Malicious advertisement detected at www.classmates.com
Thanks to Susan Bradley for the heads up that there is a problem at www.classmates.com.
The malicious creative can be seen at this URL:
Here is a screenshot of the malicious advertisement:
An analysis of the SWF reveals a URL pointing to a known malware domain:
The iexplorer-security.org URL is active and is redirecting victims to xponlinescanner.com as follows:
The URL iexplorer-security.org/?id=624400105 leads us to:
The fastwebway.com URL in turn leads us to:
It should be noted that as part of the hijacking process a cookie is set that expires after just 24 hours.
The malicious advertisement has been reported to RealMedia. However, it looks like the advertisement is self-hosted, so it may take a little while for it to be shut down.
Who are fastwebway.com?
The reverse IP for this domain is traffic-coverter.biz.
Its name servers and mailbox are provided by estdomains.
Its IP address is 220.127.116.11, hosted by LayeredTech (ltdomains.com).
Other sites/services hosted at 18.104.22.168 are: