Exploit Kits Skin an Innocent Site
[From our internal blog, 8/12 (Monday).]
In the classic movie Men In Black, there's a wonderful villain: an alien who kills a back-country farmer and steals his skin to wear as camouflage.
I thought of "Edgar" the alien when I was researching a network of exploit kit sites. They looked like this:
Not quite as scary.
But they get scarier when you keep seeing the same page on lots of domains -- domains that are also being used to host exploit kits.
You see, the real "caring advocates" site has been "skinned" to be used as camouflage. Here's the current version of the real site (with a different Flash video):
This malware gang operates by creating a series of junk subdomains under a parent domain, as in this seniorbookoflife.com example. In this case, we saw a total of 6 different subdomains today [8/12], with names like heittelivtcovarian.seniorbookoflife.com and esialamfeverthermometer.seniorbookoflife.com.
The parent domains are parked (wearing their camouflage) on one server (all of the examples I found were on various GoDaddy IPs, 184.108.40.206, 220.127.116.11, 18.104.22.168, etc.), while the evil subdomains are on other servers -- we've seen 22.214.171.124 and 126.96.36.199 used today [8/12].
Some of the hijacked/borrowed domains are registered to the same owner as seniorbookoflife.com (e.g., theseniorbook.com, stanleyterman.com), but others are not (e.g., prettywomansyndrome.com, lovedecisions.com), and they are on different IPs, so it does look like the Bad Guys deliberately "skinned" caringadvocates.org, rather than accidentally "inheriting" a default site across other hijacked domains on the same server.
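The hosting pattern described above (parent domain parked on one server wearing a borrowed "skin", junk subdomains pointing at different servers, and the same skin reused across unrelated parent domains) can be turned into a simple triage rule over passive-DNS data. The following is an added example, not code from the original post; it assumes a list of `Record` entries with a host name, the IP it resolved to, and a fingerprint of the landing page body, and all sample records, IPs (RFC 5737 documentation ranges) and fingerprints are constructed placeholders rather than the values seen in the post.

```python
"""Flag parent domains that show the 'skinned parent, evil subdomains' pattern.

Added example for illustration only; it is not code from the original post.
Inputs are constructed passive-DNS-style records.  IPs are RFC 5737
documentation addresses and page fingerprints are placeholder strings, not the
values observed in the post.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    fqdn: str        # host name observed in passive DNS
    ip: str          # address it resolved to
    page_hash: str   # fingerprint of the landing page body (constructed)


def parent_of(fqdn: str) -> str:
    """Registrable parent, approximated as the last two labels (fine for .com/.org)."""
    return ".".join(fqdn.split(".")[-2:])


def looks_junk(label: str, allow=("www", "mail", "blog", "shop", "cdn")) -> bool:
    """Crude heuristic for machine-generated labels: long, letters only, not a service name."""
    return label not in allow and len(label) >= 12 and label.isalpha()


def find_skinned_parents(records, min_shared_parents: int = 2) -> dict:
    """Return {parent: details} for parents matching all three signals:
      1. at least one junk-looking subdomain,
      2. subdomain IPs disjoint from the parent's IPs (not inherited shared hosting),
      3. the parent's landing-page fingerprint is shared by >= min_shared_parents parents.
    """
    parents = defaultdict(lambda: {"parent_ips": set(), "sub_ips": set(),
                                   "junk_subs": set(), "page_hash": None})
    hash_to_parents = defaultdict(set)

    for r in records:
        p = parent_of(r.fqdn)
        e = parents[p]
        if r.fqdn in (p, "www." + p):
            e["parent_ips"].add(r.ip)
            e["page_hash"] = r.page_hash
            hash_to_parents[r.page_hash].add(p)
        else:
            e["sub_ips"].add(r.ip)
            if looks_junk(r.fqdn.split(".")[0]):
                e["junk_subs"].add(r.fqdn)

    findings = {}
    for p, e in parents.items():
        if not e["junk_subs"] or e["page_hash"] is None:
            continue
        if e["sub_ips"] & e["parent_ips"]:
            continue  # same server: more likely a default site inherited by accident
        sharing = hash_to_parents[e["page_hash"]]
        if len(sharing) < min_shared_parents:
            continue
        findings[p] = {"junk_subs": sorted(e["junk_subs"]),
                       "sub_ips": sorted(e["sub_ips"]),
                       "skin_shared_with": sorted(sharing - {p})}
    return findings


# Constructed sample records (IPs and hashes are placeholders).
SAMPLE = [
    Record("seniorbookoflife.com", "192.0.2.10", "skin-A"),
    Record("heittelivtcovarian.seniorbookoflife.com", "198.51.100.7", "ek-landing"),
    Record("esialamfeverthermometer.seniorbookoflife.com", "198.51.100.7", "ek-landing"),
    Record("theseniorbook.com", "192.0.2.11", "skin-A"),
    Record("qweasdzxcrtyuiopl.theseniorbook.com", "198.51.100.8", "ek-landing"),
    Record("parked-only.example", "192.0.2.10", "skin-A"),              # same skin, no subdomains
    Record("example.org", "192.0.2.50", "legit-B"),
    Record("documentationportal.example.org", "192.0.2.50", "legit-B"),  # long label, same host
]

if __name__ == "__main__":
    for parent, info in find_skinned_parents(SAMPLE).items():
        print(parent, info)
```

The third signal is what separates deliberate skinning from the "accidentally inherited default site" case the post raises: a single parked domain with a copied page is not suspicious on its own, but the same page fingerprint on several parents whose junk subdomains all resolve elsewhere is. In practice the `looks_junk` heuristic should be tuned against your own DNS baseline, since long letters-only labels do occur legitimately.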
In the past, this gang was content to leave the parent domain sporting the standard GoDaddy "parked domain" page, but now they're getting a bit more creative. (They're still cockroaches.)