Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

An interesting browser hijacking that I have not seen before… watch out for the "free" Geobytes Geoflag

July 8th 2008 in Uncategorized

Edit: the Geobytes flag has been removed from the blog being discussed below – YAY!!!

I was pinged by another MVP tonight, who was very concerned because he had visited a blog on msmvps.com, only to have his web browser immediately hijacked – redirected away from the blog he wanted to read to ozdirect.com.au.  So, I went to take a look.

I, also, was immediately redirected away from the blog to ozdirect.com.au.

Thankfully I had made sure that Fiddler was running in the background, just in case, because the hijack occurred once, and I can confirm that the free Geobytes Geoflag on the blog is what is hijacking visitors to the blog in question.

This is what happens.

When the blog loads, I see the following request and response:


Note the window.open and reference to ozdirect.com.au

Now, look what happens if I refresh the blog:

Request and


No more window.open or ozdirect.com.au.


Now, it just so happens that Geobytes states on their web page that, if you add the free Geoflag to your site, the following will occur:

Source: http://www.geobytes.com/GeoPhrase.htm

The site then goes on to say:


The problem is, the “new window [with] the original intended content” did not open – not for me, and not for my MVP correspondent.

I mean, seriously, what website owner in his or her right mind would agree to allowing his or her visitors to be hijacked – dragged away from their site and dumped somewhere else under such circumstances in a world where pop-up blockers are the rule, rather than the exception.  Oh, and by the way, I have long since disabled the pop-up blocker in IE8 on my system – I need to see pop-ups as part of my role as an Online Compliance Researcher, so we can’t even blame a pop-up blocker for Geobytes’ failure to open the promised new window on this system.

We will report the problem to the blog’s owner, so hopefully the nasty little flag will be gone soon…  What nasty flag?  This nasty flag – the Australian flag that you can see in the screenshot below:


Comments are closed.

Kimberly, who is monitoring the ongoing malvertizement problems at isuisse.com, ibelgique.com and iquebec.com, has discovered a new malvertizement featuring Forex Autopilot. “A yet unseen, new malvertizement is present on the homepage of isuisse.com, ibelgique.com & iquebec.com. The banner advertises Forex AutoPilot and the creative is belonging to the new generation created with Fuse Kit 2.1.4. […]

Previous Entry

No company is safe from impersonation…. Campaign URLS: waytotheprofit.com/?cmpid=contangogostation-appraisals.com/c/index.php?id=<<removed>>   The waytotheprofit URL leads us to an adverdaemon.com URL, and from there to the fraudware site – I ended up at a German site, being sicherheitstool.com. Robtex reports that “sicherheitstool.com is a domain controlled by two nameservers at sicherheitstool.com […]

Next Entry