Author Topic: Yet more blackhat SEO from the Internet Service Team and NetDirekt  (Read 3497 times)

August 12, 2009, 02:40:46 pm
MysteryFCM

Yet more blackhat SEO from the Internet Service Team and NetDirekt

Quote
Following on from the previous documentation on the blackhat SEO campaigns going on in the search engines at present, I've noticed over the past few weeks that those I previously documented, using filenames such as cadets.php, with the .js file, were mysteriously leading to 404 pages.

Thankfully (or disappointingly, depending on which way you want to look at it), they're still making it super easy to identify their malicious domains, such as the following for example:

Host: received-latest-microsoft-update.alk.stromiko.com
Current IP: 95.168.191.96
IP PTR: 95.168.191.96.internetserviceteam.com

You'll no doubt have noticed our dear friends at the IST, or missed the fact that whilst the IP range is registered to V3SERVERS-NET-967806 (v3servers.net), it also just so happens to be on the NetDirekt AS - coinkydink? I don't think so.

Getting back to it. Feed this domain a Google referer (I've not tested it, but am 99% sure it'll also work if you feed it a Bing, Live or Yahoo etc. referer too), and you're taken to triwoperl.com (IP: 95.168.191.19 - 95.168.191.19.internetserviceteam.com), which looks like an ordinary search page.

http://hphosts.blogspot.com/2009/08/yet-more-blackhat-seo-from-internet.html
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
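
Added example, not part of the original post or of hpHosts' tooling: a small triage script that parses records in the Host / Current IP / IP PTR layout quoted above and flags hosts whose reverse DNS name sits under the operator domain the post points out. The names `WATCHED_PTR_SUFFIXES`, `parse_records`, `under_suffix` and `triage` are assumptions made for this sketch, and the second sample record is constructed.

```python
import ipaddress

# Operator domain seen in the PTR records quoted in the post.
WATCHED_PTR_SUFFIXES = ("internetserviceteam.com",)

# Sample input: the first record is copied from the post; the second is a
# constructed look-alike (documentation IP range) that must NOT be flagged.
SAMPLE = """\
Host: received-latest-microsoft-update.alk.stromiko.com
Current IP: 95.168.191.96
IP PTR: 95.168.191.96.internetserviceteam.com

Host: www.example.org
Current IP: 192.0.2.10
IP PTR: mail.notinternetserviceteam.com
"""

FIELDS = {"host": "host", "current ip": "ip", "ip ptr": "ptr"}

def parse_records(text):
    """Split blank-line separated blocks into dicts with host/ip/ptr keys."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            name = FIELDS.get(key.strip().lower())
            if sep and name:
                rec[name] = value.strip().lower().rstrip(".")
        if {"host", "ip", "ptr"} <= rec.keys():
            ipaddress.ip_address(rec["ip"])  # ValueError on a malformed IP
            records.append(rec)
    return records

def under_suffix(name, suffix):
    """Match on a DNS label boundary only, never on a bare string suffix."""
    return name == suffix or name.endswith("." + suffix)

def triage(text):
    """Return (host, ip, ptr, ptr_embeds_ip) for records on the watch list."""
    hits = []
    for rec in parse_records(text):
        if any(under_suffix(rec["ptr"], s) for s in WATCHED_PTR_SUFFIXES):
            embeds_ip = rec["ptr"].startswith(rec["ip"] + ".")
            hits.append((rec["host"], rec["ip"], rec["ptr"], embeds_ip))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

The label-boundary check matters for blocklist work: a plain `endswith("internetserviceteam.com")` would also flag the constructed look-alike PTR.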