Multiple Porn-Attacks on Moodle-Installed Websites, Leading Internet Users to Fake Porn Website at HOT-PORNTUBE-08.COM – Part 2

TOKYO (MacHouse) – As we reported earlier, as many as 72 websites running Moodle, a free open-source course management system, have been exploited with spam profiles that lead Internet users to a fake porn website. Many of the spam-exploited websites belong to academic institutions.





Screenshot 01 – Source: upd.edu.ph
Screenshot 02 – Source: MacHouse Domain Lookup
Screenshot 03 – Source: HiVelocity Hosting






Clicking on any of the sexually explicit images in a Moodle profile like the one shown in Screenshot 01 forwards you to a fake porn website hosted at the domain hot-porntube-08.com. This is where you will be forced to download a suspicious file named xcodec.143.exe, zcodec.1036.exe or another.

So what do we know about the fake porn website hosted at the domain hot-porntube-08.com? Looking at its domain registration, there is little information that we can collect. It appears that the domain was registered on September 20. (See Screenshot 02.) So it’s relatively new. In the meantime, we know where this fake porn website is possibly hosted. It’s probably hosted in Tampa, Florida. We mentioned the name of one hosting company located in Tampa back in August, right? It’s NOC4Hosts or HiVelocity Hosting. (Screenshot 03 shows the index page of HiVelocity Hosting’s website.) They were the host of a fake PornTube website found at the domain tube-viewer.com.

Likewise, there is little information to collect on the domain softportalforfun08.net. This is the domain associated with the website distributing suspicious files, including xcodec.141 and others. The domain was registered on September 25. (See Screenshot 04.) So it’s quite new. And the website hosted at this domain also appears to be harbored by HiVelocity Hosting.





Screenshot 04 – Source: MacHouse Domain Lookup
Screenshot 05 – Source: MacHouse Domain Lookup
Screenshot 06 – Source: netdirekt.de






There is one more domain. The domain superkri.info is used to redirect Internet users to the fake porn website at hot-porntube-08.com. Screenshot 05 shows the domain registration of superkri.info. It looks like the domain was registered in June 2008. So it’s not totally new. And the address is in Tashkent, Uzbekistan, which casts some doubt on its credibility. Anyway, there may be a website associated with this domain, since Internet users are redirected to the porn website at hot-porntube-08.com. It appears that a German web hosting company knows something about a redirection website associated with superkri.info. netdirekt is behind many malicious websites we have found this year. (Screenshot 06 shows the index page of netdirekt’s website.) And a website at the domain superkri.info also appears to be hosted by this German company.












References:

Multiple Porn-Attacks on Moodle-Installed Websites, Leading Internet Users to Fake Porn Website at HOT-PORNTUBE-08.COM – Part 1
Singapore’s Ngree Ann Polytechnic’s Website Exploited and Used As Redirection Point to Send Internet Users to Fake PornTube Website
A Large Chain of Pharmacy Exploitation Affecting Dozens of University Websites Through Open-Source Script
Pharmacy Spam Exploitation at St. Louis University Medical School Again…
