part I, we went over a few things regarding the landing page and the way the requests flow between the different sites. Let's have a look at the various sites, the IPs and the countries involved.
Name IP Country
ruraltrauma.com 184.108.40.206 US
goodwaystoloseweightsolution.com 220.127.116.11 DE
traffictrackingsys.com 18.104.22.168 DE
www.clclckck.com 22.214.171.124 US
(Alias for wehasoffer-elb.go2cloud.org)
wehasoffers.go2cloud.org 126.96.36.199 US
processingordersonline.com 188.8.131.52 US
authenticgarciniacambogia.net 184.108.40.206 US
affiliate.cpavhits.com 220.127.116.11 US
www.mediahub.bz 18.104.22.168 US
offer.my-secure-page.com 22.214.171.124 US
The majority of servers are hosted in the US and Germany. We can breakdown the hosting companies for these two countries.
The situation for Germany is interesting, due to the only 2 providers involved. Furthermore the upstream provider for "TT Internationl d.o.o." is ... "Hetzner." It seems highly unlikely that a single hoster/provider is unlucky enough to be the only one to serve the spam. A quick search on Google reports that several of their servers are known to distribute malware. SpamHaus goes even further and write down the two "TT International d.o.o.o" networks seen as dirty.
Given the number of hosts returned for "goodwaystoloseweightsolution.com", it could be a number of compromised servers, possibly members of a botnet. Another interesting point of view is who registered what name.
The "www.clclckck.com" is load-balanced across various servers on the Amazon EC cloud. The name is resolved with a TTL of 60 seconds between: 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11 or 18.104.22.168 are some of the IPs returned.
After discussing with my friend, she told me her account was hacked into and she had to change her password. The account was used to send an e-mail to all her contacts.
The front-end URL was most likely hacked into and a script is present that redirects only browsers based on the user agent. That way, if a search engine hits the page, it doesn't notice the redirection and ultimately the spam content.
The number of machines suggests this is not an amateur campaign, but rather an organization is behind it, and that the system can be extended to accommodate for further "products". The Amazon EC is leveraged to provide core redirection, which can ensure persistence should some parts of the chain be cleaned or turned off.
Lastly, it also seems that some of the servers are from less-than-reputable hosting companies known to harbor malware and criminal activities, reinforcing the idea that a criminal organization is behind it.