By: Chris Mannon

Phishing For Ad Scams

Phishing

Today we have a perfect storm of basic attack vectors which inevitably lead victims to a variety of advertising scams including adware executables, parked domains, pay-per-click scams or phishing sites.  First a small list of all of the websites seen to be hosting this threat.
  • 1yahoo.com/
  • testflightapps.com/
  • www.find-your-date.org/
  • www.conmdirect.de/
  • www.chanuteinsurancepool.net/
  • translateitonline.com/
  • compartel.gov.cofacebook.com/
  • www.autobypass.com/
  • rerbox.com/
  • ravelrey.com/
  • www.corall.com/
  • accountservices.wiipro.com/
  • losangeles.craigslst.org/
  • www.styel.com/
  • spritnpcs.com/
  • www.nbarumors.com/
  • www.eetime.com/
  • bleacherrepot.com/
  • www.elmundoe.es/
  • iflswa.com/
  • debshop.com/
  • www.cnnis.com/
  • myfintesspal.com/
  • televisaeportes.com/
  • www.testflightapps.com/
  • wwwbunte.de/
  • hiffingtonpost.com/
  • bhestbuy.com/
  • www.dbm.de/
  • noobroom6.com/
  • scripts.codingclick.com/
  • eaterny.com/
  • www.thatlantic.com/
  • usnwwc.com/
  • texasrangersmlb.com/
  • idlebrian.com/
  • laspass.com/
  • spliwise.com/
  • www.iflswa.com/
  • www.usbankhomemortagage.com/
  • www.linkdein.com/
  • mdrudgereport.com/
  • theeverywhereist.com/
  • www.hiffingtonpost.com/
  • redditt.com/
  • www.saukaryam.com/
  • malaimalar.com/
  • www.bradypeople.com/
  • bmohariss.com/
The thing that all of these websites have in common is that they all take advantage of cybersquatting, by registering slight variations of popular domain names. This common phishing technique is used to bring a false sense of certainty that the victim is on the intended website. These websites were pulled together from a list of referral URLs, which matched a common pattern for dubious redirection found in Javascript files.  Once the user visits the site, they are presented with a Javascript redirect via an iFrame, similar to the following:

 
 
     
This immediately takes you to a seemingly random series of advertising scams. One of the scams presents a "Click Here To Enter"link.
 
NO DON'T!  
The above picture is the only visible addition to this page.  After clicking on the link, the victim is immediately sent to a page that leads them to suspect their Browser/Flash version is not up to date.
 
 


These cases both resolve to one of two adware binaries being installed on the customer's system.

https://www.virustotal.com/en/file/a157438070a712bbd3c26ff9de26eb8013af7b18d63d6d707553e45e3369c2f2/analysis/1374266431/
https://www.virustotal.com/en/file/56eebb8067af1febd1ecb35b4ece27fab83200ba6d4e1815749decdcdad9eb1b/analysis/1374266466/

In other cases, the victim is only redirected to a pay-per-click scam that promises "Free Vouchers" and free Apple products, but fails to deliver. 

 
 



Revisiting one such domain in the list will only lead the victim back to a parked domain page. This is done to discourage researchers from dissecting their threat to avoid meaningful detection from security vendors.  The best idea to avoid misdirection from such phishing attempts would be to tighten up your browser security.

 

Learn more about Zscaler.