I received a plea for help a few days ago from a high traffic Web site's Customer Service Representative ("CSR") who was hoping for some assistance in tracking down an advertisement that was hijacking visitors to his web site and redirecting them to a "Performance Optimizer" web site. As always happens in these situations, the CSR was unable to reproduce the hijacking behavior.
The CSR works for a pretty substantial, popular site - it has a 7/10 Google Rating, and an Alexa site ranking in the 23,000's.
This time, I could not reproduce the redirect either (as happens every so often), but fear not gentle reader, within hours of sending an email out to a private mailing list I had the data I needed. Sadly, I cannot tell you who recorded the essential data and give them the public congratulations that they deserve, for obvious reasons - we work best under a cloak of secrecy and we don't want them to know where in the world we are when we catch them out so that they cannot code their wares to avoid us.
Anyway, here it is - the hijacking advertisement we found is the one you can see below - it looks innocent enough, doesn't it?
The good news is that the SWF in question is no longer available at the URL that we found it at, being:
h t t p:// a248.e.akamai.net/7/800/14845/1189781201/oasc04.247realmedia.com/RealMedia/ads/Creatives/Traffic/Poetry.com_728x90/poetry_728x90.swf?
That being said, the hijacking we caught is *not* the one that was being complained of, being "Performance Optimizer". We found MalwareAlarm instead. Therefore, I fear the CSR who asked for help may not be out of the woods yet.
One thing I have noticed in recent times is that the quality of the malicious creatives being submitted by the rogue advertisers is improving constantly, and they continue to get better at avoiding detection. But, when you have access to a mailing list with members all over the world, well, it can be damned hard to hide...
So, let's see what happens if you are caught by the redirect. Check out what happens when you load the URL below, harvested from the same hijacking incident - of course, do NOT do this if you are not running IE7 / Vista. At the time of writing the URL was still live, although that will (hopefully) change.
URL: prevedmarketing.com/?tmn=mwatmp&aid=5ide5run&lid=keyin_ao_4216_1853_2358_ao_&ax=1&ed=2&mt_info=4216_1853_2358
If you load the prevedmarketing.com URL you will end up at scanner.malware-scan.com - a pretty typical Winfixer type site - first you see this error:
Then, when you use the red X to close the alert (do NOT use the Cancel button) you see the web page below - of course, you should ignore the dialogue box in the middle of the window - simply Alt-F4 or use the red close button in the very top right of the screen (or, if you have more than one tab open, you'll be able to close that one tab).
By the way, the test system that I was using doesn't have a D drive, or a DVD-RAM, or a Shared Documents folder, for that matter. The page that you see is designed to trick the visitor into thinking that a scan really is running, but nothing will install until you click on that OK button (assuming you are running XP SP2 / Vista / IE7 with at least the default security settings).
Note also how the fraudsters try to look XP'ish by the use of the Security Shield, green arrows, blue panel down the left of screen and standard system fonts and icons.
