Poisoned Search Queries at Google Video Serving Malware

UPDATE: A recently published article at the Register by John Leyden incorrectly states that "researchers at Trend Micro discovered that around 400,000 queries returning malicious results that lead to a single redirection point" wherease the researchers in question went public with the attack data on the 27th of January, and then again on the 28th of January.

This isn't the first time the Register shows an oudated siatuational awareness, following the two month-old coverage of a proprietary email and personal information harvesting tool, which I extensively covered in between receiving comments from one of the affected sites.

A blackhat SEO-ers group that's been generating bogus link farms ultimately serving malware to their visitors during the past couple of months, has recently started poisoning Google Video search queries and redirecting the traffic to a fake flash player using the PornTube template. (The Template-ization of Malware Serving Sites). Approximately 400,000+ bogus video titles have already been crawled by Google Video.

Instead of sticking to a proven traffic acquisition tactic in the face of adult videos, the campaigns are in fact syndicating the titles of legitimate YouTube videos in order to populate the search results. What's also worth pointing out that is that once they start duplicating the content -- like they're doing with specific titles -- based on their 21 bogus publisher domains, they can easily hijack each and every of the first 21 results for a particular video. The fake flash player redirection is served only when the visitor is coming from Google Video, if he or a researcher isn't based on a simple http referer check, a legitimate YouTube video is served.

Upon clicking on the video from any of their publisher domains, the user is taken to porncowboys .net/continue.php (94.247.2.34) then forwarded do xfucked .org/video.php?genre=babes&id=7375 (94.247.2.34) to have the binary served at trackgame .net/download/FlashPlayer.v3.181.exe and qazextra .com/download/FlashPlayer.v3.181.exe. Detection rate for the flash player.

The malware publisher domains crawled by Google Video redirecting to the bogus flash player :
nudistxxx .net - 22,000 bogus video titles
realsexygirls .net - 21,000 bogus video titles
trulysexy .net - 27,100 bogus video titles
madsexygirls .net - 18,900 bogus video titles
mypornoplace .net - 25,700 bogus video titles
hotcasinoxxx .net - 28,900 bogus video titles
hotgirlstube .net - 37,900 bogus video titles
xgirlplayground .com - 50,600 bogus video titles
puresextube .net - 20,700 bogus video titles
xxxtube4u .com - 11,400 bogus video titles
sexygirlstube .net - 63,100 bogus video titles
xporntube .org - 12,800 bogus video titles
xxxgirls .name - 33,500 bogus video titles
girlyvideos .net - 37,500 bogus video titles
mytubecentral .net - 38,900 bogus video titles
puresextube .net - 20,700 bogus video titles
teencamtube .com - 18,400 bogus video titles
celebtube .org - 41,100 bogus video titles
truexx .com - 16,900 bogus video titles
hottesttube .net - 28,100 bogus video titles
hotgirlsvids .net - 27,200 bogus video titles
watch-music-videos .net - 14,900 bogus video titles
marketvids .net - 29,900 bogus video titles
gamingvids .net - 7,930 bogus video titles
hentaixxx .info - 25,500 bogus video titles

The campaign is currently in a cover-up phrase since discussing it yesterday and notifying Google with all the details. But the potential for abuse remains there. Timeliness vs comphrenesiveness of a malware campaign?

Following this example of comprehensivess, take into consideration the timeliness in the face of October 2008's campaign when hot Google Trends keywords were automatically syndicated in order to hijack search traffic which was then redirected to several hundred automatically registered Windows Live blogs whose high pagerank made it possible for the blogs to appear within the first 5 results. Continue reading →

Embassy of India in Spain Serving Malware

The very latest addition to the "embassies serving malware" series is the Indian Embassy in Spain/Embajada de la India en España (embajadaindia.com) which is currently iFrame-ED -- original infection seems to have taken place two weeks ago -- with three well known malicious domains.

Interestingly, the malicious attackers centralized the campaign by parking the three iFrames at the same IP, and since no efforts are put into diversifying the hosting locations, two of them have already been suspended. Let's dissect the third, and the only currently active one. iFrames embedded at the embassy's site:
msn-analytics .net/count.php?o=2
pinoc .org/count.php?o=2
wsxhost .net/count.php?o=2

wsxhost .net/count.php?o=2 (202.73.57.6) redirects to 202.73.57.6 /mito/?t=2 and then to 202.73.57.6 /mito/?h=2e where the binary is served, a compete analysis of which has already been published. The rest of the malicious domains -- registered to palfreycrossvw@gmail.com -- parked at mito's IP appear to have been participating in iFrame campaigns since August, 2008 :

google-analyze .cn
yahoo-analytics .net
google-analyze .org
qwehost .com
zxchost .com
odile-marco .com
edcomparison .com
fuadrenal .com
rx-white .com

As always, the embassy is iFramed "in between" the rest of the remotely injectable sites part of their campaigns. 

Related assessments of embassies serving malware:
Embassy of Brazil in India Compromised
The Dutch Embassy in Moscow Serving Malware
U.S Consulate in St. Petersburg Serving Malware
Syrian Embassy in London Serving Malware
French Embassy in Libya Serving Malware Continue reading →

Exposing a Fraudulent Google AdWords Scheme

UPDATE: Conduit's Director of Strategic Marketing Hai Habot contacted me in regard to the campaign. Comment published at the bottom of the post.

Despite my personal reservations towards the use of Google sponsored ads as an emerging traffic acquisition tactic on behalf of scammers and cybercriminals -- blackhat SEO is getting more sophisticated -- Google sponsored ads are whatsoever still taken into consideration.

The fraudulent AdWords scheme that I'll discuss in this post, is an example of a Dominican scammer (ayuda@shareware.pro; Sms Telecom LLC, Roseau, St. George (00152) Dominica Tel: +117674400530) who's hijacking search queries for popular software applications, taking advantage of geolocation and http referer checks, in order to deliver a customized toolbar while earning revenue part of the Conduit Rewards Program.

Naturally, the traffic acquisition tactic and the brandjacking of legitimate software are against the rules of both Google's, and Conduit's terms of use. Interestingly, out of all the adware-ish toolbars and affiliate based networks out there, he's chosen to participate in an affiliate network without a flat rate on per toolbar installation basis. Despite the efforts put into the typosquatting, the descriptive binaries on a country basis, and the localization of the sites in several different languages, he's failing to monetize the scam in the way he could possibly do compared to "fellow colleagues" of his.

Brandjacked software domains part of the AdWords campaign :
adobe-reader-co .com
adware-co .com
flash-player-co .com
paint-shop-pro .com
winrar-co .com
ccleaner-co .com
firefox-co .com
avi-codec-co .com
guitar-pro-co .com
codec-co .com
opera-co .com
messenger-comp .com
servicepack-co .com
azureus-co .com
emulegratis .es
messenger-plus-co .com
zone-alarm-co .com
directx-co .com
bittorrent-co .com
media-player-co .com
emulefree .com
divx-co .com
office-co .com
virtualdj-co .com
zattoo-co .com
clonecd-co .com
tuneup-co.com
lphant-co.com
explorer-co.com
amule-co .com
messenger75-co .com
limewire-comp .com
lite-codec-co .com
power-dvd-co .com
messenger-plus-live-co .com
reamweaver-co .com
aresgratis .net
vuze-co .com
emuleespaña .es
regcleaner-co .com
paint-net-co .com
download-acelerator .com
windownloadweb .com
xp-codecpack-co .com

The AdWords campaigns are spread across different local Google sites, and are targeting a particular local demographic only. Moreover, if the end user isn't coming from a sponsored ad, the download link on each and every of the participating sites is linking to the official site of the brandjacked software, and if he's coming from where he's supposed to be coming the software bundle including the revenue-generating toolbar is served in the following way :

firefox-co .com/downloads/installer-5-firefox-uk.exe
winamp-co .com/downloads/installer-37-winamp-uk.exe
winamp-co .com/downloads/installer-37-winamp-nl.exe
zone-alarm-co .com/downloads/installer-18-zonealarm-nl.exe
servicepack-co .com/downloads/installer-14-service-pack-3-uk.exe
divx-co .com/downloads/installer-25-divx-uk.exe

Upon installation the toolbar generates revenue for the campaigner, and given the fact that a single DIY toolbar can be associated with a single rewards account, the campaigner is also maintaining a modest portfolio of toolbars. For instance :

peer2peerne.media-toolbar.com - UserID=UN20090120111936062
peer2peeren.media-toolbar.com - UserID =598F9353-BD10-47B9-8B40-29B33AD7A3E4

The bottom line is that despite the fact that the campaigner is acquiring lots of traffic through the brandjacking, and is definitely breaking even based on the number of toolbars installed, he's failing to monetize the fraud scheme, at least for the time being.

UPDATE: Hai Habot's comments - "The information you have provided will help us track the publisher and I will personally see that our compliance team looks into it ASAP.
 
As you may know, Conduit does not have full control over the promotional activity of the publisher (i.e. his fraudulent use of Google AdWords or any other usage of third party ads or links) however, the activity described in your post is clearly in violation of our terms of use (section V of the Conduit Publisher Agreement) and our compliance team can take different measures against this publisher including the removal of the toolbar from our platform.

The Conduit Rewards program is not a standard affiliate network. It offers incentives to publishers based on their toolbar’s long term performance. I didn’t look into the stats of this specific publisher yet but I can assure you that such spam traffic would generate very little (if any) rewards. In any case – we will make sure that the rewards account of this publisher will be disabled until this compliance issue is resolved." Continue reading →

A Diverse Portfolio of Fake Security Software - Part Fourteen

The following currently active fake security software domains have been included within ongoing blackhat SEO campaigns, among the many other tactics that they use in order to attract traffic to them. Needless to say that the Diverse Portfolio of Fake Security Software domains series is prone to expand throughout the year.

rapidspywarescanner .com (78.47.172.67)
live-antiviruspc-scan .com
professional-virus-scan .com
proantiviruscomputerscan .com
bestantivirusfastscan .com
premium-advanced-scanner .com

Domain owner:
Name: Aennova M Decisionware
Organization: NA
Address: Rua Maestro Cardim 1101   cj. 112
City: Sgo Paulo
Province/state: NA
Country: BR
Postal Code: 01323
Phone: +5.5113245388
Fax: +5.5113245388
Email: victor@aennovas.com

rapidantiviruspcscan .com (78.46.216.237)
securedserverdownload .com
securedonlinewebspace .com
securedupdateupdatesoftware .com
bestantivirusdefense .com
live-pc-antivirus-scan .com
best-antivirus-protection .com
proantivirusprotection .com
best-anti-virus-scanner .com
best-antivirus-scanner .com
bestantivirusproscanner .com
bestantivirusfastscanner .com
protectedsystemupdates .com
liveantispywarescan .com
live-antispyware-scan .com
internet-antispyware-scan .com

Domain owner:
Vadim Selin anzo45@freebbmail.com
+74952783432 fax: +74952783432
ul. Vorobieva 98-34
Moskva Moskovskay oblast 127129
ru

antivirus-scan-your-pc .com (75.126.175.232; 209.160.21.126)
bestantivirusdefence .com
best-antivirus-defense .com
premiumadvancedscan .com
bestantivirusproscan .com
best-antivirus-pro-scanner .com
internetprotectedpayments .com

Domain owner:
Name: Nikolai V Chernikov
Address: yl. Kravchenko 4 korp. 2 kv.17
City: Moskva
Province/state: NA
Country: RU
Postal Code: 119334
Email: promasteryouth@gmail.com

It's interesting to point out that so far, none of the hundreds of typosquatted domains is taking advantage of a legitimate online payment processor. Instead, they not only self-service themselves, but offer to process payments for other participants in the affiliate network. In respect to these bogus domains, we have the following payment processors working for them :

secure.softwaresecuredbilling .com (209.8.45.122) registered to Viktor Temchenko (TemchenkoViktor@googlemail.com)
secure.goeasybill .com (209.8.25.202) registered to Chen Qing (dophshli@gmail.com)
secure-plus-payments .com (209.8.25.204) registered to John Sparck (sparck000@mail.com)

Related posts:
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software  Continue reading →

Embedding Malicious IFRAMEs Through Stolen FTP Accounts - Part Two

The practice of using stolen or data mined -- from a botnet's infected population -- FTP accounts is nothing new. In March, 2008, a tool originally published in February, 2007, got some publicity once details of stolen FTP accounts belonging to Fortune 500 companies were found in the wild. Interestingly, none of the companies were serving malicious iFrames on their compromised hosts back then.

Despite the fact that 2008 was clearly the year of the massive SQL injection attacks hitting everyone, everywhere, massive iFrame injection tools through stolen FTP accounts are still in development. Take for instance this very latest console/web interface based proprietary one currently offered for sale at $30.

Its main differentiation factors according to the author are the pre-verification of the accounting data in order to achieve better speed, advanced logs management and update feature allowing the malicious campaigner to easily introduce new iFrame at already iFrame-ED hosts through the compromised FTP accounts, and, of course, the what's turning into a commodity feature in the face of long-term customer support. In this case, that would be a hundred FTP accounting details to get the customers accustomed to the tool's features.

Interestingly, at least according to the massive SQL injections taking place during the entire 2008, iFrame-ing has reached its decline stage, at least as the traffic acqusition/abuse method of choice. And with SQL injections growing, this very same FTP account data is serving the needs of the blackhat search engine optimizers bargaining on the basis of a pagerank. Continue reading →

Pro-Israeli (Pseudo) Cyber Warriors Want your Bandwidth

This summary is not available. Please click here to view the post. Continue reading →

Domains Serving Internet Explorer Zero Day in December

December, 2008 was marked by yet another widespread Koobface campaign, next to a massive SQL injection attack targeting Asian countries and serving the ex-Internet Explorer XML parsing zero day. Monitoring the attack closely and issuing abuse notices, it's worth pointing out that only two domains were SQL to target international sites, with the rest injected at Asian sites only.

This tactic once again demonstrates the dynamics of the international underground communities whose understanding of valuable stolen goods greatly differ based on the local market's demand for a particular item. For instance, stolen accounting data for a MMORPG is more than access to a stolen banking account on the Chinese underground marketplace, and exactly the opposite on the Russian underground marketplace. Interestingly, if the IE zero day was first discovered and abused in a targeted nature by Russian parties the very last thing they'd be serving is a password stealer for a MMORPG given the far more valuable from their perspective crimeware. Here are all of the SQL injected domains participating in the attack, with two Chinese groups responsible for them :

SQL injected domains currently active:
- c.nuclear3 .com/css/c.js (121.10.108.161; 121.10.107.233;70.38.99.97) also SQL injected as c.%6Euclear3 .com/css/c.js in a cheap attempt to avoid detection
- zs.gcp.edu .cn/z.js redirects to alimcma .3322.org/a0076159/a07.htm (121.12.173.218) and then to tongjitj.3322 .org/tj/a07.htm
- w.94saomm .com/js.js (58.53.128.177) redirects to clc2007.nenu.edu .cn/tt/swf.htm (218.62.16.47)
- idea21.org/h.js (66.249.130.142) redirects to idea21 .org/index1.htm
- yrwap .cn/h.js (59.63.157.71) redirects to kodim .net/CONTENT/faq.htm

Currently down, for historical preservation purposes and case building as these were exclusively serving the ex-IE zero day in December, 2008:
17gamo .com/1.js
s4d. in/h.js
dbios .org/h.js
armsart .com/h.js
acglgoa .com/h.js
9i5t .cn/a.js
qq117cc .cn/k.js
s800qn .cn/csrss/w.js
twwen .com/1.js
s.shunxing .com.cn/s.js
ko118 .cn/a.js
s.shunxing .com.cn/s.js
17aq .com/17aq/a.js
s.kaisimi .net/s.js
sshanghai .com/s.js
s.ardoshanghai .com/s.js
s.cawjb .com/s.js
mysy8 .com/1/1.js
mvoyo .com/1.js
nmidahena .com/1.js
tjwh202.162 .ns98.cn/1.js

Thankfully, the IE zero day attack in December is an example of a "wasted" zero day, with the potential for abuse not taken advantage of.

Related posts:
Massive SQL Injection Attacks - the Chinese Way
Yet Another Massive SQL Injection Spotted in the Wild
Obfuscating Fast-fluxed SQL Injected Domains
Smells Like a Copycat SQL Injection In the Wild
SQL Injecting Malicious Doorways to Serve Malware
SQL Injection Through Search Engines Reconnaissance
Stealing Sensitive Databases Online - the SQL Style
Fast-Fluxing SQL injection attacks executed from the Asprox botnet
Sony PlayStation's site SQL injected, redirecting to rogue security software
Redmond Magazine Successfully SQL Injected by Chinese Hacktivists Continue reading →

Dissecting the Bogus LinkedIn Profiles Malware Campaign

Nice catch, in the sense that LinkedIn was among the very few social networking sites left untouched by cybercriminals in 2008. With LinkedIn's staff actively removing the close to a hundred bogus profiles, let's dissect the campaign by exposing all the participating malware domains, the redirectors, the droppers' detection rates and the rest of the domains in their portfolio.

Domains used on the bogus profiles :
sextapegirls .net (88.214.200.5)
celebsvids .net (216.195.57.47)
katynude .com (216.195.57.47)
delshikandco .com (82.103.132.114)

All the internal pages at sextapegirls .net (sextapegirls .net/1.html; sextapegirls .net/2.html; sextapegirls .net/3.html; sextapegirls .net/4.html; sextapegirls .net/5.html) redirect to hotvidz .info/5.html (88.214.200.5) as well as all the internal pages at celebsvids .net where TubePlayer.ver.6.20885.exe is served as a fake video player.

Among the rest of the domains used, katynude .com/1.html (216.195.57.47) redirects to quickly-porn-tube .net/get.php?id=20885&p=74 (69.59.21.247) which then redirects to tube-4you-best .com/xxplay.php?id=20885 (69.59.21.247) where 2009download-best-soft .com/TubePlayer.ver.6.20885.exe (94.247.3.228) is again served.

The fourth domain used on the bogus LinkedIn profiles, delshikandco .com/movies/linkedin.html (82.103.132.114) once deobfuscated leads to delshiktds .com/in.cgi?6 (64.27.28.225), a traffic management kit's redirection point which redirects to delshiktds .com/in.cgi?11, celebs-online2009 .com/video.php (64.27.28.225) and megaporntubesonline .com/xplays.php?id=88 where codecdownload.filesstorage4you .com/exclusivemovie.88.exe is served next to codecdownload.viewersoftwarearchive .com/exclusivemovie.0.exe (94.247.3.232) which a copy of Win32/Renos.

The downloader then phones back to :
dasgdasg .net (91.205.96.12)
new-york-images .com (89.149.207.114)
future-pictures .com (94.247.2.117)
download-everything.com (69.46.16.99)
archiveviewsoftware.com

193.142.244.17

Naturally, the people behind this malware campaign have centralized the rest of the malicious domains by parking them at the very same IPs used in the redirectors. The domains are pretty descriptive themselves, and it's also worth pointing out that they intend to start introducing newly registered fake security software ones:

94.247.3.228
files-upload-21 .com
downloabsecurehere1 .com
downloabsecurehere2 .com
downloabsecurehere3 .com
downloabsecurehere4 .com
fast-download-base-free .com
download-all4free .com
download-softarch .com
dwnld-files .com
get-frsh-files .com
download-fls.com
downloadall-soft-now .com
downloadallsoft-now. com
download-allsoftnow .com
downloadallsoftnow .com
soft-4-you-download .net
get-files-4free .net
download-top-software .net
files-download-arch .net
download-files-bak .net
download-files-plus .net
pure-download-new .net

69.59.21.247
uni-tube-911 .com
bestmytubeonilne1 .com
bestmytubeonilne2 .com
bestmytubeonilne3 .com
mybest-pov-tube .com
my-bestpov-tube .com
u-tube-verse .com
tubeger .com
tube-4-free-center .com
tube-4you-best .com
tube-hu .com
tube-more-sex .com
quickly-porn-tube .net
fast-xxx-tube .net
tube-chick .net
tube-free-4-adult .net

antivir-av-toolz .net
scanner-pc-toolz .net
av-scan-soft .net
av-scan-here .net
anti-vir-toolz .com
freenonline-scannerw .com
freenonline-scanner .com
av-mc-antivir-checker .com
freenonline-scannera .com
bestmyscanneronilne3 .com
bestmytubeonilne3 .com
bestmyscanneronilne2 .com
bestmytubeonilne2 .com

94.247.3.232
viewerdownload2009 .com
freedownload2009 .com
filesstorage2009 .com
exefileshere2009 .com
bestfilesarchive2009 .com
softwareviewers2009 .com
filesinnet4you2009 .com
downloadfilesservice .com
jetexestorage .com
clickandgetfile .com
secretfilesstoragehere .com
x-filesstorehere .com
filesportalhere .com
exefileshere .com
extrafilesonlyhere .com
pornexearchive .com
viewerarchive .com
crystalfilesarchive .com
download2009exe .com
3d-softwareportal .com
downloadfilesportal .com
exesoftportal .com
softwareportalexefiles .com
becollectionoffiles .com
extracoolfiles .com
freepornclips2u .com
filesstorage4you.com
downloadexenow .com

The same people, the same tactics, different domains and netblocks used. Continue reading →

Summarizing Zero Day's Posts for December

The following is a brief summary of all of my posts at Zero Day for December, 2008. You can also go through previous summaries for November, October, September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed.

Notable articles for December include ICANN terminates EstDomains, Directi takes over 280k domains (interview with Stacy Burnette from the ICANN); With 256-bit encryption, Acrobat 9 passwords still easy to crack (interview with Dmitry Sklyarov and Vladimir Katalov from Elcomsoft) and Gmail, Yahoo and Hotmail systematically abused by spammers.

01. AlertPay hit by a large scale DDoS attack
02. IT expert executed in Iran
03. Vendor claims Acrobat 9 passwords easier to crack than ever
04. Microsoft’s Live Search (finally) adds malware warnings
05. ICANN terminates EstDomains, Directi takes over 280k domains
06. Password stealing malware masquerades as Firefox add-on
07. With 256-bit encryption, Acrobat 9 passwords still easy to crack
08. Trusteer launches search engine for malware configuration files
09. With or without McColo, spam volume increasing again
10. Vint Cerf’s Twitter account hacked, suspended for spam
11. Gmail, Yahoo and Hotmail systematically abused by spammers
12. IE7 XML parsing zero day exploited in the wild
13. Four XSS flaws hit Facebook
14. Thousands of legitimate sites SQL injected to serve IE exploit Continue reading →

Squeezing the Cybercrime Ecosystem in 2009

How do you trigger a change that would ultimately affect the entire cybercrime ecosystem? Going full disclosure may be the most logical option, but past experience reveals that using it has a modest temporary effect. For instance, exposing a stolen credit cards shop isn't going to separate the owner from the stolen database, neither would his customers base disappear, so stating that it's shut down in reality means that it's currently active at another location which the owner quickly communicates to the customers base. I keep seeing it happen once a sample service gets media attention, and I'll keep seeing it happen.

The myth that geolocating their malicious activities would always end up in an Eastern European network where developed law enforcement agencies would have little to no jurisdiction at all, proved to be a common stereotype given that the well known cybercrime-friendly ISPs that were shut down in 2008 were and have always been U.S based operations. Therefore, the excuse of not being able to take action due to the lack of international law enforcement cooperation isn't appicable in this case.

So how should the cybercrime ecosystem be squeezed? Personalize it and communicate the levels of efficiency cybercriminals achieve by using the very same disturbing photos that they use to demonstrate the effectiveness of their web based stolen credit card shops in order to achieve the necessary public outbreak.

Even though I pretend that the research and profiles of the underground tools and services that I've been detailing throughout 2008 is cutting-edge research, this research is basically scratching the surface, but how come? Just like there's a perfect and bad timing for a particular product or service to hit the market, in this very same fashion the general public is still not ready to embrace some of the highly disturbing point'n'click identity theft services that have been operating for years. Sadly, some even question the usability and authenticity of these underground services, and therefore a change has to be triggered by starting to publish the cybercriminals' ROI out of using them in the form of the photos of users swimming in cash that they've cashed-out of the stolen credit cards. Disturbing? It's supposed to be, since it will not only prompt public outbreak, but also, have a well proven self-regulation effect on behalf of the service owner's, at least from my personal experience while profiling related services.

This is perhaps the perfect moment to emphasize on how important threat intell sharing with law enforcement, whether directly based on personal contacts or through one-to-many communication model through private mailing lists, a cyber threats analysts case-building capabilities would not only prove valuable in the long term, but would also make it easier for someone to do their prosecuting job faster. And while important, threat intell sharing with law enforcement is not the panacea of squeezing the cybecrime ecosystem, since cybercrime should not be treated as the systematic abuse of common IT insecurities for fraudulent purposes, instead, it should be treated as a form of economic terrorism. Only then, would cybercrime receive the necessary attention instead of such comments regarding McColo or Atrivo - "Resource-wise, we can't be in the business of prevention. We have to be in the business of prosecution." Exactly. I guess that just like you cannot be a prophet in your own country, you cannot also be a prophet in your own agency, thankfully, the wisdom of the cybercrime fighting crowd is always there to take care and get zero credit at the end of the day.

Personally, 2009 is going to be the year when personalizing cybercriminals would be taking place on a more regular basis, so stay tuned for an upcoming report summarizing "behind the curtains" cybercrime activities in 2008, underground responses to some of major busts of year including the DarkMarket operation, the fraudulent schemes allowing them to cash-out digital assets into hard cash, the basics of their social networking model, who's who in the hierarchy of a sampled business model of vendors of ATM skimming devices, the post-DarkMarket OPSEC practices introduced in order for cybecrime communities to verify the authenticity of their customers, the process of advertising and operating underground services as well as the communication methods used, in short - all the juicy details, screenshots and photos courtesy of the owners and customers of the services that haven't been communicated to the industry and the world throughout 2008.

Find attached a photo teaser acting as a confirmation for the usefulness of "yet another stolen credit card details service" in the wild, and have a productive year exposing low lifes and spilling coffee over their business models.

Related posts:
76Service - Cybercrime as a Service Going Mainstream
Using Market Forces to Disrupt Botnets
Localizing Cybercrime - Cultural Diversity on Demand
Localizing Cybercrime - Cultural Diversity on Demand Part Two
EstDomains and Intercage VS Cybercrime
E-crime and Socioeconomic Factors
Money Mules Syndicate Actively Recruiting Since 2002
Price Discrimination in the Market for Stolen Credit Cards
Are Stolen Credit Card Details Getting Cheaper?
The Underground Economy's Supply of Goods Continue reading →

Squeezing the Cybecrime Ecosystem in 2009

How do you trigger a change that would ultimately affect the entire cybercrime ecosystem? Going full disclosure may be the most logical option, but past experience reveals that using it has a modest temporary effect. For instance, exposing a stolen credit cards shop isn't going to separate the owner from the stolen database, neither would his customers base disappear, so stating that it's shut down in reality means that it's currently active at another location which the owner quickly communicates to the customers base. I keep seeing it happen once a sample service gets media attention, and I'll keep seeing it happen.

The myth that geolocating their malicious activities would always end up in an Eastern European network where developed law enforcement agencies would have little to no jurisdiction at all, proved to be a common stereotype given that the well known cybercrime-friendly ISPs that were shut down in 2008 were and have always been U.S based operations. Therefore, the excuse of not being able to take action due to the lack of international law enforcement cooperation isn't appicable in this case.

So how should the cybercrime ecosystem be squeezed? Personalize it and communicate the levels of efficiency cybercriminals achieve by using the very same disturbing photos that they use to demonstrate the effectiveness of their web based stolen credit card shops in order to achieve the necessary public outbreak.

Even though I pretend that the research and profiles of the underground tools and services that I've been detailing throughout 2008 is cutting-edge research, this research is basically scratching the surface, but how come? Just like there's a perfect and bad timing for a particular product or service to hit the market, in this very same fashion the general public is still not ready to embrace some of the highly disturbing point'n'click identity theft services that have been operating for years. Sadly, some even question the usability and authenticity of these underground services, and therefore a change has to be triggered by starting to publish the cybercriminals' ROI out of using them in the form of the photos of users swimming in cash that they've cashed-out of the stolen credit cards. Disturbing? It's supposed to be, since it will not only prompt public outbreak, but also, have a well proven self-regulation effect on behalf of the service owner's, at least from my personal experience while profiling related services.

This is perhaps the perfect moment to emphasize on how important threat intell sharing with law enforcement, whether directly based on personal contacts or through one-to-many communication model through private mailing lists, a cyber threats analysts case-building capabilities would not only prove valuable in the long term, but would also make it easier for someone to do their prosecuting job faster. And while important, threat intell sharing with law enforcement is not the panacea of squeezing the cybecrime ecosystem, since cybercrime should not be treated as the systematic abuse of common IT insecurities for fraudulent purposes, instead, it should be treated as a form of economic terrorism. Only then, would cybercrime receive the necessary attention instead of such comments regarding McColo or Atrivo - "Resource-wise, we can't be in the business of prevention. We have to be in the business of prosecution." Exactly. I guess that just like you cannot be a prophet in your own country, you cannot also be a prophet in your own agency, thankfully, the wisdom of the cybercrime fighting crowd is always there to take care and get zero credit at the end of the day.

Personally, 2009 is going to be the year when personalizing cybercriminals would be taking place on a more regular basis, so stay tuned for an upcoming report summarizing "behind the curtains" cybercrime activities in 2008, underground responses to some of major busts of year including the DarkMarket operation, the fraudulent schemes allowing them to cash-out digital assets into hard cash, the basics of their social networking model, who's who in the hierarchy of a sampled business model of vendors of ATM skimming devices, the post-DarkMarket OPSEC practices introduced in order for cybecrime communities to verify the authenticity of their customers, the process of advertising and operating underground services as well as the communication methods used, in short - all the juicy details, screenshots and photos courtesy of the owners and customers of the services that haven't been communicated to the industry and the world throughout 2008.

Find attached a photo teaser acting as a confirmation for the usefulness of "yet another stolen credit card details service" in the wild, and have a productive year exposing low lifes and spilling coffee over their business models.

Related posts:
76Service - Cybercrime as a Service Going Mainstream
Using Market Forces to Disrupt Botnets
Localizing Cybercrime - Cultural Diversity on Demand
Localizing Cybercrime - Cultural Diversity on Demand Part Two
EstDomains and Intercage VS Cybercrime
E-crime and Socioeconomic Factors
Money Mules Syndicate Actively Recruiting Since 2002
Price Discrimination in the Market for Stolen Credit Cards
Are Stolen Credit Card Details Getting Cheaper?
The Underground Economy's Supply of Goods Continue reading →

Cyber Jihadists part of the GIMF Busted

In one of those "better late than never" type of situations, last month members of the Global Islamic Media Front were busted in Germany. The group is largely known due to their releases and propaganda of the Technical Mujahid E-zine (Part Two) and the Mujahideen Secrets encryption tool (Second Version). GIMF was distributing its multimedia through popular Web 2.0 video sharing sites, perfectly fitting into the profile of the majority of cyber jihadist groups.

GIMF used to be one of my favorite sources of raw OSINT regarding various cyber jihadist activities due to its centralized nature and lack of any operational security in place, in particular the ways it was unknowingly exposing their social networks online.

Related posts:
GIMF Switching Blogs
GIMF Now Permanently Shut Down
GIMF - "We Will Remain"
Inshallahshaheed - Come Out, Come Out Wherever You Are
A List of Terrorists' Blogs
Cyber Jihadist Blogs Switching Locations Again
Wisdom of the Anti Cyber Jihadist Crowd
Analyses of Cyber Jihadist Forums and Blogs
Terror on the Internet - Conflict of Interest Continue reading →

Skype Phishing Pages Serving Exploits and Malware - Part Two

Dear malware spreader, here we meet again. It's been a while since I last wrote to you, half an year ago to be precise. Since I first met you, keeping (automated) track of your phishing campaigns serving old school VBS scripts has become an inseparable part of my daily routine.

I really enjoyed the fact that since then you've changed your email address from ikbaman@gmail.com to ikbasoft@gmail.com and due to its descriptive nature speaking for a software company set up, I can only envy your profitability. However, due to the tough economic times, your latest round of blended with malware phishing emails has to go down. I'm sure you'd understand, as it only took "5 minutes out of my online experience" to notice you, and so I'm no longer interested in processing the /service-peyment/ that you require on the majority of brandjacked subdomains that you keep creating at the very same ns8-wistee.fr.

secureskype.uuuq .com redirects to monybokers.ns8-wistee .fr/skype/cgi-bin/us/security/update-skype/service-peyment/update/login.aspx/index.htmls where the VBS is pushed, with its detection rate prone to improve. Continue reading →

Localized Social Engineering on Demand

If I were to come across this service last year, I'd be very surprised. But coming across it in 2008 isn't surprising at all, and that's the disturbing part.

Following the ongoing trend of localizing cybercrime (Localizing Cybercrime - Cultural Diversity on Demand; Localizing Cybercrime - Cultural Diversity on Demand Part Two) a new service takes the concept further by introducing a multilingual on demand social engineering service especially targeting scammers and fraudsters that are unable to "properly scam an international financial institution" due to the language limitations. What is the service all about? Currently offering to "talk cybercrime on behalf of you", the service is charging $9 for a call with increased use of it leading to the usual price discounts falling to $6 per call. The languages covered and the male/female voices available are as follows :

- English (3 male voices and 2 female ones)
- German (2 male voices and 1 female one)
- Spanish (1 male voice and 2 female ones)
- Italian (1 male voice and 1 female one)
- French (1 male voice and 1 female one)

If the service was only advertising male or female English voices, I'd suspect it of being run by a single individual using a commercial voice changer application, however, due to the fact that it's currently offering male and female voices in 5 languages, there's a great chance that these are in fact separate people they're working with. The ugly part is that the whole business model is very well thought of in the sense that given that fact that certain banks or online services can automatically freeze the assets to which the cybercriminal has access to, the service, through its multilingual capabilities can indeed convince the institution in the authenticity of the Spanish caller that's indeed Spanish based on the stolen personal information provided by the cybercriminal in the first place.

Where's the trade-off for cybercriminals? They would have to very specific in order for the service to work, meaning, they would have to use it as a intermediary by sharing data regarding compromised banking accounts, expected courier deliveries obtained through fraudulent means (stolen credit card details), and the service reserves the right not to work with them. Consequently, the people working with the service easily act as the weakest link in the process of exposing ongoing cybercrime or real-life crime activities, and compared to plain simple localization in the sense of translation services, the real nature of the type of conversations and impersonation happening through this one should be pretty obvious to the people offering their natural cultural diversity and voices for sale.

Despite that monetizing social engineering is not new, monetizing (accomplice) voices, and running a social engineering ring definitely is. Continue reading →

Localized Social Engineering on Demand

If I were to come aross this service last year, I'd be very surprised. But coming across it in 2008 isn't surprising at all, and that's the disturbing part.

Following the ongoing trend of localizing cybercrime (Localizing Cybercrime - Cultural Diversity on Demand; Localizing Cybercrime - Cultural Diversity on Demand Part Two) a new service takes the concept further by introducing a multilingual on demand social engineering service especially targeting scammers and fraudsters that are unable to "properly scam an international financial institution" due to the language limitations. What is the service all about? Currently offering to "talk cybercrime on behalf of you", the service is charging $9 for a call with increased use of it leading to the usual price discounts falling to $6 per call. The languages covered and the male/female voices available are as follows :

- English (3 male voices and 2 female ones)
- German (2 male voices and 1 female one)
- Spanish (1 male voice and 2 female ones)
- Italian (1 male voice and 1 female one)
- French (1 male voice and 1 female one)

If the service was only advertising male or female English voices, I'd suspect it of being run by a single individual using a commercial voice changer application, however, due to the fact that it's currently offering male and female voices in 5 languages, there's a great chance that these are in fact separate people they're working with. The ugly part is that the whole business model is very well thought of in the sense that given that fact that certain banks or online services can automatically freeze the assets to which the cybercriminal has access to, the service, through its multilingual capabilities can indeed convince the institution in the authenticity of the Spanish caller that's indeed Spanish based on the stolen personal information provided by the cybercriminal in the first place.

Where's the trade-off for cybercriminals? They would have to very specific in order for the service to work, meaning, they would have to use it as a intermediary by sharing data regarding compromised banking accounts, expected courier deliveries obtained through fraudulent means (stolen credit card details), and the service reserves the right not to work with them. Consequently, the people working with the service easily act as the weakest link in the process of exposing ongoing cybercrime or real-life crime activities, and compared to plain simple localization in the sense of translation services, the real nature of the type of conversations and impersonation happening through this one should be pretty obvious to the people offering their natural cultural diversity and voices for sale.

Despite that monetizing social engineering is not new, monetizing (accomplice) voices, and running a social engineering ring definitely is. Continue reading →

Summarizing Zero Day's Posts for November

The following is a brief summary of all of my posts at Zero Day for November. You can also go through previous summaries for October, September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed. Thanks for being with us.

Some notable articles for November include Black market for zero day vulnerabilities still thriving; Anti fraud site hit by a DDoS attack and Cybercriminals release Christmas themed web malware exploitation kit.

01. Black market for zero day vulnerabilities still thriving
02. Google and T-Mobile push patch for Android security flaw
03. Fake WordPress site distributing backdoored release
04. Koobface Facebook worm still spreading
05. Cyber terrorists to face death penalty in Pakistan
06. AVG and Rising signatures update detects Windows files as malware
07. BBC hit by a DDoS attack
08. Google fixes critical XSS vulnerability
09. $10k hacking contest announced
10. Anti fraud site hit by a DDoS attack
11. Commercial vendor of spyware under legal fire
12. Fake Windows XP activation trojan goes 2.0
13. Cybercriminals release Christmas themed web malware exploitation kit Continue reading →

The Koobface Gang Mixing Social Engineering Vectors

It's the Facebook message that came from one of your infected friends pointing you to an on purposely created bogus Bloglines blog serving fake YouTube video window, that I have in mind. The Koobface gang has been mixing social engineering vectors by taking the potential victim on a walk through legitimate services in order to have them infected without using any client-side vulnerabilities.

For instance, this bogus Bloglines account (bloglines .com/blog/Youtubeforbiddenvideo) has attracted over 150 unique visitors already, part of Koobface's Hi5 spreading campaign (catshof .com/go/hi5.php). The domain is parked at the very same IP that the rest of the central redirection ones in all of Koobface's campaigns are - 58.241.255.37.

Interestingly, since underground multitasking is becoming a rather common practice, the bogus blog has also been advertised within a blackhat SEO farm using the following blogs, currently linking to several hundred bogus Google Groups accounts :

bloglines .com/blog/gillehuxeda
bloglines .com/blog/chaneyok
bloglines .com/blog/ramosimeco
bloglines .com/blog/antwanuvfa
bloglines .com/blog/tamaraaqo
bloglines .com/blog/josephyhti
bloglines .com/blog/whiteqivaju
bloglines .com/blog/hayleyem
bloglines .com/blog/tateigyamor
bloglines .com/blog/burnsseuhaqe
bloglines .com/blog/jennaup

bloglines .com/blog/jermainedus
bloglines .com/blog/floydwopew55
bloglines .com/blog/arielehy
bloglines .com/blog/onealqypsu
bloglines .com/blog/mackirma
bloglines.com/blog/breonnazox
bloglines .com/blog/sabrinaxycit
bloglines .com/blog/gloverqy
bloglines .com/blog/lisaurja
bloglines .com/blog/greenefayg18
bloglines .com/blog/craigxiw36
bloglines .com/blog/parsonsdos
bloglines .com/blog/martinsutuz
bloglines .com/blog/deandreefe
bloglines .com/blog/briannetu
bloglines .com/blog/kierailpe
bloglines .com/blog/fordyfo27
bloglines .com/blog/litzyracnuj
bloglines.com/blog/darwinupi57
bloglines .com/blog/bonillavaok
bloglines .com/blog/jennyuxe85
bloglines .com/blog/wilkersonin
bloglines .com/blog/nicolasqydby
bloglines .com/blog/darbyeve
bloglines .com/blog/izaiahro83
bloglines .com/blog/parsonsdos
bloglines .com/blog/fullerjeb81

Abusing legitimate services may indeed get more attention in the upcoming year, following their interest in the practice from the last quarter.
Continue reading →

Dissecting the Koobface Worm's December Campaign

The Koobface Facebook worm -- go through an assessment of a previous campaign -- is once again making its rounds across social networking sites, Facebook in particular. Therefore, shall we spill a big cup of coffee over the malware campaigners efforts for yet another time? But of course.

Only OPSEC-ignorant malware campaigners would leave so much traceable points, in between centralizing the campaign's redirection domains on a single IP. For instance, taking advantage of free web counter whose publicly obtainable statistics -- the account has since been deleted -- allow us to not only measure the clickability of Koobface's campaign, but also, prove that they're actively multitasking by combining blackhat SEO and active spreading across several other social networking sites. Here are some of the key summary points for this campaign :

Key summary points :
- the hosting infrastructure for the bogus YouTube site and the actual binary is provided by several thousand dynamically changing malware infected IPs
- all of the malware infected hosts are serving the bogus YouTube site through port 7777
- the very same bogus domains acting as central redirection points from the November's campaign remain active, however, they've switched hosting locations
- if the visitor isn't coming from where she's supposed to be coming, in this case the predefined list of referrers, a single line of "scan ref" is returned with no malicious content displayed
- the campaign can be easily taken care of at least in the short term, but shutting down the centralized redirection points


What follows are the surprises, namely, despite the fact that Koobface is pitched as a Facebook worm, according to their statistics -- go through a previously misconfigured malware campaign stats -- the majority of unique visitors from the December's campaign appear to have been coming from Friendster. As for the exact number of visitors hitting their web counter, counting as of  7 November 2008, 12:58, with 91,109 unique visitors on on 07 Nov, Fri and another 53,260 on 08 Nov, Sat before the counter was deleted, the cached version of their web counter provides a relatively good sample.

On each of the bogus Geocities redirectors, the very same lostart .info/js/gs.js (58.241.255.37) used in the previous campaign, attempts to redirect to find-allnot .com/go/fb.php (58.241.255.37) or to playtable .info/go/fb.php (58.241.255.37), with fb.php doing the referrer checking and redirecting to the botnet hosts magic. Several other well known malware command and control locations are also parked at 58.241.255.37 :

jobusiness .org
a221008 .com
y171108 .com
searchfindand .com
ofsitesearch .com
fashionlineshow .com
anddance .info
firstdance .biz
prixisa .com
danceanddisc .com
finditand .com
findsamthing .com
freemarksearch .com
find-allnot .com
find-here-and-now .com
findnameby .com
anddance .info

These domains, with several exeptions, are actively participating in the campaign, with the easiest way to differentiate whether it's a Facebook or Bebo redirection, remaining the descriptive filenames. For instance, fb.php corresponds to Facebook redirections and be.php corresponding to Bebo redirections (ofsitesearch .com/go/be.php). However, the meat resides within the statistics from their campaign :

Malware serving URLs part of Koobface worm's December's campaign, based on the identical counter used across all the malicious domains :
youtube-x-files .com
youtube-go .com
youtube-spy.5x .pl
youtube-files.bo .pl
youtube-media.none .pl
youtube-files.xh .pl
youtube-spy.dz .pl
youtube-files.esite .pl
youtube-spy.bo .pl
youtube-spy.nd .pl
youtube-spy.edj .pl
spy-video.oq .pl
shortclips.bubb .pl
youtubego.cacko .pl

asda345.blogspot .com
uholyejedip556.blogspot .com
ufyaegobeni7878.blogspot .com
uiyneteku20176.blogspot .com
ujoiculehe19984.blogspot .com
uinekojapab29989.blogspot .com
uhocuyhipam13345.blogspot .com

Geocities redirectors participating :
geocities .com/madelineeaton10/index.htm
geocities .com/charlievelazquez10/index.htm
geocities .com/raulsheppard18/index.htm

Sample malware infected hosts used by the redirectors :
92.241.134 .41:7777/?ch=&ea=
89.138.171 .49:7777/?ch=&ea=
92.40.34 .217:7777/?ch=&ea=
79.173.242 .224:7777/?ch=&ea=
122.163.103 .91:7777/?ch=&ea=
217.129.155 .36:7777/?ch=&ea=
84.109.169 .124:7777/?ch=&ea=
91.187.67 .216:7777/?ch=&ea=
84.254.51 .227:7777/?ch=&ea=
190.142.5 .32:7777/?ch=&ea=
190.158.102 .246:7777/?ch=&ea=
201.245.95 .86:7777/?ch=&ea=
78.90.85 .7:7777/?ch=&ea=
82.81.25 .144:7777/?ch=&ea=
78.183.143 .188:7777/?ch=&ea=
89.139.86 .88:7777/?ch=&ea=
85.107.190 .105:7777/?ch=&ea=
84.62.84 .132:7777/?ch=&ea=
78.3.42 .99:7777/?ch=&ea=
92.241.137 .158:7777/?ch=&ea=
77.239.21 .34:7777/?ch=&ea=
41.214.183 .130:7777/?ch=&ea=

90.157.250 .133:7777/dt/?ch=&ea=
89.143.27 .39:7777/?ch=&ea=
91.148.112 .179:7777/?ch=&ea=
94.73.0 .211:7777/?ch=&ea=
124.105 .187.176:7777/?ch=&ea=
77.70.108  .163:7777/?ch=&ea=
190.198.162 .240:7777/?ch=&ea=
89.138.23 .121:7777/?ch=&ea=
190.46.50 .103:7777/?ch=&ea=
80.242.120 .135:7777/?ch=&ea=
94.191.140 .143:7777/?ch=&ea=
210.4.126 .100:7777/?ch=&ea=
87.203.145 .61:7777/?ch=&ea=
94.189.204 .22:7777/?ch=&ea=
92.36.242 .47:7777/?ch=&ea=
77.78.197 .176:7777/?ch=&ea=
94.189.149 .231:7777/?ch=&ea=
89.138.102 .243:7777/?ch=&ea=
94.73.0 .211:7777/?ch=&ea=
79.175.101 .28:7777/?ch=&ea=
78.1.251 .26:7777/?ch=&ea=
201.236.228 .38:7777/?ch=&ea=
85.250.190 .55:7777/?ch=&ea=
211.109.46 .32:7777/?ch=&ea=
91.148.159 .174:7777/?ch=&ea=
87.68.71 .34:7777/?ch=&ea=
85.94.106 .240:7777/?ch=&ea=
195.91.82 .18:7777/?ch=&ea=
85.101.167 .197:7777/?ch=&ea=
193.198.167 .249:7777/?ch=&ea=
94.69.130 .191:7777/?ch=&ea=
79.131.26 .192:7777/?ch=&ea=
190.224.189 .24:7777/?ch=&ea=

119.234.7 .230:7777/?ch=&ea=
199.203.37 .250:7777/?ch=&ea=
89.142.181 .226:7777/?ch=&ea=
84.110.120 .82:7777/?ch=&ea=
119.234.7 .230:7777/?ch=&ea=
84.110.253 .163:7777/?ch=&ea=
82.81.163 .40:7777/?ch=&ea=
79.179.249 .218:7777/?ch=&ea=
190.224.189 .24:7777/?ch=&ea=
79.179.249 .218:7777/?ch=&ea=
87.239.160 .132:7777/?ch=&ea=
79.113.8 .107:7777/?ch=&ea=
81.18.54 .6:7777/?ch=&ea=
118.169 .173.101:7777/?ch=&ea=
85.216.158 .209:7777/?ch=&ea=
219.92.170 .4:7777/?ch=&ea=
79.130.252 .204:7777/?ch=&ea=
93.136.53 .239:7777/?ch=&ea=
62.0.134 .79:7777/?ch=&ea=
79.138.184 .253:7777/?ch=&ea=
173.16.68 .18:7777/?ch=&ea=
190.155.56 .212:7777/?ch=&ea=
190.20.68 .136:7777/?ch=&ea=
119.235.96 .173:7777/?ch=&ea=
77.127.81 .103:7777/?ch=&ea=
190.132.155 .122:7777/?ch=&ea=
89.138.177 .91:7777/?ch=&ea=

79.178.111 .25:7777/?ch=&ea=
84.109.1 .15:7777/?ch=&ea=
89.0.157. 1:7777/?ch=&ea=
122.53.176 .43:7777/?ch=&ea=
200.77.63 .190:7777/?ch=&ea=
67.225.102 .105:7777/?ch=&ea=
119.94.171 .114:7777/?ch=&ea=
125.212.94 .80:7777/?ch=&ea=

Detection rate for the binary, identical across all infected hosts participating :
flash_update.exe (Win32/Koobface!generic; Win32.Worm.Koobface.W)
Detection rate : 28/38 (73.69%)
File size: 27136 bytes
MD5...: 3071f71fc14ba590ca73801e19e8f66d
SHA1..: 2f80a5b2575c788de1d94ed1e8005003f1ca004d

Koobface's social networks spreading model isn't going away, but it's domains definitely are.

Related posts:
Dissecting the Latest Koobface Facebook Campaign
Fake YouTube Site Serving Flash Exploits
Facebook Malware Campaigns Rotating Tactics
Phishing Campaign Spreading Across Facebook
Large Scale MySpace Phishing Attack
Update on the MySpace Phishing Campaign
MySpace Phishers Now Targeting Facebook
MySpace Hosting MySpace Phishing Profiles
Continue reading →