{"id":16610,"date":"2014-05-23T10:46:41","date_gmt":"2014-05-23T16:46:41","guid":{"rendered":"https://www.webroot.com/blog/?p=16610"},"modified":"2023-12-08T11:38:04","modified_gmt":"2023-12-08T18:38:04","slug":"compromised-accounts-server-based-managed-iframe-ing-service-spotted-wild","status":"publish","type":"post","link":"https://www.webroot.com/blog/2014\/05\/23\/compromised-accounts-server-based-managed-iframe-ing-service-spotted-wild\/","title":{"rendered":"Long run compromised accounting data based type of managed iframe-ing service spotted in the wild"},"content":{"rendered":"

In a cybercrime ecosystem dominated by DIY(do-it-yourself)\u00a0malware\/botnet generating releases, populating multiple market segments<\/strong><\/a> on a systematic basis, cybercriminals continue seeking new ways to acquire and efficiently monetize fraudulently obtained accounting<\/strong><\/a> data<\/strong><\/a>, for the purpose of achieving a positive ROI (Return on Investment) on their fraudulent operations.\u00a0In a series of blog posts, we’ve been detailing the existence of commercially available server-based<\/strong><\/a> malicious script\/iframe<\/strong><\/a> injecting\/embedding releases\/platforms<\/strong><\/a>\u00a0utilizing legitimate infrastructure<\/strong><\/a> for the purpose of hijacking legitimate traffic, ultimately infecting tens of thousands of legitimate users.<\/p>\n

We’ve recently spotted a long-run Web-based managed malicious\/iframe injecting\/embedding service relying on compromised accounting data for legitimate traffic acquisition purposes. Let’s discuss the managed service, its features, and take a peek inside the (still running) malicious infrastructure behind it.<\/p>\n

More details:<\/p>\n

<\/p>\n

In terms of Q&A (Quality Assurance), the key differentiation features\u00a0of the service include: automatic URL AV\/blacklist detection through a third-party managed service, (compromised) legitimate Web site\u00a0page rank checker<\/strong><\/a>,\u00a0metrics based statistical system,\u00a0IM notifications, as well as (compromised)\u00a0login validation.<\/p>\n

Affected CMS platforms:<\/strong>
\nJoomla.Site
\nWordPress
\nDataLife Engine
\nDrupal
\ncmsimple
\nBBpress
\nphpBB
\npostnuke
\ne107
\nPHP-NUKE
\nPunBB
\nSimple Machines Forum (SMF)
\nMODX Revolution
\nFluxBB
\ncmsmadesimple
\nnucleus
\nContao Open Source CMS
\nslaed<\/p>\n

The managed service is currently priced at $250 on a monthly basis, $1,500 for six months, and $2,500 for one year subscription. It’s capable of maintaining up to 500 simultaneous threads.\u00a0Let’s take a peek inside the fraudulent infrastructure behind it.<\/p>\n

\"Cybercrime_Managed_Service_Malware_Malicious_Software_Malicious_Script_iframe\"<\/a><\/p>\n

Known to have responded to the same IP (209.99.40.222; 209.99.40.223) as the original hosting location are also the following fraudulent\/typosquatted domains:<\/strong>
\nhxxp:\/\/11si0s8.t3.d.googleadservice.net
\nhxxp:\/\/11si0se.t3.d.googleadservice.net
\nhxxp:\/\/11si0u9.t3.d.googleadservice.net
\nhxxp:\/\/11si0vh.t3.d.googleadservice.net
\nhxxp:\/\/11si0vo.t3.d.googleadservice.net
\nhxxp:\/\/11si0vu.t3.d.googleadservice.net
\nhxxp:\/\/11sl2nr.t3.d.googleadservice.net
\nhxxp:\/\/11sl9jv.t3.d.googleadservice.net
\nhxxp:\/\/11sl9k0.t3.d.googleadservice.net<\/p>\n

Known to have phoned back to the same IP (209.99.40.222) as also the following malicious MD5s:<\/strong>
\nMD5: 35908d4fb26949b2431849d3d8165740
\nMD5: 1e47a4a9744fff22b54077bfbb588aed
\nMD5: 4d9cc9ff385732f9f61ca926acb5ff1d
\nMD5: aa4057d07e1fcf258779be5d26ce99cb
\nMD5: 5f9b815eb20c49b57a7cc7fa8d144e00
\nMD5: 015208aa2fc88b176be1281fdaac6d24
\nMD5: 175c12348d05d8bfdeaae607db2cd0a9
\nMD5: cb0699ecf69598e822e8f8d68b13817d
\nMD5: b4c5b5e5c5e00dcf78bb5027af03766f<\/p>\n

Once executed MD5: 35908d4fb26949b2431849d3d8165740 phones back to:<\/strong>
\n31.170.179.179
\n209.99.40.222
\n208.91.196.252
\n208.91.196.4
\n144.76.167.153
\n31.170.178.179
\n148.251.97.163
\n69.195.129.70
\n195.22.26.252
\n200.98.255.192<\/p>\n

Related malicious MD5s known to have phoned back to the same C&C server (31.170.179.179):<\/strong>
\nMD5: 35908d4fb26949b2431849d3d8165740
\nMD5: c358eab15a24b50769f31130d82f81ad
\nMD5: 757661a1ebfec599bbbff8e7eb9ef36f
\nMD5: 64eadeaf41536d3db4abd65fb7efa4c0
\nMD5: ca1219813e7a190f310a3c599adb3031<\/p>\n

Known to have phoned back to the same IP (209.99.40.223) as the original hosting location are also the following fraudulent domains:<\/strong>
\nMD5: 655cbf254d476fa1b5ac8e8b8f8d1300
\nMD5: 2c4d569539a3732a5e37b2f01305c87b
\nMD5: 6271df03b4074daf92a9ae75fd572c70
\nMD5: 559c4869c327726ff7d2566874569a46
\nMD5: 65f189242a45493c162b375bd4d1446f<\/p>\n

Webroot\u00a0SecureAnywhere<\/a><\/strong>\u00a0users are proactively protected from these threats.<\/p>\n","protected":false},"excerpt":{"rendered":"

In a cybercrime ecosystem dominated by DIY(do-it-yourself)\u00a0malware\/botnet generating releases, populating multiple market segments on a systematic basis, cybercriminals continue seeking new ways to acquire and efficiently monetize fraudulently obtained accounting data, for the purpose of achieving a positive ROI (Return on Investment) on their fraudulent operations.\u00a0In a series of blog posts, we’ve been detailing the […]<\/p>\n","protected":false},"author":65,"featured_media":17052,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[18003,18001,5973,17743,18011,4047,3721,11211,4065,15475,10703,3971,18005,17983,17973,9527,4029,18007,3947,18009],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/16610"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=16610"}],"version-history":[{"count":20,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/16610\/revisions"}],"predecessor-version":[{"id":32511,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/16610\/revisions\/32511"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17052"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=16610"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=16610"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=16610"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=16610"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}