Search Engine Optimization & Web Hosting Solution

TOKYO (MacHouse) - More than 24 hours ago, an organized cyber criminal group circulated a list of spam links around the WordPress blog community. This list covers more than 90 redirection URLs created at 1 URL (http://www.1url.in). (See Screenshot 01. And watch the video for some of the actual shorten links hosted at www.1url.in.) There are several destinations associated with these links. One is a fake movie website at http://2008-adult-2008.com. Another final destination is the fake PornTube website at http://tubescollection.com. There may be more redirection channels.

Screenshot 01 - Source: www.1url.in

Screenshot 02 - Source: 2008-adult-2008.com

Screenshot 03 - Source: 2008-adult-2008.com

If you access any of the shorten URLs appearing in the video, your web browser will probably draw data from iwontvip.com at first. Other things being unchanged, the web browser will then access 2008-adult-2008.com. In a matter of seconds, you will be forced to download a file, which presumably contains a Trojan derivative. A file titled MediaTubeCodec_ver1.213.0.exe comes from a server accessible at s-soft08freeware.com.

There’s another channel that we have confirmed. After accessing a spam URL at 1 URL, the web browser may first access iwontvip.com and then clipsuniverse.com, next. In this channel, the final destination will be a fake PornTube website hosted at the domain of tubescollection.com. Upon arrival, you will be forced to download a file like 1023.dmg, which contains a Trojan horse derivative like the one designed to change DNS settings (OSX.RSPlug.A).

Let’s see where malicious sites are hosted quickly. The IP location of the server associated with the domain of iwontvip.com is 88.214.198.95. This IP address belongs to Real International Business Corp. in the U.K. For now, we have little information on Real International Business Corp.

The IP location of the server distributing a malicious file through s-soft08freeware.com is 91.203.70.18. This IP address belongs to a web hosting company in Latvia called Nano IT (http://www.nano.lv).

Screenshot 04 - Source: Nano IT

Screenshot 05 - Source: DecentHost

Screenshot 06 - Source: High Sky Hosting

And the IP location of the server associated with the domain of 2008-adult-2008.com is 72.21.53.218. This IP address belongs to a Dallas (Texas)-based web hosting company called DecentHost (http://decenthost.net).

Furthermore, the IP location of the server associated with the domain of clipsuniverse.com is identified as 78.108.177.83. It belongs to a web hosting company called High Sky Hosting of St. Petersburg, Russia.(http://hiskyhost.net). We have heard of this Russian hosting company a couple of times, right?






Click on the button to watch a documentation video.
Click on the button to watch more documentation videos.






References:

Beware of WWW.1URL.IN: Systematic Redirection to Malicious Websites (1)
10 More Scam Websites with Chinese Domains, Leading Internet Users to Fake PornTube with Trojan Horse
10 More Websites with Chinese Domains Designed to Infect Mac Users with a Trojan Horse Virus
Fake PornTube Websites with 10 Chinese Domains Distributing Mac-Targeting Computer Virus
Fake PornTube Website With Computer Virus Targeting Mac Users
Warning: Fake PornTube Websites Found

********** ********** ********** ********** ********** ********** ********** **********

MacHouse is not funded by tax payers' money. We have limited resources. We also need time to sleep and eat just as others. So we will not act as the International police to contact all victims of website abuse. All you have to do is to subscribe to spam messages and spam posts. If we can, why don't you?