Fake Celebrity Profiles at myYearbook and Others Sending Internet Users to Fake PornTube with Suspicious.MH690

TOKYO (MacHouse) – In the past several hours, an organized cyber-criminal group circulated at least two spam comments on blogs and forums worldwide, implicating four legitimate websites. The two comments contain phrases such as "nude teens," "vanessa hudgens nude," "antonella barba nude" and "jessica alba nude." (See Screenshots 01-2.)

Screenshot 01 – Source: MacHouse
Screenshot 02 – Source: MacHouse
Screenshot 03 – Source: Quantcast

The URLs underlying those phrases point to user profiles on four websites: Open Library (openlibrary.org), Twine (twine.com), JamBase (jambase.com) and myYearbook (myyearbook.com). Combined, these four sites attract as many as 4 million U.S. visitors monthly and many more worldwide. The largest of the four is myYearbook; according to Quantcast, this social-networking site attracts 3.2 million U.S. visitors and 4.6 million global visitors monthly. (See Screenshot 03.)

Screenshot 04 – Source: Open Library
Screenshot 05 – Source: Twine
Screenshot 06 – Source: JamBase

Clicking any of the hyperlinks in the spam posts leads to a spam profile containing a fake video player. (See Screenshots 04-7.) Clicking the video player forwards the visitor to a fake PornTube website hosted at the domain tube-work-sell.net. (See Screenshot 08.) Not surprisingly, this junk site is set up to have visitors download and install a file labeled TubePlayer.ver.6.exe. (See Screenshot 09.)

Screenshot 07 – Source: myYearbook
Screenshot 08 – Source: tube-work-sell.com
Screenshot 09 – Source: tube-work-sell.com

The spam posts shown in Screenshots 01-2 contain eight hyperlinks, to the following URLs:

http://openlibrary.org/user/nobelsten
http://www.twine.com/user/emial
http://www.jambase.com/Fans/yonga
http://www.twine.com/user/dazcor
http://www.jambase.com/Fans/antonella
http://www.twine.com/user/hudgensva
http://www.myyearbook.com/jessicaalb
http://www.twine.com/user/gamnat
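The following is an added example, not code from the MacHouse post or from any of the sites named above. It is a small Python comment scanner that extracts the hyperlinks from a comment's HTML and flags any that point at the eight profile URLs listed here, at the tube-work-sell.net or t-imgs.net hosts described below, at a direct .exe download such as TubePlayer.ver.6.exe, or that use the bait anchor phrases quoted at the top of the post. The sample comments are constructed for the example; the example.invalid hostnames in them are placeholders.

```python
"""Comment-spam scanner for the campaign described in this post.

Added example, not code from the MacHouse post. It pulls every <a href>
out of a comment's HTML and flags links that match the indicators the post
reports: the eight spam profile URLs, the fake PornTube hosts, a direct
.exe download, or the bait anchor phrases. Sample comments are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


def normalize(url):
    """Lower-case scheme and host, drop query/fragment and a trailing slash,
    so HTTP://WWW.Twine.com/user/emial/ still matches the listed URL."""
    p = urlparse(url.strip())
    host = (p.hostname or "").lower()
    return f"{p.scheme.lower()}://{host}{p.path.rstrip('/')}"


# The eight profile URLs the spam posts link to (from the post).
SPAM_PROFILE_URLS = {normalize(u) for u in (
    "http://openlibrary.org/user/nobelsten",
    "http://www.twine.com/user/emial",
    "http://www.jambase.com/Fans/yonga",
    "http://www.twine.com/user/dazcor",
    "http://www.jambase.com/Fans/antonella",
    "http://www.twine.com/user/hudgensva",
    "http://www.myyearbook.com/jessicaalb",
    "http://www.twine.com/user/gamnat",
)}

# Fake PornTube site and the image host it pulls from (from the post).
SPAM_DOMAINS = ("tube-work-sell.net", "t-imgs.net")

# Anchor-text bait the post quotes from the spam comments.
BAIT_PHRASES = ("nude teens", "vanessa hudgens nude",
                "antonella barba nude", "jessica alba nude")


class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from a fragment of comment HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def in_spam_domain(host):
    """True for the listed domains and any subdomain of them."""
    return any(host == d or host.endswith("." + d) for d in SPAM_DOMAINS)


def classify_comment(html):
    """Return [(href, reason), ...] for each suspicious link in one comment.
    Checks run from most to least specific, so each link gets one reason."""
    parser = LinkExtractor()
    parser.feed(html)
    hits = []
    for href, text in parser.links:
        norm = normalize(href)
        host = urlparse(norm).hostname or ""
        if norm in SPAM_PROFILE_URLS:
            hits.append((href, "known spam profile"))
        elif in_spam_domain(host):
            hits.append((href, "fake PornTube infrastructure"))
        elif norm.lower().endswith(".exe"):
            hits.append((href, "direct executable download"))
        elif any(p in text.lower() for p in BAIT_PHRASES):
            hits.append((href, "bait anchor text"))
    return hits


def scan_comments(comments):
    """Map comment id -> hits for every comment that has at least one."""
    result = {}
    for cid, body in comments.items():
        hits = classify_comment(body)
        if hits:
            result[cid] = hits
    return result


# Constructed sample comments: two imitate the spam the post describes,
# the third is a benign comment that should produce no hits.
SAMPLE_COMMENTS = {
    "c1": ('Check this <a href="http://www.myyearbook.com/jessicaalb">'
           'jessica alba nude</a> and <a href="http://www.twine.com/user/emial/">'
           'vanessa hudgens nude</a>'),
    "c2": ('<a href="http://tube-work-sell.net/watch">video</a> '
           '<a href="http://cdn.example.invalid/TubePlayer.ver.6.exe">player</a> '
           '<a href="http://unknown.example.invalid/p">antonella barba nude</a>'),
    "c3": 'Great post, see <a href="https://en.wikipedia.org/wiki/Spam">spam</a>.',
}

if __name__ == "__main__":
    for cid, hits in scan_comments(SAMPLE_COMMENTS).items():
        for href, reason in hits:
            print(f"{cid}: {reason}: {href}")
```

The profile-URL set is the brittle part of this check: the spammers can register new accounts on the same four sites at will, so in practice that list needs refreshing as new spam is observed. The host match on the fake PornTube infrastructure, the direct .exe check and the bait-phrase match are the durable signals, which is why they are evaluated even when the profile list is stale.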






As we reported several days ago, the web server hosting the fake PornTube website at tube-work-sell.net is traced to the IP address 64.27.18.55. This IP address is assigned to a notorious organization called Hollywood Interactive, and a Los Angeles, California-based web hosting company called CalPOP is involved with Hollywood Interactive. (Screenshot 10 shows the index page of CalPOP’s website.) Some of the pornographic images on the fake PornTube website appear to be served from t-imgs.net, and there may be a website associated with this domain. The web server behind it is traced to the IP address 78.159.98.129. According to RIPE, this IP address is assigned to a disgraced German web hosting company known as netdirekt, which is known to be behind many malicious websites. (See Screenshot 11; Screenshot 12 shows the gate page of netdirekt’s website.)

Screenshot 10 – Source: CalPOP
Screenshot 11 – Source: MacHouse
Screenshot 12 – Source: netdirekt

Furthermore, the server hosting the website used to deliver the suspicious file (TubePlayer.ver.6.exe) is traced to the IP address 94.247.3.228. This IP address is assigned to a web hosting company in Latvia. (See Screenshot 13.)

Screenshot 13 – Source: ZlKon

According to Norton Internet Security 2009, TubePlayer.ver.6.exe contains malware, which Symantec detects under the name Suspicious.MH690. (See Screenshots 14-16.)

Screenshot 14 – Source: MacHouse
Screenshot 15 – Source: MacHouse
Screenshot 16 – Source: Symantec

Related stories:

LIVEVIDEO.COM and Other Websites Continuing to Send Internet Users to Fake Codec Websites with Trojan Horse Viruses – Part 2
LIVEVIDEO.COM and Other Websites Continuing to Send Internet Users to Fake Codec Websites with Trojan Horse Viruses – Part 1
Suspicious.MH690 | Symantec