Showing posts with label TotalSecurity. Show all posts
Showing posts with label TotalSecurity. Show all posts

Tuesday, September 22, 2009

Another Shameless SEO based on Atlanta Flooding

Users Googling "Atlanta flood pictures" receive a yet another SEO attack, using a possibly compromised legitimate Australian website hosting restaurants in the famous Bondi area.

Here's a screenshot of a google search result:
atlanta_flood_google

A Fiddler capture shows us the redirections:
atlanta_fiddle

So we go from
hxxp://idrb.com/pdf_files/atlanta-flood-pictures.html
>hxxp://06d.ru/t.php
>>hxxp://read-cnn2.com/?pid=207&sid=de9f8f
>>>hxxp://winfixscanner7.com/scan1/?pid=207&engine=pHTyzjTyMzEyOS44Mi4xOTAmdGltZT0xMjUuNgAMPAVN

An installer named Soft_207.exe will be presented for download, which is a variant of the Total Security family of Fake AVs.

At the moment, the following domains have been observed to have been involved in this attack:

winfixscanner7(dot)com
15scanner(dot)com

These domains resolve to the following IP addresses:
89.47.237.55
89.248.174.61
213.163.89.60

But knowing the trend in scareware, there could be heaps more domains being created as we speak.
Posted by at No comments:
Labels: , , , , , , , , , , , , , , ,
Subscribe to: Posts (Atom)