CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
April 11th, 2008

Malicious Advertisement On www.classmates.com

A malicious Flash animation advertisement has been detected on classmates.com. The malicious code was found at the following URL (do not click it):

http://nztv.prod.untd.com/RealMedia/ads/Creatives/ISP/CM_GeminiIntera_FPR_4_10179/300x250.swf?clickTAG=http://cyclops.prod.untd.com/RealMedia/ads/click_lx.ads/www.classmates.com/School_List/L18968920812/TopLeft/ISP/CM_GeminiIntera_FPR_4_10179/300x250_GeminiInter_Mar08.html.html/f7148557555666c32626f41444a314d?http%3A//www.myjewelrybox.com/%3Fids%3D46ps

An analysis of the infected SWF reveals a redirection to a known malware URL, iexplorer-security.org/?id=624400105. The iexplorer-security.org domain is currently active and redirects victims as follows:

iexplorer-security.org/?id=624400105 leads to fastwebway.com/soft.php?aid=011807&d=1&product=XPA

The fastwebway.com URL in turn leads to xponlinescanner.com/2008/1/freescan.php?aid=77011807

As part of the hijacking process, a cookie is set to expire after 24 hours. There might also be an attempt to download a file from photobucket.com.

The reverse IP for fastwebway.com is traffic-coverter.biz. Its name servers and mailbox are provided by estdomains. Its IP address is 72.232.224.154, hosted by LayeredTech (ltdomains.com). Other sites/services hosted at 72.232.224.154 are: mail.dvd-disk.net, mail.er-a.net, mail.pornorolikov.net, mail.sexroliki.com, pornorolikov.net, sexroliki.com, bestsexworld.info and dvd-disk.net.

The misdirection also appears to be triggered by clicking on Classmates confirmation e-mails. Clicking on the e-mail confirmation by Classmates will load a redirection to xpscanneronline.com. The Classmates page does not fully load before it is hijacked and there is no time to click anything else.
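For defenders who want to check whether any client followed this chain, the sketch below is an added example (not part of the original report) that scans web proxy log lines for the hosts and the IP address named above and flags clients that walked the full three-hop redirect in order. The log format ("epoch client_ip url"), the client addresses and the sample lines are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Hosts named in the article, in the order the redirect chain visits them.
CHAIN = ["iexplorer-security.org", "fastwebway.com", "xponlinescanner.com"]
# Landing host the article reports for the confirmation e-mail redirect.
OTHER_HOSTS = ["xpscanneronline.com"]
BAD_IPS = {"72.232.224.154"}  # IP address the article gives for fastwebway.com

# Constructed sample log (assumed format: "epoch client_ip url"); not real traffic.
SAMPLE_LOG = """\
1207900000 10.0.0.5 http://www.classmates.com/School_List/
1207900001 10.0.0.5 http://iexplorer-security.org/?id=624400105
1207900002 10.0.0.5 http://fastwebway.com/soft.php?aid=011807&d=1&product=XPA
1207900003 10.0.0.5 http://xponlinescanner.com/2008/1/freescan.php?aid=77011807
1207900010 10.0.0.9 http://www.classmates.com/
1207900011 10.0.0.9 http://xpscanneronline.com/
1207900020 10.0.0.7 http://notfastwebway.com/index.html
1207900021 10.0.0.8 http://72.232.224.154/
"""

def match_indicator(url):
    """Return the indicator a URL's host matches (exact or subdomain), else None."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if host in BAD_IPS:
        return host
    for domain in CHAIN + OTHER_HOSTS:
        # Compare on label boundaries so "notfastwebway.com" does not match.
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def analyze(log_text):
    """Map each client to the indicators it hit and whether it walked the full chain."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # skip malformed lines instead of failing the whole scan
        indicator = match_indicator(parts[2])
        if indicator:
            hits[parts[1]].append(indicator)
    report = {}
    for client, inds in hits.items():
        # Full chain: CHAIN occurs as an ordered subsequence of this client's hits.
        it = iter(inds)
        report[client] = {"indicators": inds, "full_chain": all(h in it for h in CHAIN)}
    return report
```

A client with "full_chain" set reached the final scanner page; a partial hit list still shows exposure to the advertisement or the e-mail redirect.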

The issue was reported to RealMedia. However, it looks like the advertisement is self-hosted, so it might take time for the advertisement to be shut down.

Users are advised not to click on those URLs and to use advertisement-blocking software or plugins.
