Fake Celebrity Profiles at myYearbook and Others Sending Internet Users to Fake PornTube with Suspicious.MH690

TOKYO (MacHouse) - In the past several hours, an organized cyber criminal group circulated at least two spam comments around blogs and forums worldwide, implicating four websites. These two comments contain such phrases as nude teens, vanessa hudgens nude, antonella barba nude and jessica alba nude. (See Screenshot 01-2.)
Screenshot 01 - Source: MacHouse
Screenshot 02 - Source: MacHouse
Screenshot 03 - Source: Quantcast
The URLs underlying those phrases point to the following websites: Open Library (openlibrary.org), Twine (twine.com), JamBase (jambase.com) and myYearbook (myyearbook.com). Combined, these four websites attract as many as 4 million U.S. visitors monthly and many more worldwide. The largest of the four is myYearbook. According to Quantcast, this social-networking website attracts 3.2 million U.S. visitors and 4.6 million global users monthly. (See Screenshot 03.)
Screenshot 04 - Source: Open Library
Screenshot 05 - Source: Twine
Screenshot 06 - Source: JamBase
Clicking on any of the hyperlinks in the spam posts leads to a spam profile with a fake video screen. (See Screenshot 04-7.) Clicking on the video screen forwards the visitor to a fake PornTube website hosted at the domain tube-work-sell.net. (See Screenshot 08.) Not surprisingly, this junk website is set up to have Internet users download and install a file labeled TubePlayer.ver.6.exe. (See Screenshot 09.)
Screenshot 07 - Source: myYearbook
Screenshot 08 - Source: tube-work-sell.com
Screenshot 09 - Source: tube-work-sell.com
The spam posts shown in Screenshot 01-2 contain eight hyperlinks to the following URLs.
http://openlibrary.org/user/nobelsten
http://www.twine.com/user/emial
http://www.jambase.com/Fans/yonga
http://www.twine.com/user/dazcor
http://www.jambase.com/Fans/antonella
http://www.twine.com/user/hudgensva
http://www.myyearbook.com/jessicaalb
http://www.twine.com/user/gamnat
As we reported several days ago, the web server hosting the fake PornTube website at tube-work-sell.net is traced to the IP address 64.27.18.55. This IP address is assigned to a notorious organization called Hollywood Interactive. We know that a Los Angeles, California-based web hosting company called CalPOP is involved with Hollywood Interactive. (Screenshot 10 shows the index page of CalPOP's website.) Some of the pornographic images at the fake PornTube website seem to come from t-imgs.net. There may be a website associated with this domain. The web server hosting this website may be traced to the IP address 78.159.98.129. According to RIPE, this IP address is assigned to a disgraced German web hosting company known as netdirekt, which is known to be behind many malicious websites. (See Screenshot 11. Screenshot 12 shows the gate page of netdirekt's website.)
Screenshot 10 - Source: CalPOP
Screenshot 11 - Source: MacHouse
Screenshot 12 - Source: netdirekt
Furthermore, the server hosting a website used to deliver a suspicious file (TubePlayer.ver.6.exe) is traced to the IP address of 94.247.3.228. This IP address is assigned to a web hosting company in Latvia.
Screenshot 13 - Source: ZlKon
According to Norton Internet Security 2009, TubePlayer.ver.6.exe contains malware. The security company calls it Suspicious.MH690.
Screenshot 14 - Source: MacHouse
Screenshot 15 - Source: MacHouse
Screenshot 16 - Source: Symantec