Daily cyber threats and internet security news: network security, online safety and latest security alerts
February 12th, 2009 Hit By Comments Spam That Leads To Malware

According to PandaSecurity, the social news site is targeted by cybecriminals on their way to acquire legitimate traffic to their malware serving domains. The ongoing attack is far more widespread the originally stated, with +500,000 bogus comments leading to 15 currently active malware domains, where the end user is enticed to install a fake video codec in order to view the video. Once executed, the codec attempts to trick the user that they’re infected with malware, and in order to get rid of it, a rogue security software has to be purchased.

The cybercriminals are taking advantage of on purposely registered bogus accounts, in a combination with compromised legitimate accounts to not only post Digg stories directly leading to malware, but also, to heavily comment on legitimate and bogus stories by posting even more malware-serving links.

“Malware distributors have been creating false stories with catchy subject lines as an attempt to bait (Rickroll) users into clicking links leading to an infection,” explains Panda researcher Sean-Paul Correll. “In some cases the attackers do not create the news story themselves, rather linking to others relevant content.”

As well as driving surfers to maliciously constructed domains, the trick also boosts the search engine ranking of hacker-controlled websites.’s abuse department has been notified of the attack and the malware domains it seeks to promote.

Over recent weeks both LinkedIn and Twitter have been used to distribute malware in a pattern of abuse that now extends to Digg and shows no signs of dying off.

A list of the domain redirectors used in the comment spam attack (from

worldnews-video .com – 459,000 bogus comments
youtube-top-video .com – 98,000 bogus comments
new-videos .info – 92,500 bogus comments
film-man .com – 50,700 bogus comments
last-sex-news .com – 26, 000 bogus comments
video-news .cn – 25, 500 bogus comments
last-porno-news .com – 21,500 bogus comments
fresh-video-news .com – 10,900 bogus comments
broken-tv .com – 10,000 bogus comments
video-trailers .net – 8,370 bogus comments
exclusive-videos .net – 7860 bogus comments
funkytube .net – 6,170 bogus comments
shocking-stars .net – 2,600 bogus comments
cinemacafe .tv – 1560 bogus comments
watch-video .cn – 3000 bogus comments
vidstream .cn – 397 bogus comments
divgg .com – 174 bogus comments
golden-portal .us – 3040 bogus comments
tubedirects .net – 290 bogus comments
funkytube .net – 6,480 bogus comments
watchepisodes .cn – 331 bogus comments

video-sensation .com – 1,500 bogus comments
bestlive-tv .cn – 216 bogus comments
svtube .cn – 222 bogus comments
onlyhotvideos .com – 413 bogus comments
celebnudestars .net – 326 bogus comments
usatvshows .us – 41 bogus comments
vidstream .cn – 398 bogus comments
divgg .com – 171 bogus comments
tubedirects .net – 285 bogus comments
yuotnbe .com – 370 bogus comments
omeia .info – 769 bogus comments
video.stumbulepon .com – 669 bogus comments
shocking-stars .net – 2,650 bogus comments
sowonder .net – 3000 bogus comments
sex-tapes-celebs .com – 2,210 bogus comments
video-sensation .com – 1,690 bogus comments

Currently active download locations for the fake codecs, and the rogue security software:

vivaextra .com
tube-xxx-tv2009 .com
onlinestreamsofware .com
demoextra .com
best-tube-2008 .net
tubeportalsoftware2008 .com
tubesoftwareviewer2008 .com
exefilesdownload2009 .com
tubesoftwareviewer2009 .com
uporntube-07 .com
tubeporn08 .com
uporn-tube .com
uporntube2009 .com
porn-tube09 .com
tubeporn09 .com
xxxporn-tube .com
porntubenew .com
ultra-extra .com
xp-police .com
xp-police-av .com
xp-police-2009 .com
antiviralscanner14 .com

Credit: Dancho Danchev, ZDNet
Credit: John Leyden, The Register

Share this item with others:

More on CyberInsecure:
  • Third-party Marketing Agency Spammed A Security Expert Blog After Being Hired By Sophos
  • Spam From 750 Compromised Twitter Accounts Invited Users To Visit Porn Website
  • WordPress Doorway Spam Attacks
  • Infecting Christmas E-greetings Are Distributed Via Spam
  • Apple iTunes Users Are Targeted By Phishers

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Hit By Comments Spam That Leads To Malware

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.