Wednesday, November 25, 2009

Koobface Botnet Starts Serving Client-Side Exploits

UPDATED, Wednesday, December 02, 2009: The systematic rotation of new redirectors and scareware domains remains ongoing, with no signs of resuming the use of client-side exploits.

Some of the latest ones include inviteerverwhere .cn - Email: -> scanner-infoa .com - Email:, scareware detection rate; 1economyguide .cn - Email: -> superdefenceaj .com - Email:, scareware detection rate; slip-stream .cn - Email: -> getsafeantivirusa .com - Email:, scareware detection rate.

The complete list of redirectors introduced over the past week is as follows: 1economyguide .cn; 1monocline .cn; 1nonsensical .cn; 1onlinestarter .cn; 1political-news .cn; argentinastyle .cn; australiagold .cn; austriamoney .cn; beatupmean2 .cn; belgiumnation .cn; brazilcountry .cn; firefoxfowner .cn; inviteerverwhere .cn; iraqcontacts .cn; makenodifference2 .cn; manualgreese .cn; overmerit3 .cn; powerhelms2 .cn; secretalltrue2 .cn; separator2009 .cn; slip-stream .cn; solidresistance .cn; wallgreensmart .cn; windowsclone .cn; womenregrets .cn; womenregrets2 .cn

UPDATED, Saturday, November 28, 2009: Following yesterday's experiment with redirectors relying on a "visual social engineering element" (descriptive domains appended after the original link, which works with any generated link), the gang is now spamvertising links that use Google News redirection to automatically registered Blogspot accounts. The CAPTCHA challenge for those accounts is solved by the already infected Koobface victims, a feature that is now mainstream, compared to the gang's previous use of commercial CAPTCHA-solving services, where the price for a thousand solved CAPTCHAs varies between $1 and $2:


New redirectors introduced include:
overmerit3 .cn - Email:
belgiumnation .cn - Email:
iraqcontacts .cn - Email:
womenregrets .cn - Email:
wallgreensmart .cn - Email:
brazilcountry .cn - Email:
womenregrets2 .cn - Email:

New scareware domains introduced include:
internetdefencesystem .com - Email:
royalsecure-a1 .com - Email:
royaldefencescan1 .com - Email:
royaldefensescan1 .com - Email:
royaldefencescan .com - Email:
royaldefensescan .com - Email:
royalprotectionscan .com - Email:

The sampled copy phones back to a new domain (austin2reed .com/?b=1s1; austin2reed .com/?b=1) using the same IP ( as the previous phone-back domain.

UPDATED, Thursday, November 26, 2009: The gang has suspended the use of client-side exploits for now; let's see whether that is only for the time being or indefinitely. Scareware is nevertheless still being introduced through periodically registered new domains - argentinastyle .cn - Email: and australiagold .cn - Email: - which redirect to bestscan066 .com - Email: and to bestscan044 .com - Email: - detection rate.

The exploit serving domains (el3x .cn; kiano-180809 .com and ttt20091124 .info) remain active.

The Koobface botnet, a case study in propagation relying exclusively on social engineering tactics and systematic abuse of legitimate Web 2.0 services, has introduced a second "game-changer", alongside its migration to a distributed command and control infrastructure once its centralized operations were shut down.

Next to the embedded and automatically rotating scareware redirects placed on each and every infected host that is part of the Koobface botnet, the gang behind it has now started using client-side exploits (VBS/Psyme.BM; Exploit.Pidief.EX; Exploit.Win32.IMG-WMF etc.) by embedding two iFrames on all Koobface-infected hosts (Underground Molotov - function molot (m)), which connect to a well known (average) web malware exploitation kit's interface. A user who clicks on a Koobface URL is therefore exposed not only to the Koobface binary itself, now also pushed through client-side exploits, but also to the periodically changed scareware domains.

Let's dissect the campaign, expose the entire domain portfolio involved or introduced since the beginning of the week, and once again establish a connection between the Koobface gang and money mule recruitment scams, followed by the scareware domains (Inst_312s2.exe; Inst_312s2.exe from today, both of which phone back to angle-meter .com/?b=1), all registered using the same emails.

Scareware redirectors seen during the past couple of days, parked at
solidresistance .cn - Email:
separator2009 .cn - Email:
zapotec2 .cn - Email:
befree2 .cn - Email:
entombing2009 .cn - Email:
economyguide .cn - Email:
smile-life .cn - Email:
everlastmovie .cn - Email:
monocline .cn - Email:
mozzillaclone .cn - Email:
monkey-greese .cn - Email:
surgingnurse .cn - Email:
mailboxinvite .cn - Email:
flatletkick .cn - Email:
nonsensical .cn - Email:
moralisefilm .cn - Email:
firefoxavatar .cn - Email:
onlinestarter .cn - Email:
clowncirus .cn - Email:
political-news .cn - Email:
harry-pott .cn - Email:
repeatability .cn - Email:

New scareware domains portfolio parked at;;
valuewebscana .com - Email:
valuescana .com - Email:
cyber-scan-1 .com - Email:
yourantispy-1 .com - Email:
cyber-scan011 .com - Email:
cyber-scan-2 .com - Email:
antimalware-3 .com - Email:
yourmalwarescan3 .com - Email:
antimalwarescana4 .com - Email:
today-scan4 .com - Email:
antispy-scan5 .com - Email:
yourantivira7 .com - Email:
yourmalwarescan7 .com - Email:
yourantispy-8 .com - Email:
cyber-scan08 .com - Email:
cyber-scan09 .com - Email:
beprotected9 .com - Email:
spyware-scan9 .com - Email:
yourantispy-a .com - Email:
checkforspywarea .com - Email:
checkfilesherea .com - Email:
scanfilesherea .com - Email:
findprotectiona .com - Email:
checkfilesnowa .com - Email:
web-scanm .com - Email:
today-scann .com - Email:
4eay-protection .com - Email:

The client-side exploit redirection takes place through three separate domains, all involved in previous Zeus crimeware campaigns and parked on the same IP in a cybercrime-friendly ASN. For instance, - - Email: redirects to -> -> -> using VBS/Psyme.BM; Exploit.Pidief.EX; Exploit.Win32.IMG-WMF etc., pushing load.exe, which phones back to a well known "leftover" from the Koobface botnet's centralized infrastructure - xtsd20090815 .com/adm/index.php.

Now it gets even more interesting, with the Koobface gang clearly rubbing shoulders with authors of actual web malware exploitation kits, who diversify their cybercrime operations by participating in money mule recruitment scams, zeus crimeware serving campaigns, and scareware.

Also parked on the same IP where the first iFrame is hosted are the following domains participating in related campaigns:
amer0test0 .cn - Email: -> money mule recruitment
antivirusfreec0 .cn - Email: -> money mule recruitment 
arendanomer2 .cn - Email:
dom0cn .cn - Email:
dom1cn .cn - Email:
dom2cn .cn - Email:
domx0 .cn - Email:
domx1 .cn - Email:
domx2 .cn - Email:
dox0 .cn - Email:
dox1 .cn - Email:
dox2 .cn - Email:
dox3 .cn - Email:
edit2china .cn - Email:
edit3china .cn - Email:
el1x .cn - Email:
el2x .cn - Email:
el3x .cn - Email:
gym0replace .cn - Email: -> scareware domain registration
herosima1yet .cn - Email:
herosima1yet00g .cn - Email:
otherchina .cn - Email:
parliament .tk - Email:
privet1 .cn - Email:
privet2 .cn - Email:
privet3 .cn - Email:
sport-lab .cn - Email: -> money mule recruitment domain registrations
trafdomins .cn - Email:

The second iFrame domain parked at redirects in the following way - kiano-180809 .com/oko/help.html - - Email: leads to kiano-180809 .com/oko/dyna_soc.html -> kiano-180809 .com/oko/tomato_guy_13.html -> kiano-180809 .com/oko/update.vbe -> kiano-180809 .com/oko/dyna_wm.wmf.

The same exploitation structure is valid for the third iFrame domain - ttt20091124 .info/oko/help.html which is again, parked at and was embedded at Koobface-infected hosts over the past 24 hours.
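
As an added example (not tooling from the original post), the following Python script does the kind of offline triage that the iFrame injection in the opening paragraph and the kiano-180809 .com chain above call for: it parses a saved copy of a page from a Koobface-infected host, flags iframes that are both hidden and pointing off-host, lists external scripts, and extracts references to the payload types used in the chain (.vbe, .wmf, .pdf, plus .exe and .swf). The sample page, the host names, the extension list and the hidden-frame heuristic are assumptions constructed for the example.

```python
"""Offline triage of a saved HTML page for hidden off-host iframes and
exploit-kit payload references. Added example, not the author's tooling;
the sample page and every host name in it are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions worth flagging: the VBS downloader, WMF and PDF exploits named
# in the post, plus the dropped binary and .swf. Assumption, not a full list.
PAYLOAD_EXT = re.compile(r"(?i)\b[\w./:-]+\.(vbe|vbs|wmf|pdf|swf|exe)\b")


class IframeCollector(HTMLParser):
    """Collects <iframe> attribute dicts and external <script src> values."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self.iframes.append(a)
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])


def _px(value):
    """'1', '1px' -> 1; anything else (None, '100%') -> None."""
    try:
        return int(str(value).rstrip("px").strip())
    except ValueError:
        return None


def _is_hidden(attrs):
    """Heuristic: a 0/1-pixel frame, or inline CSS that hides it."""
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    if w is not None and h is not None and w <= 1 and h <= 1:
        return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def triage(html, page_host):
    """Return hidden off-host iframes, external scripts and payload URLs."""
    parser = IframeCollector()
    parser.feed(html)
    suspicious = []
    for frame in parser.iframes:
        src = frame.get("src", "")
        host = urlparse(src).hostname or page_host   # relative src = same host
        if host != page_host and _is_hidden(frame):
            suspicious.append({"src": src, "host": host})
    # Scan the raw markup, inline script included, for payload references.
    payloads = sorted({m.group(0) for m in PAYLOAD_EXT.finditer(html)})
    return {"hidden_offhost_iframes": suspicious,
            "external_scripts": parser.scripts,
            "payload_refs": payloads}


# Constructed sample of a page as served by an infected host.
SAMPLE_HOST = "infected-host.example"
SAMPLE_HTML = """<html><body>
<h1>Wonderful Video</h1>
<iframe src="http://exploit1.example/oko/help.html" width="1" height="1"></iframe>
<iframe src="http://exploit2.example/oko/help.html" style="display:none"></iframe>
<iframe src="/player.html" width="1" height="1"></iframe>
<script src="http://redirector.example/css.js"></script>
<script>document.write('<a href="http://exploit1.example/oko/update.vbe">x</a>');</script>
</body></html>"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_HTML, SAMPLE_HOST).items():
        print(key, value)
```

Run it against `curl -s -o page.html` output from a suspect host (with the request made from an isolated box, since the page is live exploit content), feeding the saved file and the host name to `triage()`.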

What prompted this shift on behalf of the Koobface gang? Declining infection rates -- I'm personally not seeing a decline in the click-through rate, with over 500 clicks on a spamvertised Koobface URL over a period of 24 hours -- or their obsession with traffic optimization? In terms of social engineering, the periodic introduction of new templates proved highly successful for the gang, but the newly introduced, outdated client-side exploits can in fact generate more noise than they originally anticipated, compared to continuing to rely on social engineering vectors only.

One thing's certain - the Koobface gang is now on the offensive, and it would be interesting to see whether they'd introduce a new exploits set, or continue relying on the one offered by the web exploitation kit.

Related posts:
Secunia: Average insecure program per PC rate remains high
Research: 80% of Web users running unpatched versions of Flash/Acrobat
Fake Security Software Domains Serving Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Koobface Botnet's Scareware Business Model
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign 
The Koobface Gang Mixing Social Engineering Vectors

This post has been reproduced from Dancho Danchev's blog.

Wednesday, November 18, 2009

Scareware Campaign Using Google Sponsored Links

A scareware campaign is currently using Google sponsored ads and, by hijacking a decent number of well positioned keywords, is attempting to trick visitors into installing scareware featuring several new templates. This is, of course, not the first and definitely not the last time scareware campaigners use highly targeted legitimate networks in order to reach a potential audience by investing in traffic acquisition.

However, compared to "long tail centered" blackhat SEO, the use of legitimate ad networks would never reach a positive ROI comparable to the one achieved by dynamically syndicating legitimate content and monetizing it through scareware.

Scareware domains seen in circulation: 
adwarealert .com -
adware-pro-2009 .com -
adwareprosite .com - - Email: 
adwarepro-site .com - - Email: 
antimalwarenow .com -
anti-malware-pro .org - - Email:

antimalware-software .com -
antimalware-software .org - - Email:
get-spyware-destroyer .com - - Email:
macrovirus .com -
malwareprofessional .com -

theantimalware .com -
adware-pro-live .com -
antivirus-live-pro .com -
antivirus-live-pro .org
antivirus-live-software .com
antivirus-pro-live .com
antiviruspro-live .com

Sample detection rates: anti-malware-application.exe; malware_professional.exe; macro_virus.exe; antimalware_pro.exe; spyware_destroyer.exe; AdwarePro_Setup.exe; AdwarePro_Setup06.exe; AdwarePro_Setup2305.exe.

Consider going through The Ultimate Guide to Scareware Protection, detailing the alternative traffic acquisition approaches used by scareware campaigners, as well as the related posts dissecting recent blackhat SEO campaigns.

Related posts:
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign
U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding
Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware
A Peek Inside the Managed Blackhat SEO Ecosystem 
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot

This post has been reproduced from Dancho Danchev's blog.

Tuesday, November 17, 2009

"Your mailbox has been deactivated" Spam Campaign Serving Crimeware

An ongoing "Your mailbox has been deactivated" themed spam campaign is pushing crimeware as an attached archive.

Subject: your mailbox has been deactivated
Message: "We are contacting you in regards to an unusual activity that was identified in your mailbox. As a result, your mailbox has been deactivated. To restore your mailbox, you are required to extract and run the attached mailbox utility. Best regards, technical support."
Different signatures used: "From Webmail Help Desk; From technical support; From technical support; From technical support; From technical support"

The sampled binary phones back to 193.104.27 .91/limpopo/bb.php?id=636608811&v=200&tm=2&b=4316315581 and 193.104.27 .91/limpopo/bb.php?id=554275088&v=200&tm=8&b=4316315581&tid=11&r=1, from where it downloads promed-net .com/css/abs.exe (; Email: ), which phones back to, downloading 91.213.72 .51/ldr7.exe, which in turn phones back to 193.104.27 .42/lcc/ip2.gif and is detected as TrojWare.Win32.TrojanSpy.Zbot.Gen.

Not surprisingly, all of these IPs are known Zeus crimeware hosts.

Related phone-back locations parked on the same IP -
koralda .com - Email:
antiona .com - Email:
lambrie .com - Email:
bauhath .com - Email:
agulhal .com - Email:
lantzel .com - Email:
bourgum .com - Email:

101607d91120.koralda .com
141607d91121.koralda .com
121607d91122.koralda .com
161607d91123.koralda .com
141607d91124.koralda .com
181607d91125.koralda .com
011607d91106.koralda .com
171507d91116.koralda .com
161607d91126.koralda .com
231507d91107.koralda .com
201607d91127.koralda .com
031607d91108.koralda .com
191507d91118.koralda .com
011607d91109.koralda .com
171507d91119.koralda .com
221607d91129.koralda .com
201607d9112a.koralda .com
031607d9110b.koralda .com
191507d9111b.koralda .com
081607d9111b.koralda .com
221607d9112c.koralda .com
101607d9111d.koralda .com
081607d9111e.koralda .com
121607d9111f.koralda .com
211507d91131.antiona .com
231507d91133.antiona .com
081207d91134.antiona .com
121607d91115.antiona .com
001307d91106.antiona .com
201307d91108.antiona .com
121107d91128.antiona .com
021107d91129.antiona .com
221307d9110a.antiona .com

231107d9111a.antiona .com
230907d9111b.antiona .com
041107d9112b.antiona .com
011207d9111c.antiona .com
081307d9110d.antiona .com
061107d9112d.antiona .com
191407d9112d.antiona .com
171307d9111f.antiona .com
211407d9112f.antiona .com
042707d90914.agrigid .com
101607d91121.lambrie .com
121607d91122.lambrie .com
141607d91124.lambrie .com
161607d91126.lambrie .com
231507d91107.lambrie .com
181607d91128.lambrie .com
011607d91109.lambrie .com
171507d91119.lambrie .com
201607d9112a.lambrie .com
031607d9110b.lambrie .com
191507d9111b.lambrie .com
221607d9112c.lambrie .com
081607d9111e.lambrie .com
081607d91100.bauhath .com
071607d91130.bauhath .com
121607d91101.bauhath .com
201607d91111.bauhath .com
221307d91102.bauhath .com
051107d91122.bauhath .com
141607d91103.bauhath .com

151207d91113.bauhath .com
221607d91113.bauhath .com
221307d91104.bauhath .com
071107d91124.bauhath .com
171207d91115.bauhath .com
051007d91126.bauhath .com
091107d91126.bauhath .com
101607d91107.bauhath .com
191207d91117.bauhath .com
051207d91127.bauhath .com
071007d91128.bauhath .com
071207d91128.bauhath .com
121607d91109.bauhath .com
211207d91119.bauhath .com
091007d9112a.bauhath .com
131107d9112a.bauhath .com
091207d9112a.bauhath .com
051607d9113a.bauhath .com
231207d9111b.bauhath .com
091607d9113b.bauhath .com
141607d9110c.bauhath .com
111007d9112c.bauhath .com
111207d9112c.bauhath .com
161607d9110d.bauhath .com
071607d9112d.bauhath .com
181607d9110f.bauhath .com
181007d91132.edvehal .com
181007d91135.edvehal .com
181207d91110.agulhal .com
091007d91120.agulhal .com
211007d91130.agulhal .com
041307d91130.agulhal .com

111007d91122.agulhal .com
061307d91132.agulhal .com
131207d91123.agulhal .com
131007d91124.agulhal .com
151207d91125.agulhal .com
230907d91116.agulhal .com
151007d91126.agulhal .com
061207d91127.agulhal .com
011007d91118.agulhal .com
171007d91128.agulhal .com
031007d9111a.agulhal .com
021207d9111b.agulhal .com
121107d9113b.agulhal .com
051007d9111c.agulhal .com
011107d9110d.agulhal .com
041207d9111d.agulhal .com
191007d9112d.agulhal .com
161207d9110e.agulhal .com
071007d9111e.agulhal .com
141607d91100.lantzel .com
081607d91100.lantzel .com
221607d91110.lantzel .com
121607d91101.lantzel .com
171207d91111.lantzel .com
201607d91111.lantzel .com
071107d91121.lantzel .com
051107d91122.lantzel .com
141607d91103.lantzel .com
151207d91113.lantzel .com
191207d91113.lantzel .com
221607d91113.lantzel .com
051007d91123.lantzel .com

091107d91123.lantzel .com
051207d91123.lantzel .com
101607d91104.lantzel .com
071107d91124.lantzel .com
211207d91115.lantzel .com
171207d91115.lantzel .com
071007d91125.lantzel .com
111107d91125.lantzel .com
071207d91125.lantzel .com
121607d91106.lantzel .com
051007d91126.lantzel .com
091107d91126.lantzel .com
051207d91126.lantzel .com
101607d91107.lantzel .com
231207d91117.lantzel .com
191207d91117.lantzel .com
091007d91127.lantzel .com
131107d91127.lantzel .com
091207d91127.lantzel .com
051607d91137.lantzel .com
141607d91108.lantzel .com
071007d91128.lantzel .com
111107d91128.lantzel .com
071207d91128.lantzel .com
091607d91138.lantzel .com
121607d91109.lantzel .com
211207d91119.lantzel .com
111007d91129.lantzel .com
111207d91129.lantzel .com

071607d91139.lantzel .com
161607d9110a.lantzel .com
091007d9112a.lantzel .com
131107d9112a.lantzel .com
091207d9112a.lantzel .com
111607d9113a.lantzel .com
051607d9113a.lantzel .com
141607d9110b.lantzel .com
231207d9111b.lantzel .com
091607d9113b.lantzel .com
181607d9110c.lantzel .com
111007d9112c.lantzel .com
111207d9112c.lantzel .com
161607d9110d.lantzel .com
201607d9110e.lantzel .com
151207d9110f.lantzel .com
181607d9110f.lantzel .com
051107d9111f.lantzel .com
131507d91100.bourgum .com
231507d91130.bourgum .com
221207d91101.bourgum .com

211507d91131.bourgum .com
001307d91103.bourgum .com
231507d91133.bourgum .com
001107d91124.bourgum .com
081207d91134.bourgum .com
201307d91105.bourgum .com
121607d91115.bourgum .com
001307d91106.bourgum .com
021107d91126.bourgum .com
091207d91107.bourgum .com
221307d91107.bourgum .com
231107d91117.bourgum .com
201307d91108.bourgum .com
230907d91118.bourgum .com
121107d91128.bourgum .com
041107d91128.bourgum .com
211007d91138.bourgum .com
011207d91119.bourgum .com
021107d91129.bourgum .com
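
The subdomain labels above are not random strings: every one of them is twelve characters long with "07d9" in positions five to eight, and 0x7d9 is 2009. As an added example (not from the original post), the Python below decodes each label on the assumption that it encodes hour, day, hex year, month and a two-digit hex counter, which fits every label in the list, and flags such names in passive-DNS lines when the apex domain is one of those listed above. The decoding is an inference from the list rather than documented behaviour, and the log lines, client addresses and line format are constructed.

```python
"""Decode and detect the generated C&C subdomain labels listed above
(e.g. 101607d91120.koralda.com). Added example, not from the original post.
Assumed layout: HH DD 07d9 MM XX = hour, day, year as hex (0x7d9 == 2009),
month, hex counter. This fits every listed label but is an inference."""
import re
from datetime import datetime

# Apex domains named in the post. The label shape alone is weak evidence;
# the apex list is what ties a hit to this campaign.
APEX = {"koralda.com", "antiona.com", "lambrie.com", "bauhath.com",
        "agulhal.com", "lantzel.com", "bourgum.com", "agrigid.com",
        "edvehal.com"}

LABEL = re.compile(r"^(\d{2})(\d{2})([0-9a-f]{4})(\d{2})([0-9a-f]{2})$")


def decode_label(label):
    """Return (timestamp, counter) or None if the label does not fit."""
    m = LABEL.match(label.lower())
    if not m:
        return None
    hh, dd, year_hex, mm, counter = m.groups()
    try:
        stamp = datetime(int(year_hex, 16), int(mm), int(dd), int(hh))
    except ValueError:      # hour 25, month 13, ...: not this generator
        return None
    return stamp, int(counter, 16)


def classify(fqdn):
    """Split label.apex and decode when the apex is on the watch list."""
    parts = fqdn.lower().rstrip(".").split(".")
    if len(parts) != 3:
        return None
    label, apex = parts[0], ".".join(parts[1:])
    if apex not in APEX:
        return None
    decoded = decode_label(label)
    if decoded is None:
        return None
    return {"fqdn": fqdn, "apex": apex,
            "generated": decoded[0], "counter": decoded[1]}


# Constructed passive-DNS style lines: "<client> <qname> <qtype>".
SAMPLE_LOG = """\
10.0.0.5 101607d91120.koralda.com A
10.0.0.5 042707d90914.agrigid.com A
10.0.0.9 www.koralda.com A
10.0.0.9 101607d91120.example.com A
10.0.0.7 221607d9112c.lambrie.com A
"""


def scan(log_text):
    """Return one hit dict per line whose query name decodes as generated."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        hit = classify(fields[1])
        if hit:
            hit["client"] = fields[0]
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["client"], h["fqdn"], h["generated"].isoformat(), h["counter"])
```

The decoded timestamps line up with the post's dates (November 2009 for the bulk of the list, September 2009 for the single agrigid .com label), which is the sanity check for the assumed layout; a label whose fields fall outside valid calendar ranges is rejected rather than reported.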

Naturally, the campaign isn't an isolated incident: previous "Facebook updated account agreement" themed ones used the same phone-back locations as the currently ongoing one.

Related posts:
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You

This post has been reproduced from Dancho Danchev's blog.

Massive Scareware Serving Blackhat SEO, the Koobface Gang Style

Ali Baba and the 40 thieves LLC are once again multi-tasking, this time compromising hundreds of thousands of web sites and redirecting Google visitors -- through the standard HTTP referrer check -- to scareware serving domains.

What's so special about the domains mentioned in Cyveillance's post, as well as the ones currently active on this campaign? It's the Koobface connection.

For instance, the ionisationtools .cn and moored2009 .cn redirectors, as well as the scareware serving premium-protection6 .com;; checkalldata .com; foryoumalwarecheck4 .com; antispy-scan1 .com mentioned in the post, are the same scareware redirectors and domains analyzed in part two of the Koobface Botnet's Scareware Business Model series. The identical structure on a sampled Koobface-infected host and a sampled compromised site can be seen in the attached screenshots.

The redirection "magic" takes place through what looks like a static css.js (Trojan-Downloader.JS.FraudLoad) uploaded to all of the affected sites. The very latest blackhat SEO campaign once again puts the Koobface gang in the spotlight of the underground multi-tasking that the majority of cybercriminals engage in these days.

Related posts:
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Koobface Botnet's Scareware Business Model
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign 
The Koobface Gang Mixing Social Engineering Vectors

This post has been reproduced from Dancho Danchev's blog.

Monday, November 16, 2009

Keeping Money Mule Recruiters on a Short Leash

The money mule recruitment syndicate exposed in a previous post (Standardizing the Money Mule Recruitment Process) continues introducing new domains and re-branding the de-facto recruitment templates used by a huge percentage of the currently active money mule recruitment scams.

Ironically, both the syndicate and its competition, the boutique money mule recruitment operations that let the cybercriminal behind them self-service -- he doesn't want to share stolen revenue with a third-party service provider -- are using the copywriting and online brand management services of a single vendor.

It's time to expose the complete domain portfolio of one of their biggest customers, including both the domains introduced since mid-summer 2009 and the most recent ones, all of which use or have used the services of AS38356.

Parked at;;;; as of Monday, November 18 are the following money mule recruitment domains:
affina-groupsvc .cc - Email:
altgroupco .cn - Email:
alt-groupco .net - Email:
annuity-groupnet .cc - Email:
archway-groupinc .cn - Email:
armor-groupco .cc - Email:
ava-group .cc - Email:
ava-group .cn - Email:
ava-groupsvc .cc - Email:
avagroupsvc .cn - Email:
bfs-groupinc .cc - Email:
braingroupmain .cn - Email:
brain-groupsvc .cn - Email:
ccn-groupco .cn - Email:
cdi-groupmain .cn - Email:
cosco-groupmain .cn - Email:
criscom-group .cc - Email:
criscomgroupco .cn - Email:
criscom-groupinc .cc - Email:
cronos-group .net - Email:
cronos-groupinc .cn - Email:
cronos-groupinc .com - Email:
cronosgroupsvc .cn - Email:
dove-groupli .cn - Email:
entrustgroup .cn - Email:
extreme-groupinc .cn - Email:
fairline-group .cn - Email:
flatgroupfly .cc - Email:
full-controll .cc - Email:

geniouspartner .cn - Email:
holding-group .cn - Email:
igt-groupco .cn - Email:
igtgroupinc .cn - Email:
igt-groupinc .com - Email:
index-groupinc .cn - Email:
index-groupinc .com - Email:
indexgroupinc .net - Email:
index-groupmain .cn - Email:
ing-groupsvc .cn - Email:
integrity-groupinc .cc - Email:
invalda-groupli .cn - Email:
invalda-groupmain .cn - Email:
invalda-groupmain .com - Email:
landgroupinc .cn - Email:
landgroupinc .net - Email:
land-groupsvc .cn - Email:
land-groupsvc .com - Email:
libertygroup .cc - Email:
lime-groupnet .cn - Email:
lime-groupsvc .cn - Email:
margin-groupco .cn - Email:
margingroupinc .cn - Email:
massivegroupsvc .cn - Email:
mastergroupinc .cn - Email:
master-groupinc .com - Email:
master-groupsvc .cn - Email:
mellis-group .cn - Email:
mellis-groupmain .cn - Email:

mena-groupsvc .cn - Email:
nvidia-groupnet .cn - Email:
nvidia-groupsvc .cn - Email:
opm-groupli .com - Email:
phoenix-groupco .net - Email:
phoenix-groupmain .cn - Email:
premier-groupinc .cn - Email:
premier-groupinc .com - Email:
premier-groupnet .cc - Email:
prime-groupco .cn - Email:
prime-groupinc .cn - Email:
puritan-groupco .cc - Email:
puritan-groupco .cn - Email:
puritan-groupinc .cn - Email:
puritan-groupinc .com - Email:
realtek-groupnet .cn - Email:
realtekgroupsvc .cn - Email:
reddbutton .cn - Email:
redeye-groupco .cn - Email:
redeye-groupinc .cn - Email:
regency-groupco .com - Email:
regency-groupnet .cc - Email:

regency-groupnet .cn - Email:
safegroupsvc .cn - Email:
saturn-groupsvc .cn - Email:
scope-group .cn - Email:
scope-groupmain .cc - Email:
scope-groupmain .cn - Email:
stargroupinc .cn - Email:
star-groupinc .net - Email:
star-groupsvc .cn - Email:
star-groupsvc .com - Email:
summit-groupinc .cn - Email:
theblackend .cn - Email:
totallysmiled .cn - Email:
vector-groupfine .cn - Email:
vision-groupinc .cc - Email:
vision-groupsvc .com - Email:
windcontrol .cc - Email:

Nothing's isolated, everything's connected, and sadly orchestrated by a very distinct set of cybercrime enterprises, the market share leaders.

Related posts:
Standardizing the Money Mule Recruitment Process
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002
Inside a Money Laundering Group's Spamming Operations

This post has been reproduced from Dancho Danchev's blog.

Wednesday, November 11, 2009

Koobface Botnet's Scareware Business Model - Part Two

UPDATED - Wednesday, November 18, 2009: A new update is being pushed to the hundreds of thousands of infected hosts, which now perform the redirection using dynamically generated .swf files, with every page using the same title "Wonderful Video". The redirection is also a relatively static process.

For instance, if the original koobface redirector is, followed by the .swf redirection it will output

New redirectors and scareware domains pushed within the past few hours include - everlastmovie .cn - Email:; smile-life .cn - Email: ; harry-pott .cn - Email:, beprotected9 .com - Email: and antivir3 .com - Email:

UPDATED - Tuesday, November 17, 2009: Koobface is resuming scareware (Inst_312s2.exe) operations at, which was taken offline for a short period of time. The ISP has been notified again; action should be taken shortly. The current domain portfolio, including new ones parked there:

ereuqba .cn - Email:
eqoxyda .cn - Email:
evouga .cn - Email:
edivuka .cn - Email:
ebeama .cn - Email:
kebugac .cn - Email:
eqoabce .cn - Email:
kixyhce .cn - Email:
cecyde .cn - Email:
evybine .cn - Email:
eqaone .cn - Email:
dyqunre .cn - Email:
byzivte .cn - Email:
dovzyag .cn - Email:
ebeozag .cn - Email:
cafgouh .cn - Email:
kebfoki .cn - Email:
ebogumi .cn - Email:
dyzani .cn - Email:
dybapi .cn - Email:
dusyti .cn - Email:
dutsyvi .cn - Email:
dutfij .cn - Email:
bysivak .cn - Email:
eqiovak .cn - Email:

cecxoyk .cn - Email:
dyqkuam .cn - Email:
edamym .cn - Email:
eqibuym .cn - Email:
ducyqan .cn - Email:
duzebyn .cn - Email:
etyawjo .cn - Email:
cerdiko .cn - Email:
erauso .cn - Email:
etuacwo .cn - Email:
etuexyp .cn - Email:
etywuq .cn - Email:
ebejar .cn - Email:
ebiuhas .cn - Email:
dozabes .cn - Email:
eqoybu .cn - Email:
eviyzru .cn - Email:
evaopsu .cn - Email:
ebaetu .cn - Email:
dytrevu .cn - Email:
eboezu .cn - Email:
eruqav .cn - Email:
eqoumiv .cn - Email:
epuneyv .cn - Email:
etykauw .cn - Email:
ebeoxuw .cn - Email:
eqidax .cn - Email:
evaolux .cn - Email:
cafropy .cn - Email:
etyupy .cn - Email:
kebquty .cn - Email:
cakevy .cn - Email:
eqouwy .cn - Email:
epuvyiz .cn - Email: 

UPDATED - Monday, November 16, 2009: The Koobface gang is pushing a new update, followed by a new portfolio of scareware redirectors and actual scareware serving domains.

New portfolio of redirectors parked at
befree2 .cn - Email:
scandinavianmall .cn - Email: 
densityoze .cn - Email:
moored2009 .cn - Email:
pica-pica .cn - Email:
stroboscopicmovie .cn - Email:
comedienne .cn - Email:
densityoze .cn - Email:
furorcorner .cn - Email:
ionisationtools .cn - Email:
wax-max .cn - Email:
plate-tracery .cn - Email:
little-bitty .cn - Email:
night-whale .cn - Email:
scary-scary .cn - Email:

Second redirectors portfolio at
disorganization000 .cn - Email:
rainbowlike .cn - Email:
skewercall .cn - Email:
wegenerinfo .cn - Email:
kangaroocar .cn - Email:
pericallis .cn - Email:
treasure-planet .cn - Email:
genusbiz .cn - Email:

Currently pushing scareware from primescan1 .com -;;; The sampled scareware phones back to windowsupdate8 .com/download/timesroman.tif - and angle-meter .com/?b=1 (safewebnetwork .com) -

More scareware domains are parked on the same IPs:
yourantivira7 .com - Email: - detection rate
web-scanm .com - Email: - detection rate
yourantivira3 .com (wwwsecurescana1 .com) - Email:
primescan8 .com
online-check-v11 .com
antivir-scan1 .com - Email:
antispy-scan1 .com - Email:
primescan1 .com
checkforspyware2 .com - Email:
pc-antispyware3 .com - Email:
premium-protection6 .com - Email:
antivir7 .com - Email:
online-check-v7 .com
beprotected8 .com - Email:
pc-antispyware9 .com - Email:
online-check-v9 .com
checkfileshere .com - Email:
scanfileshere .com - Email:
antivir-scano .com - Email:
check-files-now .com - Email:
antivir-scanz .com - Email:
antispy-scanz .com - Email:

ISPs contributing to the monetization of Koobface have been notified.

UPDATE: has been taken offline courtesy of Blue Square Data Group Services Limited -- previous cooperation took place within a 3 hour period -- with the Koobface gang migrating scareware operations to (AS29073 ECATEL-AS, Ecatel Network) and; - (AS24940 HETZNER-AS, Hetzner Online AG RZ) - ISPs have been notified.

The .info scareware domain portfolio will be suspended within the next 24 hours.

Ali Baba and the 40 thieves LLC, a.k.a. my Ukrainian "fan club", the one with the Bahama botnet connection, the recent malvertising attacks connection, and the current market leader in black hat search engine optimization campaigns, has been keeping busy over the past couple of weeks, continuing to add additional layers of legitimacy to their campaigns ( redirectors to accounts leading to compromised hosts). This proves that if a cybercrime enterprise wants to, it can run its malicious operations on the shoulders of legitimate service providers, using them as a "virtual human shield" in order to continue operating without fear of retribution.
Over the past two weeks, the Koobface gang once again indicated that it reads my blog, "appreciates" the ways I undermine the monetization element of their campaigns, and next to redirecting Facebook's entire IP space to my blog, they've also, for the first time ever, moved from using my name in their redirectors, to typosquatting it.

For instance, the -- now suspended -- Koobface domain pancho-2807 .com is registered to Pancho Panchev,, followed by rdr20090924 .info registered to Vancho Vanchev, As always, I'm totally flattered, and I'm still in a "stay tuned" mode for my very own branded scareware release - the Advanced Pro-Danchev Premium Live Mega Professional Anti-Spyware Online Cleaning Cyber Protection Scanner 2010.

It's time to summarize some of the Koobface gang's recent activities and establish a direct connection with the Bahama botnet and with the Ukrainian dating scam agency Confidential Connections, whose botnet operations were linked to money-mule recruitment scams, with active domains from their affiliate network parked at Koobface-connected scareware serving domains, all of which respond to an IP involved in the ongoing U.S Federal Forms themed blackhat SEO campaign. It couldn't get any uglier.

As of recently the gang has migrated to a triple layer of legitimate infrastructure: redirectors leading to automatically registered Blogspot accounts, which redirect to Koobface-infected hosts that serve the Koobface binary and redirect to a periodically updated scareware domain. Here are some of the domains involved.

The ongoing campaign dynamically generates URLs redirecting to automatically registered Blogspot accounts, using the following URLs:
/VumFK -> drbryanferazzoli
/lJcK3 -> toyetoyebalnaja
/3mFyzs -> raimeishelkowitz
/2wuSPj -> kelakelamccovery
/2Pnn8l -> pattyedevero
/2wuSPj -> kelakelamccovery
/1HDmbm -> malinegainey-green
/2xf5vB -> advaadvarukuni
/3mFyzs -> raimeishelkowitz
/2xf5vB -> advaadvarukuni
/46pcCI -> paulangelogaetano
/1HDmbm -> malinegainey-green
/3JZsDD -> derieuwsdarrius
/lJcK3 -> toyetoyebalnaja
/2h7XRU -> shunnarahamandla
/3JZsDD -> derieuwsdarrius
/3Zj98G -> schubachmarquis
/1sXgRH -> nicnicmiralles
/3eijza -> froneksaxxon
/1I3rr7 -> attreechappy
/2m3wP4 -> bilsboroughkebrom
/30wcJn -> raheelanucci
/2U7jYM -> orvelorvelblues
/1CWOlZ -> kondrackinehemias
/2m3wP4 -> bilsboroughkebrom
/1qbXsi -> lizzamottymotty
/79ONz -> rayvongonsalves
/22Jyex -> klaartjebjorgvinsson
/p07jC -> humphriesteelateela
/2lpZXx -> kalandraaleisha

Each Blogspot account consists of a single post containing an automatically syndicated news item. Compared to the previous campaign, which relied on 25+ Koobface-infected IPs directly embedded at Blogspot itself, this one embeds a single URL that attempts to connect to any of the Koobface-infected IPs. The currently active campaign redirects to rainbowlike .cn/?pid=312s02&sid=4db12f, which then redirects to the scareware domain secure-your-files .com, with the sample phoning back to forbes-2009 .com/?b=1s1, and with another domain, activate-antivirus .com, parked there.

Time to expose the entire portfolio of scareware domains pushed by the gang, and to offer some historical OSINT data on their activities which was not publicly released until enough connections between multiple campaigns were established. Which ISPs are currently offering hosting services for the scareware domain portfolio pushed by the Koobface gang? The current portfolio is parked at (AS36351 SOFTLAYER Technologies Inc. surprise, surprise!); (AS44042 ROOT eSolutions surprise, surprise part two) and at (AS44042 ROOT eSolutions).

Scareware redirectors parked at

Scareware domains parked at; and

Let us further expand the portfolio by listing the newly introduced scareware domains at, which was first mentioned in part one of the Koobface Botnet's Scareware Business Model as a centralized hosting location for the gang's portfolio.

Scareware domains parked at

Historical OSINT of Koobface scareware activity over a period of two weeks
The following is a snapshot of Koobface scareware activity during the last two weeks, establishing a direct connection between the Koobface botnet, the ongoing blackhat SEO campaigns, the Bahama botnet with scareware samples modifying HOSTS files, and a Ukrainian dating scam agency of whose affiliate network the gang appears to be a part.

Scareware samples pushed by Koobface, with associated detection rates:

Download locations of the actual scareware binary used over the past two weeks:

What's the deal with the historical OSINT and why wasn't this data communicated right away? Keep reading.

The Bahama Botnet Connection
During September, the folks at ClickForensics made an interesting observation regarding my Ukrainian "fan club" and the ad revenue stealing/click-fraud committing botnet Bahama - some of the scareware samples were modifying the HOSTS file and presenting the victim with "one of those cybercrime-friendly search engines", stealing revenue in the process.

Once the connection was also established by me at a later stage, data released in regard to the New York Times malvertising attack once again revealed a connection between all campaigns - the very same domains used to serve the scareware were also used in a blackhat SEO campaign which I analyzed a week before the incident took place. Basically, the scareware pushed by the Koobface botnet, as well as the scareware pushed by the blackhat SEO campaigns maintained by the gangs, is among the several propagation approaches used for the DNS records poisoning to take place:

"However, in the case of the Bahama Botnet, this DNS translation method gets corrupted.  The Bahama botnet malware causes the infected computer to mistranslate a domain name.  Instead of translating “” as, an infected computer will translate it as That number doesn’t represent any computer owned by Google.  Instead, it represents a computer located in Canada.  When a user with an infected machine performs a search on what they think is, the query actually goes to the Canadian computer, which pulls real search results directly from Google, fiddles with them a bit, and displays them to the searcher.  

Now the searcher is looking at a page that looks exactly like the Google search results page, but it’s not.  A click on the apparently “organic” results will redirect as a paid click through several ad networks or parked domains — some complicit, some not.  Regardless, cost per click (CPC) fees are generated, advertisers pay, and click fraud has occurred."

The mentioned is actually AS30407 (Velcom), which has also been used in recent campaigns.

ISPs and domain registrars have been notified; action should be taken shortly. What was particularly interesting to observe was that scareware pushed by the Koobface botnet, phoning back to its well-known urodinam .net/8732489273.php domain, was also modifying the HOSTS file in the following way. Sample HOSTS modification of scareware (MD5: 0x0FBF1A9F8E6E305138151440DA58B4F1) pushed by Koobface:

Sample HOSTS modification of scareware (MD5: 0x0FBF1A9F8E6E305138151440DA58B4F1) pushed by blackhat SEO:
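As an added illustration (not part of the original post, nor any of the referenced samples), here is a small defender-side Python check for the kind of HOSTS hijack described above: it parses a HOSTS file and flags well-known search domains mapped to anything other than a loopback address, which is exactly what lets a Bahama-style sample route searches through a third-party machine. The sample HOSTS content and the 203.0.113.10 address are constructed placeholders (RFC 5737 documentation range), not the post's actual sample.

```python
import ipaddress
import re

# Constructed sample of a poisoned HOSTS file (placeholder, not the post's
# real sample). 203.0.113.10 stands in for the third-party search proxy.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.10    google.com
203.0.113.10    www.google.com
203.0.113.10    search.yahoo.com
"""

# Domains a HOSTS hijack of this kind targets: search engines whose result
# pages get proxied and rewritten for click fraud. Extend as needed locally.
WATCHED_DOMAINS = {"google.com", "www.google.com", "search.yahoo.com", "www.bing.com"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS file text, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = re.split(r"\s+", line)
        ip, names = parts[0], parts[1:]
        for name in names:                      # one IP may map several names
            yield ip, name.lower()


def find_hijacks(text, watched=WATCHED_DOMAINS):
    """Return [(hostname, ip)] for watched domains pointed at a non-loopback address.

    Loopback/unspecified mappings (e.g. ad-blocking HOSTS lists pointing a domain
    at 127.0.0.1) only blackhole traffic and are not hijacks, so they are skipped.
    """
    hits = []
    for ip, name in parse_hosts(text):
        if name not in watched:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:                      # malformed entry, not our concern here
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        hits.append((name, ip))
    return hits


if __name__ == "__main__":
    import sys
    # Pass the real HOSTS path (e.g. the Windows drivers\etc\hosts) to check a host;
    # with no argument the constructed sample is scanned.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for name, ip in find_hijacks(text):
        print(f"possible HOSTS hijack: {name} -> {ip}")
```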

The historical OSINT paragraph mentioned that several of the scareware domains pushed during the past two weeks were responding to. This very same IP was hosting domains that were part of a Ukrainian dating scam agency known as Confidential Connections earlier this year, whose spamming operations were linked to a botnet involved in money mule recruitment activities.

For the time being, the following dating scam domains are responding to the same IP:

Could it get even more malicious and fraudulent than that? Appreciate my rhetoric. The same email ( that was used to register the dating scam domains was also used to register exploit serving domains at, participate in phishing campaigns, and register a money mule recruitment site for the non-existent Allied Insurance LLC. (Allied Group, Inc.).

Now that's a multi-tasking underground enterprise, isn't it? The ISPs have been notified, domains suspension is pending.

Related posts:
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Koobface Botnet's Scareware Business Model
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign 
The Koobface Gang Mixing Social Engineering Vectors

This post has been reproduced from Dancho Danchev's blog.