When Affiliates get hacked
While tooling around on Google Diagnostic I happened across the following:
Now the site itself appears to be a legit affiliate site for Webroot's SpySweeper, where all the links point to Webroot:
hxxp://www.webroot.com/consumer/products/spysweeper/freescan.html?rc=5757 (URL disabled)
I'm guessing the "rc5757" is the affiliate number?
However, the server itself has been hacked and several malicious scripts have been injected. As you can see below, several other sites show up (highlighted in blue), where "obfuscated .name" redirects to "inject .in", a rather nasty place ...
Google Diagnostic (inject .in) reports: "Malicious software includes 758 scripting exploit(s)"
(I had already added this site to the HOSTS file prior to landing on "webroot-spysweeper .com")
Google Diagnostic (obfuscated .name) reports: Malicious software includes 373 scripting exploit(s), 30 trojan(s)
Both of these sites are hosted at (not surprisingly) Netdirekt [22.214.171.124 - 126.96.36.199], which is a haven for nasties of all kinds ... the Google Diagnostic report for Netdirekt bears this out ...
674 site(s), served content that resulted in malicious software being downloaded and installed without user consent
Over the past 90 days, we found 140 site(s) on this network, that appeared to function as intermediaries for the infection of 1695 other site(s)
Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 146 site(s), that infected 10169 other site(s)
The other two sites ("ge92 .net" and "tr92 .cn") are hosted at Netplace [188.8.131.52 - 184.108.40.206].
Google Diagnostic reports: Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 25 site(s), that infected 2962 other site(s)
Anybody with contacts at Webroot might want to mention the above, as it's a shame that someone trying to purchase a legit product gets whacked in the process ... "webroot-spysweeper" is hosted at "Schlund + Partner Ag (1&1 Internet)", but the owner is hidden behind a private registration service.
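A site-owner check for the kind of injection described above, added here as an example (not code from the post or from any of the sites named): it collects every external script host a page loads and flags the ones outside an allowlist of expected hosts. The hostnames and the sample HTML are constructed for illustration.

```python
"""Flag <script src> hosts a page should not be loading from.
Added example for this post, not code from the original; all hostnames and
the sample HTML are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the affiliate page is expected to load scripts from (constructed).
ALLOWED_SCRIPT_HOSTS = {"affiliate.example", "vendor.example"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def unexpected_script_hosts(html, page_host, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return script hosts that are neither the page's own host nor allowed.
    Scheme-relative URLs (//host/x.js) resolve to their host; plain relative
    paths (/js/x.js) are same-origin and never flagged."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    flagged = set()
    for src in parser.sources:
        host = urlparse(src.strip(), scheme="https").hostname
        if host is None:  # relative path: same origin as the page itself
            continue
        host = host.lower()
        if host != page_host.lower() and host not in allowed:
            flagged.add(host)
    return flagged


# Constructed sample: the page's own script and the vendor's script are
# expected; the last two tags are the kind an intruder injects.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="https://vendor.example/widget.js"></script>
<script src="//injected-redirect.invalid/ob.js"></script>
<script type="text/javascript" src="http://second-stage.invalid/x.php"></script>
</head><body>...</body></html>"""

if __name__ == "__main__":
    print(sorted(unexpected_script_hosts(SAMPLE_HTML, "affiliate.example")))
```

Run against a fresh fetch of your own pages on a schedule and diff the result; a new host appearing in the flagged set is the signal that something was injected.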