Adware, malware, spyware, hijacker discussion and information


All times are UTC - 7 hours
Post subject: Fake Web Hosting Provider - Front-end to Scareware Blackhat
Posted: Mon Jun 08, 2009 1:04 am
Site Admin
Just like GazTranzitStroyInfo's case, what we've got here is failure to understand that the efforts put into building legitimacy of front-ends to cybercrime are prone to get undermined upon closer examination of the particular web hosting provider.

Who, and what is Life4you .info - Free Hosting for Live (dirsite .com; 65.98.15.80; Dennis Linkor Email: admin@dirsite.com)?

What's so special about them? Well, for starters, they've got no customers but the cybercriminals themselves maintaining a portfolio of over 7,000 adult-related keywords which they have been using for blackhat SEO campaigns across thousands of automatically registered -- CAPTCHA recognition outsourced -- Blogspot accounts since February 2009.

With the Blogspot campaign still ongoing, let's assess it and expose all the participating scareware domains. Upon automatic generation of the Blogspot accounts, links like the following are included next to the bogus content, all using dirsite.com's pseudo-legitimate hosting services:

Upon clicking, the users are redirected to tdncgo2009 .com/?uid=68&pid=3 (trdatasft .com; fra22 .net; Email: ) 64.86.17.47, Email: hmlragnsky@whoisservices.cn, where the scareware domains are randomly loaded:


The scareware attempts to phone back to update1.virusshieldpro .com/ReleaseXP.exe - 206.53.61.75 - Email: unitedisystems@gmail.com and to updvmfnow .cn - 64.86.17.9 Email: oijfsd.sd@gmail.com. ReleaseXP.exe then phones back to the following locations, naturally earning profit for the cybercriminal -

Continued @ DDanchev Blog

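As an added defender-side example, not part of the post above or of Danchev's own research: a small Python script that flags, in a proxy log, the redirect chain the post describes (blog link, then goto.dirsite.com/go.php?tds-key=..., then tdncgo2009.com/?uid=...&pid=..., then whichever host loads next as the suspected scareware page). The log lines, the client addresses and the host fake-scanner.invalid are constructed; the 30-second window is an assumption.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

TDS_HOST = "goto.dirsite.com"     # TDS front-end named in the post
LANDING_HOST = "tdncgo2009.com"   # landing page named in the post

# Constructed proxy log, not real traffic: "client epoch url" per line.
SAMPLE_LOG = """\
10.0.0.5 1244444401 http://someblog.blogspot.com/2009/06/post.html
10.0.0.5 1244444403 http://goto.dirsite.com/go.php?sid=2&tds-key=constructed+keyword
10.0.0.5 1244444404 http://tdncgo2009.com/?uid=68&pid=3
10.0.0.5 1244444406 http://fake-scanner.invalid/scan.php
10.0.0.9 1244444520 http://goto.dirsite.com/go.php?sid=2&tds-key=another+keyword
10.0.0.9 1244444700 http://www.example.com/news
"""

def stage(url):
    """'tds' for a go.php?tds-key= hit, 'landing' for the ?uid=&pid= page, else None."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    if parts.hostname == TDS_HOST and parts.path.endswith("/go.php") and "tds-key" in q:
        return "tds"
    if parts.hostname == LANDING_HOST and "uid" in q and "pid" in q:
        return "landing"
    return None

def find_chains(log_text, window=30):
    """Per TDS click: the landing hit and the next host seen within `window` seconds (suspected scareware), else None."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        client, ts, url = line.split()
        per_client[client].append((int(ts), url))
    findings = []
    for client, hits in per_client.items():
        hits.sort()
        for i, (t0, url) in enumerate(hits):
            if stage(url) != "tds":
                continue
            rec = {"client": client, "landing": None, "next_host": None,
                   "tds_key": parse_qs(urlsplit(url).query)["tds-key"][0]}
            for t, u in hits[i + 1:]:
                if t - t0 > window:          # the chain completes within seconds, so stop here
                    break
                if rec["landing"] is None and stage(u) == "landing":
                    rec["landing"] = u
                elif rec["landing"] is not None:
                    rec["next_host"] = urlsplit(u).hostname
                    break
            findings.append(rec)
    return findings
```

A record with a landing page but no next host, or a TDS hit with no landing page, is still worth keeping: it shows the blackhat SEO bait was clicked even if the full chain did not complete.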
