[anti-abuse-wg] Huge List of Domains Cloaking to Malware (5, 000+)
steve payne
stevenp8844 at gmail.com
Tue Jan 12 14:40:00 CET 2021
"P.S. Please send me via private email the full list of suspicious URLs. I may not be able to actually do anything with those, but I can at least have a look. (For some reason my browser is not allowing me to just cut and paste from your google docs.)"

I have sent you an email with two attachments. Please let me know if you do not receive it!

On Tue, Jan 12, 2021 at 6:30 AM steve payne <stevenp8844 at gmail.com> wrote:

> Hi,
>
> "All abuse complaints must be put through their abuse form:
> https://www.ovh.com/world/abuse/"
>
> I have filled out the form with OVH a few times, almost 2 weeks ago, and have not heard any response. The domains I submitted are still active and redirecting to malware.
>
> "It must be put through their abuse form:
> https://www.cloudflare.com/abuse/form"
>
> The main form for the Cloudflare Malware submit form only allows for 1 url submission at a time. I have submitted this form many times and support tickets, as I also have a Cloudflare service.
>
> I was told this can only be handled by the "Support & Trust" team and they will reach out to me. We have gone through this twice, yet all domains are still actively hosted through Cloudflare.
>
> "I'm confused. How exactly does one "spam" a search engine?
> And what is "spun text", exactly?"
>
> This spam operation is no small operation. The way they are spamming search engines is by using the authority of hacked domains to "link to" these fraud domains. It's bringing link juice and a lot of search engine traffic.
>
> By "spun text", it's basically garbled text that has thousands of keywords in it and for some reason Google is not able to detect it.
>
> Here are a couple of links.
>
> https://www.google.com/search?q=site%3Aatlantidepz.it&rlz=1C1GCEA_enUS802US802&oq=site%3Aatlantidepz.it&aqs=chrome..69i57j69i58.4172j0j7&sourceid=chrome&ie=UTF-8
>
> https://www.google.com/search?q=site%3Aandrea-rubinetterie.it&rlz=1C1GCEA_enUS802US802&oq=site%3Aandrea-rubinetterie.it&aqs=chrome..69i57j69i58.6191j0j7&sourceid=chrome&ie=UTF-8
>
> Basically search google for site:domain and you will see the "spun text".
>
> Here is a direct domain (there are many inside of the two files I listed):
> http://asugroup.ir/bdo-wizard-ziuli/seccomp-bypass-ctf.html
>
> "seccomp bypass ctf First Seccomp Bypass Study This test will connect to a mail server via SMTP, perform a simple Open Relay Test and verify the server has a reverse DNS (PTR) record. This is the most disappointing and astonishing challenge in this year's DEFCON qual. On Linux, chroot() can be used to break out of a chroot() jail: chroot() does not require your pwd be in the directory that is chroot()'d to the new root. See the complete profile on LinkedIn and discover Ajin’s connections and jobs at similar companies. From the initial plan we know we must change values on _IO_2_1_STDOUT->file->vtable, and values on the _IO_helper_jumps vtable but there will be a lot of values in the middle because we are overflowing everything from the very beginning, in this case from the stdin we can’t just fill everything with nulls and expect everything to run smoothly , obviously the program will Apr 14, 2020 · Allocate a chunk using leave_feedback function and free it and since the seccomp filters uses heap to allocate its rules the freed chunk will never be merged with top chunk and considering the big size of allocation is 0x501 the freed chunk will go to unsorted bin because tcache bins can only holds size lower then 0x408. Fuzzing {{7*7}} Till {{P1}} This is an SSTI writeup. 1. Current list last refreshed on Tue, 2020-12-29 at 00:22:48 (local time) Microsoft, McAfee, Rapid7, and Others Form New Ransomware Task Force id: | 2020-12-23 15:25:00 Thursday, September 17, 2020 OEM Security Newsalert - 17-Oct-2020. The binary initializes some seccomp rules, and then EN | ZH. Hence, an attacker might gain control over some process of a web browser but seccomp will restrict the set of available syscalls to only those it needs. X. If answer is Y\x00 then it calls set_context() else it calls system("/bin/sh") 12 Jul 2018 Introduction After my tutorial on seccomp, thanks for Google CTF for This post will give the write-up for the execve-sandbox in GoogleCTF. 2 man page for review. areas of specialty include exmpedded/IoT CTF / Capture the Flag and IoT Village CTF: Security Innovation will be hosting the CTF event using their CMD+CTRL platform . com/2020/07/26/security-101-backups-protecting-backups <p>I can already hear some readers saying that backups are an 11 Apr 2019 ROP to Shellcode To ease bypassing of the seccomp filter, let's first set up a ROP Service: nc gissa-igen-01. HarveyHunt/howm 451 A lightweight, X11 tiling window manager that behaves like vim trailofbits/ctf 451 CTF Field Guide bwalex/tc-play 451 Free and simple TrueCrypt Implementation based on dm-crypt libharu/libharu 450 libharu - free PDF library gittup/tup 449 Tup is a file-based build system. PHP-FPM/FastCGI bypass disable_functions 6. 43 runtime : 6 remark : size (MB) : 1. Posted on December 13, 2020* in ctf-writeups. club MMA CTF 2nd 2016 PPC pwn format string web sql injection heap ASIS CTF Finals 2016 Use After Free fastbin off-by-one shadow stack CSAW CTF 2016 overflow Crypto Forensic padding oracle attack World-first proof-of-principle to bypass Internet kill switches. clMathLibraries/clBLAS - a software library containing BLAS functions written in OpenCL; andrewrk/libsoundio - C library for cross-platform real-time audio input and output View Ajin Abraham’s profile on LinkedIn, the world’s largest professional community. In this post we will give a possible solution to the Weird Chall challenge set in the DEKRA CTF 2020. Vulc at n Difensiva Senior Engineer, DDTEK Hawaii John CTF organizer, Legit Business Syndicate Chris Eagle CTF organizer, DDTEK Invisigoth CTF organizer, Kenshoto Caezar CTF organizer In this onlin"
>
> Etc. etc. etc. etc.
>
> Another easy way to spot them is by searching for 3 letter keywords in the past hour. "PCH" is a big one.
>
> https://www.google.com/search?rlz=1C1GCEA_enUS802US802&biw=1920&bih=937&tbs=qdr%3Ah&sxsrf=ALeKk02CH7HNpzS8urRXOtXxUoV-aiqZUw%3A1610457738956&ei=iqL9X8zwOZfA0PEPyuGm-Ak&q=pch&oq=pch&gs_lcp=CgZwc3ktYWIQAzINCAAQsQMQgwEQyQMQQzIKCAAQsQMQgwEQQzIICAAQsQMQgwEyCAgAELEDEIMBMgQILhBDMgIIADIICAAQsQMQgwEyCAgAELEDEIMBMgIIADICCAA6BAgAEEM6CwguELEDEMcBEKMCOgUIABCxA1DjxxFYxckRYJbLEWgAcAB4AIABpwGIAZ4DkgEDMC4zmAEAoAEBqgEHZ3dzLXdpesABAQ&sclient=psy-ab&ved=0ahUKEwjM3dLLvpbuAhUXIDQIHcqwCZ8Q4dUDCA0&uact=5
>
> These results are the same with Bing.
>
> -------
>
> Here is a new Chrome Extension this malware group is promoting with "download" to continue for search queries:
> https://chrome.google.com/webstore/detail/search-and-newtab-by-medi/kgmkoajcbbjaobdbmcnhkppmpnejjpkn
>
> It has 400,000 downloads and basically changes Google from their default search engine to "MediaNewPage".
>
> https://malwaretips.com/blogs/remove-medianewpage-search/
>
> There are pages that talk about how to remove a Chrome Browser Extension Virus, but reporting it does nothing.
>
> On Mon, Jan 11, 2021 at 11:25 PM Ronald F. Guilmette <rfg at tristatelogic.com> wrote:
>
>> In message <CAMPzqHa0T9PxyjbvA6AFZMOoVVMqipP1OXS8SNa+eY+KtUrQLA at mail.gmail.com>, steve payne <stevenp8844 at gmail.com> wrote:
>>
>> > There is a huge amount of some type of fraud happening with .it, .pl, .xyz and other domains being registered (see links below).
>> >
>> > https://docs.google.com/document/d/159Sbik8CkO9WDbLjH_tqAhr-dkpODWS1kt4UULLLfk0/edit?usp=sharing
>> >
>> > https://docs.google.com/document/d/1z43WugqqgyVjNy6-IPgON118YaE0HxrgRMKbVwW42NM/edit?usp=sharing
>> >
>> > These links contain a list of over 5,000 domains that are currently spamming search engines with spun text and then cloaking users to malware that have the search engine referrer.
>>
>> I'm confused. How exactly does one "spam" a search engine?
>>
>> And what is "spun text", exactly?
>>
>> Regards,
>> rfg
>>
>> P.S. Please send me via private email the full list of suspicious URLs. I may not be able to actually do anything with those, but I can at least have a look. (For some reason my browser is not allowing me to just cut and paste from your google docs.)
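The thread describes pages that serve spun text to crawlers and redirect only visitors carrying a search-engine referrer. The following is an added example (not code from the thread or from any of the services named in it) of how an abuse responder can make that behaviour visible: fetch a URL once without and once with a search-engine Referer, then compare where the two visits end up. The referer value, the user-agent string and the verdict labels are assumptions.

```python
"""Referrer-cloaking check (added example, not code from the thread).
A cloaking page serves its real content only to visitors arriving from a
search engine. Fetching the same URL with and without a search-engine
Referer and comparing where each visit ends up makes that visible."""
import hashlib
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Optional

SEARCH_REFERER = "https://www.google.com/"  # assumed: referrer the cloaker keys on
USER_AGENT = "Mozilla/5.0 (compatible; cloaking-check)"  # assumed browser-like UA


@dataclass
class Fetch:
    final_url: str  # URL after urllib followed any redirects
    status: int
    body_hash: str  # sha256 of the first 256 KiB of the body


def fetch(url: str, referer: Optional[str] = None, timeout: float = 10.0) -> Fetch:
    """Fetch once and summarise the outcome (this part needs network access)."""
    headers = {"User-Agent": USER_AGENT}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(256 * 1024)
            return Fetch(resp.geturl(), resp.status, hashlib.sha256(body).hexdigest())
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry a body
        return Fetch(err.geturl(), err.code, hashlib.sha256(err.read()).hexdigest())


def hostname(url: str) -> str:
    return (urllib.parse.urlsplit(url).hostname or "").lower()


def classify(plain: Fetch, referred: Fetch) -> str:
    """Compare the two visits of one URL: 'cloaked-redirect' when the
    search-engine visitor lands on a different host, 'cloaked-content' when
    the host matches but the body differs (can be benign: ads, timestamps,
    so treat it as a lead to inspect), 'consistent' otherwise."""
    if hostname(plain.final_url) != hostname(referred.final_url):
        return "cloaked-redirect"
    if plain.body_hash != referred.body_hash:
        return "cloaked-content"
    return "consistent"


def check_url(url: str) -> str:
    return classify(fetch(url), fetch(url, SEARCH_REFERER))
```

Run `check_url` over each entry of a domain list from an isolated host; a `cloaked-redirect` result, with both final URLs, is the kind of reproducible evidence an abuse desk can act on.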