New Massive BlackHat SEO Attacks

In recent days we have noticed a large number of hacked websites being used in a new blackhat SEO campaign whose objective is to redirect users to dangerous websites that spread the infamous and well known rogue security software, along with other threats such as the TDSS rootkit and Zeus.

The hijacked keywords are:

melina+kanakaredes
vonage+login
ind+vs+zim
diff+rent+strokes
amgentourofcalifornia
derrick+favors
mayweather+vs+mosley+results
redspottv+hot+video
liddell+vs+franklin
2012+movie
ufc+116+fight+card
law+and+order+cancelled
eclipse+box+office
ali+bachelorette
cheap+laptops

Be careful when you search for any of the above keywords: even on the first page of the search results it is possible to find one of the malicious websites that redirect to dangerous URLs.

When a user clicks on an infected link in the search results, the user is redirected to a malicious URL that looks identical to YouTube, but with a surprise:

[Image: fake YouTube page]

When the user clicks on the black box of the fake video to play it, the browser is hijacked by malicious scripts and the classic fake scanner page is displayed:

[Image: fake scanner page]

This is a complete trace of the network traffic:

GET /images/page.php?page=keyword&check= HTTP/1.1
Host: www.schermionline .it
 
GET /tick.php?sub=1&r=&u= HTTP/1.1
Host: export.byethost3 .com
 
GET / HTTP/1.1
Host: webcache109 .com
 
GET /images/load.swf?&p=0&t=_self&u= HTTP/1.1
Host: www.schermionline .it
 
GET /images/redir.php HTTP/1.1
Host: www.bestellkanal .tv
 
GET /images/we.php?uid=2034 HTTP/1.1
Host: www.bestellkanal .tv
 
HTTP/1.1 302 Found
Location: hxxp://www3.true-av31 .co.cc/?p=
 
GET /?p= HTTP/1.1
Host: www3.true-av31 .co.cc
 
HTTP/1.1 302 Moved Temporarily
Location: hxxp://www2.ipsec30 .co.cc/?p=
 
GET /?p= HTTP/1.1
Host: www2.ipsec30 .co.cc
 
GET /107a6da77d1a9deac7f69c7524e7980135ed3011811.js HTTP/1.1
Host: www2.ipsec30 .co.cc
 
GET /wadr107_2034.php?p= HTTP/1.1
Host: www1.mysecurity8 .co.cc
 
GET /packupdate107_2034.exe HTTP/1.1
Host: www1.mysecurity8 .co.cc

A summary of malicious domains extracted from the network traffic:

schermionline.it / 217.160.5.133
export.byethost3.com / 209.51.196.250
bestellkanal.tv / 194.145.226.48
www3.true-av31.co.cc / 74.118.193.81
www2.ipsec30.co.cc / 209.222.3.154
www1.mysecurity8.co.cc / 209.222.8.181
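
As an added example (not code from the original post), the following Python script parses a trace in the format shown above, rebuilds the ordered list of hosts the victim's browser was bounced through, and flags the traits of this chain that a proxy or IDS analyst can alert on. The TRACE excerpt is constructed from the trace on this page, with the post's defanging undone by refang(); all function names are my own.

```python
from urllib.parse import urlsplit
# Constructed excerpt of the trace in the post; its defanging ("hxxp", " .tld") is kept.
TRACE = """\
GET /images/page.php?page=keyword&check= HTTP/1.1
Host: www.schermionline .it

GET /images/we.php?uid=2034 HTTP/1.1
Host: www.bestellkanal .tv

HTTP/1.1 302 Found
Location: hxxp://www3.true-av31 .co.cc/?p=

HTTP/1.1 302 Moved Temporarily
Location: hxxp://www2.ipsec30 .co.cc/?p=

GET /packupdate107_2034.exe HTTP/1.1
Host: www1.mysecurity8 .co.cc
"""

def refang(s):
    return s.replace("hxxp", "http").replace(" .", ".")

def parse_trace(text):
    """Return (kind, host, path) events: 'GET' for requests, '302' for redirect targets."""
    events = []
    for block in text.strip().split("\n\n"):
        lines = block.strip().splitlines()
        first, rest = lines[0].split(" ", 1)
        hdr = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
        if first == "GET":
            events.append(("GET", refang(hdr.get("Host", "")), rest.split()[0]))
        elif first.startswith("HTTP/") and rest.startswith("3") and "Location" in hdr:
            u = urlsplit(refang(hdr["Location"]))
            events.append(("302", u.hostname, u.path or "/"))
    return events

def redirect_chain(events):
    """Distinct hosts in the order the browser was sent through them."""
    return list(dict.fromkeys(h for _, h, _ in events if h))

def flag_chain(events, min_hops=3):
    """Traits of this campaign: multi-host chain, 302 onto a .co.cc subdomain, .exe at the end."""
    reasons = []
    if len(redirect_chain(events)) >= min_hops:
        reasons.append("multi-host redirect chain")
    if any(k == "302" and h.endswith(".co.cc") for k, h, _ in events):
        reasons.append("302 to .co.cc subdomain")
    if any(k == "GET" and p.lower().endswith(".exe") for k, _, p in events):
        reasons.append("executable download at end of chain")
    return reasons
```

Run flag_chain(parse_trace(TRACE)) to see all three traits reported; a plain single-host page view yields an empty list.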

This is a small list of compromised websites:
