
January 9, 2009

LIVEVIDEO.COM and Other Websites Continuing to Send Internet Users to Fake Codec Websites with Trojan Horse Viruses - Part 2

Filed under: Internet security — Administrator @ 3:13 pm






TOKYO (MacHouse) - As we reported several hours ago, a junk comment circulated by an organized cyber criminal group contained hyperlinks leading to spam profiles or forum topics at such websites as kaboodle (www.kaboodle.com), Livevideo.com (www.livevideo.com) and VideoCodeZone (www.videocodezone.com). (See Screenshot 01.) Livevideo.com and kaboodle both have more than 1 million visitors monthly.





Screenshot 01 - Source: MacHouse
Screenshot 02 - Source: kaboodle
Screenshot 03 - Source: tube-work-sell.net






If you access any of the URLs in the spam post, one of your final destinations will be a fake PornTube website at tube-work-sell.net. If you access http://www.kaboodle.com/blowjobmovies, for example, you will land at a spam profile with a fake video screen. (See Screenshot 02.) The underlying URL is http://vbestserv.org/ds/go.php?sid=1. A few days ago, we mentioned that the redirection website at vbestserv.org was hosted by a web server in the U.K. It’s still the same web server with the IP address of 88.214.204.100. That is, it’s hosted by a disgraced U.K. network company known as Real International Business Corp. Anyway, if you click on the fake video screen, you can be forwarded to the fake PornTube website. If you further click on any of the pornographic images, you will be forced to download a file labeled TubePlayer.ver.6.exe. (See Screenshot 03.)





Screenshot 04 - Source: MacHouse
Screenshot 05 - Source: tube-work-sell.net
Screenshot 06 - Source: MacHouse






Earlier, using the Windows version of Norton Internet Security, we found out that a suspicious file that we had downloaded at tube-work-sell.net (delivered from pure-download-new.net) two days ago contained a Trojan Horse variant. (See Screenshot 04.) The file that we downloaded at tube-work-sell.net through http://www.livevideo.com/nudebeach a few hours ago has the same file name. It was also delivered from pure-download-new.net. But Norton Internet Security has found no suspicious code, which suggests that it contains a new Trojan Horse variant. (See Screenshots 05-06.)
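Because the second download was not caught by signature scanning, the hop chain described above is the more durable thing to detect. The following is an added example, not MacHouse's own code: it assumes a web proxy that records each request's previous hop (a hypothetical log format), and the log records, PLACEHOLDER paths and vendor.example are constructed.

```python
from urllib.parse import urlsplit

# Constructed proxy records (url, previous_hop). Hosts and the file name are
# the ones the article reports; PLACEHOLDER paths and vendor.example are made up.
LOG = [
    ("http://www.kaboodle.com/blowjobmovies", ""),
    ("http://vbestserv.org/ds/go.php?sid=1", "http://www.kaboodle.com/blowjobmovies"),
    ("http://tube-work-sell.net/PLACEHOLDER", "http://vbestserv.org/ds/go.php?sid=1"),
    ("http://pure-download-new.net/PLACEHOLDER/TubePlayer.ver.6.exe",
     "http://tube-work-sell.net/PLACEHOLDER"),
    # Benign control: an installer fetched from the vendor's own download page.
    ("http://vendor.example/download/", ""),
    ("http://vendor.example/download/setup.exe", "http://vendor.example/download/"),
]
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".msi")


def hop_chain(log, url):
    """Walk previous_hop links back from url; return the URLs oldest first."""
    previous = dict(log)
    chain, seen = [url], {url}
    while True:
        prev = previous.get(chain[0], "")
        if not prev or prev in seen:  # start of the chain, or a loop
            return chain
        chain.insert(0, prev)
        seen.add(prev)


def suspicious_downloads(log, min_hosts=3):
    """Flag executables reached through a chain crossing min_hosts or more hosts."""
    findings = []
    for url, _ in log:
        if not urlsplit(url).path.lower().endswith(EXECUTABLE_SUFFIXES):
            continue
        chain = hop_chain(log, url)
        # Distinct hosts in visit order; a first-party download has only one.
        hosts = list(dict.fromkeys(urlsplit(u).hostname for u in chain))
        if len(hosts) >= min_hosts:
            findings.append({"file": url, "entry_point": chain[0], "hosts": hosts})
    return findings


if __name__ == "__main__":
    for f in suspicious_downloads(LOG):
        print(f["file"], "reached via", " -> ".join(f["hosts"]))
```

The rule fires on the shape of the delivery path (profile page, redirector, lure site, separate download host), so it still matches when the payload is a variant the scanner has not seen.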

Okay. Let’s find out who the guilty parties are behind this Trojan Horse campaign. The web server hosting the fake PornTube website at tube-work-sell.net is traced to the IP address of 64.27.18.55. It belongs to an organization called Hollywood Interactive, Inc. We mention the name of this organization from time to time. We never knew till today who is behind this organization. But let’s see. According to ARIN, the IP address of 64.27.18.55 belongs to Hollywood Interactive, Inc. (See Screenshot 07.) Oops, sorry… I already said that a few seconds ago. Their registered address is






600 W. 7th Street, Ste. 360
Los Angeles






Hmm… We know who is located at this address. It’s a Los Angeles, California-based web hosting company called CalPOP.com. (Screenshot 08 shows the index page of CalPOP.com’s website.) In fact, you can find exactly the same address on the web hosting company’s contact web page. (See Screenshot 09.)





Screenshot 07 - Source: MacHouse
Screenshot 08 - Source: CalPOP.com
Screenshot 09 - Source: CalPOP.com






Next, let’s see where the virus-distributing website is hosted. The server hosting the website at pure-download-new.net is traced to 94.247.3.228. It’s hosted in the Baltic nation of Latvia. We mentioned the name a few days ago. The website is hosted by ZlKon. (Screenshot 10 shows the index page of ZlKon’s website.)





Screenshot 10 - Source: ZlKon






We don’t know if CalPOP.com runs the fake PornTube website. We don’t know if they represent Hollywood Interactive, either. Nonetheless, if anybody wants to know who is behind Hollywood Interactive, we are quite certain that CalPOP.com has very good leads.












Related stories:

LIVEVIDEO.COM and Other Websites Continuing to Send Internet Users to Fake Codec Websites with Trojan Horse Viruses - Part 1
YouTube And kaboodle, Spam-Vandalized Side by Side - Spam Campaign Sponsored by US Drugstore (US-DS.COM)
Junk Profiles at LIVEVIDEO.COM Sending Internet Users to Fake Codec Websites - Part 2
Junk Profiles at LIVEVIDEO.COM Sending Internet Users to Fake Codec Websites - Part 1





********** ********** ********** ********** ********** ********** ********** **********

MacHouse is not funded by taxpayers' money. We have limited resources. We also need time to sleep and eat just as others do. So we will not act as the international police to contact all victims of website abuse. All you have to do is to subscribe to spam messages and spam posts. If we can, why don't you?






