EC-Council Resorts to Blog Spamming to Advertise the CEH Certification

Thu Dec 1 02:13:13 CST 2011

On November 27, 2011, Ryan Dewhurst (aka @ethicalhack3r) blogged about suspicious comments left on his blog. After some digging, he realized that the same comments appeared on dozens of other blogs. Each comment was similar in style, and each advertised the Certified Ethical Hacker (C|EH) certification from EC-Council. The number of comments found on various blogs made it clear this was part of a targeted blog spamming campaign, presumably at the behest of EC-Council.

Jay Bavisi, President of EC-Council, responded to Dewhurst's blog in a very defensive and accusatory reply. Bavisi also posted a reply on the EC-Council blog that has since been changed to a short official statement from ECC. In Bavisi's reply, he makes the following points:

Also shocking is that the post that you are complaining about was apparently in Feb and May of 2010 and that no one has written to us since then about this matter.

EC-Council has grown to what it is today by acting ethically and running a sound organization and there is no need for us to resort to such tactics when there is an abundant amount of intellectual capability at EC-Council.

These tactics are not condoned by myself or any member of our management.

Any ethical person would have raised this with EC-Council prior to posting fictional theories on the web.

We have many representatives, many evangelists who believe in our approach globally...

To quickly address these points; Dewhurst noticed the blogs some time after they were posted. Bavisi fails to acknowledge that the blog spam was often done up to a year after the blog post the spam appears on. The "ethically" run organization he touts is obviously in question, as demonstrated by the Errata page devoted to EC-Council. The tactics are not condoned he says, yet subsequent evidence demonstrates pretty conclusively that the blog spam campaign did originate from an EC-Council employee (see below). Finally, calling Dewhurst or anyone else 'unethical' for complaining about unethical advertising is absurd. All in all, Bavisi's comments are disingenuous and very poor spin control.

On November 29, 2011, Dewhurst updated his article to include additional evidence pointing to EC-Council as the originator of the spam campaign:

A hacker group called TeaMp0isoN had leaked the r00tsecurity.org forum database last year which happened to contain the IP addresses of the users when they registered. One of those IP addresses was the same one that left the SPAM on my blog. The IP address belonged to the "rkvishwakarma" username, who had registered with the "rajkumar@eccouncil.org" email address, a long time employee of EC-Council.

http://www.gonullyourself.org/ezines/TeaMp0isoN/TeaMp0isoN%201.txt

On November 28, 2011, Dave Lewis posted his own article that shows additional blog spam and challenges some of Bavisi's statements. The 91.198.227.49 IP address Lewis points out is on several block lists and is a known blog comment spammer. At some point after Dewhurst made an update, another IP address (81.169.173.120) was used to post a comment from EC-Council. That IP address is also a known blog comment spammer and on at least one block list. An email address affiliated with some of the spam, smith.dyer@gmail.com, is known to use a known node of a botnet to post spam comments on blogs, as well as promote EC-Council in other places.

Looking at the blog spam across a dozen blogs, several of the profiles created by the blog spammer link directly to the EC-Council web page, and post comments linking to the C|EH page. The blog spam campaign appears to have been active between February 22, 2010 and May 5th, 2010. Based on Google searches and the various blogger profiles, we see that they were pretty active.

Based on all of the evidence, we believe it is clear that EC-Council hired a third-party to use blog comments to advertise their C|EH certification, and to this day, continue to use some of the same proxies and IP addresses that the spam originated from.