Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

New malvertizement featuring Forex AutoPilot

July 6th 2008 in Uncategorized

Kimberly, who is monitoring the ongoing malvertizement problems at isuisse.com, ibelgique.com and iquebec.com, has discovered a new malvertizement featuring Forex Autopilot.

A new, as yet unseen malvertizement is present on the homepage of isuisse.com, ibelgique.com & iquebec.com. The banner advertises Forex AutoPilot and the creative belongs to the new generation created with Fuse Kit 2.1.4. This is now the FOURTH malicious banner discovered since June the 12th on websites belonging to the group iEUROP. Just on a side note, the XM Radio malvertizement is also being displayed at isuisse on the portal page. This brings the count up to THREE active malvertizements being served to the visitors!!! Imagine the number of users being redirected to fake online scanners … Enough is enough, this has to stop.

Malicious domains:

adoptserver.info/_statis.gif?url=[removed]
windowsxp-privacy.net/?id=198760063
xponlinescanner.com/soft.php?aid=024202&d=3&product=XPA
xponlinescanner9.com/2009/1/freescan.php?aid=77024202 (registered 1 July 2008)

Fraudware sites:

antivirus-2009.com
antivirus-database.com
antivirus2009professional.com
xpantivirusonline.com
xponlinescanner.com
xponlinescanner9.com

[Images: swf181, swf182, swf183, swf184, swf185]

Images courtesy of Kimberley

Source: http://www.bluetack.co.uk/forums/index.php?showtopic=18064&pid=87978&mode=threaded&show=&st=90&#entry87978
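One way to check web proxy logs for visits to the domains listed above. This is an added example, not part of the original post or of Kimberly's report; the log line format, the helper names and the sample lines are assumptions constructed for illustration. Matching is done on whole DNS labels so that subdomains are caught while lookalike names are not.

```python
from urllib.parse import urlsplit

# Domains listed on this page (both lists merged, duplicates dropped).
LISTED_DOMAINS = {
    "adoptserver.info", "windowsxp-privacy.net",
    "xponlinescanner.com", "xponlinescanner9.com",
    "antivirus-2009.com", "antivirus-database.com",
    "antivirus2009professional.com", "xpantivirusonline.com",
}

def host_of(url):
    """Return the lowercased hostname of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def listed_domain(host):
    """Return the listed domain that host equals or is a subdomain of, else None."""
    labels = host.split(".")
    # Compare whole label suffixes only, so 'myxponlinescanner.com' does not match.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in LISTED_DOMAINS:
            return candidate
    return None

def scan(log_lines):
    """Return (client, url, matched_domain) for each line that hits a listed domain.
    Assumed line format: '<timestamp> <client-ip> <method> <url> <status>'."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines
        match = listed_domain(host_of(fields[3]))
        if match:
            hits.append((fields[1], fields[3], match))
    return hits

# Constructed sample proxy log lines (not real traffic).
SAMPLE_LOG = [
    "2008-07-06T10:01:02 10.0.0.5 GET http://www.isuisse.com/ 200",
    "2008-07-06T10:01:03 10.0.0.5 GET http://adoptserver.info/_statis.gif 200",
    "2008-07-06T10:01:04 10.0.0.5 GET http://WWW.XPOnlineScanner9.com:80/2009/1/freescan.php 200",
    "2008-07-06T10:02:00 10.0.0.9 GET http://notantivirus-2009.com.example/ 200",
    "2008-07-06T10:02:05 10.0.0.9 GET http://myxponlinescanner.com/ 404",
]

if __name__ == "__main__":
    for client, url, domain in scan(SAMPLE_LOG):
        print(client, domain, url)
```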

