If you've been anywhere online lately, especially Google or the likes, you'll no doubt have noticed or read about, the blackhat SEO campaigns. One of the many ISP's involved, whether deliberately or otherwise, is EuroConnex. This ISP has an excessively large amount of malicious domains currently present within their network.
One of the most recent I came across, was actually whilst writing this, or rather, whilst considering writing this (was deciding whether to write about EuroConnex or Ecatel, thought I'd leave Ecatel till next time). As you can see from the above screenshot, this is you're typical fake scan page, that tells you your computer is so badly infected that you really really really, need their "software" (don't worry, by the time they're finished, it will definately be really really really, infected). The site that is responsible for taking you there (and bear in mind, this is one of thousands), is;
IP PTR: 94-76-205-176.static.as29550.net
ASN: 29550 18.104.22.168/18 EUROCONNEX-AS Blueconnex Networks Ltd
Which appeared in the Google results. It's worth noting, as with the vast majority of these, it'll only work if you give it the correct referrer. Further, I had flash and ActiveX disabled when clicking it (will load it on the test machine later), so you'll possibly see different results if you've got these enabled (you'll no doubt end up with the same resulting site, and the same infections). The site takes you to the following if you've got Flash/ActiveX disabled;
Clicking either of the "results" shown here, results in your being taken to;
IP PTR: bod11.i0waterford.net
ASN: 29131 22.214.171.124/17 RAPIDSWITCH-AS RapidSwitch Ltd
Side note: No, I'm not surprised to see RapidSwitch here either, but that's for another article
Which then infects you courtesy of;
IP PTR: Resolution failed
ASN: 29550 126.96.36.199/24 EUROCONNEX-AS Blueconnex Networks Ltd
Which downloads as win_protection_update.exe, which is 1.88MB of malicious goodness.
EuroConnex have not surprisingly, been completely unresponsive, just like many others, and due to the sheer amount that is on their network (over 500 recorded domains on 188.8.131.52/24 alone), I wouldn't be surprised to find they're directly involved (note this is only a suspicion, not fact).
I'm posting this article for two main reasons. First and foremost, because I'd like to see people blackholing the networks responsible for this rubbish, until they "clean house" as it were, and secondly because I'd like to hope (yep, I know), that they'll finally take security and responsibility seriously, and boot those responsible for filling their networks with this rubbish, instead of focusing on lining their own pockets instead.