A couple more malicious banner advertisements…
The bad guys are certainly expanding their stable of advertisements.
Both lead victims to malicious quinquecahue.com URLs. More later…
There appears to be a new URL under quinquecahue.com/statsg.php.
You then get redirected to scanner2.malware-scan.com.
The payload is Trojan.win32 agent (variant of).
Expedia.com has been infiltrated by a malicious banner advertisement – a new one that I have not seen before.
Victim site: Expedia.com (216.251.114.10)
SWF host: media.expedia.com
SWF Source:
Target fraudware domain: scanner2.malware-scan.com
Banned cities, countries and IPs:
199.3.0.0-199.3.255.255
216.251.0.0-216.251.255.255
172.30.0.0-172.30.25.255 (note: expedia.com’s IP is banned)
IN, IL, UK, AU, FR, IT, CN, JP, DE, ES, MX, AE
colorado, washington, california, massachusetts, ontario, texas, hawaii, missouri, illinois
Permitted cities, countries […]
This incident was reported via a comment on this blog.
We have not found the malicious advertisement yet, but we can tell you that victims who are caught by the hijack when visiting mayoclinic.com end up being redirected to: quinquecahue.com/swf/gnida.swf?campaign=fabulistor&u=1200910285
We can also tell you that this particular campaign (fabulistor) is coded to NOT trigger when the victim’s computer falls within the following […]
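A proxy-log hunt for the redirect chain described in the posts above (quinquecahue.com, then scanner2.malware-scan.com), as an added example that is not from the original blog. The log format, timestamps and client addresses are constructed, and the function names are hypothetical.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

REDIRECTOR = "quinquecahue.com"          # redirector host named in the posts
FRAUDWARE = "scanner2.malware-scan.com"  # fraudware landing host named in the posts

# Constructed sample proxy log; assumed format: "<time> <client> <url>".
SAMPLE_LOG = """\
2008-01-21T10:02:11 10.0.0.5 http://www.mayoclinic.com/health/index.html
2008-01-21T10:02:13 10.0.0.5 http://quinquecahue.com/swf/gnida.swf?campaign=fabulistor&u=1200910285
2008-01-21T10:02:14 10.0.0.5 http://quinquecahue.com/statsg.php
2008-01-21T10:02:15 10.0.0.5 http://scanner2.malware-scan.com/
2008-01-21T10:03:40 10.0.0.9 http://www.example.com/
2008-01-21T10:03:41 10.0.0.9 http://QUINQUECAHUE.com/swf/gnida.swf?campaign=fabulistor&u=1200910285
2008-01-21T10:05:00 10.0.0.7 http://example.org/?ref=quinquecahue.com
"""

def host_matches(host, domain):
    """True for the domain itself or a subdomain, never for a substring."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def hunt(log_text):
    """Map each client that touched the chain to its campaigns and stages."""
    hits = defaultdict(lambda: {"campaigns": set(), "stages": []})
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # skip malformed lines
        _, client, url = parts
        u = urlsplit(url)  # match on the parsed host, not on the raw line
        if host_matches(u.hostname, FRAUDWARE):
            hits[client]["stages"].append("fraudware")
        elif host_matches(u.hostname, REDIRECTOR):
            hits[client]["stages"].append("redirector")
            hits[client]["campaigns"].update(parse_qs(u.query).get("campaign", []))
    return dict(hits)

def reached_fraudware(hits):
    """Clients whose redirector request was followed by the fraudware host."""
    out = []
    for client, h in hits.items():
        s = h["stages"]
        if "redirector" in s and "fraudware" in s[s.index("redirector"):]:
            out.append(client)
    return sorted(out)
```

Clients returned by `reached_fraudware` completed the chain and are the ones to triage first; clients that only hit the redirector were exposed to the banner but did not load the fraudware page in this log.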