Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

Further information regarding the malvertizements touting ebay discovered at perezhilton.com

April 27th 2009 in Uncategorized

The malvertizement sends victims through a chain of redirects to various fraudware/scareware products. Some of the URLs change at random, so victims don’t hit all of the domains listed below.

These are the URLs that are hit by the malvertizement – we have seen all of them before:

statcluster.com/crossdomain.xml
statcluster.com/c/index.php?id<<redacted>>
crustat.com/ts/in.cgi?<<redacted>>
olinredr2.com/?accs=<<redacted>>
pyani.com/in.cgi?<<redacted>>
offer-provider.com/<<redacted>>
truconv.com/<<redacted>>
justwebsecurity.com/<<redacted>>

 

Final destinations:

offer-provider.com is a fraudware domain touting fake security software under various names, such as "SpywareRemover", "VirusRemover2009" and "AntiSpywareSolution 2009".

trueconv leads to the fraudware total-virusprotection.com.

justwebsecurity.com leads to a fake "System Security" scanning page.
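For anyone checking their own proxy logs for this chain, here is an added example (not part of the original post) that flags clients which reached one of the destination domains shortly after hitting one of the redirector domains. The log format, the 60-second window, the split of the domains into two stages and the sample log lines are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Domains come from the post; the split into two stages is this example's reading of it.
REDIRECTORS = {"statcluster.com", "crustat.com", "olinredr2.com", "pyani.com"}
LANDING = {"offer-provider.com", "truconv.com", "justwebsecurity.com",
           "total-virusprotection.com"}
WINDOW = timedelta(seconds=60)  # assumption: a redirect chain completes within a minute

# Constructed proxy log lines (assumed format: ISO timestamp, client IP, URL).
SAMPLE_LOG = """\
2009-04-27T10:00:01 10.0.0.5 http://statcluster.com/c/index.php?id=x
2009-04-27T10:00:02 10.0.0.5 http://crustat.com/ts/in.cgi?x
2009-04-27T10:00:04 10.0.0.5 http://www.offer-provider.com/x
2009-04-27T10:05:00 10.0.0.7 http://notstatcluster.com/c/index.php
2009-04-27T10:06:00 10.0.0.8 http://pyani.com/in.cgi?x
2009-04-27T11:30:00 10.0.0.8 http://justwebsecurity.com/x
"""

def match(host, domains):
    """Return the listed domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    return next((d for d in domains if host == d or host.endswith("." + d)), None)

def find_chains(log_text):
    """Return {client: [domains in order]} for clients that reached a landing
    domain within WINDOW of hitting at least one redirector domain."""
    recent = defaultdict(list)  # client -> [(time, redirector domain)]
    hits = {}
    for line in log_text.splitlines():
        try:
            ts, client, url = line.split(maxsplit=2)
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue  # skip blank or malformed lines
        host = urlsplit(url).hostname or ""
        redir = match(host, REDIRECTORS)
        if redir:
            recent[client].append((when, redir))
        land = match(host, LANDING)
        if land:
            chain = [d for t, d in recent[client] if when - t <= WINDOW]
            if chain:  # a lone landing hit is not reported as a chain
                hits.setdefault(client, []).extend(chain + [land])
    return hits

if __name__ == "__main__":
    print(find_chains(SAMPLE_LOG))
```

Because the post notes that the URLs change at random, the check requires only one redirector hit before a landing hit rather than the full sequence.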

