[en] Browlock also by hacked websites

A campaign for Browlock but not using malvertising this time.
I want to mention that Malwarebytes already blogged about something in May 2014, but I'm not 100% sure it's the same thing (or whether it has evolved). It is difficult to know because there is not much information in the article: https://blog.malwarebytes.org/fraud-scam/2014/05/browlock-redirects-via-google-image-search/

Here are some examples of hacked websites.
The hackers create a lot of web pages on the hacked websites so that they get indexed by Google; users then click on these results and are finally redirected to the Browlock ransomware.
SEO poisoning is an old technique, widely used in the past (2008/2009/2010) to push scareware (in French: https://forum.malekal.com/seo-empoisonnement-redirections-recherches-google-t21270.html).

[Screenshots: Browlock redirections from Google image search]

Below, two Fiddler screenshots show the redirection to Browlock webpages from a hacked website:

[Fiddler screenshots: redirection from a hacked website to Browlock]
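A defender-side check for the redirection pattern described above, as an added example that is not part of the original article: it scans proxy-log records for visits arriving from a search engine that are answered with a redirect to a different host. The record layout, the `.example` hosts and the assumption that the redirect is an HTTP 3xx with a `Location` header are constructed for illustration; a script-based redirect would need a different signal.

```python
from urllib.parse import urlsplit

# Assumption: search engines whose referrers we care about.
SEARCH_LABELS = {"google", "bing", "yahoo"}

# Constructed proxy-log records (hypothetical hosts, not taken from the article).
RECORDS = [
    {"url": "http://shop.example/cheap-widgets-123.html",
     "referer": "https://www.google.com/search?q=cheap+widgets",
     "status": 302, "location": "http://lock.example/index.php"},
    {"url": "http://shop.example/cheap-widgets-123.html",
     "referer": "", "status": 200, "location": ""},
    {"url": "http://blog.example/post.html",
     "referer": "https://www.google.fr/imgres?imgurl=x",
     "status": 301, "location": "https://blog.example/post.html"},
    {"url": "http://shop.example/free-games-77.html",
     "referer": "https://www.google.com/imgres?imgurl=y",
     "status": 302, "location": "http://lock.example/index.php"},
]

def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none (e.g. relative)."""
    return (urlsplit(url).hostname or "").lower()

def from_search_engine(referer):
    """True if any label of the referrer hostname is a known search engine."""
    return bool(SEARCH_LABELS & set(host_of(referer).split(".")))

def find_search_redirects(records):
    """Map each suspect host to the off-site targets and landing pages seen."""
    hits = {}
    for r in records:
        if not 300 <= r["status"] < 400 or not from_search_engine(r["referer"]):
            continue
        src, dst = host_of(r["url"]), host_of(r["location"])
        if dst and dst != src:  # same-host redirects (http -> https) are ignored
            entry = hits.setdefault(src, {"targets": set(), "pages": set()})
            entry["targets"].add(dst)
            entry["pages"].add(urlsplit(r["url"]).path)
    return hits

if __name__ == "__main__":
    for host, info in find_search_redirects(RECORDS).items():
        print(host, sorted(info["targets"]), len(info["pages"]), "landing pages")
```

A host with many distinct landing pages that all redirect search visitors to the same off-site target matches the campaign shape described here and is worth reviewing.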

Some hacked domains:

There are not so many hacked websites, so I don't think this campaign gives them much traffic, but it would be good if Google could do something 🙂

EDIT - 109.206.177.36 - Android Locker SEO Poisoning

Some examples:

[Screenshots: SEO poisoning leading to Android Locker]

These lead to URLs of the form keywordXXX.html.
The first redirection is the Android Locker malvertising.

All domains are at 109.206.177.36, a well-known IP related to Android Locker malvertising:
https://www.virustotal.com/fr/ip-address/109.206.177.36/information/
http://malwaredb.malekal.com/url.php?ip=109.206.177.36