
Polyamory and crime on the Internet

Note: Followups to this entry at http://tacit.livejournal.com/238112.html (part 1) and http://tacit.livejournal.com/240750.html (part 2)

UPDATED 13-December-07 10:50 EST Updates indicated in text
UPDATED2 14-December-07 1:05 PM EST Updates indicated in text
UPDATED3 14-December-07 2:00 PM EST Updates indicated in text
UPDATED4 02-January-08 2:44 PM EST Updates indicated in text

So I recently decided, like many folks do, to Google my name. I do this periodically, because it's always fun to see how many sites are linking to me (and I'm in the process of building a list of non-English mirrors of my polyamory site -- it's been translated into Polish, Hebrew, German, and a bunch of other languages, which is cool).

And in the process, I think I've discovered what might be one of the largest-scale cases of Web site hacking and virus distribution I've ever heard of.

A little background is in order. If you've used Google for any length of time, you probably know that when you Google popular keywords you'll often run into "spam pages." These are pages that are just stuffed full of keywords at random; in the Google search results, they will have titles like "tribadism fight scenes, free tribadism porn video Britney Spears, make money fast terrorism Iran big cock" and have excerpts that look like "she shoved it in and bridal hosiery wedding cake viagra fetish smurf Bible amateur transvestite video free vacation europe nymphomaniac ipod". These are spam pages; they are filled with hundreds of keywords, and if you click on them, you will be redirected to the spammer's site. They exist just to intercept popular Google searches and direct traffic wherever the spammers want it.

They are also popular with virus writers. Virus writers create thousands of fake Web pages filled with popular keywords, then use those pages to redirect visitors to servers that attempt to automatically download viruses onto the computer of anyone running Windows who's unwary enough to click on them.

Okay, so.

Yesterday, I did a keyword search for my name. Normally, I get about nine pages of results; but yesterday, I got 56 pages of results, over 200 in all.

Most of these pages look like this:

The polyamory news franklin veaux mitt was rigid enough to prevent me from either closing them too hard or opening polyfamilies polyamory for the practical them too far. She raised my left hand and fastened it in a similar polyamory weekly podcast manner, into a similar latex mitten.society for human sexuality polyamory info "I just wondered. You were standing there with a dazed polyamory open wedding vows look on your face playing with that cucumber and I thought something might world polyamory association presentations and workshops franklin veaux. Once inside, he polyamory san diego quickly stripped off his apron and polyamory cape coral unfastened his belt and pants. It was nearly as big as Mark's, and open relationships polyamory that pleased her. Quickly unbuttoning her blouse to reveal her tits. page personal poly polyamory web He gently squeezed them, making her moan deep in her throat.

UPDATED3: I've looked at some of the random text on these pages, and it's not really random at all--it's a short porn story with random keywords seeded throughout it. It contains a number of statistically improbable phrases. One of these is "Ashley had always wanted to go there"--doing a Google search for that exact phrase results in 13,800 hits--nearly every single one of which is a spam redirector.
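The search above spots the shared story by hand: pick a phrase, ask Google how many pages carry it. The same separation can be done offline once you have a handful of the pages. The script below is an added example, not code from the original post: word n-grams that recur in every page are the template, and the words the template never covers are the seeded keywords. The three sample pages are constructed for this example (an invented story with keywords inserted at two points); they are not the real spam text.

```python
"""Template-vs-keyword separation for keyword-stuffed spam pages.

Added example, not code from the original post. The sample pages are
constructed: an invented story with keyword phrases inserted, which is the
structure the post describes.
"""
import re
from collections import Counter

SAMPLE_PAGES = [
    "Ashley had always wanted to go there and now the train polyamory weekly "
    "podcast was late again so the station was nearly empty when she finally "
    "found franklin veaux the ticket window and waited by the door.",
    "Ashley had always wanted to go there and now the train open relationships "
    "was late again so the station was nearly empty when she finally found "
    "polyamory san diego the ticket window and waited by the door.",
    "Ashley had always wanted to go there and now the train polyfamilies was "
    "late again so the station was nearly empty when she finally found "
    "polyamory cape coral the ticket window and waited by the door.",
]

def tokenize(text):
    """Lower-case word tokens; punctuation is dropped."""
    return re.findall(r"[a-z']+", text.lower())

def ngrams(tokens, n):
    return {tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}

def template_ngrams(pages, n=5):
    """n-grams that occur in every page: the shared story template.
    Five-word windows are long enough that seeded keywords (usually one to
    three words) rarely line up identically across pages."""
    counts = Counter()
    for page in pages:
        counts.update(ngrams(tokenize(page), n))
    return {g for g, c in counts.items() if c == len(pages)}

def covered_positions(tokens, template, n):
    """Token indexes that fall inside at least one template n-gram."""
    covered = set()
    for i in range(len(tokens) - n + 1):
        if tuple(tokens[i:i + n]) in template:
            covered.update(range(i, i + n))
    return covered

def seeded_terms(pages, n=5):
    """Per page, the tokens not covered by the template: the stuffed keywords."""
    template = template_ngrams(pages, n)
    result = []
    for page in pages:
        tokens = tokenize(page)
        covered = covered_positions(tokens, template, n)
        result.append([t for i, t in enumerate(tokens) if i not in covered])
    return result

def template_text(pages, n=5):
    """The story as it appears in the first page with the keywords stripped."""
    template = template_ngrams(pages, n)
    tokens = tokenize(pages[0])
    covered = covered_positions(tokens, template, n)
    return " ".join(t for i, t in enumerate(tokens) if i in covered)

if __name__ == "__main__":
    for terms in seeded_terms(SAMPLE_PAGES):
        print("seeded:", terms)
    print("template:", template_text(SAMPLE_PAGES))
```

With real pages the keyword lists are what you feed into further searches, and the template text is the "statistically improbable phrase" you search for to enumerate the rest of the campaign.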

You get the idea. "Oh, well, this is interesting," thought I, "polyamory, and my name, have become popular enough Google web searches that the spammers are including them in spam pages now."

I clicked on some of these result links, curious to see who the spammer was and what site he was trying to direct traffic to.

And that's when things started to get weird. What I found was a very large, highly organized campaign to direct Web traffic to servers hosted in Eastern Europe that would infect visitors with a computer virus, all orchestrated by a single person or group of people, and all made possible by what appears to be a massive breach of hundreds and hundreds of hacked Web sites, all hosted by the same ISP: the largest single Web site security breach I've heard of.

If you want to keep going down the rabbit hole: Follow me! Things are about to get very technical here.


Comments (88 comments)

Page 3 of 4
serolynne
Dec. 15th, 2007 05:49 pm (UTC)
Excellent vigilante work!!


Why you haven't been approached to be hired to do this sort of sleuthing full time is beyond me...

mzmadmike
Dec. 15th, 2007 08:34 pm (UTC)
So my question is, what does the virus do, and how do the people behind it benefit?

I'm gathering from this that if you google certain terms and then click a site, you can get infected.

I would assume there are links through other search terms, too.

But what do they gain from it?
sweh
Dec. 15th, 2007 08:54 pm (UTC)
I'd _guess_ they're used to create botnets; they can remote-control your machine to send spam on their behalf. Russian controlled botnets are big business :-(
(no subject) - mzmadmike - Dec. 15th, 2007 09:36 pm (UTC)
(no subject) - tacit - Dec. 15th, 2007 10:42 pm (UTC)
(no subject) - mzmadmike - Dec. 16th, 2007 12:59 am (UTC)
Maybe malware folks are morphing their scripts - (Anonymous) - Dec. 17th, 2007 02:24 am (UTC)
cramer
Dec. 17th, 2007 04:48 am (UTC)
a security breach on a scale that's hard to imagine.

Indeed. I have a shiny new $5 bill that says it's an inside job. They just happened to change all the redirectors the day you sent an email to them. Right. It's an inside job or every corner of their operation is compromised. (read: burn the house down and build a new one.)

[edit: The level to which this is integrated means the server(s) are compromised, not just the individual sites. To do this on such a wide scale suggests it's in the web server configuration and not each individual host.]

Edited at 2007-12-17 04:52 am (UTC)
icedrake
Dec. 19th, 2007 10:30 pm (UTC)
Franklin, can I call on your expertise in a very similar matter?
The executive summary: Received email from a user at juno.com, looks like it was structured to bypass Gmail's spam filtering. The payload appears to be a link to a very long, random-string URL hosted on thirdpartyoffers.juno.com, the root of the account being utterly empty. I went up the directory tree a bit, and the whole thing seems to be a redirect to tagline.bidsystem.com
I'd dig more, but I don't have a fully functional linux box at the moment, so I wanted to ask you to take a look. I can provide the full link, but didn't want to post it uninvited.
tacit
Dec. 20th, 2007 03:34 pm (UTC)
I'm definitely curious. Drop me an email at tacitr (at) aol (dot) com; I'd love to take a look!
(Anonymous)
Dec. 26th, 2007 04:00 am (UTC)
NNNgal
It could be older.

Perhaps two months ago (or more?), I googled my name and came up with websites I had nothing to do with that I can see now are malware sites of exactly this type. They do not appear on google today.

Thanks for doing this research. But arrggh! How do I know if my system is compromised from clicking those links?

www DOT latina-girl DOT ws
www DOT purenudism DOT net
www DOT treize DOT ws
tacit
Dec. 26th, 2007 03:21 pm (UTC)
Re: NNNgal
Unfortunately, a lot of client-side antivirus scanners seem not to be terribly effective at spotting the viruses and malware transmitted by the Russian Business Network. Online scanners seem to fare somewhat better; the one I use is at

http://housecall.trendmicro.com

Though to be honest, the best way I've found to deal with viruses is to run a Mac or run Linux, and run Windows in virtualization. That way, if you suspect you're infected, you just delete the virtual disk file and replace it from a known-clean backup.
(Anonymous)
Dec. 28th, 2007 05:52 am (UTC)
Is this thread alive?
The same person seems to have imgstorages.com

I requested their contact info from PrivacyProtect (who appear to be out of the Netherlands?).

I haven't found out any other news through Google. Is there a further update?

I can be reached at bodhisattvah on hotmail if there's anything I can do to help. Or I can post the domain registrant info here when I receive it.
tacit
Dec. 28th, 2007 05:11 pm (UTC)
Re: Is this thread alive?
Right you are; this does in fact seem to be part of the same group's network of virus droppers.

The URL you cited is a redirector to

http://www.sysprocedure.com/download.php?id=4001

which routes to a 404 if it doesn't see a browser type and referrer that it likes.

imgstorages.com is hosted in the Ukraine (surprise, surprise) on ukrtelegroup, the same host for the virus dropper pages I cited above. Ditto for the payload site, sysprocedure.com.
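The gate described in the comment above (a 404 unless the browser type and referrer are to the server's liking) is the same trick behind the spam-page-to-dropper redirects the post describes: search-engine crawlers, analysts with curl, and anyone not on Windows see nothing. The way to see through it is to fetch one URL under several header profiles and compare the answers. The script below is an added example, not code from the original post or its comments. Everything in it is simulated: the server is a local stand-in, the gating rule is an assumption about the behaviour described (Windows MSIE arriving from a Google search), and the payload URL is a placeholder, not the real dropper.

```python
"""Differential probing of a referrer/browser-gated redirector.

Added example, not code from the original post. The gating rule in gate()
and PAYLOAD_URL are assumptions standing in for the real dropper's logic.
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import HTTPRedirectHandler, Request, build_opener

PAYLOAD_URL = "http://payload.invalid/download.php?id=0"   # placeholder, not the real site

# Header profiles to probe with; the UA strings are typical 2007-era values.
PROFILES = {
    "curl, no referer": {
        "User-Agent": "curl/7.16.4"},
    "Firefox/Linux from Google": {
        "User-Agent": "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11",
        "Referer": "http://www.google.com/search?q=polyamory"},
    "MSIE/Windows, no referer": {
        "User-Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"},
    "MSIE/Windows from Google": {
        "User-Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
        "Referer": "http://www.google.com/search?q=polyamory"},
}

def gate(user_agent, referer):
    """Assumed gating rule: redirect only Windows MSIE arriving from Google."""
    return ("Windows" in user_agent and "MSIE" in user_agent
            and "google." in referer.lower())

class GatedRedirector(BaseHTTPRequestHandler):
    """Local stand-in for the dropper front end: 302 to the payload if the
    gate likes the request, otherwise a bare 404."""
    def do_GET(self):
        if gate(self.headers.get("User-Agent", ""), self.headers.get("Referer", "")):
            self.send_response(302)
            self.send_header("Location", PAYLOAD_URL)
            self.end_headers()
        else:
            self.send_response(404)
            self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet

class NoRedirect(HTTPRedirectHandler):
    """Make urllib report a 302 instead of following it: we want the
    Location header, not the payload."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def probe(url, headers):
    """Return (status, Location) for one fetch of url with the given headers."""
    opener = build_opener(NoRedirect())
    try:
        with opener.open(Request(url, headers=headers), timeout=5) as resp:
            return resp.status, resp.headers.get("Location")
    except HTTPError as err:      # urllib raises for 3xx (with NoRedirect) and 4xx
        return err.code, err.headers.get("Location")

def cloaked_profiles(results):
    """Profiles that got a redirect: the audience the gate is built for."""
    return sorted(name for name, (status, loc) in results.items()
                  if status in (301, 302, 303, 307) and loc)

def run_probes(profiles=PROFILES):
    """Start the local stand-in, fetch the same URL under every profile, stop."""
    server = HTTPServer(("127.0.0.1", 0), GatedRedirector)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/spam.php" % server.server_address[1]
    try:
        return {name: probe(url, hdrs) for name, hdrs in profiles.items()}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    results = run_probes()
    for name, (status, loc) in results.items():
        print("%-28s -> %s %s" % (name, status, loc or ""))
    print("cloaked for:", cloaked_profiles(results))
```

Against a real redirector you would point `probe()` at the suspect URL from a disposable host, never follow the Location, and vary the profiles until the response changes; a URL that answers differently to the same request depending only on User-Agent and Referer is cloaked, whatever it is hiding.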
(Anonymous)
Jan. 16th, 2008 07:07 pm (UTC)
A new wrinkle to all this
Good day. My name is Timothy. I webmaster 7 sites on my server and I have been receiving referral spam, and in the process of tracking it down I found this blog entry. For those not in the know, referral spam is fake referrals to a website which leave their web address in the weblogs. Seeing as many people have their weblogs available on-line (webalizer, awstats, etc.), they become forwarding links in the search engines. Here are some new addresses to add to the list:

SVIOLETT.COM (referrer spam)
tvsetmp3.com (referrer spam)

When clicked, they forward to bestdailyvids.com, which tries to install the nasty virus you discovered. After many complaints to privacyprotect.org, they stripped the protection. Of course all these sites are owned by "Nikolay Fedorov" based in Novosibirsk, Russia. That is, if you can trust the spammer-supplied information. Other sites owned by him/them are: getxxxphotos.com, siiprogram.com. As far as a remedy goes, I was able to get ICANN to shut down the tvsetmp3.com domain due to incorrect contact information. I am also mailing privacyprotect every time I find any of his sites, to remove that layer of protection. I have also added all domains found to ICANN's complaint department, hoping to shut down the domains if possible. I don't know how much this helps in the overall scheme of things, but it's all I know how to do. Thank you for all your work on this, as it helps me greatly.
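Referrer spam of the kind described in the comment above leaves a recognisable shape in an access log: bare page requests carrying the spammer's Referer, from one or a few addresses, with none of the stylesheet and image loads a browser makes after rendering a page. The script below is an added example, not code from the original post or the comment; it parses Apache combined-format lines and flags referrer hosts that hit repeatedly without any follow-up asset request. The log lines are constructed for this example, the site host is assumed to be www.example.com, and the spam hosts are placeholders under .example rather than the domains the comment names.

```python
"""Referrer-spam triage over Apache combined-format access logs.

Added example, not code from the original post. SAMPLE_LOG is constructed;
SITE_HOST and the spam hostnames are assumptions for the example.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

SITE_HOST = "www.example.com"          # the site whose log this is (assumed)
ASSET_SUFFIXES = (".css", ".js", ".png", ".gif", ".jpg", ".ico")

SAMPLE_LOG = """\
192.0.2.10 - - [20/Dec/2007:10:00:01 -0500] "GET /index.html HTTP/1.1" 200 5120 "http://www.google.com/search?q=example+widgets" "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
192.0.2.10 - - [20/Dec/2007:10:00:02 -0500] "GET /style.css HTTP/1.1" 200 880 "http://www.example.com/index.html" "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
192.0.2.10 - - [20/Dec/2007:10:00:02 -0500] "GET /logo.png HTTP/1.1" 200 4102 "http://www.example.com/index.html" "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
198.51.100.7 - - [20/Dec/2007:10:05:13 -0500] "GET /index.html HTTP/1.0" 200 5120 "http://spam-one.example/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [20/Dec/2007:10:05:14 -0500] "GET /about.html HTTP/1.0" 200 3011 "http://spam-one.example/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [20/Dec/2007:10:05:14 -0500] "GET /products/widgets.html HTTP/1.0" 200 7730 "http://spam-one.example/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [20/Dec/2007:10:05:15 -0500] "GET /contact.html HTTP/1.0" 200 2210 "http://spam-one.example/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.8 - - [20/Dec/2007:11:41:09 -0500] "GET /index.html HTTP/1.0" 200 5120 "http://spam-two.example/cgi-bin/go" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.8 - - [20/Dec/2007:11:41:09 -0500] "GET /index.html HTTP/1.0" 200 5120 "http://spam-two.example/cgi-bin/go" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.9 - - [20/Dec/2007:11:41:10 -0500] "GET /index.html HTTP/1.0" 200 5120 "http://spam-two.example/cgi-bin/go" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [20/Dec/2007:12:30:40 -0500] "GET /about.html HTTP/1.1" 200 3011 "http://forum.example.org/thread/12" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/419.3 Safari/419.3"
203.0.113.5 - - [20/Dec/2007:12:30:41 -0500] "GET /style.css HTTP/1.1" 200 880 "http://www.example.com/about.html" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/419.3 Safari/419.3"
""".splitlines()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def parse_line(line):
    """One combined-format line to a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def referrer_report(lines, site_host=SITE_HOST):
    """Per external referrer host: hits, client IPs, paths, and whether any of
    those clients came back for a page asset (css/js/images), which a real
    browser does after rendering the page it was referred to."""
    stats = defaultdict(lambda: {"hits": 0, "ips": set(), "paths": set()})
    asset_ips = set()
    for rec in filter(None, map(parse_line, lines)):
        ref_host = urlparse(rec["referer"]).netloc.lower()
        if rec["path"].lower().endswith(ASSET_SUFFIXES) and ref_host == site_host:
            asset_ips.add(rec["ip"])     # a browser rendering one of our pages
            continue
        if not ref_host or ref_host == site_host:
            continue                     # direct hit or internal navigation
        s = stats[ref_host]
        s["hits"] += 1
        s["ips"].add(rec["ip"])
        s["paths"].add(rec["path"])
    for s in stats.values():
        s["assets_loaded"] = bool(s["ips"] & asset_ips)
    return dict(stats)

def flag_referrer_spam(lines, min_hits=2, site_host=SITE_HOST):
    """Referrer hosts with repeated hits and no follow-up asset loads."""
    report = referrer_report(lines, site_host)
    return sorted(h for h, s in report.items()
                  if s["hits"] >= min_hits and not s["assets_loaded"])

if __name__ == "__main__":
    for host, s in sorted(referrer_report(SAMPLE_LOG).items()):
        print("%-22s hits=%d ips=%d paths=%d assets=%s" % (
            host, s["hits"], len(s["ips"]), len(s["paths"]), s["assets_loaded"]))
    print("likely referrer spam:", flag_referrer_spam(SAMPLE_LOG))
```

The asset-load heuristic is deliberately the only rule here: it catches the bots that fire page requests with a forged Referer and nothing else, which is what turns a published webalizer or awstats report into a link farm. Raise `min_hits` on a busy site, and keep the flagged hosts out of any log report you publish.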
(Anonymous)
Jan. 23rd, 2008 04:42 am (UTC)
HACK OF IPOWER SERVERS
Our business site was hacked by xerxer.net late November 2007. I notified iPower and asked for help in doing a reconsideration request in Google. They closed my problem report without any correspondence, let alone help. I reopened the problem report. Guess what? You guessed it, iPower closed the report again with no correspondence. They really couldn't give a stuff. In early January, as a matter of urgency, we moved our site to a new secure server. We lost a lot of sales, and are still losing sales as we have not recovered in the search engines. Lesson is: if you rely on your site, don't leave it in the hands of incompetents.

Mad as hell (former) iPower customer
(Anonymous)
Feb. 1st, 2008 04:25 pm (UTC)
It's February,and this story...
...with 'powerof3x.com' still goes on, unfortunately... :-/

http://www.malwaredomainlist.com/forums/index.php?topic=1596.0
revjohn
Jun. 24th, 2008 06:48 am (UTC)
iPowerweb is terrible
I used to host several sites with them and still have one that I'm just now finally getting around to transferring off. Their technical and billing support personnel seem equally incompetent. They actually shut down one of my sites because it was the target of some kind of spam attack, and blamed me for it! These guys are not just a joke. They're a menace.
(Anonymous)
Jul. 22nd, 2008 02:40 am (UTC)
Misdirection from search engines
This is still going on (21 July 08) I have just got to this site because I have found exactly this problem on my web site at www.malagash.com - hosted by, yeh you guessed it... ipower.com.
(Anonymous)
Aug. 8th, 2008 04:34 am (UTC)
OMIGOD
I am one of the hacked sites, and now don't know what to do. I was about to redesign my site and register it until I discovered the bogus site by accident. For one day, I got "file not found" and today the bogus site popped right up. I really hate the tech support answer: we are working on it. I don't even know how long ago this happened. Bless you for finding this...I am going to read everything you wrote on this subject.
(Anonymous)
Feb. 19th, 2010 08:18 pm (UTC)
Manual labor
> So I recently decided, like many folks do, to Google my name. I do this periodically, because it's always fun to see how many sites are linking to me (and I'm in the process of building a list of non-English mirrors of my polyamory site -- it's been translated into Polish, Hebrew, German, and a bunch of other languages, which is cool).

Dude, use Google Alerts (http://www.google.com/alerts) and save yourself some effort!
(Anonymous)
May. 17th, 2010 07:39 pm (UTC)
Cool stuff on your site
I've just discovered your post and I'm finding lots of informative stuff here. I will check back soon and recommend your blog :-)