"The Photobucket site was down for a very short time and was restored immediately when we became aware of the issue." Roni Jacobson, general counsel of Register.com, said in a statement on Thursday. "We are currently investigating the source of the problem."
As well as Atspace.com's (Zettahost.com) statement left on their site regarding the DNS hijacking :
"IMPORTANT! Photobucket.com problem read here: Last night Photobucket.com DNS at register.com was hacked by malicious people that are trying to compromise our business! We are in no way affiliated with such bad deeds and cooperate with photobucket in capturing these individuals. They have pointed the domain photobucket.com to an account hosted on our systems! We have blocked that and photobucked techs have restored the domain pointing to its original location!ALL account information and pictures on photobucket.com are OK, please have patience! Unfortunately the complete DNS replication usually takes 24-48 hours and during this time caches DNS records might still point to us! The normal operation of Photobucket is restored and as soon as the replication is complete there should be no further such issues! We would like to emphasize that we are in now way responsible for what happens with photobucket and all users bumping across our systems! We are a legitimate web hosting company operating since 2003 and in no way tolerate such hacking attempts! If you have any questions please do not hesitate to contact us at abuse@zettahost.com! Thanks for your patience and understanding!"
When the affected company acts like nothing's happened, whereas multiple sources continue providing pieces of the puzzle, a statement on the measures taken to prevent that type of hijacking in the future would be better PR than denying the hijacking of the first place and the fact that they could have pointed Photobucket.com to anywhere they wanted to. Continue reading →
How many ways in which a malicious party can abuse its unauthorized access to a host, can you think of? In this example of remotely file included web backdoor (web shell), we have a malicious party that's hosting a web spammer, planning to launch a phishing attack impersonating Halifax, locally hosting blackhat SEO junk pages redirecting to rogue security software, redirecting to multiple live exploit URLs through javascript obfuscations, as well as to fake casinos and fake celebrity video sites - all from a single location.
This risk-forwarding process for all the malicious and criminal activities to the owner of the compromised web server is something usual, what's more interesting in this case is the number and diversity of the affiliations this guy has set up in order to monetize the unauthorized access by using all the possible sources of revenues like the ones I pointed on in a previous post regarding increasing monetization of web site defacements.
In fact, he seems to have built enough confidence in the new "hosting provider", that he's even hosting his blackhat SEO advetising services there. The multiple javascript obfuscations hosted locally, point to the following malicious domains which expose all the revenue generating affiliations, and even more malicious doorways :analytics-google .info/q/urchin.js
209.205.196.16/freehost22/paula2/index.php?id=0271
209.205.196.16/freehost22/paula2/exxe.php?id=0271
crklab .us/index.php
my-page-de .info/in.cgi?2&1400397
tapki .cn/1.html?92465
dificalgot .net/s/in.cgi?2?1121268b0d022308
my-page-de .info?default.cgi
magichotgaming .net
allextra .com/best/go.php?sid=2&tds-parametr1=Taryn+Manning
newextra .com/in.cgi?19&group=allextra
drivemedirect .com/soft.php?aid=0358&d=3&product=XPA securityscannersite .com/2008/3/freescan.php?aid=880358
Sampe detection rate for the casino adware, a reminder on why you shouldn't play poker on an infected table :
Scanners result : 7/33 (21.22%)Trojan.Casino.466752; W32/Casino.A.gen!Eldorado; Adware.Casino-18
File size: 466752 bytes
MD5...: b0f70441dde5c2b82ba5388f3d566576
SHA1..: 5603b1b972e2cff99d6339fbd8970278f5ff371d
To sum up - with the overall availability of templates for phishing sites, fake video sites, fake security software, as well as the ongoing traffic management tool's convergence with web malware exploitation kits, the opportunity for a malicious party to participate in different affiliate based scams on revenue sharing basis, increases. Therefore, what looked like an isolated attack, is slowly becoming an "attack in between" the rest of the malicious activities lunched by the same party. Continue reading →
Subscribe to:
Comments (Atom)
RSS Feed