From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms

0
June 17, 2009
UPDATE: In less than half an hour upon notification, Twitter and LinkedIn have already removed the bogus accounts.

UPDATE2: Forty five minutes later Scribd removes the bogus accounts.

As usual, persistence must be met with persistence. A single blackhat SEO group -- if well analyzed and monitored -- has the potential to provide an insight into some of the current monetization tactics which cybecriminals use, as well as directly demonstrate the (automatic) impact they have across different Web 2.0 services.

What is my "fan club" up to anyway? Covering up their weekend's Twitter campaign that was serving scareware by using a new template, and once again diversifying - this time by managing a bogus LinkedIn accounts campaign, another one on Scribd, followed by another another currently active one on Twitter, in between increasing the size of their blackhat SEO farm at is-the-boss.com.

Moreover, for the first time ever, the group is starting to serve live exploits based on a bit.ly URL shortening service referrer, like the ones used in the latest Twitter campaign. The use of Arbitrary file download via the Microsoft Data Access Components (MDAC) exploits is done to ultimately drop a new Koobface variant, making this the second time the group is pushing Koobface variants beyond Facebook.

Let's summarize their activities during the past six days starting with the weekend's campaign across Twitter.

Upon clicking on the TinyURL, the user is redirected through their well known 66.199.229 .253/etds (66.199.229 .253/etds/go.php?sid=41; 66.199.229 .253/etds/got.php?sid=41; 66.199.229 .253/etds/go.php?sid=43; 66.199.229 .253/etds/got.php?sid=43) traffic management location, to end up at the scareware av4best .net (64.86.17.47) with a new template is served (FakeAlert-EA).

Parked on the same IP are also well known scareware domains known from their previous campaigns, namely fast-antivirus .com and viruscatcher .net. The scareware message used in the new template takes you back to the good old school MS-DOS days :

"A problem has been detected and windows has been shut down to prevent damage to your computer.

Initialization_failed C:\WINDOWS\system32\himem.sys

If this is the first time you've seen this Stop error screen, restart the computer. If this screen appears again, read information below: The reason why this might happen is the newest malicious software which blocks access to the system libraries. Check to make sure any new antivirus software is properly installed. We suggest you to download and install antivirus, new up-to-date software which specializes on detection and removal of malicious and suspicious software."

The messaged used in the weekend's Twitter campaign, as well as a graph on the peaks and downds for a particular keyword:

"Competitions video; What do you think about video; I know why Percent Of Accounts; Between food and gay; movie Trailler!; Sun eclipce free; Air France extreem; Tetris long and sweet; Take sex under control; alcohol long and sweet; Between food and SATs; What do you think about Autotune; Gotcha!, Palm Pre!; Goodnight high in the sky; What do you think about Hangover; Death of Autotune crack addict; Amazing. movie from MSFT; Amazing. Air France from MSFT; Sims 3, It's Cool!; video, It's Cool!; Manage Air France; Amazing. porn from MSFT; alcohol unbroken; Them girls Honduras; Between food and phish; Between food and Detroit; Tetris high in the sky; I know why iPhone; Futurama unbroken; Balls to the Woman Who Missed Air; alcohol high in the sky; follow the video"

Sample (now suspended) automatically registered accounts used in the weekend's campaign:
twitter .com/wenning351
twitter .com/ula475
twitter .com/escher338
twitter .com/ochs40
twitter .com/karlen131
twitter .com/cordes904
twitter .com/hecker905
twitter .com/bohl566
twitter .com/sattler649
twitter .com/hildegard115
twitter .com/andreas281
twitter .com/wassermann38
twitter .com/rummel980
twitter .com/guilaine896
twitter .com/orlowski781
twitter .com/rupette972
twitter .com/holzner473
twitter .com/dumke576
twitter .com/hilgers465
twitter .com/heese157
twitter .com/meier679
twitter .com/habel896
twitter .com/holzinger567
twitter .com/wilhelm578
twitter .com/dearg450
twitter .com/habicht717
twitter .com/ferde373
twitter.com/hass323
twitter .com/heckmann918
twitter .com/bruna555
twitter .com/wilbert25
twitter .com/eckart412
twitter .com/sperlich374
twitter .com/jahn562
twitter .com/ludvig30
twitter .com/bing274
twitter .com/fett628
twitter .com/brock93
twitter .com/mally981
twitter .com/merle752
twitter .com/axmann101
twitter .com/pelz478
twitter .com/renaud687
twitter .com/wienke879
twitter .com/hartinger619
twitter .com/chriselda988
twitter .com/kloos267
twitter .com/dreyer15
twitter .com/herta740
twitter .com/brauer427
twitter .com/nadina732
twitter .com/wenda245
twitter .com/rieken434
twitter.com/reinhard192
twitter .com/plath132
twitter .com/bick497
twitter .com/johannsen747
twitter .com/tacke432

Besides the TinyURL links used, they've also returned to temporarily using their original .us domains such as twitter .8w8.us - 82.146.51.126 - Email: ambersurman@gmail.com; 5us .us - 82.146.51.25 - Email: elchip0707@mail.ru, and girlstubes .cn  82.146.52.158 - Email: alexvasiliev1987@cocainmail.com with Alex Vasiliev's emails first noticed in the Diverse Portfolio of Fake Security Software - Part Nine and again in Part Twenty.

Now it's time to assess their currently active campaigns across Twitter, LinkedIn and Scribd, and connect the dots in the face of the single URL acting as a counter across all the campaigns - counteringate .com (194.165.4.77) which has already been profiled in their original massive blackhat SEO campaign, and still remains active.

The automatically registered and currently active Twitter accounts participating in the campaign are as follows, it's also worth pointing out that compared to their previous campaigns, in this way they've included relevant backgrounds and avatars to the Twitter accounts:
twitter .com/AshleyTisdal1
twitter .com/AnnaNicoleSmit
twitter .com/ParisHiltonjpg1
twitter .com/ParisHiltonmov1
twitter .com/ParisHiltonNake
twitter .com/ParisHiltonSex1
twitter .com/ParisHiltonNud2
twitter .com/ParisSexTape2
twitter .com/Britneynipslip1
twitter .com/Britneywomani
twitter .com/Britneystrip1
twitter .com/BritneySex
twitter .com/Britneycomix
twitter .com/Britneywomaniz
twitter .com/BritneyNaked2
twitter .com/britneysextape
twitter .com/BritneyxSpears1
twitter .com/Britneydesnuda1

twitter .com/LopezAss
twitter .com/jennifermorriso
twitter .com/JenniferTilly2
twitter .com/AnistonSexscen
twitter .com/AnistonBangs
twitter .com/JenniferTilly1
twitter .com/Jennifernude
twitter .com/JenniferConnel
twitter .com/JenniferGarner1
twitter .com/LopezNaked
twitter .com/AnistonSexiest
twitter .com/JenniferAnisto4
twitter .com/JenniferToastee

twitter .com/JenniferAnisto2
twitter .com/LoveHewitt1
twitter .com/JenniferLoveH1
twitter .com/JenniferGreyn
twitter .com/1JenniferAnisto
twitter .com/2JenniferAnisto
twitter .com/1JenniferLopez
twitter .com/Lopedesnuda1
twitter .com/ElishaCuthbert3

twitter .com/ElishaCuthbert1
twitter .com/AlysonHannigan2
twitter .com/AliciaMachado
twitter .com/AliLarterNaked
/twitter .com/AliLarterNude
twitter .com/MelissaJoanha
twitter .com/AishwaryaRaiN1

Upon clicking on bit .ly/Je2Sd, the user is redirected to oymomahon .com/mirolim-video/3.html - 216.32.86.106 Email: StaceyGuerreroSF@gmail.com, redirecting to myhealtharea .cn/in.cgi?13 and then to oymoma-tube .freehostia.com/x-tube.htm where the fake codec/scareware is served, downloaded from totalsitesarchive .com/error.php?id=62 - Trojan.Win32.FakeAV.nz which once executed phones back to bestyourtrust .com/in.php?url=5&affid=00262 (209.44.126.241) parked at the same IP are also the following scareware domains:

uniqtrustedweb .com
hortshieldpc .com
securetopshield .com
gisecurityshield .com
ourbestsecurityshield .com
intellectsecfind .com
thesecuritytree .com
godsecurityarchive .com
besecurityguardian .com
thefirstupper .com
securityshieldcenter .com
bitsecuritycenter .com
joinsecuritytools .com
hupersecuritydot .com
bestyourtrust .com
thetrueshiledsecurity .com
souptotalsecurity .com
scantrustsecurity .com
 
The second bit .ly/1a5ZsY link used in the Twitter campaign, is redirecting to showmealltube .com/paqi-video/7.html - 64.92.170.135 Email: zbestgotterflythe@gmail.com.

From there, the redirector myhealtharea .cn/in.cgi?12 - 216.32.83.110 - zbest2008@mail.ru again loads oymoma-tube.freehostia .com/tube.htm and most importantly the counter counteringate .com/count.php?id=186 which is using an IP known from their previous campaign (194.165.4.77).

Time to move on to the LinkedIn campaign, and establish a direct connection with the Twitter one, both maintained by the same group of cybercriminals.

Currently active and participating LinkedIn accounts:
linkedin .com/in/rihannanude
linkedin .com/in/rihannanude2
linkedin .com/in/nudecelebs
linkedin .com/in/britneyspearsnudee
linkedin .com/in/pamelaandersonnudee
linkedin .com/in/nudepreteen2
linkedin .com/in/tilatequilanudee
linkedin .com/pub/beyonce-nude/14/b/952
linkedin .com/pub/child-nude/13/b4b/a16
linkedin .com/in/nudemodels

linkedin .com/in/preteennude
linkedin .com/in/mariahcareynude3
linkedin .com/in/nudeboys
linkedin .com/in/evamendesnude2
linkedin .com/in/nudebeaches
linkedin .com/in/nudebabes

linkedin .com/in/nudewomen2
linkedin .com/pub/ashley-tisdale-nude/13/b4b/762
linkedin .com/pub/mila-kunis-nude/13/b4a/b99
linkedin .com/pub/nude-kids/13/b4b/aa
linkedin .com/pub/young-nude-girls/13/b4a/6a
 
The LinkedIn campaign is linking to the delshikandco .com, from where the user is redirected to the same domains used in the Twitter campaign, sharing the same celebrity theme - delshikandco .com/mirolim-video/3.html/delshikandco .com/paqi-video/1.html - 216.32.83.104 leads to myhealtharea .cn/in.cgi?12 to finally serve the codec at ymoma-tube.freehostia.com/xxxtube.htm or at tubes-portal.com/xplaymovie.php?id=40012 - 216.240.143.7, another IP that has already been profiled part of their previous campaigns.


Yet another nude themed campaign is operated by the same group at Scribd, linking to the already profiled delshikandco .com, used in both, Twitter's and LinkedIn's campaigns.

Currently active and participating Scribd accounts:
scribd .com/Stacy%20Keibler-nude
scribd .com/Vanessa_Hudgens%20nude
scribd .com/Jessica%20%20Simpson%20%20nude
scribd .com/MileyCyrus%20nude
scribd .com/KimKardashian%20%E2%80%98nude%E2%80%99
scribd .com/Carmen%20%20Electra%20nude
scribd .com/Jennifer%20Anistonnude
scribd .com/Paris-Hilton-nude3
scribd .com/Vida%20%20Guerra%20%20nude
scribd .com/nude2
scribd .com/Kim%20%20Kardashian%20nude
scribd .com/ZacEfron%20nude
scribd .com/BritneySpears%20nude
scribd .com/Hilary-Duff-nude%202
scribd .com/Angelina-Jolie-nude11
scribd .com/Vanessa-Hudgens-nude2
scribd .com/Natalie-Portman-nude2
scribd .com/JessicaAlba%20nude
scribd .com/Jennifer-Love-Hewitt-nude11

scribd .com/Kim-Kardashian-nude2
scribd .com/Jessica-Alba-nude11s
scribd .com/JENNIFER%20LOPEZ%20NUDE3
scribd .com/Elisha%20%20Cuthbert%20%20nude
scribd .com/Paris-Hilton-nude1
scribd .com/HilaryDuff%20nude
scribd .com/Megan-Fox-nude2
scribd .com/Britney-Spears-nude1
scribd .com/Candice%20%20Michelle%20nude
scribd .com/Lindsay-Lohan-nude3
scribd .com/Mila-Kunis-nude2
scribd .com/Miley%20Cyrus%20nude
scribd .com/Vanessa%20%20Anne%20%20Hudgens%20nude
scribd .com/rihanna-nude2
scribd .com/Jenny%20Mccarthy%20nude
scribd .com/Kim%20%20Kardashian%20%20nude
scribd .com/Olsen-Twins-nude2
scribd .com/Brooke-Hogan-nude2

scribd .com/DeniseRichardsnude2
scribd .com/Scarlett%20Johansson%20nude
scribd .com/miley-cyrus-nude
scribd .com/Celebrity%20%20nude
scribd .com/Lindsay-Lohan-nude2
scribd .com/Tila%20Tequila%20nude
scribd .com/Ashley%20Tisdale%20nude
scribd.com/Angelina-Jolie-nude2
scribd .com/Denise-Richards-nude-2
scribd .com/Britney%20Spears%20nude
scribd .com/Hayden%20Panettiere%20nude
scribd .com/Carmen-Electra-nude1
scribd .com/Brooke-Burke-nude2
scribd .com/Megan%20Fox%20nude
scribd .com/JessicaSimpson%20nude
scribd .com/Kendra-Wilkinson-nude2
scribd .com/DeniseRichardsnude
scribd.com/AngelinaJolie%20nude
scribd.com/Kate%20Mara%20nude
scribd .com/Eva%20Green%20nude
scribd .com/Mariah%20Carey%20nude

scribd .com/Britney-Spears-nude2
scribd .com/Paris%20Hilton%20nude
scribd .com/CHristina%20Applegate%20nude
scribd .com/Billie%20Piper%20nude
scribd .com/Rosario%20Dawson%20nude
scribd .com/Anna%20Kournikova%20nude
scribd .com/Jennifer-Love-Hewitt-nude2
scribd .com/Kate%20Winslet%20nude
scribd .com/Carmen%20Electra%20nude
scribd .com/Jennifer%20Love%20Hewitt%20nude
scribd .com/Vida%20Guerra%20nude
scribd .com/AnneHathaway%20nude
scribd .com/JenniferLopez_nude
scribd .com/Trish%20Stratus%20nude
scribd .com/Lindsay_Lohannude
scribd .com/Pamela%20Anderson%20nude3
scribd .com/Jessica-Simpson-nude3

scribd .com/JENNIFER%20LOPEZ%20NUDE
scribd .com/CHristina%20Aguilera%20nude
scribd .com/hilary%20duff%20nude
scribd .com/MariahCarey%20nude
scribd .com/JohnCena%20nude
scribd .com/Halle%20Berry%20nude
scribd .com/Amanda%20%20Beard%20%20nude
scribd .com/Patricia%20%20Heaton%20%20nude
scribd .com/Madonna%20nude
scribd .com/JenniferLopez%20nude
scribd .com/DeniseRichards%20nude

scribd .com/PatriciaHeaton%20nude
scribd .com/Celebrity%20nude
scribd .com/TilaTequila_nude
scribd .com/Hayden-Panettiere-nude2
scribd .com/Brenda-Song-nude2
scribd .com/Demi%20Moore%20nude
scribd .com/celebrity%20nude%201
scribd .com/JenniferLove%20Hewitt%20nude
scribd .com/Ashley_Harkleroad%20nude
scribd .com/AudrinaPatridge%20nude
scribd .com/PamelaAnderson%20nude
scribd .com/Anna%20Nicole%20Smithnude
scribd .com/Meg%20Ryan%20nude
scribd .com/Kate%20Hudsonnude

Now that all the campaigns are exposed in the naked fashion of their themes, it's worth emphasizing on the live exploits serving Koobface samples based on a bit.ly referrer - in this case the process takes place through myhealtharea .cn/in.cgi?13, which instead of redirecting to scareware domain as analyzed above, is redirecting to fast-fluxed set of IPs serving identical Koobface binary - myhealtharea .cn/in.cgi?13 loads r-cg100609 .com/go/?pid=30455&type=videxp (92.38.0.69) which redirectss to the live exploits/Koobface.

Parked on 92.38.0.69 are also the following domains:
er20090515 .com
upr0306 .com
cgpay0406 .com
r-cgpay-15062009 .com
r-cg100609 .com
trisem .com
uprtrishest .com
upr15may .com
rd040609-cgpay .net

Dynamic redirectors from r-cg100609 .com/go/?pid=30455&type=videxp on per session basis:
92.255.131 .217/pid=30455/type=videxp/?ch=&ea=
92.255.131 .217/pid=30455/type=videxp/setup.exe
76.229.152 .148/pid=30455/type=videxp/?ch=&ea=
76.229.152 .148/pid=30455/type=videxp/?ch=&ea=/setup.exe
189.97.106 .121/pid=30455/type=videxp/?ch=&ea=
189.97.106 .121/pid=30455/type=videxp/setup.exe
117.198.91 .99/pid=30455/type=videxp/?ch=&ea=
117.198.91 .99/pid=30455/type=videxp/setup.exe
79.18.18 .29/pid=30455/type=videxp/?ch=&ea=
79.18.18 .29/pid=30455/type=videxp/setup.exe
85.253.62 .53/pid=30455/type=videxp/?ch=&ea=
85.253.62 .53/pid=30455/type=videxp/setup.exe
79.164.220 .170/pid=30455/type=videxp/?ch=&ea=
79.164.220 .170/pid=30455/type=videxp/setup.exe
59.98.104 .129/pid=30455/type=videxp/?ch=&ea=
59.98.104 .129/pid=30455/type=videxp/setup.exe
78.43.24 .211/pid=30455/type=videxp/?ch=&ea=
78.43.24 .211/pid=30455/type=videxp/setup.exe
62.98.63 .254/pid=30455/type=videxp/?ch=&ea=
62.98.63 .254/pid=30455/type=videxp/setup.exe
84.176.74 .231/pid=30455/type=videxp/?ch=&ea=
84.176.74 .231/pid=30455/type=videxp/setup.exe
panmap .in/html/3003/25ee551429fcbfd75fe7bcfeba4a9cb8/ - 114.80.67.32 - charicard@googlemail.com

Parked on 114.80.67.32 are also:
managesystem32.com
napipsec.in
trialoc.in
pbcofig.in
pclxl.in
ifxcardm.in
ifmon.in
panmap.in
moricons.in
oeimport.in
ncprov.in

The served setup.exe (Win32/Koobface.BC; Worm:Win32/Koobface.gen!D;) samples phone back to a single location:- upr15may .com/achcheck.php; upr15may .com/ld/gen.php - 92.38.0.69; 61.235.117 .71/files/pdrv.exe

To further demonstrate the group's involvement in these campaigns, two active campaigns at is-the-boss.com indicate that they're also using the newly introduced counteringate.com, however, parked on the same IP as a previously analyzed redirector maintained bot the group.

A sample campaign is using the engseo .net/sutra/in.cgi?4&parameter=bravoerotica - 84.16.230.38 - Email: popkadyp@gmail.com as well as the warwork .info/cgi-bin/counter?id=945706&k=independent&ref= - 91.207.61.48 redirectors to load free-porn-video-free-porn .com/1/index.php?q=bravoerotica - 84.16.230.38 - Email: popkadyp@gmail.com serving a fake codec, and is also using the universal counter serving maintained by group counteringate .com/count.php?id=308.

A second sampled campaign at is-the-boss.com points to a new domain that is once again parked at a well known IP mainted by the gang - goldeninternetsites .com/go.php?id=2022&key=4c69e59ac&p=1 - 83.133.123.140 - known from previous campaigns.

The redirectors lead to anti-virussecurity3 .com - 69.4.230.204; 69.10.59.34; 83.133.115.9; 91.212.65.125 with more typosquatted "Personal Antivirus" scareware parked at these multiple IPs aimed to increase the life cycle of the campaign:
bestantiviruscheck2 .com
securitypcscanner2 .com
fastpcscan3 .com
goodantivirusprotection3 .com
antimalware-online-scanv3 .com
anti-malware-internet-scanv3 .com
antimalwareinternetproscanv3 .com
antimalwareonlinescannerv3 .com
anti-virussecurity3 .com
bestantispywarescanner4 .com
fastsecurityupdateserver .com

Personal Antivirus then phones back to startupupdates .com - 83.133.123.140 where more scareware is parked, with the domains known from previous campaigns:
bestwebsitesin2009 .com
live-payment-system .com
bestbuysoftwaresystem .com
antiviruspaymentsystem .com
bestbuysystem .com
homeandofficefun .com
advanedmalwarescanner .com
allinternetfreebies .com
goldeninternetsites .com
primetimeworldnews .com
liveavantbrowser2 .cn
momentstohaveyou .cn
worldofwarcry .cn
awardspacelooksbig .us

The affected services have been notified, blacklisting and take down of the participating domains is in progress.

This post has been reproduced from Dancho Danchev's blog. Continue reading →

Iranian Opposition DDoS-es pro-Ahmadinejad Sites

0
June 16, 2009
By utilizing the people's information warfare concept, Iranian opposition has managed to successfully organize a cyber attack against Tehran's regime (complete analysis) by using Twitter, web forums, and localization (translation) of the recruitment messages in order to seek assistance from foreigners.

So far, their rather simplistic denial of service tools has managed to disrupt access to key government web sites, and the intensity of the attacks is prone to increase since the opposition appears to be in a "learning mode".

What does "learning mode" stand for here? It's their current stage of experimentation clearly indicating their inexperience with such campaigns and DDoS attacks in general. The opposition's de-centralized chain of command isn't even speculating on the use of botnets, since the primitive multi-threaded Iranian connections hitting Iranian sites seems to achieve their effect.

From a strategic perspective, this internal unrest resulting in the disruption of key government web sites, the de-facto propaganda vehicles of the current government, is directly denying their ability to influence the population and the media, which on its way to find information is inevitably going to visit the working opposition web sites.

Moreover, the majority of people's information warfare driven cyber attacks we've seen during the past two years, have all been orbiting around the scenario where a foreign adversary is attacking your infrastructure from all over the world. But in the current situation, it's Iran's internal network that's self-eating itself, where the trade off for denying all the traffic would be the traffic which could be potentially influenced through PSYOPs (psychological operations).

What has changed since yesterday's real-time OSINT analysis?  The web based "Page Rebooter" tool heavily advertised by the opposition has decided to stop offering the service due to the massive abuse:

"Unfortunately I have had to take the site down temporarily. The site was being used to attack other websites, until I can determine the source of these attacks, I have decided to keep it offline. My apologies to everyone who uses this site for it's intended purpose, hopefully we'll be back soon. I have now received several emails regarding this. Unfortunately, last night's spike in traffic cost me a lot of money in server costs, I therefore cannot afford to keep it online - even if the use is just. I have therefore decided to release the code for this site, so that you may create your own copies."

Meanwhile, the opposition has come up with a segmented targets list including hardline news portals, official Ahmadinejad sites, Iranian law enforcement sites, banks, judiciary and transportation sites, aiming to recruit international supporters:

"ALL PEOPLE AROUND THE WORLD:

Please help us in a full-scale cyberwar againts the dictatorial brutal government of Ahmadinjead! Help Iranians to earn back their votes per instructions below:
 
Simply click on few of the following links (better too choose your selections from different categories); it opens the site in a new tab. It will not stop you from browsing but by sending a refresh signal to the target site will saturate it. By doing so, we can block Ahmadinjead's governments flow of information in many of its key components as shown below. Please help us and yourself from this lunatic who will push the world to world war III."

Following the updated list of targets, a new LOIC.exe DoS tool is being advertised. The tool is however, anything but sophisticated (it's been around since 6 Jul 2008) compared to even the average Russian DDoS bot. Combined, the simplistic nature of the opposition's attack tools indicates the lack of any in-depth understanding of information warfare principles, in times when other countries are already going beyond cyber warfare and aiming for the unrestricted warfare stage.


The Conspiracy Theory and the Facts
How is the Iranian government/regime responding to these attacks, is it striking back to the fullest extend speculated in a countless number of cyber warfare research papers? Moreover, can it actually attack the "adversaries" which in this case reside within the country's own network? Can we easily compare this unpleasant situation from an information warfare perspective to the ongoing discussions whether or not the Should the US Go Offensive In Cyberwarfare?, and "go offensive" against who at the first place? The hundreds of thousands of U.S based malware infected hosts operated by a foreign entity as the adversary while using the targeted country's infrastructure as a human shield?

That's a dilemma that Iran's government is currently facing, but let's connect the dots and prove that the Fars News Agency which is pro-Ahmadinejad, and maintains ties to the Iranian judiciary, has in fact participated in this "cyber warfare attack with sticks and stones".

The Fars News Agency has been under attack since the beginning of the campaign, approximately 48 hours ago, prompting the site -- just like many others -- to switch to "lite" versions taking into consideration the ongoing attacks wasting the sites' bandwidth.

In a desperate attempt to influence the outcome of the DDoS attack, Fars News included iFrames pointing to opposition and anti-Ahmadinejad news sites (balatarin.com; ghalamnews.com and mirhussein.com) in order to redirect some of the attack traffic to them. The campaigners noticed the change, but upon confirming that the opposition's web sites remain online even with the iFrames in place, decided to continue the attack.

The bottom line - when your very own infrastructure hates you, you become nothing else but an observer to the declining propaganda exposure projections that you've once set, failing to anticipate the fully realistic scenario when the adversary that you've been fortifying to protect from, or have build sophisticated offensive capabilities to deal with, is in fact residing within your own infrastructure. Attempting to attack him or shut him down will only multiply the effect of his original campaign.

The net is vast and infinite.

Recommended reading:
A CCDCOE Report on the Cyber Attacks Against Georgia
DDoS Attack Graphs from Russia vs Georgia's Cyberattacks
The Russia vs Georgia Cyber Attack
Pro-Israeli (Pseudo) Cyber Warriors Want your Bandwidth
People's Information Warfare Concept
Combating Unrestricted Warfare
The Cyber Storm II Cyber Exercise
Chinese Hacktivists Waging People's Information Warfare Against CNN
The DDoS Attacks Against CNN.com
China's Cyber Espionage Ambitions
North Korea's Cyber Warfare Unit 121
Chinese Hackers Attacking U.S Department of Defense Networks
Electronic Jihad v3.0 - What Cyber Jihad Isn't
Continue reading →

From Ukrainian Blackhat SEO Gang With Love - Part Two

0
June 09, 2009
It seems that the portfolio of redirectors using my name part of an ongoing Ukrainian blackhat SEO is expanding, with seximalinki .ru/images/ddanchev-sock-my-dick.php, as the latest addition. This brings up the number of redirectors to three, at least for the time being:
  • seximalinki.ru/images/ddanchev-sock-my-dick.php - active - 74.54.176.50; Email: Hippacmc@land.ru
  • seo.hostia .ru/ddanchev-sock-my-dick.php - active - 213.155.2.37
  • HiDancho.mine .nu/login.js - active - 64.21.86.16
Let's dissect the latest campaigns, including several related ones not necessarily serving scareware, moreover, let's also establish a connection between this gang and the ongoing hijacking of Twitter trending topics for malware serving purposes, shall we?

The redirector takes the user to antimalwareonlinescannerv3 .com - 83.133.115.9; 91.212.65.125; 69.4.230.204 - Email: immigration.beijing@footer.cn where the scareware is served.

The campaign is also relying on three more scareware domains antimalware-live-scanv3 .com; antimalwareliveproscanv3 .com ;fastsecurityupdateserver .com, with ns1.futureselfdeeds .com ensuring that the rest of the portfolio remains in tact :

premiumlivescanv1 .com
advanedmalwarescanner .com
advanedpromalwarescanner .com
antiviruspcscannerv1 .com
antiviruspremiumscanv2 .com
malware-live-pro-scanv1 .com
malwareliveproscanv1 .com
malwareliveproscannerv1 .com
malwareinternetscannerv1 .com
anti-spyware-scan-v1 .com
antimalwarescanner-v2 .com
freeantispywarescan2 .com
antivirus-scanner-v1 .com
internetotherwise .com
macrosoftwarego .com
world-payment-system .com
paymentonlinesystem .com
livewwwupdates .com
liveinternetupdates .com
livesecurityupdate .com
securitysoftwarepayments .com
antiviruspaymentsystem .com
systemsecurityupdates .com
networksecurityadvice .com
systeminternetupdates .com
protectionsystemupdates .com
updateinternetserver2 .com
protectionupdates2 .com
proantivirusscannerv2 .com
proantivirusscanv2 .com
powerantivirusscanv2 .com

These blackhat SEO-ers have been actively multitasking during the past couple of months. For instance, another campaign maintained by them at Lycos Tripod's is-the-boss.com is using the redirector ntlligent .info/tds/in.cgi?11&seoref=&parameter=$keyword&se=$se&ur=1&HTTP_REFERER= (72.232.163.171), hosted by Layered Technologies, Inc., in order to serve a a Koobface sample located at 91.212.65.35/view/1/1416/0, which upon execution phones back to upr15may .com/achcheck.php; upr15may .com/ld/gen.php (119.110.107.137) as well as to i-site .ph/1/6244.exe; i-site .ph/1/nfr.exe with the second binary phoning back to 85.13.236 .154/v50/?v=71&s=I&uid=1824245000&p=14160&ip=&q=.

Another campaign maintained by them at is-the-boss.com is using three redirectors kurinah.freehostia .com/in.cgi?8&seoref=&parameter=$keyword&se=&ur=1&HTTP_REFERER=; promodomain .info/in.cgi?8&seoref=&parameter=$keyword&se=&ur=1&HTTP_REFERER= - 66.40.52.63 - Email: support@ruler-domains.com and thetrafficcontrol .net/in.cgi?8&seoref=&parameter=$keyword&se=&ur=1&HTTP_REFERER=, until the user is finally redirected to a fake PornTube portal big-tube-list .com/teens/xmovie.php?id=45048 - 216.240.143.7 - isaacdonn@gmail.com where malware is served from my-exe-profile .com/streamviewer.45048.exe - 66.197.171.6 - Email: michalevd@gmail.com.

Upon execution, streamviewer phones back to reportsystem32 .com/senm.php?data= - 216.240.146.119 -, terradataweb .com/senm.php?data=v22 - 66.199.229.229 -, and dvdisorapid .com/senm.php?data=v22 - 64.27.5.202.

Several related fake codec serving domains parked at 216.240.143.7 are also currently active:
get-mega-tube .com - Email: raymgnw95@gmail.com
best-crystal-tube .com - Email: raymgnw95@gmail.com
the-lost-tube .com - Email: hilachow@gmail.com
sunny-tube-house .com - Email: hilachow@gmail.com
proper-tube-site .com - Email: hilachow@gmail.com
tube-xxx-work .com - Email: hilachow@gmail.com
big-tube-list .com - Email: isaacdonn@gmail.com

A third campaign is using a single redirector to tangoing .info/cgi-bin/analytics?id=917304&k= - 91.207.61.48 - Email: dophshli@gmail.com to dynamically redirect visitors to pretty much all the scareware domains listed in part twenty one of the diverse portfolio of fake security software series. Moreover, the very same email used to register the redirecting domain was also used to register a payment processing gateway for scareware transactions in January, 2009.

Yet another blackhat SEO operation maintained by the same group since February, 2009 is fi97 .net/jsr.php?uid=dir&group=ggl&keyword=&okw=&query="+query+" referer="+escape(document.referrer)+"&href="+escape(location.href)+"&r="+rzz+"'><"+"/scr"+"ipt>", which according to publicly obtainable statistics received approximately 138, 000 unique visitors in April, with 30.23% coming from Google.

The traffic hijacking of for the purpose of serving malware, using over a hundred different .us domains was in fact so successful that several webmasters reported loosing their organic search traffic due to the content within the sites. The campaign then switched to a pharmaceutical theme using a Google search engine theme, with several static links to pharma scams, once again using the already established traffic redirections tactics.

The redirectors in question petrenko .biz - 88.214.200.150 - Email: olegoff@yandex.ru and myseobiz .net - 67.225.158.16 - Email: 3bd864dddbe4421ab1112a6ebc6df4fb.protect@whoisguard.com remain in operation. The bogus Google front page is advertising the following pharma domains:

theusdrugs .com - 78.140.132.11, parked at the same IP are also more pharma domains:
medscompany .org
canadian-rxpill .com
bestyourpills .com
rx-drugs-support .com
payment-rx .com
genericdrugs .in
mendrugsshop .com
healthrefill .com

It gets even more inter-connected and malicious since this very same gang is also the one responsible for the ongoing malware campaign spreading scareware by using Twitter's trending topics. Let's establish a direct connection between the Ukrainian gang and the campaign.

The TinyURL links used redirect to an identical domain - 00freewebhost .cn - 211.95.79.115 - Email: louisgreenfield@gmail.com, where an iFrame is loading happy-tube-video .com/xplays.php?id=40030 - 216.240.143.7 - Email: isaacdonn@gmail.com where Mal/FakeAV-AY (streamviewer.40030.exe) is served, this time from exe-soft-files .com/streamviewer.40030.exe - 66.197.171.6 - Email: michalevd@gmail.com.

This very same domain (happy-tube-video .com registered to isaacdonn@gmail.com) is part of the second PornTube fake codec campaign which I assessed above, this time pushed through the gang's blackhat SEO campaigns.

Moreover, in a typical cybercrime-friendly style, the main malicious domain operated by the gang and used in the Twitter campaign - 00freewebhost .cn - continues to load the malware serving domain despite that it's main index is serving a fake account suspended notice - "This Account Has Been Suspended, This includes, but is not limited to overusing server resources, publishing adult content, or unauthorized posting of copyrighted material. Please contact our Support Team for more information." Which is pretty amusing, since despite the fact that they're using an iFrame to point to a different location, they've left an animated GIF image of a fake codec hosted there - 00freewebhost .cn/shmo/pl.gif.

A second connection between the Ukraininan black SEO gang, Twitter's ongoing campaign and the fake web hosting provider which I profiled yesterday can also be made.

For instance, the URL shortening service used in last week's campaign at Twitter a.gd/2524d9/ redirects to 66.199.229 .253/etds/go.php?sid=43 and then to av-guard .net/?uid=27&pid=3 as well as to fast-antivirus .com which are the scareware domains exposed in the recent "Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot" post. The scareware obtained from it, as well as the scareware from the above-exposed PornTube campaign streamviewer.40030.exe also share the same phone back locations.

Coming across yet another operation managed by them, namely, the ongoing Twitter trending topics hijacking attack, clearly demonstrates the impact this single group of individuals can have while multitasking at different fronts. And despite the numerous traffic acquisition tactics used, the monetization approach remains virtually the same - scareware. Continue reading →

GazTransitStroy/GazTranZitStroy Rubbing Shoulders with Petersburg Internet Network LLC

0
June 08, 2009

Following the GazTransitStroy/GazTranZitStroy (gaztranzitstroyinfo.ru; 67.15.253.241) coverage, the gang behind the bogus gas company drilling for insecure PCs across the Web has returned to its roots - St. Petersburg, Russia, with routing services courtesy of PIN-AS Petersburg Internet Network LLC (AS44050) (internet-spb.ru) :

"descr: Petersburg Internet Network LLC
address: Sedova 80
address: St.-Petersburg, Russia
e-mail:         support@internet-spb.ru
phone:          +7 812 4483863
fax-no:         +7 812 4483863
person:         Metluk Nikolay Valeryevich
address:        korp. 1a 40 Slavy ave.,
address:        St.-Petersburg, Russia
e-mail:         nm@internet-spb.ru
phone:          +7 812 4483863
fax-no:         +7 812 2683113
PIN LLC
Sedova 80
+7 812 4483863
support@internet-spb.ru
 
Metluk Nikolay Valeryevich
korp. 1a 40 Slavy ave.,
St.-Petersburg, Russia
+7 812 4483863
nm@internet-spb.ru

Ladoha Anton Vladimirovich
korp. 1a 40 Slavy ave.,
St. Petersburg, Russia
+7 812 4483863
admin@internet-spb.ru

Strukov Evgeny Olegovich
korp. 1a 40 Slavy ave.,
St.-Petersburg, Russia
+7 812 4483863
admin2@internet-spb.ru
e.strukov@pinspb.ru

Prefixes 91.212.41.0/24; 95.215.0.0/22; 194.11.16.0/24; 194.11.20.0/23; 195.2.240.0/23"

What's also worth pointing out that is a huge number of of domains operated by GazTransitStroy's customers, and, of course, GazTranzitStroy themselves not only traceroute back to Petersburg Internet Network LLC's network, but also, there's an evident migration to the legitimate NETDIRECT-NET - 89.149.206.0 - 89.149.207.255 - AS2875, as well as to CHINANET-SH CHINANET shanghai province network - 222.64.0.0 - 222.73.255.255.

Combined with the fact that EUROHOST-NET/Eurohost LLC (eurohost.biz.ua) 91.212.65.0 - 91.212.65.255 - AS48841 remain an inseparable part of GazTransitStroy's info, clearly indicates the presence of a well known cybercrime powerhouse - the RBN itself.

The following domains (crimeware, live exploits, scareware, you name it they engage in it) maintained by GazTranzitStroy have migrated as follows. From 91.212.41.96 to CHINANET-SH CHINANET shanghai province network - 222.64.0.0 - 222.73.255.255:

loshadinet .com
roselambda .cn
use-sena .cn
peopleopera .cn
forexsec .cn
symphonygold .cn
dreamlitediamond .cn
vilihood .cn
bookadorable .cn
drawingstyle .cn
housedomainname .cn
roomsme .cn
vilasse .cn
workfuse .cn
stakeshouse .cn
financeimprove .cn
lifenaming .cn
travetbeach .cn
schoolh .cn
rainfinish .cn
housevisual .cn
kvk.housevisual .cn
xfln.housevisual .cn
worksean .cn
blogtransaction .cn
liteauction .cn
seamodern .cn
smilecasino .cn
newtransfer .cn
oceandealer .cn
pub.oceandealer .cn
musicdomainer .cn
wowregister .cn
websiteflower .cn
travets .cn
designroots .cn
teamwows .cn
startgetaways .cn
moulitehat .cn
caxf.moulitehat .cn
islandtravet .cn
weekendtravet .cn
resorttravet .cn
litefront .cn
palaceyou .cn
youbonusnew .cn
clubmillionswow .cn
rainjukebox .cn
xuyxuyxuy .cn

From 91.212.41.114 to NETDIRECT-NET - 89.149.206.0 - 89.149.207.255 - AS28753, interestingly, the DNS servers for the following domains ns1.pubilcnameserver7.com/ns1.pubilcnameserver7.com are diversifying at 89.149.207.56 and 91.212.41.114:

freeantivirusplus09 .com
realantivirusplus09 .com
getantivirusplus09 .com
smartantivirusplus09 .com
addedantivirusonline .com
addedantivirusstore .com
addedantiviruslive .com
addedantiviruspro .com
countedantiviruspro .com
plusantiviruspro .com
myplusantiviruspro .com
addedantivirus .com
youraddedantivirus .com
bestaddedantivirus .com
easyaddedantivirus .com
yourcountedantivirus .com
bestcountedantivirus .com
yourplusantivirus .com
easyplusantivirus .com
yourguardonline .cn
easydefenseonline .cn
bestprotectiononline .cn
freecoveronline .cn
atioqe .cn
yourguardstore .cn
mycheckdiseasestore .cn
examinepoisonstore .cn
freecoverstore .cn
myexaminevirusstore .cn
bestexaminedisease .cn
yourfriskdisease .cn
easyfriskdisease .cn
friskdiseaselive .cn
bestdefenselive .cn
bigprotectionlive .cn
bigcoverlive .cn
examineillnesslive .cn
exodih .cn
suxpymi .cn
aciazi .cn
yourfriskinfection .cn
easyserviceprotection .cn
easyincomeprotection .cn
easypersonalprotection .cn
easybestprotection .cn
myascertainpoison .cn
yourguardpro .cn
refugepro .cn
mycheckdiseasepro .cn
ascertaindiseasepro .cn
yourcheckpoisonpro .cn
easycheckpoisonpro .cn
yourfriskviruspro .cn
myascertainviruspro .cn
fegbywo .cn
feptuaq .cn
myexamineillness .cn
exousyt .cn
newguard2u .cn
freedefense2u .cn
bigdefense2u .cn
bestcover2u .cn
newguard4u .cn
mydefense4u .cn
bestcover4u .cn
newguard4you .cn
mydefense4you .cn
bestcover4you .cn
yourguardforyou .cn
newguardforyou .cn
myguardforyou .cn
freedefenseforyou .cn
mydefenseforyou .cn
bestcoverforyou .cn

The ongoing affiliation with EUROHOST-NET/Eurohost LLC (eurohost.biz.ua) 91.212.65.0 - 91.212.65.255 - AS48841, and the migration of domains (scareware, live exploits, crimeware etc.) as follows. From 91.212.41.119 to 91.212.65.7 EUROHOST-NET/Eurohost LLC:

nicdaheb .cn
sehmadac .cn
ralcofic .cn
bikpakoc .cn
xidsasuc .cn
koqsuyod .cn
tozxiqud .cn
bowselaf .cn
cuzlumif .cn
porgacig .cn
hifgejig .cn
rogkadej .cn
sipcojeq .cn
silzefos .cn
popyodiw .cn
hayboxiw .cn
peskufex .cn
ridmoyey .cn
cakpapaz .cn

What kind of an ISP be maintaining a permanent Under Construction page and engage in Zeus and live exploit serving activities on the same IP as its web server? EUROHOST-NET/Eurohost LLC is one of them:

"person: Mikhail Ignatyev
address: off. 1, 81 Frunze str.,
phone: +38 093 079 00 32
address: Evpatoria, Crimea, Ukraine
e-mail: ipadmin@eurohost.biz.ua"

At eurohost.biz.ua (91.212.65.5) we also have parked 123-service.ru, serving a deja-vu account suspended message - "This account has been suspended. Either the domain has been overused, or the reseller ran out of resources." as well as ramshanabc.ru, with another account suspended message despite its previous involvement in Zeus crimeware campaigns in January, 2009 (ramshanabc .ru/ferrari/main.bin; ramshanabc .ru/ferrari/main.bin).

Besides these domains, several others, again registered to kirilboltovnet@yandex.ru are known to have been maintaining running Zeus crimeware campaigns as well:

grafjasqq .ru/kiew/kiew.cfg
heliskamm .ru/kiew5.cfg
mamaloki .ru/dir2.cfg489
mamaloki .ru/kiew3.cfg
nionalku .ru/dir5.cfg
nionalku .ru/kiew6.cfg

Still not convinced in how malicious their intentions really are? The phone number (+7 928 7867612) used in the registrations of these domains was most recently used in a spammed Zeus crimeware campaign impersonating Western Union. Continue reading →

Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot

0
June 08, 2009
Just like GazTranzitStroyInfo's case, what we've got here is failure to understand that the efforts put into building legitimacy of front-ends to cybercrime, is prone to get undermined upon closer examination of the particular web hosting provider.

Who, and what is Life4you .info - Free Hosting for Live (dirsite .com; 65.98.15.80; Dennis Linkor Email: admin@dirsite.com)?

"We are pleased to announce the launch of dirsite.com, the best ASP.NET host on the web. We currently offer one plan. This plan is entirely free! Free ASP.NET 2.0 hosting*! Unfortunately we have hit our quota for ad free accounts. Every new signup is now required to display a 460x60 banner ad on their content pages. We will be running another ad free promotion soon, so be sure to check back! We are currently experiencing some technical issues that are out of our control. We are suffering some server problems and as a result, slight delays in processing signups. We are working on it, and will have everything resolved as soon as possible. Thank you for your patience."

What's so special about them? Well, for starters, they've got no customers but the cybercriminals themselves maintaining a portfolio of over 7,000 adult related keywords which they have been using for blackhat SEO campaigns across thousands of automatically registered -- CAPTCHA recognition outsourced -- Blogspot accounts since February, 2009.

With the Blogspot campaign still ongoing, let's assess it and expose all the participating scareware domains. Upon automatic generation of the Blogspot accounts, links like the following are included next to the bogus content, all using dirsite.com's pseudo-legitimate hosting services:

goto.dirsite .com/go.php?sid=2&tds-key=erotic+bikini+babes
goto.dirsite .com/go.php?sid=2&tds-key=sexe+amateur+on+my+space
goto.dirsite .com/go.php?sid=2&tds-key=aunt+judy+older+women
goto.dirsite .com/go.php?sid=2&tds-key=view+private+profiles+on+myspace
goto.dirsite .com/go.php?sid=2&tds-key=fullmetal+alchemist+porn
goto.dirsite .com/go.php?sid=2&tds-key=Asian+style+bed+throws
goto.dirsite .com/go.php?sid=2&tds-key=cheerleader+candid+pictures
goto.dirsite .com/go.php?sid=2&tds-key=desisexstories
goto.dirsite .com/go.php?sid=2&tds-key=Hey+Arnold+porno
goto.dirsite .com/go.php?sid=2&tds-key=warcraft+henrai

Upon clicking the users are redirected to tdncgo2009 .com/?uid=68&pid=3 (trdatasft .com; fra22 .net; Email: ) 64.86.17.47, Email: hmlragnsky@whoisservices.cn, where the scareware domains are randomly loaded:

virusdoctor-onlinedefender .com - 64.213.140.69 Email: sebarinvert.ivus@gmail.com
onlinescan-ultraantivirus2009 .com - 206.53.61.76
virussweeper-scan .net - 206.53.61.76
virusalarm-scanvirus .net - 206.53.61.76
viruscatcher .net - 64.213.140.71 Email: jeannemcpeters@gmail.com
fast-antivirus .com - 64.213.140.68

The scareware attempts to phone back to update1.virusshieldpro .com/ReleaseXP.exe - 206.53.61.75 - Email: unitedisystems@gmail.com and to updvmfnow .cn - 64.86.17.9 Email: oijfsd.sd@gmail.com. ReleaseXP.exe then phones back to the following locations, naturally earning profit for the cybecriminal -

pay-virusshield .cn - 64.213.140.70; Email: unitedisystems@gmail.com; Returning the following message: "Sorry, the operation is currently unavailable, please email our support team from product's site (Error Code #150)"
updvmfnow .cn - 64.86.17.9
updvmfnow .cn/reports/install-report.php (64.86.17.9)
updvmfnow .cn/reports/soft-report.php
updvmfnow .cn/reports/minstalls.php

The phone back location is also hosting more active scarewaredomains:
ultraantivirus2009 .com - 64.86.17.9
virusalarmpro .com
vmfastscanner .com
mysuperviser .com
pay-virusdoctor .com
virusmelt .com
payvirusmelt .com

Not only is life4info .info or dirsite .com a bogus free hosting provider, but the campaigns hosted by them are interacting with our "dear friends" at AS30407; VELCOM .com which Spamhaus describes as "N. American base of Ukrainian cybercrime spammers" - and with a reason. Continue reading →

A Diverse Portfolio of Fake Security Software - Part Twenty One

0
June 05, 2009
The ongoing abuse of AS10929; NETELLIGENT Hosting Services Inc. for scareware distribution purposes is peaking once again, which combined with the well-proven traffic acquisition tactics the campaigners take advantage of, prompts me to proactively undermine the effectiveness of the campaigns by ruining the monetization factor.

Next to listing the scareware domains currently in circulation, in part twenty one of the Diverse Portfolio of Fake Security Software series, it's time we put the spotlight on the so called payment processors mainted by phony in-house operations.

The following scareware domains are parked exclusively within AS10929; NETELLIGENT Hosting Services Inc's network, 209.44.126.102  in particular :

fanscan4 .com 209.44.126.102 Email: brmargul@gmail.com
rayscan4 .com Email: brmargul@gmail.com
scantop4 .com Email: ansouthe@gmail.com
scanlist6 .com Email: metamant@gmail.com
goscanfine .com Email: chirelqas@gmail.com
goscanone .com Email: canrcnad@gmail.com
scan4note .com Email: ansouthe@gmail.com
in4ck .com Email: taboussybr@gmail.com
goscanwork .com Email: govemati@gmail.com
in4tk .com Email: skeltonrw@gmail.com
goscanatom .com Email: gleyersth@gmail.com
top4scan .com  Email: ansouthe@gmail.com
slot6scan .com  Email: metamant@gmail.com
gometascan .com  Email: ricboin@gmail.com
gopagescan .com Email: tanehen@gmail.com
gofinescan .com Email: alcnafuch@gmail.com
goelitescan .com Email: funully@gmail.com
gorankscan .com Email: canrcnad@gmail.com
goworkscan .com Email: govemati@gmail.com
gogoalscan .com Email: chinrfi@gmail.com
gogenscan .com  Email: tanehen@gmail.com
goautoscan .com Email: tanehen@gmail.com
goflexscan .com Email: alcnafuch@gmail.com
goscanauto .com Email: canrcnad@gmail.com
scan6slot .com  Emaik: telerdomb@gmail.com
in4st .com Email: skeltonrw@gmail.com
scan6list .com Email: telerdomb@gmail.com
goscanflex .com Email: chirelqas@gmail.com

goscankey .com Email: ricboin@gmail.com
scanmeta4 .info Email: sitintu@gmail.com
scannote4 .info Email: sitintu@gmail.com
metascan4 .info Email: finewnrk@gmail.com
zonescan4 .info Email: mexnacc@gmail.com
notescan4 .info Email: finewnrk@gmail.com
miniscan4 .info Email: finewnrk@gmail.com
rankscan4 .info Email: mexnacc@gmail.com
atomscan4 .info Email: finewnrk@gmail.com
fanscan4 .info Email: finewnrk@gmail.com
genscan4 .info Email: finewnrk@gmail.com
autoscan4 .info Email: sitintu@gmail.com
topscan4 .info Email: finewnrk@gmail.com
starscan4 .info Email: finewnrk@gmail.com
fixscan4 .info Email: sitintu@gmail.com
mixscan4 .info Email: finewnrk@gmail.com
luxscan4 .info Email: finewnrk@gmail.com
rayscan4 .info Email: finewnrk@gmail.com
keyscan4 .info Email: sitintu@gmail.com
scangen4 .info Email: sitintu@gmail.com
scanauto4 .info Email: mexnacc@gmail.com

scantop4 .info Email: finewnrk@gmail.com
scanflex4 .info Email: mexnacc@gmail.com
scan4meta .info Email: finewnrk@gmail.com
scan6meta .info Email: donboset@gmail.com
scan4fine .info Email: mexnacc@gmail.com
meta4scan .info Email: finewnrk@gmail.com
note4scan .info Email: finewnrk@gmail.com
gen4scan .info Email: finewnrk@gmail.com
flex4scan .info Email: mexnacc@gmail.com
fix4scan .info Email: sitintu@gmail.com
key4scan .info Email: mexnacc@gmail.com
meta6scan .info Email: donboset@gmail.com
note6scan .info Email: donboset@gmail.com
scan4gen .info Email: finewnrk@gmail.com
scan6gen .info Email: donboset@gmail.com
scan4auto .info Email: sitintu@gmail.com
scan4top .info Email: finewnrk@gmail.com
scan4fix .info Email: sitintu@gmail.com
scan4key .info Email: sitintu@gmail.com
fine4scan .info Email: beelriel@gmail.com
scanmega4 .info Email: bnntnkmn@gmail.com
zonescan4 .info Email: mexnacc@gmail.com
rankscan4 .info Email: mexnacc@gmail.com
scanauto4 .info Email: mexnacc@gmail.com
scan4fine .info Email: mexnacc@gmail.com
way4scan .info Email: bnntnkmn@gmail.com
key4scan .info Email: mexnacc@gmail.com
scan4fan .info Email: myscarbe@gmail.com

Exceptions out of  AS10929; NETELLIGENT Hosting Services Inc.:

ia-pro .com - 194.165.4.41; 200.63.45.224; 209.44.126.104; 200.63.45.224 Email: abuse@domaincp.net.cn
generalantivirus .com Email: compalso@gmail.com
genpayment .com Email: seeingrud@gmail.com
livestopbadware .com Email: producergrom@gmail.com
av-payment .com Email: abuse@domaincp.net.cn
antimalware-live-scanv3 .com - 38.99.170.9; 78.47.91.153; 83.133.115.9; 89.47.237.52;91.212.65.125; Email: immigration.beijing@footer.cn
antivirus-scanner-v1 .com Email: tareen@yahoo.com
proantivirusscannerv2 .com Email: ecindia@hotmail.com

Who's processing the payments made by the scammed customers? These are the major payment processors of scareware software that have been changing aliases for a while now, with Pandora Software being the most persistent one:

easybillhere .com - 200.63.45.221; Email: myerysin@gmail.com
secure.softwaresecuredbilling .com - 209.8.45.122; Viktor Temchenko Email: TemchenkoViktor@googlemail.com
secure.propayments .org - 78.46.152.8; Oleg Bajenov Email: oleg.bajenov@gmail.com
secure.soft-transaction .com - 77.91.228.155; Riabokon, Igor; rw6rr69n7z2@networksolutionsprivateregistration.com
secure-plus-payments .com - 209.8.25.204; John Sparck; Email: sparck000@mail.com
secure.pnm-software .com - 209.8.45.124; Live Internet Marketing Limited; pnm-software.com@liveinternetmarketingltd.com
secure.thepaymentonline .com Email: Sergey Ryabov director@climbing-games.com

What is Pandoware Software, and who's behind Pandora Software (pandora-software .com; pandora-software .info; pandoraxxl .com - 209.8.45.121; Live Internet Marketing Limited; Email: pandoraxxl.com@liveinternetmarketingltd.com)?

The payment processor describes itself as :

"PandoraXXL is a company which provides the best adult entertainment online and is the managing company of the adult websites of the group. The concept itself is the carefull creation of websites which are different from the average vanilla adult production. We create them, we run them and we provide customer care to our customers!If You are a customer and would like to know more about our websites please click on Our Websites above. PandoraXXL.com and all sites which listed on PandoraXXL.com owned by Oleg Dvoretskiy Varzinerstr. 127, 44369 Dortmund, Germany"

Upon "doing business" with them they include their very latest domain within the the credit card statement:

"Your credit card statement may show any of the following names: WWW.PANDORAXXL.COM If so , than You have made a purchase on one of our websites! This form on the right will help You to locate these transactions! Absolutely sure You have never ever purchased anything with us? Contact us immediately then! Due to our knowledge we are one of a VERY few adult paysites companies out there providing INHOUSE live support along with telephone support. Please call only when You are sure that this site was not ab to help You with Your transactions. You may call with technical questions as well but You must read all our site's FAQs first."

Going through the terms of service for several scareware domains, there's a contact support image saying "Copyright 2008 Oleg Dvorezky, Dortmund, Germany". Why an image and not a text? Cybercriminals sometimes ensure that sensitive info potentially undermining their OPSEC doesn't get crawled by public search engines. It's gets even more interesting as Oleg Dvorezky, whose activities as payment processor for scareware go beyond the support desk has also included his address - Varzinerstr. 127. 44369 Dortmund, Germany and another phone, again as an image +1(636)549-8103, followed by two more numbers +18669997851 (USA) +33179972633 (France) listed as contact details.

Moreover, despite the fact that they've active affiliates distribution scareware and earning money in the process, next to managing the processing of payments, one should not exclude the possibility that they may also be engaging in customer relationship management for other scareware affiliate partners. For instance, the following support emails are all managed by them :

support@supportdeska.com
support@msantispyware2009.com
support@pandora-software.com
support@pandoraxl.com
support@data-saver.org
support@generalantivirus.com

Fo the time being, scareware remains the single most efficient, managed and high liquidity asset used for monetization cybercrime campaigns. Continue reading →

From Ukrainian Blackhat SEO Gang With Love

0
June 04, 2009
UPDATE: My name is now an integral part of the scareware business model.

Yet another redirector used in the ongoing blackhat SEO campaign is using it, this time saying just "hi" - hidancho.mine .nu/login.js redirects to privateaolemail .cn/go.php?id=2010-10&key=b8c7c33ca&p=1 and then to antimalwareliveproscanv3 .com where the scareware is served -- catch up with the Diverse Portfolio of Fake Security Software series.

What's next? The release of Advanced Pro-Danchev Premium Live Mega Professional Anti-Spyware Online Cleaning Scanner 2010?

You know you have a fan club, as well as positive ROI out of your research, when one of the most active blackhat SEO groups for the time being starts cursing you in its multiple redirectors, in this particular case that's seo.hostia .ru/ddanchev-sock-my-dick.php.

Back in 2007, it used to be the polite form of get lost or "ai siktir vee" courtesy of the New Media Malware Gang, a customer of the Russian Business Network.

Upon hijacking legitimate traffic and verifying that the visitor is coming from var se = new Array("google.","msn.","yahoo.","comcast.","aol", the redirector then takes us to macrosoftwarego .com; live-payment-system .com - 83.133.123.140 Email: fabian@ingenovate.com, and to antimalware-live-scanv3 .com - 38.99.170.9; 78.47.91.153; 83.133.115.9; 89.47.237.52; 91.212.65.125 Email: immigration.beijing@footer.cn where the scareware is served.

Scareware domains (delegated) part of their campaigns which as of recently diversity to Lycos owned is-the-boss.com:
anti-spyware-scan-v1 .com - ns1.futureselfdeeds .com (78.47.88.217)
malware-live-pro-scanv1 .com
premiumlivescanv1 .com
malwareliveproscanv1 .com
antiviruspcscannerv1 .com
malwareliveproscannerv1 .com
freeantispywarescan2 .com
antiviruspremiumscanv2 .com
proantivirusscanv2 .com
antiviruspaymentsystem .com
macrosoftwarego .com
advanedmalwarescanner .com
advanedpromalwarescanner .com
futureselfdeeds .com
allinternetfreebies .com
liveinternetupdates .com
momentstohaveyou .cn

Rephrasing the Cardigans Love Fool song - Common sense tells me I shouldn't bother, and I ought to stick to another blackhat SEO campaign, a blackhat SEO campaign that surely deserves me, but I think you folks do.

Thanks to Sean-Paul Correll from PandaLabs for the tip. Continue reading →
Subscribe to: Comments (Atom)