[nsp-sec] Profilespam - likely proxies.
Scott A. McIntyre
scott at xs4all.net
Sat Oct 10 04:38:29 EDT 2009

Hi,

A friend of mine is an administrator of www.myexperiment.org where
they've recently been hit pretty hard by folks creating fake profiles
which contain links to other sites -- presumably some sort of an
attempt to increase search result hits. The sites referred to didn't
seem to have any "obvious" signs of malware, but I only looked at a
handful. Some were even at Amazon or Youtube, which was a bit odd.

The following list of ASNs had systems which were used to create these
bogus profiles. In some cases these are probably running some
proxying malware, in other cases, it may be humans. The destination
site is running a captcha system but, predictably, that isn't
providing much protection.

The attachment "asn.txt" to this mail has the specific IPs for these
systems.

The second attachment, "user_list.txt" contains the URLs which were
being inserted into the bogus profiles, as well as the email addresses
used as part of the signup verification process. Lots of Yahoo and
Gmail accounts - so maybe of interest to our representatives from
those places.

I realise these are drops in the ocean when it comes to this type of
provider-service abuse, but there may be something in the data here
which someone recognises as part of a larger pattern, specific
malware, whatever. The times in the asn.txt are UTC+0100, by the way.

Happy hunting,

Scott A. McIntyre
XS4ALL Internet B.V.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: asn.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20091010/3d1e8d44/attachment-0002.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: user_list.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20091010/3d1e8d44/attachment-0003.txt>