1. MSN site redirects to Cool Exploit Kit
Last weekend the AVG Web Threat Research group noticed a spike in LinkScanner® detections on an Italian language MSN page. The website contained an obfuscated redirect to another website running the Cool Exploit Kit and installing ransomware on users’ machines.
In the screenshot below you see the java exploit running on a user’s computer:
Here is a piece of the obfuscated redirect that was added into the page:
The Cool Exploit kit uses a number of different exploits to infect a user’s PC. In this case it’s a malicious .jar file which downloads and installs a piece of ransomware. The ransomware page says that in order for users to unlock their PC they must pay $300 or clean the PC themselves. Paying the ransom is not known to unlock the machine.
Microsoft was notified and the obfuscated redirects are no longer on any MSN websites.
2. Fake YouTube pages post spam to Facebook
We noticed a new scam offering a fake Selena Gomez and Justin Bieber scandal tape on Facebook. We found lots more in many different languages.
Users clicking on the Facebook wall posts are taken to a YouTube lookalike page that pops up a phony “YouTube security verification” alert.
If you look really closely you will notice that the scammers overlay the Facebook “Comment” with a SUBMIT image.
Also, if you look closely, the box where a user is to enter the five-digit code is actually a Facebook comment box.
So when users enter the five-digit code and hit “submit” they are actually entering a comment and posting the spam to their own wall which will go to all their friends.
After users do this they still don’t get to see the video, but they do get sent on to other sites. Yes, this is yet one more of that infinite number of scams to draw Internet users to fake “contest,” “gift card” or adware sites (all of which make money for affiliates who send unsuspecting users along to the install sites). Here are three that this scam redirects to:
3. Avoiding the Spam Filter
Pharma spam that is intended to draw customers to pharma web sites (also called Canadian pharmacy, Internet pharmacy or penis pill sites) has been with us nearly as long as we’ve had email. While there is nothing malicious about the spam or the sites (generally) it sucks a huge amount of bandwidth and is generally fraudulent. It is illegal in the U.S. to purchase prescription medications from any person or business except registered pharmacies. Making a purchase from a pharma web site opens one up to the possibility of credit card theft. Some actually do send the ordered medications, although a lot of it has been found to be fake and sometimes actually contains harmful ingredients.
Recently we’ve noticed a pharma spammer using Google translate in an interesting way to sneak links to his pharma sites past web mail filters. While web mail services have been getting better and better and spotting pharma spam (indeed all spam) and sending it to users’ spam directories, this little gimmick seems to work. Instead of putting a direct link to a pharma web site in the email message, this spammer puts a link to Google’s translation engine in the spam message. That resolves to the URL of the actual pharma site.
Here’s the spam email with the Google translate link:
Clicking on the link takes the user to Google translate:
Then to the actual pharma site:
We have no idea what a “Pharmacy Escrow Service” is, but it’s pretty obvious it isn’t any place to buy legitimate drugs.
In spite of the U.S. phone numbers, the site is registered to someone in Moscow.
The site is apparently GeoIP blocked since one of our analysts in the Asia-Pacific area noticed that he was blocked by the site and can only reach it through a proxy. So, in spite of the fact that selling prescription drugs in the U.S. is illegal except through a registered pharmacy, this site seems to be aimed at U.S. customers.
The issue here for Web users: be careful what you click on in emails from strangers and clearly, buy your prescription drugs from a legitimate pharmacy.
– Web Threats Research group