The Latest in IT Security

94.244.80.7 / bookpolo.com / booksolo.com / bookgusa.com injection attacks

08 Jun 2011

The crew responsible for the LizaMoon and Worid-Of-Books.com attacks is back with a new set of injection attacks, this time hosted on 94.244.80.7 in Lithuania.

The following domains are currently in use:

Registrant details are familiar and fake:

JamesNorthone
   James Northone [email protected]
   +1.5168222749 fax: +1.5168222749
   128 Lynn Court
   Plainview NY 1180
us

The injection attacks seem either to be trying to insert an anchor with the word “book” pointing to one of the bad sites, presumably as a “Worid of Books”-type SEO campaign, or to be using the ur.php approach that LizaMoon used.

The whole 94.244.64.0/18 block looks toxic and is worth blocking. I’ll post more details on that when I get the time.
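
As an added example (not code from the original post), this Python scanner flags the two injection forms described above, anchors and ur.php script tags, when they point at the domains named in the title or at an address inside 94.244.64.0/18. The sample markup is constructed, and the exact shape of the injected tags is an assumption.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains named in the post's title; extend with your own blocklist.
BAD_DOMAINS = {"bookpolo.com", "booksolo.com", "bookgusa.com"}
BAD_NET = ipaddress.ip_network("94.244.64.0/18")  # block the post calls toxic

def is_bad_host(host):
    """True for a listed domain (or subdomain) or an IP literal inside BAD_NET."""
    host = (host or "").lower().rstrip(".")
    try:
        return ipaddress.ip_address(host) in BAD_NET
    except ValueError:  # not an IP literal, so compare as a hostname
        return any(host == d or host.endswith("." + d) for d in BAD_DOMAINS)

class InjectionScanner(HTMLParser):
    """Collects <a href> and <script src> references to flagged hosts."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, host, line number in the scanned text)

    def handle_starttag(self, tag, attrs):
        attr = {"a": "href", "script": "src"}.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if not url:
            return
        try:
            parsed = urlparse(url if "//" in url else "//" + url)
        except ValueError:  # malformed URL in hostile markup: skip, do not crash
            return
        if is_bad_host(parsed.hostname):
            is_ur = tag == "script" and parsed.path.endswith("/ur.php")
            kind = "ur.php script" if is_ur else ("anchor" if tag == "a" else "script")
            self.findings.append((kind, parsed.hostname, self.getpos()[0]))

def scan(html):
    scanner = InjectionScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample of a page body after injection (not taken from the post).
SAMPLE = """<a href="http://bookgusa.com/">book</a>
<script src=http://booksolo.com/ur.php></script>
<a href="http://94.244.80.7/x">more</a>
<a href="https://example.org/books">book</a>
"""
```

Run `scan()` over rendered pages or over text columns exported from the site's database; it matches on the link destination, so it also catches anchors whose visible text is something other than “book”.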
