Europe Domains Host BlackHole

Tuesday, November 27, 2012 @ 05:11 PM gHale


Cyber criminals registered malicious .eu domains and set them up to host the BlackHole exploit kit.

In order to avoid security filtering, attackers registered several domains, which they use to infect the computers of unsuspecting users, said researchers at security firm Sophos.


After closely analyzing the domains, experts found they all resolve to the IP address of a server located in the Czech Republic. The server hosts over 100 domains utilized as exploit sites and gateways for adult websites.

These cybercriminals seem to have a clever method of keeping their operations online. This month they registered domains such as nrxpxq.eu, vjtjpy.eu, xzjvhs.eu and xipuww.eu; a few months ago they registered domains on the .in TLD.

Each domain is active only for a short period of time, and all of the names follow the same pattern of six random characters.

One interesting connection between all these domains appears to be Finland. The .in domains all ended up registered by someone apparently from Finland and the .eu registrant’s language was set to Finnish.
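As an added example (not from the Sophos research or this article), the following Python script applies the indicators described above to constructed resolver log lines: it flags six-lowercase-letter names under .eu and .in and groups them by resolved IP, so a cluster of such names pointing at one server stands out. The .eu names are the ones quoted above; the IP addresses, client addresses and benign names in the sample are made up.

```python
import re
from collections import defaultdict

# Constructed sample resolver log lines: timestamp, client, query name, resolved IP.
# Only the four .eu names come from the article; every other value is invented.
SAMPLE_LOG = """\
2012-11-20T10:01:02 10.0.0.5 nrxpxq.eu 203.0.113.10
2012-11-20T10:03:44 10.0.0.7 vjtjpy.eu 203.0.113.10
2012-11-21T09:12:00 10.0.0.5 xzjvhs.eu 203.0.113.10
2012-11-22T14:30:19 10.0.0.9 xipuww.eu 203.0.113.10
2012-11-22T14:31:05 10.0.0.9 www.example.eu 198.51.100.4
2012-11-23T08:00:00 10.0.0.3 sophos.com 198.51.100.8
"""

# Exactly six lowercase letters directly under one of the TLDs the article mentions.
SIX_CHAR_PATTERN = re.compile(r"^[a-z]{6}\.(eu|in)$")


def parse_line(line):
    """Split one log line into a record, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, ip = parts
    return {"ts": ts, "client": client, "qname": qname.lower(), "ip": ip}


def flag_domains(log_text):
    """Return the set of queried names matching the six-random-character pattern."""
    flagged = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and SIX_CHAR_PATTERN.match(rec["qname"]):
            flagged.add(rec["qname"])
    return flagged


def cluster_by_ip(log_text, min_domains=3):
    """Group flagged names by resolved IP; keep IPs serving at least min_domains of them."""
    by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and SIX_CHAR_PATTERN.match(rec["qname"]):
            by_ip[rec["ip"]].add(rec["qname"])
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) >= min_domains}


if __name__ == "__main__":
    for ip, names in cluster_by_ip(SAMPLE_LOG).items():
        print(f"{ip} serves {len(names)} six-character domains: {', '.join(names)}")
```

A single six-letter name is weak evidence on its own; the cluster threshold is what makes the signal useful, so tune min_domains to the volume of your own resolver logs.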
