Beware of XXX.WHATSDIRECT.COM and HQTUBE.COM - Redirection to Porn Website and ANTIVIRUS-SCANONLINE.COM
TOKYO (MacHouse) - An international scum group has been circulating spam comments for the past several days. It looks as if they were advertising a porn website at http://pics.hqtube.com or http://hqtube.com. (See Screenshot 01.) It’s no question that this website hosts hard-core pornographic content. Hmm… A spam comment advertising a porn website reminds us of what? You might expect that it’s an infamous codec scam where you will be forced to download a file designed to make it as if you needed to watch free porn websites. But their intention is probably different.
 Screenshot 01 - Source: MacHouse |
 Screenshot 02 - Source: Completewhois.Com |
 Screenshot 03 - Source: MacHouse |
Seeing is deceiving. The underlying hyperlinks behind http://pics.hqtube.com/gallery/anal_xplosion_sc1_1.jpg and others aren’t really what they say they are. As shown at the bottom of Screenshot 01, the actual designated hyperlinks are those at http://xxx.whatsdirect.com.
Let’s quickly check the domain registration of whatsdirect.com. As shown in Screenshot 02, the registrant uses an anonymous domain to hide its identity.
This domain designates two nameservers, which are ns1.whatsdirect.com and ns2.whatsdirect.com. (See Screenshot 03.) Running a traceroute search on one of them leads us to the IP address of 64.27.21.175. (See Screenshot 04.) According to ARIN, this IP address belongs to Hollywood Interactive, Inc. (See Screenshot 05.) It is possible that this organization has something to do with a Los Angels-based web hosting company called CalPOP. But we are not 100% sure. (Screenshot 06 shows the index page of CalPOP’s website.)
 Screenshot 04 - Source: MacHouse |
 Screenshot 05 - Source: MacHouse |
 Screenshot 06 - Source: CalPOP |
Meanwhile, if you access http://xxx.whatsdirect.com?s or beyond, you will end up at
http://new-content-s2008.com (porn website) or
http://alwebsearch.info (junk directory) or
http://antivirus-scanonline.com (infamouse fake anti-virus scan website with a Trojan horse virus)
 Screenshot 07 - Source: new-content-s2008.com (digitally altered) |
 Screenshot 08 - Source: alwebsearch.info |
 Screenshot 09 - Source: MacHouse |
Click on the button to watch a documentation video. 
Click on the button to watch more documentation videos.
References:
Is the Fake Anti-Virus Scan Website at ANTIVIRUS-SCANONLINE.COM Still at Risk?
Antivirus 2008 (ANTIVIRUS-SCANONLINE) Wrap-Up June-01
Briefly: A U.K. College Website Exploited for Antivirus 2008 (ANTIVIRUS-SCANONLINE.COM)
Saudi Arabian Government Website Falling a Victim to Antivirus 2008 (ANTIVIRUS-SCANONLINE.COM) Exploitation
Briefly: 3 New Websites Falling Victims to the Exploitation of Antivirus 2008 (ANTIVIRUS-SCANONLINE.COM)
Antivirus 2008 (ANTIVIRUS-SCANONLINE.COM) Finding New Home in the Netherlands?
New York-Based Web Hosting Company Ezzi.net Failing to Pull the Plug Off Fake Anti-Virus Scan Websites
Hopefully, Saying Good-Bye to the Fake Anti-Virus Scan Websites of ANTIVIRUS-SCANNER.COM and ANTIVIRUS-SCANONLINE.COM for Now…
Victims of ANTIVIRUS 2008 (Malware) & Troj/FakeVir-BF Growing Exponentially
Failure to Remove Ill Files Converts Beacon University Websites Into Redirection Points for ANTIVIRUS-SCANONLINE.COM
ANTIVIRUS-SCANONLINE.COM: Response to a Comment at FORUMS.SLICKDEALS.NET
The Name of A Next Anti-Virus Scan Domain Will Be…
File Determined to Contain Troj/FakeVir-BF
What Do We Know About These Fake Anti-Virus Scan Websites?
Lehigh University’s Multiple Department Websites Exploited for Redirection to ANTIVIRUS-SCANONLINE.COM
ANTIVIRUS-SCANONLINE.COM: 15 Websites Victimized in the Latest ‘?prj’ Exploitation Scheme
Warning: A New Fake Anti-Virus Scan Website Discovered
********** ********** ********** ********** ********** ********** ********** **********
MacHouse is not funded by tax payers' money. We have limited resources. We also need time to sleep and eat just as others. So we will not act as the International police to contact all victims of website abuse. All you have to do is to subscribe to spam messages and spam posts. If we can, why don't you?
June 10th, 2008 at 7:25 am
hi,
we are coming here to clarify that Hqtube.com have nothing to do with this bad movement in the internet. They are using our picture and they are just fishing ppl. we are trying to track this ppl, if you have any information that could help, please get in contact with us direct tru our e-mail. HQTUBE.com once more have NOTHING to do with this, we are doing out best to not be used as fish.
Mark
June 10th, 2008 at 11:11 am
I see. I don’t have trouble accepting a possibility that you are not affiliated with them, but…
(1) Your IP address is recorded as a known spammer by the WordPress community.
(2) May I ask how you found this article so soon?