TOKYO (MacHouse) – As we reported more than 15 hours ago, a cyber spam terrorist circulated a short spam comment involving five vBulletin websites. (See Screenshot 01.) The domains of the forums websites advertised in this trivial spam post are attc.edu.au, blokt.com, djw.hr, escort-czech.com and gopckt.com. Clicking on any of the five URLs shown in the post, one will be forwarded to a spam profile created by a spammer.
 Screenshot 01 – Source: MacHouse |
 Screenshot 02 – Source: attc.edu.au |
 Screenshot 03 – Source: videopreviewshow.com |
Furthermore, all five spam profiles share a common hyperlink whose underlying link is http://vbestserv.org/ds/go.php?sid=1. (See Screenshot 02.) This domain is used to redirect Internet users to one of the several websites. One destination is the website at videopreviewshow.com. (See Screenshot 03.) Another destination is a fake PornTube website at kukuzhmuku.com. (See Screenshot 04.)
There are several domains + one IP address involved with this spam profile operation. They are listed below.
- vbestserv.org – Being used to redirect Internet users to one of the scam-sponsoring websites
- videopreviewshow.com – hosting a fake free movie website
- 216.240.151.122 – delivering a suspicious file titled c-setup.exe through the fake video website
- kukuzhmuku.com – hosting a fake PornTube website
- download-top-software.net – delivering a suspicious file titled FullBSCodecz.exe through the fake PornTube website
 Screenshot 04 – Source: kukuzhmuku.com |
 Screenshot 05 – Source: vbestserv.org |
 Screenshot 06 – Source: videopreviewshow.com |
Visiting the addresses shown in No. 1, 2, 3 and 4, no website seems to be hosted. (See Screenshot 05-8.) But don’t be fooled. They are all in the pink of health. For example, you may not find the fake PornTube website by accessing http:// kukuzhmuku.com, but you will find it by accessing http:// kukuzhmuku.com/xvideo.php or http:// kukuzhmuku.com/xfreeporn.php.
 Screenshot 07 – Source: 216.240.151.122 |
 Screenshot 08 – Source: kukuzhmuku.com |
As we reported in the last report, we were forced to download two files (c-setup.exe and FullBSCodecz.exe), one each from 216.240.151.122 and download-top-software.net. Scanning these files with Sophos AntiVirus for Windows, we have not been able to detect any suspicious codes.
 Screenshot 09 – Source: MacHouse |
 Screenshot 10 – Source: MacHouse |
 Screenshot 11 – Source: MacHouse |
Finally, let’s find out where these scam websites are hosted. The web server of the redirection website at vbestserv.org is traced to the IP address of 88.214.204.100. It belongs to a mysterious U.K. organization known as Real International Business Corp., which we occasionally mention. (See Screenshot 12.) We don’t know its true identity.
 Screenshot 12 – Source: MacHouse |
 Screenshot 13 – Source: MacHouse |
 Screenshot 14 – Source: CalPOP.com |
The fake video website hosted at the domain of videopreviewshow.com seems to be hosted in Ukraine. Its web server is traced to the IP address of 91.203.93.25. The net name of this IP address is registered as ZHITOMIR-NET, according to RIPE. We don’t know if this organization is a hosting company. Meanwhile, the registered e-mail address suggests that UaTelecom (uatelecom.com.ua) may be involved in hosting the fake video website. (See Screenshot 13.) Furthermore, the web server of the fake codec delivery website at 216.240.151.122 is traced to a California-based hosting company called CalPOP.com, Inc. (Screenshot 14 shows the website of CalPOP.com.)
 Screenshot 15 – Source: 216.240.151.122 |
 Screenshot 16 – Source: kukuzhmuku.com |
Let’s move on to the fake PornTube website. The web server of the fake PornTube website hosted at the domain of kukuzhmuku.com is traced to the IP address of 64.27.18.55. This IP address belongs to a notorious spam-delievering organization known as Hollywood Interactive, Inc. (See Screenshot 15.) Although we occasionally mention the name, the identity of this organization is not well known. Perhaps, it’s the Hollywood version of Russian Business Network (RBN). Moreover, the server of the website delivering a fake codec file (FullBSCodecz.exe) at download-top-software.net is traced to the IP address of 94.247.3.228. The web host is located in Latvia, one of the Baltic nations. The fake-codec website may be hosted at ZLKon (zlkon.lv). (Screenshot 16 shows the index page of ZlKon’s website.)
References:
Beware of Fake PornTube Website at KUKUZHMUKU.COM Hosted in California – Part 1
