Massive number of blogs hacked for Blackhat SEO

We noticed a new high number of blogs (more than 60) hacked for massive blackhat SEO strategies used to redirect users to fake scanner pages that will prompt the users to download a rogue security software named Security Master AV. This is a small list of hacked websites we have found that host malicious scripts used to capture keywords and redirect users to dangerous websites:

URLVoid Report gubserfarms. com
URLVoid Report buenapetito. net
URLVoid Report renurestoration. com
URLVoid Report robertsawards. biz
URLVoid Report practicumgroup. com
URLVoid Report renedaalder. com
URLVoid Report pl
URLVoid Report deliciouz. com
URLVoid Report calicompras. com
URLVoid Report za
URLVoid Report rocahosting. com
URLVoid Report hillarynan. com

When the user search a specific keyword in a search engine, on the first pages we can see websites that contain .php scripts in the /images/ folder … this looks like a bit suspicious:

Host: www.gubserfarms. com

As response we get a HTTP/1.1 200 OK and there is a redirection in the META HTTP-EQUIV that points to another dangerous link:

URL=hxxp://ghostroadpress. com/xredir.php?uid=2033">

Most of the hacked websites point to ghostroadpress. com (URLVoid Report) and we noticed that it contains always a link to another suspicious website that looks like to be used for statistics:

ctrash.byethost4. com/tick.php?sub=1&r=

URLVoid Report ctrash.byethost4. com

Now we get redirected again to another URL:

HTTP/1.1 302 Moved Temporarily
Location: hxxp://www3.smartbestav4.

URLVoid Report www3.smartbestav4.

It is not over! We get again a redirect to another URL:

HTTP/1.1 302 Moved Temporarily
Location: hxxp://www1.avscaner-34pr.

URLVoid Report www1.avscaner-34pr.

And finally we get the fake scanner page:


A common action of these fake scanner page is that it is always loaded a .js script that as filename it has an hash:

GET /107aee58f4ea1267e6735c8fb0c51431bd8c3010411.js HTTP/1.1

When we click in any place of the fake scanner page we get again redirected to a new page that will prompt the download of the setup file of the rogue security software named Security Master AV.

HTTP/1.1 302 Moved Temporarily
Location: hxxp://www2.zonecleaner-87pd.

URLVoid Report www2.zonecleaner-87pd.

Here we can see a screenshot of the setup file that is trying to download and install the rogue security software in our system:


This is an image of the installed Security Master AV:


And these are the files created during the installation process:


After the installation finished to install the rogue security software, the program established various connections with these VERY dangerous websites:

URLVoid Report com/index.php?def387=
URLVoid Report com/xp_2b2ff.exe
URLVoid Report www1.detector11-pr.
URLVoid Report www5.securitymasterav. com
URLVoid Report secure2.protectzone. net/?abbr=SMAV&pid=3
URLVoid Report report.zoneguardland. com
URLVoid Report report.goodguardz. com
URLVoid Report secure1.protect-zone. com/?abbr=SMAV&pid=3
URLVoid Report report.myfairland. com
URLVoid Report report1.stat-mx.xorg. pl
URLVoid Report com

Be always careful while searching for any kind of keywords in Search Engines!

Random Posts

Previous Posts