According to a
blog post at PandaLabs, a massive and very persistent blackhat SEO campaign exclusively hijacking "
hot BBC and CNN news" related keywords has once again popped-up on their radars.
The campaign itself has been active since April, when I last analyzed it.
What has changed?
Instead of relying on purely malicious domains, the
Ukrainian fan club, the one with the Koobface connection, remains the most active blackhat SEO group on the Web, and due to the quality of the historical OSINT making it possible to detect their activity --
practice which prompts them to
insult back -- they're also starting to put efforts into making it look like it's another group.
However, knowing the tools and tactics that they use, next to evident efficiency-centered mentality, they continue leaving minor leads that make it possible to establish a direct relationship between the group, the Koobface worm and the majority of blackhat SEO campaigns launched during the last couple of months across the entire Web.
The "News Items" themed blackhat SEO campaign is also serving scareware from the domains already participating in the U.S Federal Forms themed blackhat SEO campaign, what's new is the typical dynamic change of the redirectors in place.
Let's dissect a sample campaign currently parked at
coolinc.info. Once the http referrer checks are met,
bernie-madoff.coolinc .info/fox-25-news.html executes the campaign through a static images/ads.js located on all of the subdomains participating in campaign (
bernie-madoff.coolinc .info/images/ads.js;
eenadu-epaper.hmsite .net/images/ads.js) with generic detection triggered only by Sophos as Mal/ObfJS-CI.
Through a series of redirectors -
usanews2009 .com/index.php - 78.46.129.170 - Email: derrick2@mail.ru;
newscnn2009 .com/index.php - 193.9.28.62 - Email: derrick2@mail.ru;
cnnnews2009 .com/index.php - 91.203.146.38 - EMail: derrick2@mail.ru; the user is redirected to the scareware domain through
justintimberlakestream .com/?pid=95&sid=4e6ffe - 193.169.12.70; Email: info@zebrainvents.com.
The
scareware itself (phones back to
worldrolemodeling .com/?b=1s1 - 193.169.12.71) is
dynamically served through 78.46.201.89; 193.169.12.70 and 92.241.177.207 with an diverse portfolio of fake security software domains parked there.
Parked at 92.241.177.207 are:
best-scanpc .com
bestscanpc .org
downloadavr2 .com
downloadavr3 .com
trucount3005 .com
antivirus-scan-2009 .com
antivirusxppro-2009 .com
advanced-virus-remover-2009 .com
advanced-virusremover-2009 .com
advanced-virus-remover2009 .com
advanced-virusremover2009 .com
best-scanpc .com
bestscanpc .com
xxx-white-tube .com
rude-xxx-tube .com
blue-xxx-tube .com
trucountme .com
10-open-davinci .com
vs-codec-pro .com
vscodec-pro .com
1-vscodec-pro .com
download-vscodec-pro .com
v-s-codecpro .com
antivirus-2009-ppro .com
onlinescanxppro .com
downloadavr .com
bestscanpc .info
bestscanpc .net
ns1.megahostname .biz
ns2.megahostname .biz
Parked at 78.46.201.89 (IP used in the
U.S Federal Forms themed blackhat SEO campaign) are also:
virscan-online1 .com
virscan-live1 .com
antivirus-promo-scan1 .com
valueantivirusshop1 .com
megaspywarescan2 .com
worldbestonlinescanner2 .com
hqvirusscanner2 .com
warningmalwarealert2 .com
totalspywarescan3 .com
antivirus-promo-scanner3 .com
bewareofvirusattacks3 .com
totalspywarescan4 .com
worldbestonlinescan5 .com
megaspywarescan5 .com
totalspywarescan5 .com
hqvirusscanner5 .com
warningmalwarealert5 .com
hqvirusscanner8 .com
antivirus-promo-scan9 .com
worldbestonlinescan9 .com
antivir-scan-my-pc .com
antivir-scan-online .comremove-all-pc-adware .com
antivir-my-pc-scan .com
leading-malware-scan .com
leading-antispyware-scan .com
antivirus-promo-scan .com
tryantivir-scan .com
leading-antivirus-scan .com
megaspywarescan .com
totalspywarescan .com
worldsbestantivirscan .com
awardantivirusscan .com
winningantivirusscan .com
tryantivirusscan .com
worldsbestscan .com
tryantivir-scanner .com
worldbestonlinescanner .com
tryantivirscanner .com
tryantivirusscanner .com
hqvirusscanner .com
worldsbestscanner .com
antivirscanmycomputer .com
warningvirusspreads .com
bewareofvirusattacks .com
secure.web-software-payments .com
warningmalwarealert .com
warningspywarealert .com
warningvirusalert .com
Parked at 193.169.12.70 are also more scareware domains/payment gateways/malware redirectors used in the campaign:
colonizemoon2010 .com
blastertroops2011 .com
virscan-online1 .com
virscan-live1 .com
antivirus-promo-scan1 .com
valueantivirusshop1 .com
megaspywarescan2 .com
worldbestonlinescanner2 .com
hqvirusscanner2 .com
warningmalwarealert2 .com
antivirus-promo-scanner3 .com
bewareofvirusattacks3 .com
totalspywarescan4 .com
worldbestonlinescan5 .com
megaspywarescan5 .com
totalspywarescan5 .com
hqvirusscanner5 .com
warningmalwarealert5 .com
hqvirusscanner8 .com
antivirus-promo-scan9 .com
worldbestonlinescan9 .com
antivir-scan-my-pc .com
becomemybestfriend .com
bravemousepride .com
antivir-scan-online .com
emphasis-online .com
justseethisonline .com
futureshortsonline .comremove-all-pc-adware .com
waitforsunrise .com
funpictureslive .com
justintimberlakestream .com
antivir-my-pc-scan .com
leading-malware-scan .com
leading-antispyware-scan .com
antivirus-promo-scan .com
tryantivir-scan .com
leading-antivirus-scan .com
totalspywarescan .com
worldsbestantivirscan .com
awardantivirusscan .com
winningantivirusscan .com
tryantivirusscan .com
worldsbestscan .com
tryantivir-scanner .com
worldbestonlinescanner .com
tryantivirscanner .com
tryantivirusscanner .com
hqvirusscanner .com
worldsbestscanner .com
antivirscanmycomputer .com
obbeytheriver .com
obamanewterror .com
warningvirusspreads .com
watch2010movies .com
primeareanetworks .com
investmenttooltips .com
executive-officers .com
newsoverworldhot .com
management-overview .com
justthingsyouneedtoknow .com
criticalmentality .comIn between the central redirectors, counters from known domains affiliated with the Ukrainian fan club are also embedded as iFrames -
sexualporno .ru/admin/red/counter2.html (74.54.176.50; Email: skypixre@nm.ru) leading to
sexualporno .ru/admin/red/mwcounter.html. Parked on
74.54.176.50 are related domains that were once using the
ddanchev-suck-my-dick.php redirection, such as
sexerotika2009 .ru;
celki2009 .ru;
seximalinki .ru and
videoxporno .ru, as well as the de-facto counter used by the gang - c.hit.ua/hit?i=6001.
Does this admin/red directory structure ring a bell? But, of course. In fact the
ddanchev-suck-my-dick redirectors originally introduced by the Ukrainian fan club are still in circulation - for instance not only is
videoxporno .ru/admin/red/ddanchev-suck-my-dick.php (parked at the very same 74.54.176.50) still active, but the gang has pushed an update to all of their campaigns, once again establishing a direct connection between previous ones and the ongoing "News Items" themed one.
The
ddanchev-suck-my-dick.php file has a similar Mac, Firefox and Chrome check just like the U.S federal forms themed campaign, and the original "Hot News" themed campaigns -
if (navigator.appVersion.indexOf("Mac")!=-1) window.location="http://www.zml.com/?did=5663";[. The script also includes a central iFrame from the now known malicious
coolinf .info -
dash-store.coolinc .info/images/levittpedofil.html which redirects to
1008.myhome .tv/888.php,
popoz.wo .tc/p/go.php?sid=4 and
1009.wo .tc/8/ss.php to finally load the now known
justintimberlakestream .com/?pid=42&sid=8f68b5.
The bottom line - the Ukrainian "fan club" is a very decent example of a multitasking cybecrime enterprise that is not only systematically abusing all the major Web 2.0 services, but is also directly involved with
the Koobface botnet.
Monitoring of their campaigns, and take down actions would continue.
Related posts:Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO CampaignU.S Federal Forms Blackhat SEO Themed Scareware Campaign ExpandingBlackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware A Peek Inside the Managed Blackhat SEO Ecosystem Historical OSINT of the group's blackhat SEO campaigns pushing Koobface samples, and the connections between the campaigns:Movement on the Koobface Front - Part Two -- detailed account of the domain suspension and direct ISP take down actions against the gang during the last month
Movement on the Koobface FrontKoobface - Come Out, Come Out, Wherever You AreDissecting a Swine Flu Black SEO CampaignMassive Blackhat SEO Campaign Serving ScarewareFrom Ukrainian Blackhat SEO Gang With LoveFrom Ukrainian Blackhat SEO Gang With Love - Part TwoFrom Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms From Ukraine with Bogus Twitter, LinkedIn and Scribd AccountsFake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at BlogspotThis post has been reproduced from Dancho Danchev's blog.
If my Ukrainian "fan club" can exploit weaknesses in the online ad publishing model for scareware serving purposes, anyone else could. 
Who's behind this malvertising campaign? Let the data speak for itself.
The NYTimes.com malvertisement assessment also highlights tradenton .com - 212.117.166.69 - Email: shawn@tradenton.com as the domain used in the ad rotation. Interestingly, related malvertisement domains managed by the same gang, have already been reported in related malvertising attacks, are also parked on the same IP:
