Wednesday, May 27, 2009

3rd SMS Ransomware Variant Offered for Sale

The concept of ransomware is clearly making a comeback. During the past two months, scareware met the ransomware business model in the face of File Fix Professional 2009 and FakeAlert-CO or System Security, followed by two separate SMS-based ransomware variants Trj/SMSlock.A and a modified version of it.

The very latest one is once again offered for sale, with a social engineering theme attempting to trick the infected user that as of 1st of May Microsoft is launching a new anti-pirates initiative, and that unless a $1 SMS is sent in order to receive the deactivation code back, their copy of Windows will remain locked.

Key features:
Support for Windows 98/Vista
- Blocks the entire desktop
- Locks system key combinations attempting to remove it
- Copied to the system folder (the file is almost impossible to find)
- Can be put in the startup
- Launches the blocking system before the desktop appears upon reboot 
- Blocks all windows including the Task Manager
- Upon entering the secret code, the ransomware is removed from the system folder and autorun

The price for a custom-made version with the customer's own SMS data is $10, with $5 per new (undetected) copy, as well as the complete source code available for $50 again from the same vendor.

From a "visual social engineering" perspective, the one that make scareware what it is as product -- a product which would have scaled so fast if it wasn't the distribution channel in the form of web site compromises and blackhat SEO at the first place -- the latest SMS ransomware variant lacks any significant key visual features which can compete with for instance, the DIY fake Windows XP activation trojan and its 2.0 version.

With the emerging localization on demand services offering translations for phishing, spam and malware campaigns into popular international languages, it wouldn't take long before the SMS ransomware starts targeting English-speaking users next to the hardcoded Russian speaking ones for the time being.

Tuesday, May 26, 2009

Inside a Money Laundering Group's Spamming Operations

UPDATE: The command and control domain has been taken care of courtesy of the brisk response of OC3 Networks Abuse Team.

Next to the efficiency and cost-effectiveness centered cybercriminals having anticipated the outsourcing (Cybercrime-as-a-Service) model a long time ago, there are those self-serving groups of cybercriminals which engage in literally each and every aspect of cybercrime - money mule recruiters in this very specific case.


What do the known money laundering aliases such as Value Trans Financial Group, Inc. (valuetrans.biz); Advance Finance Group LLC (af-g.net); ABP Capital (abpcapital.com); Premium Financial Services (advance-financial-products.org); eTop Group Inc. (etop-groupli.cc); Liberty Group Inc. (libertygroup.cc); Eagle Group Inc. (eaglegroupmain.cn); Star Group Inc. (eagle-group.net); DBS Group Inc. (dbs-group.cn); FB&B Group Inc. (fbb-groupli.cc); Advance Finance Group LLC (af-g.net); DC Group Inc. (dc-group.cn); IBS Group Inc. (ibsgroup.cc; ibsgroupli.cn) and FCB Group Inc. (fcb-group.cc) have in common?

It's a 31,000 infected hosts botnet which they use exclusively for spamming.

The money laundering organization describes itself as:
"The company was set up in 1990 in New York, the USA by three enthusiasts who have financial education. The head of the company was Karl Schick. At the very beginning of its business activity the company provided fairly narrow range of services at the investment market. Within 15 years of hard work the company has acquired international standing and managed to develop into a global financial holding with the staff of 3,000 people and headquarters in more than 100 countries of the world."

Interestingly, on the majority of occasions cybercriminals tend to undermine the level of operational security that they could have achieved at the first place, and this is one of those cases where their misconfigured botnet command and control allows other cybercriminals to hijack their botnet, and security researchers to shut it down effectively.

The people behind this money laundering organization are either lazy, or ignorant to the point where the botnet's command and control interface would be using the very same web server that they use for recruitment purposes.

Here are some screenshots of their command and control interface used exclusively for spam campaigns:







The domain is registered to supp3ortnewest@safe-mail.net and the DNS services are courtesy of one.goldwonderful9.info; ns.partnergreatest8.net; back.partnergreatest8.net; two.goldwonderful9.info which are the de-facto DNS servers for a huge number of related and separate money laundering brand portfolios (the quality of the historical CYBERINT on behalf of Bobbear is the main reason why commissioned DDoS attacks were hitting the site last year).

Taking down the group's command and control domain is in progress.

Tuesday, May 19, 2009

GazTranzitStroyInfo - a Fake Russian Gas Company Facilitating Cybercrime

"In gaz we trust"? I'd rather change GazTranzitStroyInfo's vision to HangUp Team's infamous - "in fraud we trust". It is somehow weird to what lengths would certain cybercriminals go to create a feeling of legitimacy of their enterprise.

AS29371 - gaztranzitstroyinfo LLC - 91.212.41.0/24 based in Russia, Sankt Peterburg, Kropotkina 1, office 299, is one of them. Let's "drill" for some malicious activity at GazTranzitStroyInfo, and demonstrate how cybercriminals are converging different hosting providers to increase the lifecycle of their campaigns.

The recent peak of fake codecs (for instance video-info .info and sex-tapes-celebs .com serving softwarefortubeview.40018.exe) puts the spotlight on GazTranzitStroyInfo and its connections with another rogue hosting provider in the face of AS48841, EUROHOST-AS Eurohost LLC, which was providing hosting infrastructure to the scareware domains part of Conficker's Scareware Monetization strategy, and continues to do so for a great deal of exploits/malware serving domains, next to AS10929 NETELLIGENT Hosting Services Inc. where the infrastructure of the three hosting providers has converged.

Let's detail some malicious activity found at GazTranzitStroyInfo. The following are redirectors to live exploits/zeus config files/scareware found within AS29371 and pushed through blackhat SEO and web site compromises:

peopleopera .cn - 91.212.41.96
forexsec .cn
vitamingood .cn
bookadorable .cn
drawingstyle .cn
housedomainname .cn
workfuse .cn
schoolh .cn
rainfinish .cn
housevisual .cn
worksean .cn
liteauction .cn
newtransfer .cn
oceandealer .cn
musicdomainer .cn
websiteflower .cn
designroots .cn
islandtravet .cn
litefront .cn
clubmillionswow .cn


softwaresupport-group .com - 91.212.41.91
bestfindahome .cn
dastrealworld .ru
elantrasantrope .ru
borishoffbibi .ru
sandiiegoexpo .ru
nightplayauto .ru
startdontstop .ru


nicdaheb .cn - 91.212.41.119
sehmadac .cn
vavgurac .cn
tixleloc .cn
xidsasuc .cn
cuzlumif .cn
teyrebuf .cn
hifgejig .cn
tukhemaj .cn
rogkadej .cn
wuhwasum .cn
sipcojeq .cn
tixwagoq .cn
silzefos .cn
popyodiw .cn
cakpapaz .cn


Rogue security software:
addedantivirusonline .com - 91.212.41.114
addedantivirusstore .com
addedantiviruslive.com
addedantiviruspro.com
countedantiviruspro.com
myplusantiviruspro.com
easyaddedantivirus.com
yourcountedantivirus.com
bestcountedantivirus.com
yourplusantivirus.com


For instance, a sampled domain such as housedomainname .cn/in.cgi?6 redirects us to securityonlinedirect .com/scan.php?affid=02083 which is serving scareware with hosting courtesy of AS10929 Netelligent Hosting Services Inc, which in case you remember popped-up in the Diverse Portfolio of Fake Security Software - Part Twenty. At securityonlineworld .com (209.44.126.22) we also have a portfolio of scareware domains:

thestabilityweb .com
securityonlineworld .com
websecuritypolice .com
wwwsafeexamine .com
dynamicstabilityexamine .com
networkstabilityexamine .com
safetyscansite .com
onlinesafetyscansite .com
securityscansite .com
stabilityonlineskim .com
socialsecurityscan .com
securityexamination .com
internetsecuritymetrics .com
onlinebrandsecuritys .com
securityonlinedirect .com
scanstabilityinternet .com
stabilityaudit .com
websecuritybureau .com
safewebsecurity .com
webbrowsersecurity .com
futureinternetsecurity .com
superiorinternetsecurity .com


The fake codec at video-info .info (AS29371 - gaztranzitstroyinfo LLC) is in fact downloaded from kir-fileplanet .com - 91.212.65.54 (AS48841; EUROHOST-NET) where more malicious activity is easily detected at:

downloadmax .org - 91.212.65.19
hd-codec .com
shotgol .com
kauitour .com
coecount .com
countbiz .com
videoaaa .net
7stepsmedia .net
ispartof .net
amoretour .net
browardcount .net


trucount3000 .com - 91.212.65.10; 91.212.65.29
trucount3001 .com
trucount3002 .com
antivirus-xppro-2009.com
onlinescanxppp .com
onlinescanxpp .com
onlinescanxp .com
free-webscaners .com


In cybercriminals I don't trust.

Related posts:
Fake Codec Serving Domains from Digg.com's Comment Spam Attack
Lazy Summer Days at UkrTeleGroup Ltd
Bogus LinkedIn Profiles Redirect to Malware and Rogue Security Software
Massive Blackhat SEO Campaign Serving Scareware
EstDomains and Intercage VS Cybercrime
The Template-ization of Malware Serving Sites
The Template-ization of Malware Serving Sites - Part Two
Malware campaign at YouTube uses social engineering tricks
Poisoned Search Queries at Google Video Serving Malware
Syndicating Google Trends Keywords for Blackhat SEO

Related Russian Business Network coverage:
The New Media Malware Gang - Part Four
The New Media Malware Gang - Part Three
The New Media Malware Gang - Part Two
The New Media Malware Gang
Rogue RBN Software Pushed Through Blackhat SEO
RBN's Phishing Activities
RBN's Puppets Need Their Master
RBN's Fake Account Suspended Notices
A Diverse Portfolio of Fake Security Software
Go to Sleep, Go to Sleep my Little RBN
Exposing the Russian Business Network
Detecting the Blocking the Russian Business Network
Over 100 Malwares Hosted on a Single RBN IP
RBN's Fake Security Software
The Russian Business Network

Thursday, May 14, 2009

A Diverse Portfolio of Fake Security Software - Part Twenty

Has the cloudy economic climate hit the scareware business model, the single most efficient and high-liquidity monetization practice that's driving the majority of blackhat SEO and malware attacks?  The affiliate networks are either experiencing a slow Q2, or are basically experimenting with profit optimization strategies.

Following the "aggressive" piece of scareware with elements of ransomware discovered in March, a new version of the rogue security software is once again holding an infected system's assets hostage until a license is purchased.

This tactic is however a great example of the dynamics of underground ecosystem (The Dynamics of the Malware Industry - Proprietary Malware Tools; The Underground Economy's Supply of Goods; 76Service - Cybercrime as a Service Going Mainstream; Zeus Crimeware as a Service Going Mainstream; Will Code Malware for Financial Incentives; The Cost of Anonymizing a Cybercriminal's Internet Activities - Part Two; Using Market Forces to Disrupt Botnets; E-crime and Socioeconomic Factors; Price Discrimination in the Market for Stolen Credit Cards; Are Stolen Credit Card Details Getting Cheaper?).

Despite the fact that it's the network of cybercriminals that pays and motivates other cybercriminals to SQL inject legitimate sites, send spam, embedd malicious code through compromised accounts and launch blackhat SEO campaigns, it cannot exist without the traffic that they provide, and is therefore competing with other affiliate networks for it.

For your blacklisting, case-building and cross-checking pleasure, currently active blackhat SEO and Koobface campaigns monetize the traffic through the following rogue domains:

yourpcshield .com (209.44.126.14) - AS10929 NETELLIGENT Hosting Services Inc. Email: bershkapull@gmail.com
virustopshield .com
totalvirushield .com
pcguardscan .com
topwinsystemscan .com
basevirusscan .com
systemvirusscan .com
bastvirusscan .com
myfirstsecurityscan .com
fastviruscleaner .com
allvirusscannow .com


freeforscanpc .com (209.44.126.241) - AS10929 NETELLIGENT Hosting Services Inc.
truevirusshield .com
totalvirusshield .com
hypersecurityshield .com
scanyourpconline .com
allowedwebsurfing .com
xvirusdescan .com
securitytrustscan .com
fullsecurityaction .com
fullvirusprotection .com
fullsecuritydefender .com
hupersecuritydot .com
trustedwebsecurity .com
greatscansecurity .com
updateyoursecurity .com
 

antimalware-scannerv2 .com (78.46.88.202) - AS16265 LeaseWeb AS Amsterdam, Netherlands Email: basni@lewispr.com
onlinevirusbusterv2 .com
xpvirusprotection2009 .com
total-malwareprotection .com
total-virusprotection .com
xpvirusprotection .com
bestbillingpro .com
truconv .com


safeinternettoolv1 .com (212.117.165.126; 38.99.170.9; 69.4.230.204; 78.47.91.153) - AS36351 SOFTLAYER Technologies Inc; AS24940 HETZNER-AS Hetzner Online AG RZ-Nuernberg; AS44042 ROOT-AS root eSolutions; AS174 COGENT /PSI Email: info@dmf.com.tr
antivirusquickscanv1 .com
computerscanv1 .com
antivirusbestscannerv1 .com
antiviruslivescanv3 .com
proantivirusscanv3 .com
fullantispywarescan .com
webscannertools .com
approved-payments .com


ms-scan .org (84.19.184.160) - AS31103 KEYWEB-AS Keyweb AG, Email: strider.glider@gmail.com
system-protector .org
system-protector .net
av-lookup .com
ms-scan .info
srv-scan .us
ms-scan .net
ms-scan .biz
srv-scan .biz


bitcoreguard .net (72.232.187.197) AS22576 LAYEREDTECH Layered Technologies, Email: cbristed1996@gmail.com
bitcoreguard .com

coreguard2009 .com (78.46.151.181) - AS24940 HETZNER-AS Hetzner Online AG RZ-Nuernberg Email: iversbradly72@gmail.com
coreguard2009 .biz
coreguard2009 .net


coreguardlab2009 .biz (95.211.14.161) - AS16265 LeaseWeb AS Amsterdam, Netherlands, Email: stivpanama@gmail.com
coreguardlab2009 .net
coreguardlab2009 .com


guardlab .com (72.232.187.198) - AS22576 LAYEREDTECH Layered Technologies Email: alexvasiliev1987@cocainmail.com
guardav .com

guardlab2009 .biz (76.76.103.164) - AS21548 MTO Telecom Inc. Email: stivpanama@gmail.com
guardlab2009 .net
guardlab2009 .com


Related posts:
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
A Diverse Portfolio of Fake Security Software - Part Nineteen
A Diverse Portfolio of Fake Security Software - Part Eighteen
A Diverse Portfolio of Fake Security Software - Part Seventeen
A Diverse Portfolio of Fake Security Software - Part Sixteen
A Diverse Portfolio of Fake Security Software - Part Fifteen
A Diverse Portfolio of Fake Security Software - Part Fourteen
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software

Tuesday, May 12, 2009

SMS Ransomware Source Code Now Offered for Sale

Remember the ransomware variant that was locking down user's PCs and demanding a premium SMS in order for them to receive the unlocking code?

In an attempt to further monetize the "innovative" practice of converging Windows-based malware and premium SMS numbers operated by the cybercriminals, a do-it-yourself version of the ransomware is currently offered for sale for a mere $15.

Here are some of its features:
- When executed presents the uset with a Blue Screen of Death style error message
- A simple auto-loading feature ensuring it will load every time the host is rebooted, completely disables the startup shell in order to become the first application to appear upon reboot
- Disables Windows Task Manager, Registry Editor, default shortcuts for terminating a program

The vendor would also like to remind its customers that "the application is for educational purposes only", next to a comment on how all of their current customers are fully satisfied with the money they're making by locking infected user's PCs. This piece of ransomware has been spreading across the Russian web space since April, and with its source code now offered for sale, it's only a matter of time before the error messages get localized to multiple languages courtesy of localization on demand cybercrime-friendly services breaking any language barrier for a spam/malware campaign.

However, from an operational security (OPSEC) perspective which I often emphasize on in order to demonstrate how efficient cybercrime facilitating tactics increase the probability of successfully tracking down the people behind a particular attack, this premium SMS based ransomware tactic is exposing the people behind the campaign much easily due to its reliance on a mobile operator, compared to GPCode's virtual money exchange approach (Who's behind the GPcode ransomware?) which given they put enought efforts, the process can be virtually untraceable.

Despite the fact that vendors have already released unlock code generators for the SMS ransomware, taking into consideration the potential for widespread ransomware campaigns through the now ubiqitous revenue generator in the form of scareware (Scareware meets ransomware: "Buy our fake product and we'll decrypt the files"), the concept is not going away anytime soon.

Related posts:
Mobile Malware Scam iSexPlayer Wants Your Money
New mobile malware silently transfers account credit
New Symbian-based mobile worm circulating in the wild

Wednesday, May 06, 2009

Dating Spam Campaign Promotes Bogus Dating Agency

From Sweet Sugar Anastasia, Svetlana, Angela, Marino4ka, Irina, Hot Julia, Ane4ka, Nastya, and Yulia, to the Lonely Polina and the malware and exploits serving girls, Russian/Ukrainian dating scams are still pretty active these days.

A recently spammed dating campaign exposes the fraudulent practices of a well known such agency (Confidential Connections) that has been changing its name, typosquatting new domains in order to remain beneath the radar, a bit of an awkward practice given their noisy spamming approach of attracting visitors.

The spam's message:
"Good day, my gentleman!

All love is probationary, a fact which frightens women and exhilarates men. I believe that unarmed truth and unconditional love will have the final word in reality. I was born in a friendly, cultured family and would like to have the same family in my own life. I love nature, flowers, music, dancing. I like to receive guests at home and spend time with friends. I always try to use opportunity to travel and see new places in the world. I have a good, quite and merry character, don't like argues and rows. I hope to meet a white man, Christian, clever. Besides I would like to meet a good person with a good sense of humor, who wants to create a good strong family. If you would be loved, love and be lovable. I am waiting for you http://iam-waiting4love .com/infinity/

Waiting for your mail
Sveetlana B.
"

The user is then asked to register at hifor-you .com/register.php followed by an email confirmation explaining how the agency/scam at ualadys .com (76.74.250.239 Email: Tyom13@aol.com) works:

"We view ourselves as more of MATCHMAKERS than a mere Introduction Company. We DO NOT BUY OR SELL addresses of Ladies from other agents. Rather, we take the time and effort to meet each Lady referred to us in person, interview her at length, checkout her credentials to make sure her intentions are proper, before she gets hosted as our client. It is this knowledge of the Ladies that allows us to select the right persons to introduce to each man.

 

Compatibility is the KEY. Our formula is simple, yet highly productive:
1. You fill out our profile, same as the Ladies
2. Select the Ladies you would like to meet
3. Until you have a predetermined amount of Ladies reply with a yes
4. During your trip meetings are scheduled on a private, one-on-one setting, with an interpreter to assist you (if you require one) We know that your time is limited when you go on trip. This is a very efficient selections process that saves your time and, in fact, allows you the extra time to really get to know the Ladies. 


All meetings are one-on-one. We do not organize socials that do not work. Our service is usually based upon a male clients access to time and his available budget. The normal procedure is for a client to look through our gallery of Ladies, select the Ladies for pre-qualification, and correspond with them by e-mail or phone, than arrange a one-on-one visit. Still others, after viewing the Ladies, decide that the best overall approach would be to simply go there and meet as many women as we can arrange for them to meet, and spend time with them before making a decision.
 

Also experiencing first-hand their environment and culture gives the man a future understanding of his future bride. OUR PERSONAL INTRODUCTION TRIP HAS BEEN YEILDING A 95% SUCCESS RATE! Again, the reason for this is the growing frustration among the Ladies about the lack of follow through the men, Consequently, many Ladies do not respond to letters, knowing that few ever follow through. They simply wait to meet the men who go there. THUS, THE SITUATION HAS BECOME A DREAM FOR THE MAN WHO ARE SERIOUS.

During our Special Photoshoot Trips (e-mail for dates); you will get an opportunity to watch and meet new Ladies. Many times, clients pick these new Ladies because they are fresh and no one has ever met them before. We have quite a few Ladies who have never made it to the gallery because they got engaged immediately to the men who went no trips.
"

The agency is also reserving the right to forward the responsibility for any fraudulent activities to the girls, the majority of which do not exist at the first place in the following way:

All scam patterns have similarities that are very easy to spot if you know what to watch out for:
  • Usually the contact originates from a personals site where anyone can place his/her ad for free. Most often it was not you who initiated the acquaintance; you received a letter from a lovely Russian female who was interested in you. *Her* description of the partner is always very broad that will fit anybody - "kind intelligent man, age and race don't matter".
  • Sometimes *she* places a real nice discription and lovely, INNOCENT pictures, with honest eyes and kind smile. You will initiate the acquaintance.
  • It is always email correspondence; and letters are sent regularly, often every day; a new picture is sent with almost every letter.
This is very entertaining since the agency is driving traffic to its domains through spamming. The full list of spammed domains part of the campaign :
love-f-emale .com - 62.90.136.207
i-amsingle .com
for-you-from-me .com
destinycombine .com
with-hope-for-love .com
iam-waiting4love .com
allisloveandlove .com
amourwedding .com
adorelovewon .com
andiloveyoutoo .com
attractive-ladies .com
luckyheatrs .com
sunwants .com
myloving-heart .com
touchmy-heart .com
dreams-about-lady .com
fillinglove .net
createyourlove .net
buildyour-happylove .net
tender-woman .net
make-family .net


There's something "ingenious" about this type of dating scams, since the bogus dating agency can forward the scam responsibility to the non-existent girls at the first place. Moreover, despite the countless number of email credits, flowers and photos that you've purchased by using the agency's commercial services, the non-existent girl can always reserve the right not to meet or interact with you in any way. And even if there are actual girls working for the ad agency on a revenue-sharing basis, the agency silently makes money by reserving its right to ruin your return on investment no matter how much and what you spend on their site.

Now, that's a business model scamming the gullible and the lonely, which from a legal perspective -- excluding the spamming -- can in fact be legal in the country of operation due to the eventual mis-matching of characters.

UPDATE:
The people from "Confidential Connections" have a long history of spamming/scamming activities. Here are more related resources:

A first-person account:
"..ualadies... I work as a guide and translator for guys seeking a wife in Ukraine, and a client just came to me who was due to meet a girl from this agency. Im so wound up by the actions of this agency that i am going to post this thread in every scam forum i know about. Here is a short list of what they did:

1) Put him in a taxi to pick up the girl and take her to the restaurant, then charged him $80 for what should have been a $10 journey
2) Charged him $60 for a one hour translation, saying that they take a minimum charge of 4 hours ($15 an hour)..this they told him only after the meeting
3) After my client had payed (a very steep $50) to meet the girl, he got her address and decided to send her some flowers (at the local rate of 2 dollars for 1 rose, as apposed to 10 dollars a rose at the agency). The agency, upon finding out about this, called him up and shouted at him for daring to send her roses not through them (!)
 

4) It turned out that the girl hadn't written most of the letters the client had shared with her over a period of a year, and in fact that the agency themselves had written them, earning good money in the proccess!
5) The agency lied about the upper age limit for a guy the girl was willing to meet - they put down 60 when she had indicated 40.
6) There is more!...but i think ive written enough for you to get the idea.

Be aware of this agency! In all my time as a guide/translator i have never seen an agency that works so shambolicaly. Agencies like this ruin the reputation of the business, in which there are number of hard working honest agencies that suffer as a result.
"

More comments from the same person, presumably working there:
"Beware of ualadys. I live in Ukraine and know someone who works in one of the branches. Word has it that they churn out letters factory-style and often write themselves. They do not allow their girls to turn down a man who has requested to communicate with them, even if they dont want to. They did not allow me to go to their office to check them out and ask them questions. They scare the girls so that they dont get in personal contact with a guy or go to another agency. Beware!"

Exclusive photo gallery from what appears to be a scammed customer -- wedding rings are in place. The guy was initially spammed:

"On June 23rd of 2008 (that was 5 months after I gave up my relationship with my ex girlfriend),  I received one email from UAladys which stated it was translated for a lady in Ukraine. Her name is Anastasia R. (ID 5008) Her introduction letter went as follows"

Thankfully, he's preserved the achive of the correspondence, exposing their practices.

Dissecting a Swine Flu Black SEO Campaign

Remember the Ukrainian group of cyber criminals that was responsible for last week's massive blackhat SEO campaign that was serving scareware, followed by the timely hijacking of Mickeyy worm keywords a week earlier to once again serve rogue security software?

They are back with new blackhat SEO farms which they continue monetizing through rogue security software. Time to dissect their latest campaign and expose their malicious practices.

Once having most of their previous domains blacklisted/shut down, the group naturally introduced new ones, and changed the search engine optimization theme to swine flu, in between a variation of their previous one relying on catchy titles such as USA News; BBC News; CNN News as well as Hottest info!; HOT NEWS; Official Website and Official Site.

Upon visiting the site, an obfuscated iFrame statically hosted on all of the participating domains in the form of 2qnews.07x .net/images/menu.js redirects the user to sexerotika2009 .ru/admin/red/en.php (74.54.176.50; Email: rebsdtis@land.ru). Are you noticing the directory structure similarities? Appreciate my rhetoric, it's last month's blackhat SEO gang with a new portfolio of domains.

What follows is the usual referrer check : "var ref,i,is_se=0; var se = new Array("google.","msn.","yahoo.","comcast.","aol.");" from where the user is redirected to liveavantbrowser2 .cn/go.php?id=2022&key=4c69e59ac&p=1 (83.133.123.140) acting as central redirection point to the typosquatted portfolio of rogue security software domains.

The original scareware domain vrusstatuscheck .com/1/?id=2022&smersh=a9fd94859&back=%3DjQ51TT1MUQMMI%3DN - (69.4.230.204; 38.99.170.209; 78.47.172.66; 78.47.91.153; 94.76.212.239; 94.102.48.28) is exposing the rest of the scareware (detection rate) portfolio with the following domains parked at these IPs:

antivirusbestscannerv1 .com
antivirus-powerful-scanv2 .com
antivirus-powerful-scannerv2 .com
virusinfocheck .com
vrusstatuscheck .com
adware-removal-tool .com
1quickpcscanner .com
1spywareonlinescanner .com
1computeronlinescanner .com
1bestprotectionscanner .com
securityhelpcenter .com
antivirus-online-pro-scan .com
securedonlinecomputerscan .com
antispywarepcscanner .com
securedvirusscanner .com
virusinfocheck .com
antivirusbestscannerv1 .com
antispywareupdateservice .com
platinumsecurityupdate .com
antispywareupdatesystem .com
onlineupdatessystem .com
softwareupdatessystem .com
securedpaymentsystem .com
infosecuritycenter .com
antispywareproupdates .com
securedsoftwareupdate .cn
securedupdateslive .cn
thankyouforinstall .cn
securityupdatessystem .cn
securedsystemresources .cn
securedosupdates .cn
windowssecurityupdates .cn


Once executed it downloads Microsoft's original thank you note (update.microsoft.com/windowsupdate/v6/thanks.aspx), and confirms the installation so that the blackhat SEO campaigners will receive a piece of the pie at securedliveuploads .com/?act=fb&1=0&2=0&3=kfddnffaffihlcoemdkedcaefcfaffedhfmdmboc&4=eebajfjafekaifnbddghoclg&5=22&6=1&7=63&8=31&9=0&10=1

Related phone-back locations:
liveavantbrowser2 .cn - (83.133.123.140)
securedliveuploads .com
liveavantbrowser2 .cn
awardspacelooksbig .us
crytheriver .biz
softwareupdatessystem .com
securedsoftwareupdate .cn
securedupdateslive .cn
securedosupdates .cn


Blackhat SEO subdomains at the free web site hosting services:
2qnews.07x .net
2rnews.07x .net
1news.07x .net
1knews.07x .net
1xnews.07x .net
gerandong.07x .net
kort.07x .net
30newsx.07x .net
4dnews.07x .net
4dnews.07x .net
laptop.07x .net
30newsf.07x .net


Blackhat SEO domains participating in the second multi-theme campaign:
01may2009 .us
m1m18test .us
m1m17test .us
m1m21test .us
m1m11test .us
m1m16test .us
m1m20test .us
m1m15test .us
m1m14test .us
m1m13test .us
m1m11test .us
m1m15test .us
m1m19test .us
f9o852test .us
f9o851test .us
f9o87test .us
f9o86test .us
f9o5test .us
f9o8test .us
ff7test5 .us
g2g1test .us


Blackhat SEO domains participating in the third campaign:
greg-page-boxing.6may2009 .com -
212.95.58.156
dualsaw.06may2009 .com
craigslist-killer.5may2009 .com
 

Upon clicking, the user is redirected to berusimcom .com/t.php?s=18&pk=, then to the SEO keyword logger at berusimcom .com/in.cgi?18&seoref=&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=nfl-draft.5may2009 .com&ppckey=, and then exposed to another portfolio of rogue security software (detection rate) at hot-porn-tubes.com/promo3/?aid=1361&vname=antivirus - 78.129.166.166; 91.212.132.12, with the following domains parked at the same IPs:

xxxtube-for-xxxtube .com
youporn-for-free .com
xtube-xmovie .com
free-xxx-central .com
xtube-downloads .com
porn-tube-movies .com
my-fuck-movies .com
niche-tube-videos-here .net
free-tube-video-central .net
tubezzz-boobezzz .net
hot-tube-tuberzzz .net


Persistence must be met with persistence.