Expedia France/Realmedia hosting malicious SWF featuring yourmusic.com

MAD discovered this incident.  Full details here:

http://www.bluetack.co.uk/forums/index.php?showtopic=18064&pid=86456&st=0&#

 

The SWF is identical to the one hosted by SNCF.COM

Malicious URLs include:

"http : //station-appraisals.com/c/index.php?id=TGVwWjgwV29vcWdVVWlxRk8wNDRoPTEyMDQ2NTE3MjcmcG56Y252dGE9cWJjYmm7NkiZmdm95bAYNkiDgNmYNkiDgNm"

http: // waytotheprofit.com/?cmpid=dopossibly

The redirect happens as follows. First we hit waytotheprofit.com/?cmpid=dopossibly, which sends us to:
prevedmarketing.com/?tmn=mwatmp&aid=dopossibly&lid=&ax=1&ed=2&mt_info=5694_6106_2358

From there we end up at:
scanner2.malware-scan.com/14_swp/?tmn=null&aid=dopossibly_ma14s_mb1t&lid=&affid=&ax=1&ed=2&mt_info=5694_6106_2358:3958_0_15358

or

harddriveguard.com/?tmn=es5&eai=dopossibly&eli=&3&mt_info=5694_0_4217

A cookie that expires after only 24 hours or so is also set by adservernet.com, statsgod.com and bucksbill.com.
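The hops listed above carry the same affiliate tag (dopossibly) from host to host under different parameter names (cmpid, aid, eai), which gives a way to link them in proxy logs. The following is an added example, not code from the original post; the parameter list, the rule of cutting the tag at the first underscore, and the three .example URLs are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# First four entries are the hops listed in the post; the rest are constructed.
HOPS = [
    "waytotheprofit.com/?cmpid=dopossibly",
    "prevedmarketing.com/?tmn=mwatmp&aid=dopossibly&lid=&ax=1&ed=2&mt_info=5694_6106_2358",
    "scanner2.malware-scan.com/14_swp/?tmn=null&aid=dopossibly_ma14s_mb1t&lid=&affid=&ax=1&ed=2&mt_info=5694_6106_2358:3958_0_15358",
    "harddriveguard.com/?tmn=es5&eai=dopossibly&eli=&3&mt_info=5694_0_4217",
    "intranet.example/search?q=train+tickets",   # constructed, no tag
    "shop.example/item?aid=12345",               # constructed, tag on one host only
    "news.example/article?id=5694&ref=home",     # constructed, no tag
]

# Assumption: these parameters hold the affiliate/campaign tag, as in the URLs above.
AFFILIATE_KEYS = ("cmpid", "aid", "eai")


def split_url(url):
    """Parse a scheme-less 'host/path?query' string as it appears in the post."""
    return urlsplit("//" + url)


def affiliate_tag(url):
    """Return the affiliate tag, or None if the URL carries none.

    Assumption: text after the first '_' (e.g. '_ma14s_mb1t') is sub-campaign
    data appended by a later hop, so it is cut off before comparing.
    """
    query = parse_qs(split_url(url).query, keep_blank_values=True)
    for key in AFFILIATE_KEYS:
        for value in query.get(key, []):
            if value:
                return value.split("_", 1)[0]
    return None


def suspicious_chains(urls, min_hosts=2):
    """Return {tag: [hosts in order seen]} for tags seen on >= min_hosts hosts."""
    hosts_by_tag = defaultdict(list)
    for url in urls:
        tag = affiliate_tag(url)
        host = split_url(url).hostname
        if tag and host not in hosts_by_tag[tag]:
            hosts_by_tag[tag].append(host)
    return {t: h for t, h in hosts_by_tag.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for tag, hosts in suspicious_chains(HOPS).items():
        print(tag, "->", " -> ".join(hosts))
```

A tag that shows up on a single host, like the constructed shop.example request, is not reported; only a tag handed across several domains is.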

Expedia and 247RealMedia have been alerted.

Published Fri, Mar 21 2008 14:04 by sandi

Comments

# re: Expedia France/Realmedia hosting malicious SWF featuring yourmusic.com

Friday, March 21, 2008 2:07 AM by John

Does EXPEDIA.FR care about the customers that are being affected?

In general, EXPEDIA's customer service is awful.  

# re: Expedia France/Realmedia hosting malicious SWF featuring yourmusic.com

Friday, March 21, 2008 6:46 PM by sandi

Well, I can tell you that the malicious advertisements have been taken down, so they must care a bit :o)

Sandi

# re: Expedia France/Realmedia hosting malicious SWF featuring yourmusic.com

Saturday, March 22, 2008 8:19 AM by MAD

Thanks girls :]=~

# re: Expedia France/Realmedia hosting malicious SWF featuring yourmusic.com

Saturday, March 22, 2008 8:32 AM by sandi

What can I say... I'm a scary person :o)