Beware of XXX.WHATSDIRECT.COM and HQTUBE.COM – Redirection to Porn Website and ANTIVIRUS-SCANONLINE.COM







TOKYO (MacHouse) – An international scum group has been circulating spam comments for the past several days. They appear to be advertising a porn website at http://pics.hqtube.com or http://hqtube.com. (See Screenshot 01.) There is no question that this website hosts hard-core pornographic content. Hmm… What does a spam comment advertising a porn website remind us of? You might expect the infamous codec scam, in which you are forced to download a file presented as something you need in order to watch free porn websites. But their intention is probably different.





Screenshot 01 – Source: MacHouse
Screenshot 02 – Source: Completewhois.Com
Screenshot 03 – Source: MacHouse






Seeing is deceiving. The hyperlinks behind http://pics.hqtube.com/gallery/anal_xplosion_sc1_1.jpg and the others aren’t what they say they are. As shown at the bottom of Screenshot 01, the actual link destinations are at http://xxx.whatsdirect.com.
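The mismatch described above, between the URL a link displays and the address its href really points to, can be checked mechanically when moderating comments. The following Python is an added example, not MacHouse's code; the function names and the sample comment HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+", re.I)

def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url.strip()).hostname or "").lower()

class LinkAuditor(HTMLParser):
    """Collect (visible_text, href) for every <a> element."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def deceptive_links(comment_html):
    """Return (shown_host, real_host) where the link text names one host
    but the href sends the visitor to a different one."""
    auditor = LinkAuditor()
    auditor.feed(comment_html)
    auditor.close()
    found = []
    for text, href in auditor.links:
        real = host_of(href)
        for shown_url in URL_IN_TEXT.findall(text):
            shown = host_of(shown_url)
            if shown and real and shown != real:
                found.append((shown, real))
    return found

# Constructed sample comment: the first link shows one host and targets another.
SAMPLE = ('<p><a href="http://xxx.whatsdirect.com/?s">'
          'http://pics.hqtube.com/gallery/sample_1.jpg</a> '
          '<a href="http://example.org/about">http://example.org/about</a></p>')
```

A moderation queue can hold any comment for which `deceptive_links` returns a non-empty list.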

Let’s quickly check the domain registration of whatsdirect.com. As shown in Screenshot 02, the registrant uses an anonymous domain registration to hide its identity.

This domain designates two nameservers, ns1.whatsdirect.com and ns2.whatsdirect.com. (See Screenshot 03.) Running a traceroute on one of them leads us to the IP address 64.27.21.175. (See Screenshot 04.) According to ARIN, this IP address belongs to Hollywood Interactive, Inc. (See Screenshot 05.) It is possible that this organization has something to do with a Los Angeles-based web hosting company called CalPOP, but we are not 100% sure. (Screenshot 06 shows the index page of CalPOP’s website.)





Screenshot 04 – Source: MacHouse
Screenshot 05 – Source: MacHouse
Screenshot 06 – Source: CalPOP






Meanwhile, if you access http://xxx.whatsdirect.com?s or beyond, you will end up at one of the following:

http://new-content-s2008.com (porn website) or
http://alwebsearch.info (junk directory) or
http://antivirus-scanonline.com (infamous fake anti-virus scan website with a Trojan horse virus)





Screenshot 07 – Source: new-content-s2008.com (digitally altered)
Screenshot 08 – Source: alwebsearch.info
Screenshot 09 – Source: MacHouse














2 Responses to Beware of XXX.WHATSDIRECT.COM and HQTUBE.COM – Redirection to Porn Website and ANTIVIRUS-SCANONLINE.COM

  1. Mark Rob says:

    hi,

    We are coming here to clarify that Hqtube.com has nothing to do with this bad movement on the internet. They are using our picture and they are just fishing ppl. We are trying to track these ppl; if you have any information that could help, please get in contact with us directly through our e-mail. HQTUBE.com once more has NOTHING to do with this; we are doing our best to not be used as fish.

    Mark

  2. I see. I don’t have trouble accepting a possibility that you are not affiliated with them, but…

    (1) Your IP address is recorded as a known spammer by the WordPress community.
    (2) May I ask how you found this article so soon?
