Further information regarding the malvertizements touting ebay discovered at perezhilton.com
The malvertizement redirects victims to various fraudware/scareware products via several redirects (some of the URLs change at random – victims don’t hit all of the domains listed below).
These are the URLs that are hit by the malvertizement – we have seen all of them before:
statcluster.com/crossdomain.xml
statcluster.com/c/index.php?id<<redacted>>
crustat.com/ts/in.cgi?<<redacted>>
olinredr2.com/?accs=<<redacted>>
pyani.com/in.cgi?<<redacted>>
offer-provider.com/<<redacted>>
truconv.com/<<redacted>>
justwebsecurity.com/<<redacted>>
Final destinations:
offer-provider.com is a fraudware domain touting fake security software under various names such as "SpywareRemover" and "VirusRemover2009" and "AntiSpywareSolution 2009".
trueconv leads to the fraudware total-virusprotection.com.
justwebsecurity.com leads to a fake "System Security" scanning page.