Malicious advertisement at lyricsmania.com
This incident was reported via a comment on my blog.
The malicious advertisement is visually identical to the myjewelrybox SWF already featured on this blog.
When I first tested this advertisement I was simply redirected to Google, but now the campaign has been activated and I ended up at xpantivirus.com.
First let's look at the advertisement on its own. We start with the advertisement loading:
209.50.243.101/openads/adimage.php?filename=728x90.swf&contenttype=swf&clickTAG=http : //209.50.243.101/openads/adclick.php%3Fbannerid=102%26zoneid=2%26source=%26dest=http%3A%2F%2Fwww.myjewelrybox.com
From there we bounce to:
openadstream.net/ad0.php?url=http : //pagead2.googlesyndication.com/pagead/bid=28/nxtgcbb80290000125ave/direct/wi/ai&key=V24567233828272323&c=129600064
And on to:
iexplorer-security.org/?id=583400064
As well as:
mystats.com
and
bestsexworld.info/soft.php?aid=011812&d=1&product=XPA
Then finally on to:
xpantivirus.com/2008/1/freescan.php?aid=77011812
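As an added triage example (not part of the original investigation or any tool used in it), the following Python unwraps the click-through destination nested inside the ad request above and compares it with the hosts the browser actually visited. The function names are hypothetical, and the only normalisation assumed is undoing the "http : //" spacing used in this post.

```python
from urllib.parse import urlsplit, parse_qsl

# Ad request as printed above (wrapped lines joined, "http : //" spacing kept).
AD_REQUEST = (
    "209.50.243.101/openads/adimage.php?filename=728x90.swf&contenttype=swf&clickTAG="
    "http : //209.50.243.101/openads/adclick.php%3Fbannerid=102%26zoneid=2%26source=%26dest="
    "http%3A%2F%2Fwww.myjewelrybox.com"
)
# Hosts the post lists as visited after the advertisement loaded.
OBSERVED_HOPS = ["openadstream.net", "iexplorer-security.org", "mystats.com",
                 "bestsexworld.info", "xpantivirus.com"]

def normalise(url):
    """Undo the post's 'http : //' spacing and add a scheme if one is missing."""
    url = url.replace(" : //", "://").strip()
    return url if "://" in url.split("?", 1)[0] else "http://" + url

def host(url):
    """Lower-case hostname without a leading 'www.'."""
    name = (urlsplit(normalise(url)).hostname or "").lower()
    return name[4:] if name.startswith("www.") else name

def nested_urls(url, depth=1, max_depth=5):
    """Yield (depth, parameter, url) for every URL carried inside a query string."""
    if depth > max_depth:  # cap recursion on deeply nested input
        return
    query = urlsplit(normalise(url)).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if value.lower().startswith(("http://", "https://")):
            yield depth, name, value
            yield from nested_urls(value, depth + 1, max_depth)

def audit(ad_request, observed_hops):
    """Compare the destination the ad declares with the hosts actually visited."""
    chain = list(nested_urls(ad_request))
    declared = host(max(chain, key=lambda c: c[0])[2]) if chain else None
    hops = [host(h) for h in observed_hops]
    return {
        "served_from": host(ad_request),
        "declared_destination": declared,
        "declared_seen_in_hops": declared in hops,
        "undeclared_hops": [h for h in hops if h != declared],
    }

if __name__ == "__main__":
    for depth, name, url in nested_urls(AD_REQUEST):
        print(f"layer {depth}: {name} -> {url}")
    print(audit(AD_REQUEST, OBSERVED_HOPS))
```

The declared destination never appears among the observed hops, which is the mismatch an ad network reviewing this creative's traffic would want to alert on.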
------
209.50.243.101 seems to belong to srv.angolotesti.it, but is *located* in the United States, specifically at ServInt Corp, 6861 Elm Street, Suite 4-E, McLean, VA 22101.
------
Advertisement in situ:
Now, I must admit, despite this being a very serious situation I could not help laughing at the error window that appeared - I quote:
"If your computer is infected, you could suffer data loss, erratic PC behaviour, PC freezes and CREAHES".
Not only are the people behind the malicious advertisements the lowest scum of the earth, they also can't spell or proofread ;o)
Eventually we end up here:
