Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

Oh dear, oh dear, oh dear…

January 26th 2009 in Uncategorized

It's amazing what we find sometimes…

WARNING: I am assuming that my readers are smart enough to *NOT* visit the victim site, or the malicious URLs, without hefty protection in place, yes?  In fact, don’t go there at all unless you are willing to reformat your computer, potentially without being able to back up your data (yes, some nasties out there are killing the ability to copy data to USB and whatnot).  You have been warned!

 

I was taking a look at one of the recent SQL injection incidents the other day when I came across an interesting web site that had been affected (millerscitax.com).  Here is a screenshot of an obvious problem:-

image

If we click on a “Read More” link, we see the following:-

image

 

So, anyway, being a good netizen ‘n’ all that, I decided to use the “Contact Us” page to warn the site owners that they had a problem (it should be noted that the News page is not hyperlinked as far as I can see – you need to know that it is there, and guess the URL, to find it).  When I clicked on the “Submit” button on the “Contact Us” page, this is what I saw:-

image

 

<sigh>  You would think that that is bad enough, yes?  But, it gets even better (err, worse)… when we view the page source on the “Contact Us” page for the taxi site we find the following:

 image

 

So, the next question is – why does the Millers City Taxis “Contact Us” page have code that references the gillibrand.co.uk web site?  A potential explanation may be found in the fact that the Registrant for millerscitax.com is “eBusiness UK Ltd” (Capricorn House, Capricorn Park, Blakewater Road, Blackburn, Lancashire – 44.1254.279.998), and the fact that the “Web design” for gillibrand.co.uk is listed as having been completed by, you guessed it, eBusiness UK Ltd which lists its Lancashire address as Capricorn House, Capricorn Park, Blackburn, Lancashire – 01254.279.998.

Umm, oops.

 

image

image

