Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

A Diverse Portfolio of Fake Security Software - Part Twenty

May 14, 2009

Has the cloudy economic climate hit the scareware business model, the single most efficient and high-liquidity monetization practice that's driving the majority of blackhat SEO and malware attacks? The affiliate networks are either experiencing a slow Q2, or are basically experimenting with profit optimization strategies.

Following the "aggressive" piece of scareware with elements of ransomware discovered in March, a new version of the rogue security software is once again holding an infected system's assets hostage until a license is purchased.

This tactic is however a great example of the dynamics of underground ecosystem (The Dynamics of the Malware Industry - Proprietary Malware Tools; The Underground Economy's Supply of Goods; 76Service - Cybercrime as a Service Going Mainstream; Zeus Crimeware as a Service Going Mainstream; Will Code Malware for Financial Incentives; The Cost of Anonymizing a Cybercriminal's Internet Activities - Part Two; Using Market Forces to Disrupt Botnets; E-crime and Socioeconomic Factors; Price Discrimination in the Market for Stolen Credit Cards; Are Stolen Credit Card Details Getting Cheaper?).

Despite the fact that it's the network of cybercriminals that pays and motivates other cybercriminals to SQL inject legitimate sites, send spam, embedd malicious code through compromised accounts and launch blackhat SEO campaigns, it cannot exist without the traffic that they provide, and is therefore competing with other affiliate networks for it.

For your blacklisting, case-building and cross-checking pleasure, currently active blackhat SEO and Koobface campaigns monetize the traffic through the following rogue domains:

yourpcshield .com (209.44.126.14) - AS10929 NETELLIGENT Hosting Services Inc. Email: bershkapull@gmail.com
virustopshield .com
totalvirushield .com
pcguardscan .com
topwinsystemscan .com
basevirusscan .com
systemvirusscan .com
bastvirusscan .com
myfirstsecurityscan .com
fastviruscleaner .com
allvirusscannow .com

freeforscanpc .com (209.44.126.241) - AS10929 NETELLIGENT Hosting Services Inc.
truevirusshield .com
totalvirusshield .com
hypersecurityshield .com
scanyourpconline .com
allowedwebsurfing .com
xvirusdescan .com
securitytrustscan .com
fullsecurityaction .com
fullvirusprotection .com
fullsecuritydefender .com
hupersecuritydot .com
trustedwebsecurity .com
greatscansecurity .com
updateyoursecurity .com

antimalware-scannerv2 .com (78.46.88.202) - AS16265 LeaseWeb AS Amsterdam, Netherlands Email: basni@lewispr.com
onlinevirusbusterv2 .com
xpvirusprotection2009 .com
total-malwareprotection .com
total-virusprotection .com
xpvirusprotection .com
bestbillingpro .com
truconv .com

safeinternettoolv1 .com (212.117.165.126; 38.99.170.9; 69.4.230.204; 78.47.91.153) - AS36351 SOFTLAYER Technologies Inc; AS24940 HETZNER-AS Hetzner Online AG RZ-Nuernberg; AS44042 ROOT-AS root eSolutions; AS174 COGENT /PSI Email: info@dmf.com.tr
antivirusquickscanv1 .com
computerscanv1 .com
antivirusbestscannerv1 .com
antiviruslivescanv3 .com
proantivirusscanv3 .com
fullantispywarescan .com
webscannertools .com
approved-payments .com

SMS Ransomware Source Code Now Offered for Sale

May 12, 2009

Remember the ransomware variant that was locking down user's PCs and demanding a premium SMS in order for them to receive the unlocking code?

In an attempt to further monetize the "innovative" practice of converging Windows-based malware and premium SMS numbers operated by the cybercriminals, a do-it-yourself version of the ransomware is currently offered for sale for a mere $15.

Here are some of its features:
- When executed presents the uset with a Blue Screen of Death style error message
- A simple auto-loading feature ensuring it will load every time the host is rebooted, completely disables the startup shell in order to become the first application to appear upon reboot
- Disables Windows Task Manager, Registry Editor, default shortcuts for terminating a program

The vendor would also like to remind its customers that "the application is for educational purposes only", next to a comment on how all of their current customers are fully satisfied with the money they're making by locking infected user's PCs. This piece of ransomware has been spreading across the Russian web space since April, and with its source code now offered for sale, it's only a matter of time before the error messages get localized to multiple languages courtesy of localization on demand cybercrime-friendly services breaking any language barrier for a spam/malware campaign.

However, from an operational security (OPSEC) perspective which I often emphasize on in order to demonstrate how efficient cybercrime facilitating tactics increase the probability of successfully tracking down the people behind a particular attack, this premium SMS based ransomware tactic is exposing the people behind the campaign much easily due to its reliance on a mobile operator, compared to GPCode's virtual money exchange approach (Who's behind the GPcode ransomware?) which given they put enought efforts, the process can be virtually untraceable.

Despite the fact that vendors have already released unlock code generators for the SMS ransomware, taking into consideration the potential for widespread ransomware campaigns through the now ubiqitous revenue generator in the form of scareware (Scareware meets ransomware: "Buy our fake product and we'll decrypt the files"), the concept is not going away anytime soon.

Related posts:
Mobile Malware Scam iSexPlayer Wants Your Money
New mobile malware silently transfers account credit
New Symbian-based mobile worm circulating in the wild Continue reading →

Dating Spam Campaign Promotes Bogus Dating Agency

May 06, 2009

From Sweet Sugar Anastasia, Svetlana, Angela, Marino4ka, Irina, Hot Julia, Ane4ka, Nastya, and Yulia, to the Lonely Polina and the malware and exploits serving girls, Russian/Ukrainian dating scams are still pretty active these days.

A recently spammed dating campaign exposes the fraudulent practices of a well known such agency (Confidential Connections) that has been changing its name, typosquatting new domains in order to remain beneath the radar, a bit of an awkward practice given their noisy spamming approach of attracting visitors.

The spam's message:

"Good day, my gentleman!

All love is probationary, a fact which frightens women and exhilarates men. I believe that unarmed truth and unconditional love will have the final word in reality. I was born in a friendly, cultured family and would like to have the same family in my own life. I love nature, flowers, music, dancing. I like to receive guests at home and spend time with friends. I always try to use opportunity to travel and see new places in the world. I have a good, quite and merry character, don't like argues and rows. I hope to meet a white man, Christian, clever. Besides I would like to meet a good person with a good sense of humor, who wants to create a good strong family. If you would be loved, love and be lovable. I am waiting for you http://iam-waiting4love .com/infinity/

Waiting for your mail
Sveetlana B."

The user is then asked to register at hifor-you .com/register.php followed by an email confirmation explaining how the agency/scam at ualadys .com (76.74.250.239 Email: Tyom13@aol.com) works:

"We view ourselves as more of MATCHMAKERS than a mere Introduction Company. We DO NOT BUY OR SELL addresses of Ladies from other agents. Rather, we take the time and effort to meet each Lady referred to us in person, interview her at length, checkout her credentials to make sure her intentions are proper, before she gets hosted as our client. It is this knowledge of the Ladies that allows us to select the right persons to introduce to each man.

Compatibility is the KEY. Our formula is simple, yet highly productive:
1. You fill out our profile, same as the Ladies
2. Select the Ladies you would like to meet
3. Until you have a predetermined amount of Ladies reply with a yes
4. During your trip meetings are scheduled on a private, one-on-one setting, with an interpreter to assist you (if you require one) We know that your time is limited when you go on trip. This is a very efficient selections process that saves your time and, in fact, allows you the extra time to really get to know the Ladies.

All meetings are one-on-one. We do not organize socials that do not work. Our service is usually based upon a male clients access to time and his available budget. The normal procedure is for a client to look through our gallery of Ladies, select the Ladies for pre-qualification, and correspond with them by e-mail or phone, than arrange a one-on-one visit. Still others, after viewing the Ladies, decide that the best overall approach would be to simply go there and meet as many women as we can arrange for them to meet, and spend time with them before making a decision.

Also experiencing first-hand their environment and culture gives the man a future understanding of his future bride. OUR PERSONAL INTRODUCTION TRIP HAS BEEN YEILDING A 95% SUCCESS RATE! Again, the reason for this is the growing frustration among the Ladies about the lack of follow through the men, Consequently, many Ladies do not respond to letters, knowing that few ever follow through. They simply wait to meet the men who go there. THUS, THE SITUATION HAS BECOME A DREAM FOR THE MAN WHO ARE SERIOUS.

During our Special Photoshoot Trips (e-mail for dates); you will get an opportunity to watch and meet new Ladies. Many times, clients pick these new Ladies because they are fresh and no one has ever met them before. We have quite a few Ladies who have never made it to the gallery because they got engaged immediately to the men who went no trips."

The agency is also reserving the right to forward the responsibility for any fraudulent activities to the girls, the majority of which do not exist at the first place in the following way:

All scam patterns have similarities that are very easy to spot if you know what to watch out for:

Usually the contact originates from a personals site where anyone can place his/her ad for free. Most often it was not you who initiated the acquaintance; you received a letter from a lovely Russian female who was interested in you. *Her* description of the partner is always very broad that will fit anybody - "kind intelligent man, age and race don't matter".

Sometimes *she* places a real nice discription and lovely, INNOCENT pictures, with honest eyes and kind smile. You will initiate the acquaintance.

It is always email correspondence; and letters are sent regularly, often every day; a new picture is sent with almost every letter.

This is very entertaining since the agency is driving traffic to its domains through spamming. The full list of spammed domains part of the campaign :
love-f-emale .com - 62.90.136.207
i-amsingle .com
for-you-from-me .com
destinycombine .com
with-hope-for-love .com
iam-waiting4love .com
allisloveandlove .com
amourwedding .com
adorelovewon .com
andiloveyoutoo .com
attractive-ladies .com
luckyheatrs .com
sunwants .com
myloving-heart .com
touchmy-heart .com
dreams-about-lady .com
fillinglove .net
createyourlove .net
buildyour-happylove .net
tender-woman .net
make-family .net

There's something "ingenious" about this type of dating scams, since the bogus dating agency can forward the scam responsibility to the non-existent girls at the first place. Moreover, despite the countless number of email credits, flowers and photos that you've purchased by using the agency's commercial services, the non-existent girl can always reserve the right not to meet or interact with you in any way. And even if there are actual girls working for the ad agency on a revenue-sharing basis, the agency silently makes money by reserving its right to ruin your return on investment no matter how much and what you spend on their site.

Now, that's a business model scamming the gullible and the lonely, which from a legal perspective -- excluding the spamming -- can in fact be legal in the country of operation due to the eventual mis-matching of characters.

UPDATE:
The people from "Confidential Connections" have a long history of spamming/scamming activities. Here are more related resources:

A first-person account:

"..ualadies... I work as a guide and translator for guys seeking a wife in Ukraine, and a client just came to me who was due to meet a girl from this agency. Im so wound up by the actions of this agency that i am going to post this thread in every scam forum i know about. Here is a short list of what they did:

1) Put him in a taxi to pick up the girl and take her to the restaurant, then charged him $80 for what should have been a $10 journey
2) Charged him $60 for a one hour translation, saying that they take a minimum charge of 4 hours ($15 an hour)..this they told him only after the meeting
3) After my client had payed (a very steep $50) to meet the girl, he got her address and decided to send her some flowers (at the local rate of 2 dollars for 1 rose, as apposed to 10 dollars a rose at the agency). The agency, upon finding out about this, called him up and shouted at him for daring to send her roses not through them (!)

4) It turned out that the girl hadn't written most of the letters the client had shared with her over a period of a year, and in fact that the agency themselves had written them, earning good money in the proccess!
5) The agency lied about the upper age limit for a guy the girl was willing to meet - they put down 60 when she had indicated 40.
6) There is more!...but i think ive written enough for you to get the idea.

Be aware of this agency! In all my time as a guide/translator i have never seen an agency that works so shambolicaly. Agencies like this ruin the reputation of the business, in which there are number of hard working honest agencies that suffer as a result."

More comments from the same person, presumably working there:
"Beware of ualadys. I live in Ukraine and know someone who works in one of the branches. Word has it that they churn out letters factory-style and often write themselves. They do not allow their girls to turn down a man who has requested to communicate with them, even if they dont want to. They did not allow me to go to their office to check them out and ask them questions. They scare the girls so that they dont get in personal contact with a guy or go to another agency. Beware!"

Exclusive photo gallery from what appears to be a scammed customer -- wedding rings are in place. The guy was initially spammed:

"On June 23rd of 2008 (that was 5 months after I gave up my relationship with my ex girlfriend), I received one email from UAladys which stated it was translated for a lady in Ukraine. Her name is Anastasia R. (ID 5008) Her introduction letter went as follows"

Thankfully, he's preserved the achive of the correspondence, exposing their practices. Continue reading →

Spamvertised Swine Flu Domains - Part Two

May 06, 2009

Continue reading →

Dissecting a Swine Flu Black SEO Campaign

May 06, 2009

Remember the Ukrainian group of cyber criminals that was responsible for last week's massive blackhat SEO campaign that was serving scareware, followed by the timely hijacking of Mickeyy worm keywords a week earlier to once again serve rogue security software?

They are back with new blackhat SEO farms which they continue monetizing through rogue security software. Time to dissect their latest campaign and expose their malicious practices.

Once having most of their previous domains blacklisted/shut down, the group naturally introduced new ones, and changed the search engine optimization theme to swine flu, in between a variation of their previous one relying on catchy titles such as USA News; BBC News; CNN News as well as Hottest info!; HOT NEWS; Official Website and Official Site.

Upon visiting the site, an obfuscated iFrame statically hosted on all of the participating domains in the form of 2qnews.07x .net/images/menu.js redirects the user to sexerotika2009 .ru/admin/red/en.php (74.54.176.50; Email: rebsdtis@land.ru). Are you noticing the directory structure similarities? Appreciate my rhetoric, it's last month's blackhat SEO gang with a new portfolio of domains.

What follows is the usual referrer check : "var ref,i,is_se=0; var se = new Array("google.","msn.","yahoo.","comcast.","aol.");" from where the user is redirected to liveavantbrowser2 .cn/go.php?id=2022&key=4c69e59ac&p=1 (83.133.123.140) acting as central redirection point to the typosquatted portfolio of rogue security software domains.

The original scareware domain vrusstatuscheck .com/1/?id=2022&smersh=a9fd94859&back=%3DjQ51TT1MUQMMI%3DN - (69.4.230.204; 38.99.170.209; 78.47.172.66; 78.47.91.153; 94.76.212.239; 94.102.48.28) is exposing the rest of the scareware (detection rate) portfolio with the following domains parked at these IPs:

antivirusbestscannerv1 .com
antivirus-powerful-scanv2 .com
antivirus-powerful-scannerv2 .com
virusinfocheck .com
vrusstatuscheck .com
adware-removal-tool .com
1quickpcscanner .com
1spywareonlinescanner .com
1computeronlinescanner .com
1bestprotectionscanner .com
securityhelpcenter .com
antivirus-online-pro-scan .com
securedonlinecomputerscan .com
antispywarepcscanner .com
securedvirusscanner .com
virusinfocheck .com
antivirusbestscannerv1 .com
antispywareupdateservice .com
platinumsecurityupdate .com
antispywareupdatesystem .com
onlineupdatessystem .com
softwareupdatessystem .com
securedpaymentsystem .com
infosecuritycenter .com
antispywareproupdates .com
securedsoftwareupdate .cn
securedupdateslive .cn
thankyouforinstall .cn
securityupdatessystem .cn
securedsystemresources .cn
securedosupdates .cn
windowssecurityupdates .cn

Once executed it downloads Microsoft's original thank you note (update.microsoft.com/windowsupdate/v6/thanks.aspx), and confirms the installation so that the blackhat SEO campaigners will receive a piece of the pie at securedliveuploads .com/?act=fb&1=0&2=0&3=kfddnffaffihlcoemdkedcaefcfaffedhfmdmboc&4=eebajfjafekaifnbddghoclg&5=22&6=1&7=63&8=31&9=0&10=1

Related phone-back locations:
liveavantbrowser2 .cn - (83.133.123.140)
securedliveuploads .com
liveavantbrowser2 .cn
awardspacelooksbig .us
crytheriver .biz
softwareupdatessystem .com
securedsoftwareupdate .cn
securedupdateslive .cn
securedosupdates .cn

Blackhat SEO subdomains at the free web site hosting services:
2qnews.07x .net
2rnews.07x .net
1news.07x .net
1knews.07x .net
1xnews.07x .net
gerandong.07x .net
kort.07x .net
30newsx.07x .net
4dnews.07x .net
4dnews.07x .net
laptop.07x .net
30newsf.07x .net

Blackhat SEO domains participating in the second multi-theme campaign:
01may2009 .us
m1m18test .us
m1m17test .us
m1m21test .us
m1m11test .us
m1m16test .us
m1m20test .us
m1m15test .us
m1m14test .us
m1m13test .us
m1m11test .us
m1m15test .us
m1m19test .us
f9o852test .us
f9o851test .us
f9o87test .us
f9o86test .us
f9o5test .us
f9o8test .us
ff7test5 .us
g2g1test .us

Blackhat SEO domains participating in the third campaign:
greg-page-boxing.6may2009 .com - 212.95.58.156
dualsaw.06may2009 .com
craigslist-killer.5may2009 .com

Upon clicking, the user is redirected to berusimcom .com/t.php?s=18&pk=, then to the SEO keyword logger at berusimcom .com/in.cgi?18&seoref=&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=nfl-draft.5may2009 .com&ppckey=, and then exposed to another portfolio of rogue security software (detection rate) at hot-porn-tubes.com/promo3/?aid=1361&vname=antivirus - 78.129.166.166; 91.212.132.12, with the following domains parked at the same IPs:

xxxtube-for-xxxtube .com
youporn-for-free .com
xtube-xmovie .com
free-xxx-central .com
xtube-downloads .com
porn-tube-movies .com
my-fuck-movies .com
niche-tube-videos-here .net
free-tube-video-central .net
tubezzz-boobezzz .net
hot-tube-tuberzzz .net

Persistence must be met with persistence. Continue reading →

Summarizing Zero Day's Posts for April

May 01, 2009

The following is a brief summary of all of my posts at ZDNet's Zero Day for April. You can also go through previous summaries for March, February, January, December, November, October, September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed.

Notable articles include: Google's CAPTCHA experiment and the human factor; Conficker's estimated economic cost? $9.1 billion and Twitter hit by multiple variants of XSS worm.

01. Conficker worm's copycat Neeris spreading over IM
02. Paul McCartney's official site serving malware
03. Fake "Conficker Infection Alert" spam campaign circulating
04. Twitter hit by multiple variants of XSS worm
05. Scareware pops-up at FoxNews
06. Waledac botnet spamming fake SMS spying tool
07. Twitter worm author gets a job at exqSoft Solutions
08. Google's CAPTCHA experiment and the human factor
09. Hackers hijack DNS records of high profile New Zealand sites
10. New ransomware locks PCs, demands premium SMS for removal
11. Conficker's estimated economic cost? $9.1 billion
12. Swine flu email scams circulating
13. Online broker CommSec criticised for weak passwords, lack of SSL
14. Survey: 37% of employees would become insiders given the right incentive
15. French hacker gains access to Twitter's admin panel Continue reading →

419 Scam Artists Using NYTimes.com 'Email this' Feature

April 30, 2009

In times when more and more scammers/spammers are getting DomainKeys verified, others are finding adaptive ways to increase the probability of bypassing antispam filters.

Take for instance this 419s scam artist, that's been pretty active in his scamming attempts as of recently.

Basically, he's exploiting the fact that he's allowed to enter a message within NYTimes.com's 'Email this" feature, whereas it will successfully reach the potential victim based on clean IP reputation of NYTimes - and sadly, he's right since he's already sending scam messages through the following accounts registered at the site:

douglas_999@live.fr
douglas77@live.fr
mamadou_sanou@live.fr
markkabore0@yahoo.fr
abdelk11@hotmail.fr
sulem_musa@live.fr
davidbchirot@hotmail.com

His excuse for using NYTimes.com? - "Based on the bank high sensitiveness and security i have decided to contact you outside the bank's sever IP for a beneficial transaction."

Another scam that I've been tracking for a while is using a new "Hand bag stolen at Barcelona air port" social engineering attempt, and is attaching scanned copies of real baggage loss documents in order to improve the truthfulness of the scam. Pretty catchy if you don't know what advance fee fraud is. Continue reading →

Massive SQL Injections Through Search Engine's Reconnaissance - Part Two

April 29, 2009

From the lone Chinese SQL injectors empowered with point'n'click tools for massive SQL injection attacks, to the much more efficient and automated botnet approach courtesy of the, for instance, ASProx botnet the process of automatically fetching URLs from public search engines in order to build hit lists for verifying against remote file inclusion attacks and potential SQL injections, remains a commodity feature in a great number of newly released malware bots.

In 2004, the Santy worm advertised the feature to the not so efficiently centered hordes of script kiddies back then. Due to its simplicity, but huge potential for abuse, the concept of SQL injections through search engines reconnaissance has not only reached a real-time syndication with the latest remotely exploitable web application vulnerabilities, but has also converged with remote file inclusion checks, local file inclusion checks, and ip2geolocation to unethically pen-test a particular country going beyond its designated domain extension.

A recently released malware bot is once again empowering the average script kiddie with the possibility to take advantage of the window of opportunity for each and every remotely exploitable web application flaw featured at Milworm, based on its real-time syndication of the exploits. Moreover, the IRC based bot is also featuring a console which allows manual exploitation or intelligence gathering for a particular site.

Some of the features include:
- Remote file inclusion
- Local file inclusion checks ()
- MySQL database details
- Extract all database names
- Data dumping from column and table
- Notification issued when Google bans the infected host for automatically using it

The commoditization of these features results in a situation where the window of opportunity for abusing a partcular web application flaw is abused much more efficiently due to the fact that reconnaissance data about its potential exploitability is already crawled by a public search engine - often in real time.

The concept, as well as the features within the bot are not rocket science - that's what makes it so easy to use.

Related posts:
Massive SQL Injection Attacks - the Chinese Way
Yet Another Massive SQL Injection Spotted in the Wild
Obfuscating Fast-fluxed SQL Injected Domains
Smells Like a Copycat SQL Injection In the Wild
SQL Injecting Malicious Doorways to Serve Malware
SQL Injection Through Search Engines Reconnaissance
Stealing Sensitive Databases Online - the SQL Style
Fast-Fluxing SQL injection attacks executed from the Asprox botnet
Sony PlayStation's site SQL injected, redirecting to rogue security software
Redmond Magazine Successfully SQL Injected by Chinese Hacktivists
Continue reading →

Spamvertised Swine Flu Domains

April 28, 2009

The people behind the ongoing swine flu spam campaign have either missed their marketing lectures, haven't been to any at all, or are simply too lazy -- their processing order is not even using SSL -- to fully exploit the marketing window opened by the viral oubreak - the majority of spamvertised domains are redirecting to your typical Canadian Pharmacy scam, instead of swine flu related templates.

Swine flu spamvertised domains:
lijgihab.cn; jihkohab.cn; litgukab.cn; namyalab.cn; waytipab.cn; ritlarab.cn; bersoxab.cn; xaqkabeb.cn; jamnibeb.cn; pahdeheb.cn; qeqyukeb.cn; qiwqoreb.cn; zajbaveb.cn; zacniyeb.cn; baqnubib.cn; zephecib.cn; texlocib.cn; fedpijib.cn;meysujib.cn; qoltujib.cn; mukwujib.cn; buljakib.cn; cutcurib.cn; bejdasib.cn; xikgosib.cn; bacnaxib.cn; kuskuzib.cn; juvyidob.cn; sowgugob.cn; buhbulob.cn; tonjotob.cn; kozgewob.cn; gasfexob.cn; pocdiyob.cn; kujroyob.cn; mirlacub.cn; kixqucub.cn; rovjudub.cn; jokrogub.cn; tusyajub.cn; gixxukub.cn; mospomub.cn; hixmipub.cn; zismerub.cn; cegfasub.cn; dimfevub.cn; qebhuvub.cn; duvlixub.cn; tiqceyub.cn; cogwibac.cn; minkucac.cn; dadwafac.cn; dilpogac.cn; jovsogac.cn; juwcolac.cn; wefmunac.cn; cexfopac.cn; wejpopac.cn; dovniqac.cn; mulsatac.cn; labwewac.cn; lirquwac.cn; latzoyac.cn; tuwbazac.cn; motjudec.cn; jicmefec.cn; qujqugec.cn; fajnahec.cn; wobfojec.cn; saybilec.cn; siyjoqec.cn; gehgixec.cn; gajdezec.cn; sgytubic.cn; cabfecic.cn; nedsicic.cn; xorpilic.cn; bulxopic.cn; kisniric.cn; beszesic.cn; hiwdosic.cn; linrudoc.cn; rijnakoc.cn; mahhekoc.cn; hahwikoc.cn; labniloc.cn; zocwoloc.cn; gommupoc.cn; yubbaqoc.cn; mefbuqoc.cn; xeclaroc.cn; qurburoc.cn; wupqatoc.cn; capjebuc.cn; wofmufuc.cn; boxxiguc.cn; zeffehuc.cn; pegvijuc.cn; bubkenuc.cn; fixfunuc.cn;

qivbiruc.cn; vahraxuc.cn; camxezuc.cn; tomyubad.cn; sohmifad.cn; sukgogad.cn; kossehad.cn; mopwijad.cn; pagtujad.cn; nohxokad.cn; pugvuqad.cn; bapvusad.cn; wekzetad.cn; lozfoyad.cn; vuppoyad.cn; forvafed.cn; cetcofed.cn; dadrofed.cn; sacvahed.cn; qoqgoled.cn; madwemed.cn; rilgeped.cn; voydewed.cn; liyxozed.cn; regmihid.cn; bujquhid.cn; damtuqid.cn; nifhosid.cn; dapfotid.cn; yofkibod.cn; roghudod.cn; gacpagod.cn; xijhihod.cn; japtikod.cn; meyrilod.cn; patjulod.cn; hixvunod.cn; towqotod.cn; ridnuxod.cn; vevteyod.cn; deqgobud.cn; lilnedud.cn; rusdehud.cn; zidpajud.cn; qibxenud.cn; xixvasud.cn; yapqitud.cn; xuldeyud.cn; nacyeyud.cn; ciknezud.cn; qiwsuzud.cn; leblidaf.cn; timpejaf.cn; vacxamaf.cn; nugnosaf.cn; xawpicef.cn; beqnahef.cn; kumhulef.cn; somnimef.cn; pejyunef.cn; zuwpikif.cn; bixvikif.cn; sajbipif.cn; vikqipif.cn; xotdaxif.cn; qalrezif.cn; xuhkudof.cn; lijsofof.cn; gimvufof.cn; kofgehof.cn; xixgikof.cn; percaqof.cn; nifjarof.cn; xivqirof.cn; rucmusof.cn; yizsatof.cn; qihqutof.cn; devqivof.cn; mijvaxof.cn; kiyvayof.cn; bubduyof.cn; pohfabuf.cn; zudsaduf.cn; tuhfehuf.cn; yaytumuf.cn; fumtinuf.cn; gibkesuf.cn; xaqqivuf.cn; wandawuf.cn; faqloyuf.cn; paqhizuf.cn; nowzacag.cn; xowjicag.cn; nolyodag.cn; tavyafag.cn; lijgihab.cn; jihkohab.cn; litgukab.cn; namyalab.cn;waytipab.cn; ritlarab.cn; bersoxab.cn; xaqkabeb.cn; jamnibeb.cn; pahdeheb.cn; qeqyukeb.cn; qiwqoreb.cn; zajbaveb.cn; zacniyeb.cn; baqnubib.cn; zephecib.cn; texlocib.cn; fedpijib.cn; meysujib.cn; qoltujib.cn; mukwujib.cn; buljakib.cn; cutcurib.cn; bejdasib.cn; xikgosib.cn; bacnaxib.cn; kuskuzib.cn; juvyidob.cn; sowgugob.cn; buhbulob.cn; tonjotob.cn; kozgewob.cn; gasfexob.cn; pocdiyob.cn; kujroyob.cn; mirlacub.cn; kixqucub.cn; rovjudub.cn; jokrogub.cn; tusyajub.cn; gixxukub.cn; mospomub.cn; hixmipub.cn; zismerub.cn; cegfasub.cn; dimfevub.cn; qebhuvub.cn; duvlixub.cn; tiqceyub.cn; cogwibac.cn; minkucac.cn; dadwafac.cn; dilpogac.cn; jovsogac.cn; juwcolac.cn; wefmunac.cn; cexfopac.cn; wejpopac.cn; dovniqac.cn; mulsatac.cn; labwewac.cn; lirquwac.cn; latzoyac.cn; tuwbazac.cn; motjudec.cn; jicmefec.cn; qujqugec.cn; fajnahec.cn; wobfojec.cn; saybilec.cn; siyjoqec.cn; gehgixec.cn; gajdezec.cn; sgytubic.cn; cabfecic.cn; nedsicic.cn; xorpilic.cn; bulxopic.cn; kisniric.cn; beszesic.cn; hiwdosic.cn; linrudoc.cn; rijnakoc.cn; mahhekoc.cn; hahwikoc.cn; labniloc.cn; zocwoloc.cn; gommupoc.cn; yubbaqoc.cn; mefbuqoc.cn; xeclaroc.cn; qurburoc.cn; wupqatoc.cn; capjebuc.cn; wofmufuc.cn; boxxiguc.cn; zeffehuc.cn; pegvijuc.cn; bubkenuc.cn; fixfunuc.cn; qivbiruc.cn; vahraxuc.cn; camxezuc.cn; tomyubad.cn; sohmifad.cn; sukgogad.cn; kossehad.cn; mopwijad.cn; pagtujad.cn; nohxokad.cn; pugvuqad.cn; bapvusad.cn; wekzetad.cn; lozfoyad.cn; vuppoyad.cn; forvafed.cn; cetcofed.cn; dadrofed.cn; sacvahed.cn; qoqgoled.cn; madwemed.cn; rilgeped.cn; voydewed.cn; liyxozed.cn; regmihid.cn; bujquhid.cn; damtuqid.cn; nifhosid.cn; dapfotid.cn; yofkibod.cn; roghudod.cn; gacpagod.cn; xijhihod.cn; japtikod.cn; meyrilod.cn; patjulod.cn; hixvunod.cn; towqotod.cn; ridnuxod.cn; vevteyod.cn; deqgobud.cn; lilnedud.cn; rusdehud.cn; zidpajud.cn; qibxenud.cn; xixvasud.cn; yapqitud.cn; xuldeyud.cn; nacyeyud.cn; ciknezud.cn; qiwsuzud.cn; leblidaf.cn; timpejaf.cn; vacxamaf.cn; nugnosaf.cn; xawpicef.cn; beqnahef.cn; kumhulef.cn; somnimef.cn; pejyunef.cn; zuwpikif.cn; bixvikif.cn; sajbipif.cn; vikqipif.cn; xotdaxif.cn; qalrezif.cn; xuhkudof.cn; lijsofof.cn; gimvufof.cn; kofgehof.cn; xixgikof.cn; percaqof.cn; nifjarof.cn; xivqirof.cn; rucmusof.cn; yizsatof.cn; qihqutof.cn; devqivof.cn; mijvaxof.cn; kiyvayof.cn; bubduyof.cn; pohfabuf.cn; zudsaduf.cn; tuhfehuf.cn; yaytumuf.cn; fumtinuf.cn; gibkesuf.cn; xaqqivuf.cn; wandawuf.cn; faqloyuf.cn; paqhizuf.cn; nowzacag.cn; xowjicag.cn; nolyodag.cn; tavyafag.cn; hujrulag.cn; sodbenag.cn; gafkiqag.cn; lijgihab.cn; jihkohab.cn; litgukab.cn; namyalab.cn; waytipab.cn; ritlarab.cn; bersoxab.cn; xaqkabeb.cn; jamnibeb.cn; pahdeheb.cn; qeqyukeb.cn; qiwqoreb.cn; zajbaveb.cn; zacniyeb.cn; baqnubib.cn; zephecib.cn; texlocib.cn; fedpijib.cn; meysujib.cn; qoltujib.cn; mukwujib.cn; buljakib.cn; cutcurib.cn; bejdasib.cn; xikgosib.cn; bacnaxib.cn; kuskuzib.cn; juvyidob.cn; sowgugob.cn; buhbulob.cn; tonjotob.cn; kozgewob.cn; gasfexob.cn; pocdiyob.cn; kujroyob.cn; mirlacub.cn; kixqucub.cn; rovjudub.cn; jokrogub.cn; tusyajub.cn; gixxukub.cn; mospomub.cn; hixmipub.cn; zismerub.cn; cegfasub.cn; dimfevub.cn; qebhuvub.cn; duvlixub.cn; tiqceyub.cn; cogwibac.cn; minkucac.cn; dadwafac.cn; dilpogac.cn; jovsogac.cn; juwcolac.cn; wefmunac.cn; cexfopac.cn; wejpopac.cn; dovniqac.cn; mulsatac.cn; labwewac.cn; lirquwac.cn; latzoyac.cn; tuwbazac.cn; motjudec.cn; jicmefec.cn; qujqugec.cn; fajnahec.cn; wobfojec.cn; saybilec.cn; siyjoqec.cn; gehgixec.cn; gajdezec.cn; sgytubic.cn; cabfecic.cn; nedsicic.cn; xorpilic.cn; bulxopic.cn; kisniric.cn; beszesic.cn; hiwdosic.cn; linrudoc.cn; rijnakoc.cn; mahhekoc.cn; hahwikoc.cn; labniloc.cn; zocwoloc.cn; gommupoc.cn; yubbaqoc.cn; mefbuqoc.cn; xeclaroc.cn; qurburoc.cn; wupqatoc.cn; capjebuc.cn; wofmufuc.cn; boxxiguc.cn; zeffehuc.cn; pegvijuc.cn; bubkenuc.cn; fixfunuc.cn; qivbiruc.cn; vahraxuc.cn; camxezuc.cn; tomyubad.cn; sohmifad.cn; sukgogad.cn; kossehad.cn; mopwijad.cn; pagtujad.cn; nohxokad.cn; pugvuqad.cn; bapvusad.cn; wekzetad.cn; lozfoyad.cn; vuppoyad.cn; forvafed.cn; cetcofed.cn; dadrofed.cn; sacvahed.cn; qoqgoled.cn; madwemed.cn; rilgeped.cn; voydewed.cn; liyxozed.cn; regmihid.cn; bujquhid.cn; damtuqid.cn; nifhosid.cn; dapfotid.cn; yofkibod.cn; roghudod.cn; gacpagod.cn; xijhihod.cn; japtikod.cn; meyrilod.cn; patjulod.cn; hixvunod.cn; towqotod.cn; ridnuxod.cn; vevteyod.cn; deqgobud.cn; lilnedud.cn; rusdehud.cn; zidpajud.cn; qibxenud.cn; xixvasud.cn; yapqitud.cn; xuldeyud.cn; nacyeyud.cn; ciknezud.cn; qiwsuzud.cn; leblidaf.cn; timpejaf.cn; vacxamaf.cn; nugnosaf.cn; xawpicef.cn; beqnahef.cn; kumhulef.cn; somnimef.cn; pejyunef.cn; zuwpikif.cn; bixvikif.cn; sajbipif.cn; vikqipif.cn; xotdaxif.cn; qalrezif.cn; xuhkudof.cn; lijsofof.cn; gimvufof.cn; kofgehof.cn; xixgikof.cn; percaqof.cn; nifjarof.cn; xivqirof.cn; rucmusof.cn; yizsatof.cn; qihqutof.cn; devqivof.cn; mijvaxof.cn; kiyvayof.cn; bubduyof.cn; pohfabuf.cn; zudsaduf.cn; tuhfehuf.cn; yaytumuf.cn; fumtinuf.cn; gibkesuf.cn; xaqqivuf.cn; wandawuf.cn; faqloyuf.cn; paqhizuf.cn; nowzacag.cn; xowjicag.cn; nolyodag.cn; tavyafag.cn; hujrulag.cn; sodbenag.cn; gafkiqag.cn; remqavag.cn

Happy blacklisting/cross-checking!

Related posts:
Inside an Affiliate Spam Program for Pharmaceuticals
Love is a Psychedelic, Too
Pharmaceutical Spammers Targeting LinkedIn
Fast-Flux Spam and Scams Increasing
Storm Worm Hosting Pharmaceutical Scams
Over 80 percent of Storm Worm Spam Sent by Pharmaceutical Spam Kings
Incentives Model for Pharmaceutical Scams Continue reading →

Massive Blackhat SEO Campaign Serving Scareware

April 22, 2009

Over the past couple of days, I've been monitoring yet another massive blackhat SEO campaign consisting of the typical hundreds of thousands of already crawled bogus pages serving scareware/fake security software.

Later on Google detected the campaign and removed all the blackhat SEO farms from its index, which during the time of assessment were close to a hundred domains with hundreds of subdomains, and thousands of pages within.

And despite that the abuse notifications for some of the central redirection domains proved effective, it took the cybercriminals approximately 24 hours to catch up, and once again start hijacking search queries, in a combination of scareware, and pay per click redirections.

It's worth pointing out that this very latest campaign is directly related to last's week's keywords hijacking blackhat SEO campaign, with both campaigns relying on identical redirection domains, and serving the same malware. Who's behind these search engine poisoning attacks? An Ukranian gang monetizing the hijacked traffic through the usual channels - scareware and reselling of the anticipated traffic.

The first stage of the campaign was relying on mainstream media titles within its pages such as USA News; BBC News; CNN News as well as Hottest info!; HOT NEWS; Official Website and Official Site, thereby making it fairly easy to expose their portfolio of domains.

Interestingly, the cybercriminals appear to have detected the activity -- certain traffic management kits can log attempts of wandering around -- and removed the titles, which combined with the typical referrer checking made the campaign a bit more evasive :

""var ref,i,is_se=0; var se = new Array("google.","msn.","yahoo.","comcast.","aol.","dead"); if(document.referrer)ref=document.referrer; else ref=""; for(i=0;i<5;i++""

Once the user visits any of the domains within the portfolio, with a referrer check confirming he used a search engine to do so, two javascripts load, one dynamically redirecting to the portfolio of fake security software, and the other logging the visit using an Ukrainian web site counter service (c.hit.ua/hit?i=6058&g=0&x=2&s=1&c=1&t=420&w=1024&h=768&d=24&0.5505934176708958&r=&u=http%3A//13news.hobby-site.com/counter.js')

The most recent list of of domains on popular DNS services is as follows. Sub-domains within are excluded since there are several hundred currently active per domain:
0kfzzl .us - 95.168.172.202 - Email: diannefostergcei@yahoo.com
52ubih .us - 95.168.172.198 - Email: joeminoryhjb@yahoo.com
5nw8b3 .us - 95.168.172.193 - Email: carolynfosteruwwi@yahoo.com
60mptk .us - 95.168.172.192 - Email: bernadettehockadayfedt@yahoo.com
6ry4nv .us - 95.168.172.191 - Email: markpackvesa@yahoo.com
77m8uh .us - 95.168.172.190 - Email: miguelbellhyes@yahoo.com
axnwpy .us - 95.168.172.204 - Email: hungsandfordoehx@yahoo.com
bumgli .us - Email: coobybrown3@gmail.com
cqxuhk .us - 95.168.172.203 - Email: michaelkoontzutae@yahoo.com
dfkghdf .us - 212.95.58.49 - Email: umora@live.com
dfwdowrly .us - Email: orest@hotmail.ru
edtbcm .us - 95.168.172.198 - Email: warrenskinnerumpi@yahoo.com
edu4life .us - Email - joh.n.ebrilo@gmail.com

fc4oih .us - 95.168.172.187 - Email: florencemclaughlinovpp@yahoo.com
fcbcwo .us - 89.149.216.146 - Email: dorisnaupkou@yahoo.com
fpq58z .us - 95.168.172.205 - Email: thomassoileautysz@yahoo.com
fzjt82 .us - 95.168.172.188 - maryevansarpl@yahoo.com
gfor8g .us - Email: christopherdockinsptdg@yahoo.com
gotpig .us - Email: BeatriceJBrown@text2re.com
hhjsuuy .us - 217.20.117.198 - Email: jarovv@gmail.com
hk2april .us - 78.159.122.123 - Email: zainez@gmail.com
hk3april .us - 78.159.122.137 - Email: zainez@gmail.com
hno6sh .us - 89.149.238.12 - Email: alfredmeadenzcy@yahoo.com
i2u6nr .us - 95.168.172.202 - Email: jameshendricksxuwg@yahoo.com
ik3trends .us - 88.214.198.14 - Email: akililewis@gmail.com
itn92j .us - Email: nicholasmanoicdmg@yahoo.com
j4vre4 .us - bettyfavorsiqzv@yahoo.com
kzq2i2 .us - 89.149.229.157 - Email: robertmitchellrswv@yahoo.com

l5ykp6 .us - 95.168.172.195 - Email: chrishuntpjzc@yahoo.com
lh85uk .us - 95.168.172.200 - Email: susannelsonggyp@yahoo.com
lp24april .us - 89.149.228.129 - Email: ramerod@gmail.com
m9nvzp .us - 89.149.216.50 - Email: jenniferduncanakcq@yahoo.com
mm00april .us - 212.95.55.115 - Email: brevno3@gmail.com
mm99april .us - 78.159.122.91 - Email: brevno3@gmail.com
n5y3m8 .us - 89.149.243.86 - Email: imogenegreenrqqr@yahoo.com
na8nw2 .us - 89.149.216.146 - Email: jeremyfitchcupl@yahoo.com
oag3h8 .us - 95.168.172.200 - Email: susanspidelesig@yahoo.com
po1april .us - 212.95.55.138 - Email: preadzz@gmail.com
po3april .us - 78.159.122.93 - Email: preadzz@gmail.com
pp6sqo .us - 95.168.172.197 - Email: connierobertsolni@yahoo.com
pr061r .us - 89.149.216.146 - Email: shirleywardauof@yahoo.com
qdhccy .us - Email: shark@nightmail.ru
qq338p .us - 89.149.221.36 - Email: debragonzalezyplu@yahoo.com

repszp .us - 89.149.221.36 - Email: christinamerrillzzhd@yahoo.com
rrgtnm .us - 95.168.172.203 - Email: josephelliskozc@yahoo.com
rt658y .us - 89.149.207.33 - Email: luannamcgeeiqwb@yahoo.com
rzi6rj .us - 95.168.172.189 - Email: leatriceporterlhbz@yahoo.com
scsrn8 .us - 95.168.172.201 - Email: donnabrownpgpa@yahoo.com
t9xu44 .us - 95.168.172.194 - Email: robertbissettezeub@yahoo.com
trfddp .us - 89.149.243.89 - Email: davidwilliamsqljt@yahoo.com
up3xv7 .us - Email: dennismontantecoco@yahoo.com
vecy5r .us - Email: merlynsmithsqxm@yahoo.com
vlj5jn .us - 95.168.172.196 - Email: angelostewartqfoq@yahoo.com
vr31qo .us - 95.168.172.199 - Email: christinearcherzhqz@yahoo.com
wk7iie .us - 95.168.172.204 - Email: jewellnakashimalgny@yahoo.com
x2ar3e .us - Email: bobbielopezeits@yahoo.com
xe24py .us - 89.149.243.138 - Email: johnbarberprfi@yahoo.com
xecuk8 .us - 95.168.172.194 - Email: lutheralfaronloz@yahoo.com
yl8ais .us - 89.149.216.147 - Email: meredithflackflub@yahoo.com
yqfvp4 .us - 78.159.96.84 - Email: julierussellnnro@yahoo.com
zvlewrms .us - Email: ygovoruhin@list.ru
zxe11d .us - 95.168.172.195 - Email: christopherlewisxghb@yahoo.com
zy7itf .us - 89.149.207.244 - Email: cindyruizixqr@yahoo.com

13news.doesntexist .com
13news.hobby-site .com
17news.endofinternet .net
18news.homeftp .org
19news.blogdns .com
19news.dnsdojo .org
19news.gotdns .com
19news.kicks-ass .org
19news.servebbs .com
22news.blogdns .com
creditratingguide. hobby-site.com
disneyearrings .hobby-site.com
flatbellydiet .hobby-site.com
hydrangacutflowers .hobby-site.com
isa-geek .org
mxzsaw .hobby-site.com
mysteryterms .hobby-site.com

The rotated scareware/fake security software domains include: scan-antispyware-4pc .com - parked at 195.88.81.93 the same portfolio of fake security software domains which I warned that by blocking you would proactively protect your customers from black hat SEO campaigns - like this one for instance
pcvistaxpcodec .com
onlinevirus-scannerv2 .com
av-antispyware .com
scan-antispy-4pc .com
fastviruscleaner .com
securityhelpcenter .com
scan-antispy-4pc .com
scanner-work-av .com
scanner-antispy-av-files .com
adwarealert .com
proantispyware .com

Download locations/related fake codec redirections:
winpcdown10 .com (194.165.4.77)
suckitnow1 .com
winpcdown99 .com
loyaldown99 .com
codecxpvista .com
wincodecupdate .com
velzevuladmin .com
tubeloyaln .com
wedare.tubeloyaln .com
lamer.tubeloyaln .com
billingpayment.netcodecs.tubeloyaln .com
videosz.tubeloyaln .com
loyal-porno .com - the same domain was recently exposed in the same blackhat SEO campaign
win-pc-defender .com
codecvistaz .com
loyalvideoz .com

Sample detection rates:
litetubevideoz .net/codec/277.exe - detection rate
winpcdown99 .com/pcdef.exe - detection rate
winpcdown99 .com/file.exe - detection rate
setup.adwarealert .com/setupxv.exe - detection rate
files.scanner-antispy-av-files .com/exe/setup_200093_1_1.exe - detection rate

Monitoring of the campaign would continue.

Related posts:
Dissecting the Bogus LinkedIn Profiles Malware Campaign
Bogus LinkedIn Profiles Redirect to Malware and Rogue Security Software
Blackhat SEO Redirects to Malware and Rogue Software
The Invisible Blackhat SEO Campaign
Attack of the SEO Bots on the .EDU Domain
p0rn.gov - The Ongoing Blackhat SEO Operation
The Continuing .Gov Blackat SEO Campaign
The Continuing .Gov Blackhat SEO Campaign - Part Two
Rogue RBN Software Pushed Through Blackhat SEO
Massive Blackhat SEO Targeting Blogspot
Blackhat SEO Campaign at The Millennium Challenge Corporation
Continue reading →

A CCDCOE Report on the Cyber Attacks Against Georgia

April 16, 2009

Following the coverage of my "Coordinated Russia vs Georgia cyber attack in progress" research in the Georgian government's official report "Russian Cyberwar on Georgia" (on page 4), I was very excited to find out that a report by NATO's Cooperative Cyber Defense Centre of Excellence entitled "Cyber Attacks Against Georgia: Legal Lessons Identified" and authored by Eneken Tikk, Kadri Kaska, Kristel Rünnimeri, Mari Kert, Anna-Maria Talihärm, Liis Vihul, is not only quoting me extensively, but has also reproduced the entire research within the Annexes.

Looks great!

Recommended reading:
DDoS Attack Graphs from Russia vs Georgia's Cyberattacks
The Russia vs Georgia Cyber Attack
Pro-Israeli (Pseudo) Cyber Warriors Want your Bandwidth
People's Information Warfare Concept
Combating Unrestricted Warfare
The Cyber Storm II Cyber Exercise
Chinese Hacktivists Waging People's Information Warfare Against CNN
The DDoS Attacks Against CNN.com
China's Cyber Espionage Ambitions
North Korea's Cyber Warfare Unit 121
Chinese Hackers Attacking U.S Department of Defense Networks

Electronic Jihad v3.0 - What Cyber Jihad Isn't

Electronic Jihad's Targets List

A Cyber Jihadist DoS Tool

Teaching Cyber Jihadists How to Hack

Empowering the Script Kiddies

OSINT Through Botnets

Corporate Espionage Through Botnets

Malware Infected Hosts as Stepping Stones

Hacktivism Tensions - Israel vs Palestine Cyberwars

The Current, Emerging, and Future State of Hacktivism

Internet PSYOPS - Psychological Operations

Continue reading →

A Diverse Portfolio of Fake Security Software - Part Nineteen

April 16, 2009

You know things are getting out of hand when the scareware ecosystem scales to the point when typosquatted scareware domains offering removal services for the very same scareware distributed under multiple brands.

In response to the potential Conficker-ization of the scareware business, part nineteen of the Diverse Portfolio of Fake Security Software is the most massive update since the series started, and with a reason - to squeeze the cybercrime ecosystem, and ruin their malicious economies of scale revenue generation approaches.

Here are the most recent additions, with their associated registrant emails for clustering, cross-checking, and case building purposes:

vundofixtool .com (174.132.250.194)
remove-winpc-defender .com
remove-virus-melt .com
remove-ultra-antivir-2009 .com
remove-ultra-antivirus-2009 .com
remove-total-security .com
remove-system-guard .com
remove-spyware-protect-2009 .com
remove-spyware-protect .com
remove-spyware-guard .com
remove-personal-defender .com
remove-ms-antispyware .com
remove-malware-defender .com
remove-ie-security .com
remove-av360 .com
remove-antivirus-360 .com
remove-a360 .com
av360removaltool .com
antivirus360remover .com
remove-winpc-defender .com
remove-virus-melt .com
remove-virus-alarm .com
remove-ultra-antivirus-2009 .com
remove-ultra-antivir-2009 .com
remove-total-security .com

gotipscan .com (66.197.154.199) Robert Sampson Email: bausness@gmail.com
scanline6 .com
scanstep6 .com
scanbest6 .com
goscandata .com
goscanhigh .com
true6scan .com
any6scan .com
golitescan .com
gofanscan .com
gotipscan .com
gostarscan .com
goluxscan .com
goonlyscan .com
scan6step .com
goscanstep .com
scan6fast .com
scanline6 .info
scanlog6 .info
linescan6 .info
mainscan6 .info
log6scan .info
main6scan .info

addedantiviruslive .com (94.247.2.215) Administrative Email: werracruz99008@gmail.com
searchrizotto .com
easyaddedantivirus .com
yourcountedantivirus .com
av-plus-support .com
yourguardonline .cn
easydefenseonline .cn
bestprotectiononline .cn
yourguardstore .cn
examinepoisonstore .cn
freecoverstore .cn
myexaminevirusstore .cn
bestexaminedisease .cn
yourfriskdisease .cn
friskdiseaselive .cn
bestdefenselive .cn
bigprotectionlive .cn
bigcoverlive .cn
easyserviceprotection .cn
easypersonalprotection .cn
myascertainpoison .cn
yourguardpro .cn
refugepro .cn
mycheckdiseasepro .cn
yourcheckpoisonpro .cn
bigdefense2u .cn
newguard4u .cn
mydefense4u .cn
bestcover4u .cn

fullsecurityshield .com (209.44.126.14) Gregory Bershk Email: bershkapull@gmail.com
greatsecurityshield .com
trustsecurityshield .com
anytoplikedsite .com
topsecurityapp .com
inetsecuritycenter .com
securitytopagent .com
thebestsecurityspot .com
topsecurity4you .com
fullandtotalsecurity .com

extrantivirus.com (94.75.209.11)
rapid-antivir-2009.com
rapid-antivir2009.com
rapidantivirus2009.com
rapidantivirus09.com
rapidantivirus.com
ultraantivirus2009.com
soft-traffic.com
seresult.com is a traffic management domain for the campaign (e.g seresult .com/go.php?id=3466)

greatstabilitytraceonline .com (94.247.3.4) Jacquelyn Jain Email: jacquelynjjain@gmail.com
beststabilityscan .com
beststabilityscans .com
esnetscanonline .com
greatstabilitytraceonline .com
greatvirusscan .com
networkstabilitytrace .com
onlinestabilityscanada .com
protectionexamine .com
quickstabilityscan .com
safetyexamine .com
stabilityinetscan .com
stabilitysolutionslook .com
swiftsafetyexamine .com
webprotectionscan .com
webwidesecurity .com

scanmix4 .com (63.146.2.92) Clifford Barton Email: learnico@gmail.com

bestscan7 .com
goscandata .com
scan7live .com
new7scan .com
godatascan .com
gosidescan .com
goluxscan .com
goonlyscan .com
goscanstep .com
scantool4 .info
newscan4 .info
scannew4 .info
tool4scan .info

exstra-av-scanner .net (78.26.179.237) Joan Oglesby Email: extra.antivirus@gmail.com
msantivir-storage .com
ms-antivirus-storage .com
goodproantispyware .com
ms-antivir-scan .com
anispy-storage-ms .com
ms-av-storage-best .com
antivir-scanner-ms-av .com

msscan-files-antivir .com (195.88.81.93)
hot-girl-sex-tube .com
msscan-files-antivir .com
msscanner-top-av .com
msscanner-files-av .com
antivir-4pc-ms-av .com

Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

A Diverse Portfolio of Fake Security Software - Part Twenty

SMS Ransomware Source Code Now Offered for Sale

Dating Spam Campaign Promotes Bogus Dating Agency

Spamvertised Swine Flu Domains - Part Two

Dissecting a Swine Flu Black SEO Campaign

Summarizing Zero Day's Posts for April

419 Scam Artists Using NYTimes.com 'Email this' Feature

Massive SQL Injections Through Search Engine's Reconnaissance - Part Two

Spamvertised Swine Flu Domains

Massive Blackhat SEO Campaign Serving Scareware

A CCDCOE Report on the Cyber Attacks Against Georgia

A Diverse Portfolio of Fake Security Software - Part Nineteen

RSS Feed

About Me

Blog Archive

Tags

Popular Posts