Spamdexing and another YouTube look-alike

A little background … I have this blog set to “Approve” most content that is added via the “Comments” link. Now I usually get a few Spam entries that I simply ignore … but this one caught my eye and I thought I’d follow the link posted to see where it went …



Notice the content posted at the bottom of the above page? … it’s a quote from one of my posts the other day “Beware of YouTube look-alikes” … however clicking on any of the images just above that leads to “reportblogsite(dot)com” … even the page layout and design is the same … strange …


Image edited for display purposes.


Which looks like a typical blog type site … except if you click any of the images on the page which leads to …



Imagine that! … another YouTube look-alike with the same old bogus (Trojan.Codec/Zlob) prompt … the download “setup_axplugin.exe” from “axvideoplay(dot)com” is not very well detected [VirusTotal results]


Then just this morning I get another Spamdexing comment … waiting for Approval … same page layout and design as the others … well isn’t that special! … and you guessed it … clicking any of the innocent looking images leads to “youutubee(dot)com”. Matter of fact the images are actually being drawn from Metacafe, a safe YouTube type site …



Needless to say all these culprits will be added to the next HOSTS file update …
reportblogsite(dot)com and reachnewsworld(dot)com are both hosted at Intercage [69.50.160.0 – 69.50.191.255]
axvideoplay(dot)com and axvideoplugin(dot)com are both hosted at Layered Technologies which is fast becoming a new haven for the Trojan.Codec gang … as evidenced in my last post



3 Responses to “Spamdexing and another YouTube look-alike”

  1. You probably know about these clones of reportblogsite, but if not…

  2. That’s a new one on me. I’ve seen a pattern to the way the owners of these sites generate traffic, using a complex network of redirectors that I’ve documented on my own blog at

    http://tacit.livejournal.com/238112.html

    but I haven’t seen the attackers generate traffic to these sites using lookalikes of blogging sites before. Very interesting.

  3. Great stuff, Mike – keep it up!