Sinister Firefox Ad on Google Links to Ridiculous Scam

Discussion in 'malware problems & news' started by JRViejo, Sep 24, 2009.

Thread Status:
Not open for further replies.
  1. JRViejo

    JRViejo Super Moderator

    Jul 9, 2008
  2. Rmus

    Rmus Exploit Analyst

    Mar 16, 2005
    Sneaky trick!

    Years ago when a friend and I were putting together screen shots to aid in helping people set up policies and procedures, we used an example where you can hover the mouse over a hyperlink (displayed URL) to reveal the destination URL, which will expose any trickery that is easy to set up in the web site page code:


    Then, along came the redirect exploit and a tricky one was discovered by noway here at Wilders several years ago.

    The Google link was to Sloan's Tree Farm, but when clicking on the link, you were redirected to a malware site with a drive-by download exploit:



    Disabling automatic redirect in the browser, we could see how the exploit worked. Hovering the mouse on the 302 error page reveals the redirected URL:


    Now, that redirect exploit led to a drive-by download, which is easily caught. But many of today's exploits have pretty much abandoned that technique, choosing instead to trick the user into authorizing the download/installation of the malware. Hence, the fake Firefox site which did not run any scripts to do anything automatically.

    While an alert user might notice that the destination URL didn't match exactly what displayed in the Google Firefox link, nonetheless, many would miss it and perhaps consider the enticement to subscribe to the “24/7 Expert Customer Support.”

    While not as persistent as the fake rogue AV scan sites, this technique is the same: trick the user that she/he is better off with this product/service.

    Since the redirect exploits surfaced, I began to emphasize more strongly the policy to verify and check out anything before installing.

    A quick search would reveal that the legitimate Firefox does not offer any such paid support service.

    Last edited: Sep 24, 2009