Malicious Advertisement On www.classmates.com
A malicious Flash animation advertisement has been detected on classmates.com. The malicious code was found at the following URL (do not click it):
http://nztv.prod.untd.com/RealMedia/ads/Creatives/ISP/CM_GeminiIntera_FPR_4_10179/300x250.swf?clickTAG=http://cyclops.prod.untd.com/RealMedia/ads/click_lx.ads/www.classmates.com/School_List/L18968920812/TopLeft/ISP/CM_GeminiIntera_FPR_4_10179/300x250_GeminiInter_Mar08.html.html/f7148557555666c32626f41444a314d?http%3A//www.myjewelrybox.com/%3Fids%3D46ps
An analysis of the infected SWF reveals a redirection to a known malware URL, iexplorer-security.org/?id=624400105. The iexplorer-security.org domain is currently active and redirects victims as follows:
iexplorer-security.org/?id=624400105 leads to fastwebway.com/soft.php?aid=011807&d=1&product=XPA
fastwebway.com URL in turn leads to xponlinescanner.com/2008/1/freescan.php?aid=77011807
As part of the hijacking process a cookie is set that expires after 24 hours, and there may also be an attempt to download a file from photobucket.com.
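To illustrate how a defender can triage a chain like the one above without touching the live sites, here is an added example (not code from the original post) that walks a redirect chain offline against a domain blocklist built from the hosts named in this write-up, records any Set-Cookie lifetime it sees along the way, and stops on redirect loops or after a hop limit. The HTTP responses it consumes are constructed sample data, not real captures; hop ordering and the 86400-second Max-Age are assumptions made for the example.

```python
"""Offline walk of an HTTP redirect chain against a domain blocklist (added example)."""
from urllib.parse import urlsplit, urljoin

# Domains named in the write-up above, used here as a sample blocklist.
BLOCKLIST = {
    "iexplorer-security.org",
    "fastwebway.com",
    "xponlinescanner.com",
    "xpscanneronline.com",
}

# Constructed sample responses (not real captures): URL -> (status, headers).
# The cookie lifetime of 86400 seconds (24 hours) is an assumption for the example.
SAMPLE_RESPONSES = {
    "http://iexplorer-security.org/?id=624400105": (
        302, {"Location": "http://fastwebway.com/soft.php?aid=011807&d=1&product=XPA"}),
    "http://fastwebway.com/soft.php?aid=011807&d=1&product=XPA": (
        302, {"Location": "http://xponlinescanner.com/2008/1/freescan.php?aid=77011807",
              "Set-Cookie": "aid=011807; Max-Age=86400; Path=/"}),
    "http://xponlinescanner.com/2008/1/freescan.php?aid=77011807": (200, {}),
}

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def is_blocklisted(host):
    """True if the host is a blocklisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in BLOCKLIST)


def cookie_lifetime_seconds(set_cookie):
    """Return the Max-Age value (seconds) from a Set-Cookie header, or None."""
    for attr in set_cookie.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.lower() == "max-age" and value.isdigit():
            return int(value)
    return None


def follow_chain(start_url, responses, max_hops=10):
    """Follow Location redirects using canned responses.

    Returns the list of hops visited, the blocklisted hosts encountered (in
    order), and (host, lifetime) pairs for every Set-Cookie header seen.
    """
    hops = [start_url]
    flagged = []
    cookies = []
    seen = set()
    url = start_url
    while True:
        if url in seen:          # redirect loop: stop rather than spin forever
            break
        seen.add(url)
        host = host_of(url)
        if is_blocklisted(host):
            flagged.append(host)
        status, headers = responses.get(url, (None, {}))
        if "Set-Cookie" in headers:
            cookies.append((host, cookie_lifetime_seconds(headers["Set-Cookie"])))
        location = headers.get("Location")
        if status not in REDIRECT_STATUSES or not location or len(hops) >= max_hops:
            break
        url = urljoin(url, location)  # resolves relative Location values too
        hops.append(url)
    return {"hops": hops, "flagged": flagged, "cookies": cookies}


if __name__ == "__main__":
    result = follow_chain("http://iexplorer-security.org/?id=624400105", SAMPLE_RESPONSES)
    for i, hop in enumerate(result["hops"]):
        print(f"hop {i}: {hop}")
    print("blocklisted hosts:", result["flagged"])
    print("cookies set:", result["cookies"])
```

In a real investigation the canned `SAMPLE_RESPONSES` would be replaced by headers captured in a sandbox or proxy log; the walker itself never issues requests, so it can be run safely over stored data.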
The reverse IP for fastwebway.com is traffic-coverter.biz. Its name servers and mailbox are provided by estdomains. Its IP address is 72.232.224.154, hosted by LayeredTech (ltdomains.com). Other sites/services hosted at 72.232.224.154 are: mail.dvd-disk.net, mail.er-a.net, mail.pornorolikov.net, mail.sexroliki.com, pornorolikov.net, sexroliki.com, bestsexworld.info and dvd-disk.net.
The misdirection also appears to be triggered by clicking on Classmates confirmation e-mails. Clicking on the e-mail confirmation by Classmates will load a redirection to xpscanneronline.com. The Classmates page does not fully load before it is hijacked and there is no time to click anything else.
The issue was reported to RealMedia although it looks like the advertisement is self-hosted, therefore it might take time for the advertisement to be shut down.
Users are advised not to click on those URLs and to use advertisement-blocking software or browser plugins.