Zscaler Data Protection Recognized as a 2023 Product of the Year by CRN

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

Phishing For Ad Scams

July 24, 2013 - 3 min read
Today we have a perfect storm of basic attack vectors which inevitably lead victims to a variety of advertising scams including adware executables, parked domains, pay-per-click scams or phishing sites.  First a small list of all of the websites seen to be hosting this threat.
  • 1yahoo.com/
  • testflightapps.com/
  • www.find-your-date.org/
  • www.conmdirect.de/
  • www.chanuteinsurancepool.net/
  • translateitonline.com/
  • compartel.gov.cofacebook.com/
  • www.autobypass.com/
  • rerbox.com/
  • ravelrey.com/
  • www.corall.com/
  • accountservices.wiipro.com/
  • losangeles.craigslst.org/
  • www.styel.com/
  • spritnpcs.com/
  • www.nbarumors.com/
  • www.eetime.com/
  • bleacherrepot.com/
  • www.elmundoe.es/
  • iflswa.com/
  • debshop.com/
  • www.cnnis.com/
  • myfintesspal.com/
  • televisaeportes.com/
  • www.testflightapps.com/
  • wwwbunte.de/
  • hiffingtonpost.com/
  • bhestbuy.com/
  • www.dbm.de/
  • noobroom6.com/
  • scripts.codingclick.com/
  • eaterny.com/
  • www.thatlantic.com/
  • usnwwc.com/
  • texasrangersmlb.com/
  • idlebrian.com/
  • laspass.com/
  • spliwise.com/
  • www.iflswa.com/
  • www.usbankhomemortagage.com/
  • www.linkdein.com/
  • mdrudgereport.com/
  • theeverywhereist.com/
  • www.hiffingtonpost.com/
  • redditt.com/
  • www.saukaryam.com/
  • malaimalar.com/
  • www.bradypeople.com/
  • bmohariss.com/
The thing that all of these websites have in common is that they all take advantage of cybersquatting, by registering slight variations of popular domain names. This common phishing technique is used to bring a false sense of certainty that the victim is on the intended website. These websites were pulled together from a list of referral URLs, which matched a common pattern for dubious redirection found in Javascript files.  Once the user visits the site, they are presented with a Javascript redirect via an iFrame, similar to the following:

This immediately takes you to a seemingly random series of advertising scams. One of the scams presents a "Click Here To Enter"link.
The above picture is the only visible addition to this page.  After clicking on the link, the victim is immediately sent to a page that leads them to suspect their Browser/Flash version is not up to date.

These cases both resolve to one of two adware binaries being installed on the customer's system.


In other cases, the victim is only redirected to a pay-per-click scam that promises "Free Vouchers" and free Apple products, but fails to deliver. 


Revisiting one such domain in the list will only lead the victim back to a parked domain page. This is done to discourage researchers from dissecting their threat to avoid meaningful detection from security vendors.  The best idea to avoid misdirection from such phishing attempts would be to tighten up your browser security.

form submtited
Thank you for reading

Was this post useful?

Explore more Zscaler blogs

A cyber criminal shopping for malware
Agniane Stealer: Dark Web’s Crypto Threat
Read Post
Business people walking through a city
The Impact of the SEC’s New Cybersecurity Policies
Read Post
Digital cloud illuminated in blue
Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)
Read Post
The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region
Read Post
01 / 02
dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.