
TOKYO (MacHouse) – As we reported earlier, an organized cyber criminal group is exploiting a popular video website at livevideo.com to send Internet users to junk websites where they are enticed to download a suspicious file titled exclusivemovie.1630.exe. They have created several spam profiles as shown in Screenshot 01 to catch people’s attention. The underlying URL behind a fake video screen points to a redirection website hosted at the domain of vbestserv.org.
Screenshot 01 – Source: LiveVideo.com

Screenshot 02 – Source: qualityvideofileshere.com
At the time of publishing the first report, there were at least two destinations to which Internet users were forwarded from the website at vbestserv.org. One destination is a junk website (Free Full Lenght Movie) hosted at the domain of qualityvideofileshere.com, and the suspicious file was delivered from codecdownload.filesstorage4you.com. (See Screenshot 02.) The other destination is hosted at the domain of celebriti-with-you.com. Internet users are enticed to click on celebrity photos (of Paris Hilton, Britney Spears, Jessica Alba, Angelina Jolie, Pamela Anderson, Adriana Lima, Christina Aguilera, Lindsay Lohan, Jennifer Lopez and more) at the website titled Celebrity Porn. (See Screenshot 03.) Then they will eventually end up at a web page with a fake video screen where exclusivemovie.1630.exe awaits them. (See Screenshot 04.)
Screenshot 03 – Source: celebriti-with-you.com

Screenshot 04 – Source: celebriti-with-you.com
Let’s find out where all the junk websites are hosted. The web server of the redirection website at vbestserv.org is traced to the IP address of 88.214.204.100. It belongs to a notorious U.K. network company called Real International Business Corp. We often mention the name of this organization. We assume that it’s the U.K. version of the Russian Business Network, and their identity is not known.
How about the scam website of Celebrity Porn? Its web server is traced to the IP address of 216.240.148.68. This web server belongs to a Los Angeles, California-based organization called ATMLINK, Inc. It’s better known as CalPOP.com, Inc. (Screenshot 05 shows the index page of CalPOP’s website.) The fake video website at the domain of qualityvideofileshere.com is also hosted by CalPOP. The IP address of its web server is 216.240.148.66.
Screenshot 05 – Source: CalPOP.com

Screenshot 06 – Source: filesstorage4you.com

Screenshot 07 – Source: ZlKon
Finally, let’s find out where the suspicious file of exclusivemovie.1630.exe comes from. If you access filesstorage4you.com with a web browser, you may end up with a blank page. (See Screenshot 06.) That doesn’t mean there is no web server hosting this page. Its web server is traced to the IP address of 94.247.3.232. It belongs to a Latvian web hosting company called ZlKon. (Screenshot 07 shows the index page of ZlKon’s website.)
Several hours ago, we sent the suspicious file of exclusivemovie.1630.exe, which we believe contains an unknown piece of malware, to Sophos. Unfortunately, we were not able to get their analysis results by the time we decided to publish this report.
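For administrators who want to check whether anyone on their network followed this chain, here is an added example (not part of our original investigation) that walks a web proxy log and reports how far each client got from the redirector to the executable download. The log format, client addresses and URL paths are constructed for illustration; only the domain names and the file name come from this report.

```python
from urllib.parse import urlsplit

# Domains named in the report, keyed to their role in the chain.
ROLES = {
    "vbestserv.org": "redirector",
    "qualityvideofileshere.com": "landing",
    "celebriti-with-you.com": "landing",
    "filesstorage4you.com": "payload",
}
ORDER = ["redirector", "landing", "payload"]

# Constructed sample proxy log, "<time> <client> <url>" (not real traffic).
SAMPLE_LOG = """\
10:00:01 10.0.0.5 http://www.livevideo.com/profile/example
10:00:07 10.0.0.5 http://vbestserv.org/go
10:00:09 10.0.0.5 http://celebriti-with-you.com/index.html
10:00:30 10.0.0.5 http://codecdownload.filesstorage4you.com/exclusivemovie.1630.exe
10:02:11 10.0.0.8 http://vbestserv.org/go
10:02:13 10.0.0.8 http://qualityvideofileshere.com/
10:05:00 10.0.0.9 http://example.com/setup.exe
"""

def role_of(url):
    """Return the chain role for a URL's host, matching subdomains too."""
    host = (urlsplit(url).hostname or "").lower()
    for domain, role in ROLES.items():
        if host == domain or host.endswith("." + domain):
            return role
    return None

def assess(log_text):
    """For each client that entered via the redirector, report the furthest
    stage reached in order and whether it fetched an .exe from the payload host."""
    stage, exe = {}, set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _, client, url = parts
        role = role_of(url)
        if role is None:
            continue
        # Advance only when stages occur in the order the report describes.
        if ORDER.index(role) == stage.get(client, 0):
            stage[client] = stage.get(client, 0) + 1
        if role == "payload" and urlsplit(url).path.lower().endswith(".exe"):
            exe.add(client)
    return {c: {"stage": ORDER[n - 1], "exe_download": c in exe}
            for c, n in stage.items()}
```

A client reported at the payload stage with `exe_download` set is the one to examine first; one that stopped at the landing stage saw the fake video page but did not fetch the file.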
Related stories:
Junk Profiles at LIVEVIDEO.COM Sending Internet Users to Fake Codec Websites – Part 1






