Zscaler to Expand Zero Trust Exchange Platform's AI Cloud with Data Fabric Purpose-built for Security

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Security Research

Phishing For Ad Scams

image
CHRIS MANNON
July 24, 2013 - 3 min read
Today we have a perfect storm of basic attack vectors which inevitably lead victims to a variety of advertising scams including adware executables, parked domains, pay-per-click scams or phishing sites.  First a small list of all of the websites seen to be hosting this threat.
  • 1yahoo.com/
  • testflightapps.com/
  • www.find-your-date.org/
  • www.conmdirect.de/
  • www.chanuteinsurancepool.net/
  • translateitonline.com/
  • compartel.gov.cofacebook.com/
  • www.autobypass.com/
  • rerbox.com/
  • ravelrey.com/
  • www.corall.com/
  • accountservices.wiipro.com/
  • losangeles.craigslst.org/
  • www.styel.com/
  • spritnpcs.com/
  • www.nbarumors.com/
  • www.eetime.com/
  • bleacherrepot.com/
  • www.elmundoe.es/
  • iflswa.com/
  • debshop.com/
  • www.cnnis.com/
  • myfintesspal.com/
  • televisaeportes.com/
  • www.testflightapps.com/
  • wwwbunte.de/
  • hiffingtonpost.com/
  • bhestbuy.com/
  • www.dbm.de/
  • noobroom6.com/
  • scripts.codingclick.com/
  • eaterny.com/
  • www.thatlantic.com/
  • usnwwc.com/
  • texasrangersmlb.com/
  • idlebrian.com/
  • laspass.com/
  • spliwise.com/
  • www.iflswa.com/
  • www.usbankhomemortagage.com/
  • www.linkdein.com/
  • mdrudgereport.com/
  • theeverywhereist.com/
  • www.hiffingtonpost.com/
  • redditt.com/
  • www.saukaryam.com/
  • malaimalar.com/
  • www.bradypeople.com/
  • bmohariss.com/
The thing that all of these websites have in common is that they all take advantage of cybersquatting, by registering slight variations of popular domain names. This common phishing technique is used to bring a false sense of certainty that the victim is on the intended website. These websites were pulled together from a list of referral URLs, which matched a common pattern for dubious redirection found in Javascript files.  Once the user visits the site, they are presented with a Javascript redirect via an iFrame, similar to the following:

 
Image
 
       
This immediately takes you to a seemingly random series of advertising scams. One of the scams presents a "Click Here To Enter"link.
 
Image
NO DON'T! 
The above picture is the only visible addition to this page.  After clicking on the link, the victim is immediately sent to a page that leads them to suspect their Browser/Flash version is not up to date.
 
Image
 
Image


These cases both resolve to one of two adware binaries being installed on the customer's system.

https://www.virustotal.com/en/file/a157438070a712bbd3c26ff9de26eb8013af7b18d63d6d707553e45e3369c2f2/analysis/1374266431/
https://www.virustotal.com/en/file/56eebb8067af1febd1ecb35b4ece27fab83200ba6d4e1815749decdcdad9eb1b/analysis/1374266466/

In other cases, the victim is only redirected to a pay-per-click scam that promises "Free Vouchers" and free Apple products, but fails to deliver. 

 
Image
 
Image



Revisiting one such domain in the list will only lead the victim back to a parked domain page. This is done to discourage researchers from dissecting their threat to avoid meaningful detection from security vendors.  The best idea to avoid misdirection from such phishing attempts would be to tighten up your browser security.

 
form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.