Bestbuy.com Infected With Gumblar Malware, Users Redirected From Language Option Page
Earlier today, Trend Micro Technical Account Manager Fioravante Souza in Brazil spotted a (potentially harmful) URL that redirects users from the Best Buy domain site. Users who visit www.bestbuy.com, as it turns out, are redirected to the URL, http://pics. bubbled.cn/gallery/
hardcore/?23c4f60c1b9f604d6ffb21cba599301f (do not visit). The compromised page in the domain is found to be the landing page where visitors can choose the language to be used as they browse within the site. Threat Research Manager, Ivan Macalintal, further identifies that a GEO-IP check happens prior to displaying the said landing page.
“If (the) requesting IP is from the Latin America Region (LAR), users are redirected to the ‘Choose English or Spanish’ page—and then bingo!” Macalintal says.
The source code of the landing page shows a garbled set of code found at the bottom of the script, a clear sign of code obfuscation. Beneath a 3-layer obfuscation, an iframe redirects the user to a Luckysploit-laden site. The Luckysploit web exploit kit and the obfuscation seen is reminiscent of that found in Gumblar.
The WHOIS info of the .CN site states that it has been created just last June 4, 2009 by the same old criminals. Further investigation shows that the first .CN site is actually located in Germany and is used by attackers in Ukraine. Suffice it to say, the Russkranians are the culprits once again.
Best Buy has been informed of the said URL redirections and is resolving the matter.
Credit: TrendLabs/Trend Micro
More on CyberInsecure:
Leave a Reply
Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.