" P.S.  Please send me via private email the full list of suspicious URLs.
I may not be able to actually do anything with those, but I can at least
have a look.  (For some reason my browser is not allowing me to just cut
and paste from your google docs.)"

I have sent you an email with two attachments. Please let me know if you do not receive it!

On Tue, Jan 12, 2021 at 6:30 AM steve payne <stevenp8844@gmail.com> wrote:
Hi,

"All abuse complaints must be put through their abuse form:

https://www.ovh.com/world/abuse/"

I have filled out the form with OVH a few times, almost 2 weeks ago and have not heard any response. The domains I submitted are still active and redirecting to malware.

"It must be put through their abuse form:

https://www.cloudflare.com/abuse/form"

The main form for the Cloudflare Malware submit form only allows one URL submission at a time. I have submitted this form many times and support tickets, as I also have a Cloudflare service.

I was told this can only be handled by the "Support & Trust" team and they will reach out to me. We have gone through this twice, yet all domains are still actively hosted through Cloudflare.

"I'm confused.  How exactly does one "spam" a search engine?

And what is "spun text", exactly?"

This spam operation is no small operation. The way they are spamming search engines is by using the authority of hacked domains to "link to" these fraud domains. It's bringing link juice and a lot of search engine traffic.

By "spun text", it's basically garbled text that has thousands of keywords in it and for some reason Google is not able to detect it.

Here are a couple of links.

https://www.google.com/search?q=site%3Aatlantidepz.it&rlz=1C1GCEA_enUS802US802&oq=site%3Aatlantidepz.it&aqs=chrome..69i57j69i58.4172j0j7&sourceid=chrome&ie=UTF-8

https://www.google.com/search?q=site%3Aandrea-rubinetterie.it&rlz=1C1GCEA_enUS802US802&oq=site%3Aandrea-rubinetterie.it&aqs=chrome..69i57j69i58.6191j0j7&sourceid=chrome&ie=UTF-8

Basically search google for site:domain and you will see the "spun text".

Here is a direct domain (there are many inside of the two files I listed): http://asugroup.ir/bdo-wizard-ziuli/seccomp-bypass-ctf.html

" seccomp bypass ctf 첫 Seccomp Bypass 공부 This test will connect to a mail server via SMTP, perform a simple Open Relay Test and verify the server has a reverse DNS (PTR) record. This is the most disappointing and astonishing challenge in this year's DEFCON qual. On Linux, chroot() can be used to break out of a chroot() jail: chroot() does not require your pwd be in the directory that is chroot()'d to the new root. See the complete profile on LinkedIn and discover Ajin’s connections and jobs at similar companies. From the initial plan we know we must change values on _IO_2_1_STDOUT->file->vtable, and values on the _IO_helper_jumps vtable but there will be a lot of values in the middle because we are overflowing everything from the very beginning, in this case from the stdin we can’t just fill everything with nulls and expect everything to run smoothly , obviously the program will Apr 14, 2020 · Allocate a chunk using leave_feedback function and free it and since the seccomp filters uses heap to allocate its rules the freed chunk will never be merged with top chunk and considering the big size of allocation is 0x501 the freed chunk will go to unsorted bin because tcache bins can only holds size lower then 0x408. Fuzzing {{7*7}} Till {{P1}} This is an SSTI writeup. 1. Current list last refreshed on Tue, 2020-12-29 at 00:22:48 (local time) Microsoft, McAfee, Rapid7, and Others Form New Ransomware Task Force id: | 2020-12-23 15:25:00 Thursday, September 17, 2020 OEM Security Newsalert - 17-Oct-2020. The binary initializes some seccomp rules, and then EN | ZH. Hence, an attacker might gain control over some process of a web browser but seccomp will restrict the set of available syscalls to only those it needs. X. If answer is Y\x00 then it calls set_context() else it calls system("/bin/sh")  12 Jul 2018 Introduction After my tutorial on seccomp, thanks for Google CTF for This post will give the write-up for the execve-sandbox in GoogleCTF. 2 man page for review. 
areas of specialty include exmpedded/IoT CTF / Capture the Flag and IoT Village CTF: Security Innovation will be hosting the CTF event using their CMD+CTRL platform . com/2020/07/26/security-101-backups-protecting-backups <p>I can already hear some readers saying that backups are an 11 Apr 2019 ROP to Shellcode To ease bypassing of the seccomp filter, let's first set up a ROP Service: nc gissa-igen-01. HarveyHunt/howm 451 A lightweight, X11 tiling window manager that behaves like vim trailofbits/ctf 451 CTF Field Guide bwalex/tc-play 451 Free and simple TrueCrypt Implementation based on dm-crypt libharu/libharu 450 libharu - free PDF library gittup/tup 449 Tup is a file-based build system. PHP-FPM/FastCGI bypass disable_functions 6. 43 runtime : 6 remark : size (MB) : 1. Posted on December 13, 2020* in ctf-writeups. club MMA CTF 2nd 2016 PPC pwn format string web sql injection heap ASIS CTF Finals 2016 Use After Free fastbin off-by-one shadow stack CSAW CTF 2016 overflow Crypto Forensic padding oracle attack World-first proof-of-principle to bypass Internet kill switches. clMathLibraries/clBLAS - a software library containing BLAS functions written in OpenCL; andrewrk/libsoundio - C library for cross-platform real-time audio input and output View Ajin Abraham’s profile on LinkedIn, the world’s largest professional community. En este post daremos una posible solución al reto Weird Chall planteado en el DEKRA CTF 2020. Vulc@n Difensiva Senior Engineer, DDTEK Hawaii John CTF organizer, Legit Business Syndicate Chris Eagle CTF organizer, DDTEK Invisigoth CTF organizer, Kenshoto Caezar CTF organizer In this onlin "

Etc. etc. etc. etc.

Another easy way to spot them is by searching for 3 letter keywords in the past hour. "PCH" is a big one.

https://www.google.com/search?rlz=1C1GCEA_enUS802US802&biw=1920&bih=937&tbs=qdr%3Ah&sxsrf=ALeKk02CH7HNpzS8urRXOtXxUoV-aiqZUw%3A1610457738956&ei=iqL9X8zwOZfA0PEPyuGm-Ak&q=pch&oq=pch&gs_lcp=CgZwc3ktYWIQAzINCAAQsQMQgwEQyQMQQzIKCAAQsQMQgwEQQzIICAAQsQMQgwEyCAgAELEDEIMBMgQILhBDMgIIADIICAAQsQMQgwEyCAgAELEDEIMBMgIIADICCAA6BAgAEEM6CwguELEDEMcBEKMCOgUIABCxA1DjxxFYxckRYJbLEWgAcAB4AIABpwGIAZ4DkgEDMC4zmAEAoAEBqgEHZ3dzLXdpesABAQ&sclient=psy-ab&ved=0ahUKEwjM3dLLvpbuAhUXIDQIHcqwCZ8Q4dUDCA0&uact=5

These results are the same with Bing.

-------

Here is a new Chrome Extension this malware group is promoting with "download" to continue for search queries: https://chrome.google.com/webstore/detail/search-and-newtab-by-medi/kgmkoajcbbjaobdbmcnhkppmpnejjpkn

It has 400,000 downloads and basically changes Google from their default search engine to "MediaNewPage".

https://malwaretips.com/blogs/remove-medianewpage-search/

There are pages that talk about how to remove a Chrome Browser Extension Virus, but reporting it does nothing.

On Mon, Jan 11, 2021 at 11:25 PM Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
In message <CAMPzqHa0T9PxyjbvA6AFZMOoVVMqipP1OXS8SNa+eY+KtUrQLA@mail.gmail.com>,
steve payne <stevenp8844@gmail.com> wrote:

>There is a huge amount of some type of fraud happening with .it, .pl, .xyz
>and other domains being registered (see links below).
>
>https://docs.google.com/document/d/159Sbik8CkO9WDbLjH_tqAhr-dkpODWS1kt4UULLLfk0/edit?usp=sharing
>
>https://docs.google.com/document/d/1z43WugqqgyVjNy6-IPgON118YaE0HxrgRMKbVwW42NM/edit?usp=sharing
>
>These links contain a list of over 5,000 domains that are currently
>spamming search engines with spun text and then cloaking users to malware
>that have the search engine referrer.

I'm confused.  How exactly does one "spam" a search engine?

And what is "spun text", exactly?


Regards,
rfg


P.S.  Please send me via private email the full list of suspicious URLs.
I may not be able to actually do anything with those, but I can at least
have a look.  (For some reason my browser is not allowing me to just cut
and paste from your google docs.)
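The thread describes pages that show "spun text" to a crawler or to a direct visitor but redirect visitors who arrive with a search-engine referrer. One way to confirm that behaviour on a single URL without trusting a browser is to request it twice, once with no Referer and once with a search-engine Referer, and compare what comes back. The Python check below is an added example written for this page; it is not code from anyone in the thread. The referrer value, the User-Agent string, the 50% body-size threshold and the hostnames in the constructed test data are all assumptions, and the network fetch is kept separate from the pure comparison so the comparison can be exercised offline.

```python
"""Referrer-cloaking check (added example, not from the thread)."""
import hashlib
import re
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed referrer value: cloaking pages typically key on a search-engine host.
SEARCH_REFERER = "https://www.google.com/"

# Client-side redirect vectors (meta refresh, JS location changes) that move a
# visitor elsewhere after an innocuous-looking page has loaded.
CLIENT_REDIRECT = re.compile(
    rb"""(<meta[^>]+http-equiv\s*=\s*["']?refresh"""
    rb"""|(?:window\.|document\.|top\.)?location(?:\.href|\.replace|\.assign)?\s*[=(])""",
    re.IGNORECASE,
)


@dataclass
class Variant:
    """One fetch of the URL: which header set was used and what came back."""
    label: str
    final_url: str   # URL after any HTTP-level redirects
    status: int
    body: bytes


def fetch_variant(url: str, label: str, referer: str = "", timeout: int = 10) -> Variant:
    """Fetch url once, optionally with a Referer header; HTTP redirects are followed."""
    headers = {"User-Agent": "Mozilla/5.0 (cloak-check)"}  # assumed UA string
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return Variant(label, resp.geturl(), resp.status, resp.read(1 << 16))
    except urllib.error.HTTPError as err:
        # A 4xx/5xx is still a data point: keep the body and final URL.
        return Variant(label, err.geturl(), err.code, err.read(1 << 16))


def has_client_redirect(body: bytes) -> bool:
    return CLIENT_REDIRECT.search(body) is not None


def compare_variants(plain: Variant, referred: Variant) -> dict:
    """Pure comparison: returns the verdict plus the observable reasons for it."""
    reasons = []
    plain_host = (urlparse(plain.final_url).hostname or "").lower()
    ref_host = (urlparse(referred.final_url).hostname or "").lower()
    if plain_host != ref_host:
        reasons.append(f"landing host differs: {plain_host!r} vs {ref_host!r}")
    if plain.status != referred.status:
        reasons.append(f"status differs: {plain.status} vs {referred.status}")
    if has_client_redirect(referred.body) and not has_client_redirect(plain.body):
        reasons.append("client-side redirect served only with search referrer")
    # Dynamic pages differ slightly on every load, so compare size ratio rather
    # than requiring byte-identical bodies (assumed threshold: 50%).
    sizes = sorted((len(plain.body), len(referred.body)))
    if sizes[1] and sizes[0] / sizes[1] < 0.5:
        reasons.append(f"body size differs sharply: {len(plain.body)} vs {len(referred.body)}")
    identical = hashlib.sha256(plain.body).digest() == hashlib.sha256(referred.body).digest()
    return {"cloaked": bool(reasons), "identical_body": identical, "reasons": reasons}


def check_url(url: str) -> dict:
    """Fetch both variants of one URL and compare them."""
    plain = fetch_variant(url, "no-referer")
    referred = fetch_variant(url, "search-referer", referer=SEARCH_REFERER)
    result = compare_variants(plain, referred)
    result["url"] = url
    return result


if __name__ == "__main__":
    # Usage: python cloak_check.py URL [URL ...]
    for target in sys.argv[1:]:
        verdict = check_url(target)
        flag = "CLOAKED" if verdict["cloaked"] else "same   "
        print(flag, target, "; ".join(verdict["reasons"]))
```

Run it against a suspect URL list in an isolated environment; a "CLOAKED" verdict with a differing landing host or a referrer-only client-side redirect is the evidence worth attaching to an abuse report, since it shows the behaviour the registrar or CDN reviewer will not see by opening the page directly.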