Beware the phony Classmates.com email

13 Jun 2012

Classmates.com has become the latest in a series of well-known brands to be abused by a particular gang of malware distributors. The similarities to other outbreaks include:

  • Linking to multiple compromised sites which then redirect to the malware hosting sites
  • Favoring WordPress sites (that can be exploited)
  • Hosting the malware on various .ru domains
  • Showing simple messages on the malware page such as “Please Wait – Loading” (black text on white)
  • Using the same Flash exploits in the malware

Previous attacks in the series used well-known brands such as Amazon.com, LinkedIn, Verizon Wireless and AT&T Wireless.

The Classmates.com email thanks the recipient for joining and provides links to confirm the user or make corrections.
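A mail gateway or analyst script can surface this kind of lure by comparing where each "confirm" or "make corrections" link actually points against the brand the message claims to be from. The following is an added example, not code from the original post: it parses a constructed HTML body styled after the welcome message (the hostnames under `.invalid` are placeholders, not indicators from the post) and flags anchors whose target host is not the claimed brand's domain, or whose visible text names the brand while the `href` goes elsewhere. The two-label "registrable domain" approximation is an assumption; a production check would consult the public suffix list.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body of a lure styled after a "thanks for joining" e-mail.
# All hosts under .invalid are placeholders, not real indicators.
SAMPLE_EMAIL_HTML = """
<p>Thank you for joining Classmates.com!</p>
<p><a href="http://example-wp-blog.invalid/wp-content/confirm.php">Confirm your account</a></p>
<p><a href="https://www.classmates.com/settings">Make corrections</a></p>
<p><a href="http://another-blog.invalid/?r=1">www.classmates.com/confirm</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Assumption: last two labels approximate the registrable domain
    # (no public suffix list); good enough for .com-style brands.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(html, claimed_brand_domain):
    """Return anchors whose target does not belong to the claimed brand."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        off_brand = registrable_domain(host) != claimed_brand_domain
        if off_brand:
            reasons.append("href host %r is not under %s" % (host, claimed_brand_domain))
        if off_brand and claimed_brand_domain in text.lower():
            # Visible text impersonates the brand while the link goes elsewhere.
            reasons.append("anchor text names the brand but points elsewhere")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL_HTML, "classmates.com"):
        print(f["href"], "->", "; ".join(f["reasons"]))
```

On the sample body the legitimate `www.classmates.com` link passes, the first link is flagged once for its off-brand host, and the third is flagged twice because its visible text also impersonates the brand.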

Once again the initial link is to a compromised WordPress site. A script hidden on this site dynamically builds a redirect to a forum site. Here, a second script embedded in a forum post directs to the final .ru domain which displays the expected “Loading” message. This “double-hop” is a slight change from previous similar attacks.

The malware on the final site checks for PDF and Flash versions on the target PC.

  • If a suitable version is found, it redirects to a malicious SWF (Flash) file.
  • If not, it redirects to google.de.
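The two behaviours described above, the compromised-site to forum to .ru "double hop" and the final page answering differently depending on the visitor's plugin versions, both leave a recognisable shape in web proxy logs. The following is an added example and not code from the original post: it reconstructs per-client redirect chains from constructed proxy log lines (the hostnames are placeholders, not indicators from the post), flags chains of at least three URLs that pass through a `.ru` host, and separately lists URLs that returned different status codes to different clients, which is what the version check produces when one client is served the SWF and another is bounced to google.de. The log format and the 30-second chaining window are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log, one request per line: "<ts> <client> <url> <status> [<location>]".
# Hostnames are placeholders chosen for the example, not indicators from the post.
SAMPLE_LOG = """\
1000 10.0.0.5 http://blog-a.invalid/wp-content/uploads/x.php 302 http://forum-b.invalid/viewtopic.php?t=7
1001 10.0.0.5 http://forum-b.invalid/viewtopic.php?t=7 302 http://loader-c.ru/index.php
1002 10.0.0.5 http://loader-c.ru/index.php 200
1003 10.0.0.5 http://loader-c.ru/payload.swf 200
2000 10.0.0.9 http://blog-a.invalid/wp-content/uploads/x.php 302 http://forum-b.invalid/viewtopic.php?t=7
2001 10.0.0.9 http://forum-b.invalid/viewtopic.php?t=7 302 http://loader-c.ru/index.php
2002 10.0.0.9 http://loader-c.ru/index.php 302 http://www.google.de/
2003 10.0.0.9 http://www.google.de/ 200
3000 10.0.0.7 http://news.invalid/story 301 https://news.invalid/story
3001 10.0.0.7 https://news.invalid/story 200
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\d{3})(?: (\S+))?$")


def parse_log(text):
    """Parse the assumed log format into dicts, sorted by client then time."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate lines that do not match the format
        ts, client, url, status, location = m.groups()
        records.append({"ts": int(ts), "client": client, "url": url,
                        "status": int(status), "location": location})
    records.sort(key=lambda r: (r["client"], r["ts"]))
    return records


def build_chains(records, window=30):
    """Link each client's requests into chains by following 3xx Location headers."""
    per_client = defaultdict(list)
    for r in records:
        per_client[r["client"]].append(r)
    chains = []
    for client, reqs in per_client.items():
        chain = None
        for r in reqs:
            follows = (chain is not None and chain["expect"] == r["url"]
                       and r["ts"] - chain["last_ts"] <= window)
            if follows:
                chain["hops"].append(r["url"])
            else:
                chain = {"client": client, "hops": [r["url"]]}
                chains.append(chain)
            chain["last_ts"] = r["ts"]
            # Only a redirect response tells us which URL should come next.
            chain["expect"] = r["location"] if 300 <= r["status"] < 400 else None
            chain["final_status"] = r["status"]
    for c in chains:
        c.pop("expect")
        c.pop("last_ts")
    return chains


def host(url):
    return (urlparse(url).hostname or "").lower()


def find_suspicious_chains(log_text, min_hops=3, tld=".ru"):
    """Flag multi-hop chains in which some hop lands on a host under `tld`."""
    findings = []
    for c in build_chains(parse_log(log_text)):
        hosts = [host(u) for u in c["hops"]]
        if len(hosts) >= min_hops and any(h.endswith(tld) for h in hosts):
            findings.append({"client": c["client"], "hosts": hosts,
                             "ends_on_tld": hosts[-1].endswith(tld)})
    return findings


def client_dependent_urls(log_text):
    """URLs that answered different status codes to different clients."""
    statuses = defaultdict(set)
    for r in parse_log(log_text):
        statuses[r["url"]].add(r["status"])
    return sorted(u for u, s in statuses.items() if len(s) > 1)


if __name__ == "__main__":
    for f in find_suspicious_chains(SAMPLE_LOG):
        print(f["client"], " -> ".join(f["hosts"]), "(stays on .ru)" if f["ends_on_tld"] else "(bounced)")
    print("client-dependent:", client_dependent_urls(SAMPLE_LOG))
```

On the constructed log, both clients are flagged for the three-hop path through the `.ru` host; the one that was bounced to google.de is marked as such, and `client_dependent_urls` singles out the `.ru` landing page because it returned 200 to one visitor and 302 to the other. The plain 301 from the `news.invalid` host is a two-hop chain and is not reported.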
