Beware the phony Classmates.com email

by
filed under malware, Web Security.

Classmates.com has become the latest in a series of well-known brands to be abused by a particular gang of malware distributors.  The similarities to other outbreaks include:

  • Linking to multiple compromised sites which then redirect to the malware hosting sites
  • Favoring WordPress sites that can be exploited
  • Hosting the malware on various .ru domains
  • Showing simple messages on the malware page such as “Please Wait – Loading” (black text on white)
  • Using the same Flash exploits in the malware

Previous attacks used well-known brands such as Amazon.com, LinkedIn, Verizon Wireless and AT&T Wireless.

The Classmates.com email thanks the recipient for joining and provides links to confirm the user or make corrections.

Once again, the initial link points to a compromised WordPress site.  A script hidden on this site dynamically builds a redirect to a forum site.  There, a second script embedded in a forum post redirects to the final .ru domain, which displays the expected “Loading” message.  This “double-hop” is a slight change from previous similar attacks.

The malware on the final site checks which PDF reader and Flash player versions are installed on the target PC.

  • If an appropriate version is found, it redirects to a malicious SWF (Flash) file.
  • If not, it redirects to google.de
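The double-hop chain described above (compromised WordPress site, then a forum post, then the .ru landing page) is a pattern a web proxy log can reveal. As an added example, not code from the original post, this Python script reconstructs referer-linked request chains from constructed log lines and flags any chain of two or more hops whose final host is in a .ru domain; the log layout, the hostnames and the ".ru" rule are assumptions for illustration.

```python
# Added example: detect the double-hop redirect pattern in proxy logs.
# Assumed log layout (constructed): "<client_ip> <requested_url> <referer>", "-" = no referer.
from urllib.parse import urlparse

SAMPLE_LOG = """\
10.0.0.5 http://wp-example.test/wp-content/uploads/x.php -
10.0.0.5 http://forum-example.test/showthread.php?t=42 http://wp-example.test/wp-content/uploads/x.php
10.0.0.5 http://landing-example.ru/index.php http://forum-example.test/showthread.php?t=42
10.0.0.5 http://landing-example.ru/exploit.swf http://landing-example.ru/index.php
10.0.0.7 http://news-example.test/ -
10.0.0.7 http://www.google.de/ http://news-example.test/
"""

SUSPICIOUS_TLDS = {"ru"}  # assumption: final hosting domains seen in this campaign


def parse_log(text):
    """Yield (client, url, referer) tuples; a referer of '-' becomes None."""
    for line in text.splitlines():
        if line.strip():
            client, url, referer = line.split()
            yield client, url, (None if referer == "-" else referer)


def build_chains(records):
    """Link each request to the earlier request (same client) whose URL is its referer.
    Each page is linked to at most one follow-up request, which keeps chains linear."""
    open_ends = {}  # (client, last_url) -> chain that currently ends there
    chains = []
    for client, url, referer in records:
        chain = open_ends.pop((client, referer), None) if referer else None
        if chain is None:
            chain = []
            chains.append(chain)
        chain.append(url)
        open_ends[(client, url)] = chain
    return chains


def is_double_hop_to_suspicious_tld(chain, min_hops=2):
    """True when the chain has at least `min_hops` referer hops, crosses at least
    three distinct hosts and ends on a host in SUSPICIOUS_TLDS."""
    if len(chain) < min_hops + 1:
        return False
    hosts = [urlparse(u).hostname or "" for u in chain]
    return hosts[-1].rsplit(".", 1)[-1] in SUSPICIOUS_TLDS and len(set(hosts)) >= 3


def flag_chains(text):
    """Return the chains in a log that match the double-hop pattern."""
    return [c for c in build_chains(parse_log(text)) if is_double_hop_to_suspicious_tld(c)]
```

The benign chain (news site to google.de) is not flagged, which mirrors the campaign's own fallback redirect: a single hop to a well-known domain on its own is not a signal.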
