Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Security Research

Indian Gov't Site Victim Of Ad Campaign

image
THREATLABZ
February 05, 2010 - 2 min read

I noticed an Inidan Gov't site in Zscaler's blocked logs from yesterday:

hxxp://www.hil.gov.in

Image
Hindustan Insecticides Limited: A Government of India Enterprise
(I'm sure you can appreciate the irony here, as insecticides are used to kill bugs).

Viewing the source of the page, there is an embedded iframe in the beginning to:
hxxp://193.104.27.99/ad.php

Image
which redirects to: hxxp://cfkrdbfplrla.com/ld/tuta4/and is used to advertise A/V, registry cleaner, etc. wares through:

hxxp://www.searchmagnified.com/Free_Antivirus.cfm?domain=cfkrdbfplrla.com&foiffs=in100fweg&cifr=1&fp= ~snip~

ImageMcAfee SiteAdvisor and other Google results for SearchMagnified lists it as being involved in some suspicious activities.
Image
I was expecting to follow the link and reach an obvious Fake A/V page. Instead I reached:

Imagehxxp://www.cyberdefender.com/EDC/landing/10/?affl=tsayahooedc_antixvirusxfree&campaign_code=002048&int_page=1& ~snip~

Note the affiliate ID and the campaign code in the link parameters. The SearchMagnified links are pay-per-click links, so they are making a buck off the Indian Gov't redirect when folks follow the links. The links in this case pointed me to CyberDefender, a legit A/V vendor who are paying affiliates to advertise on the web for them - the problem is that the affiliates may engage in less than legit practices (as is the case here).

Explore more Zscaler blogs

A cyber criminal shopping for malware
Agniane Stealer: Dark Web’s Crypto Threat
Read Post
Business people walking through a city
The Impact of the SEC’s New Cybersecurity Policies
Read Post
Digital cloud illuminated in blue
Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)
Read Post
TOITOIN Trojan
The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region
Read Post
01 / 02
dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.