Sinister Firefox Ad on Google Links to Ridiculous Scam

Discussion in 'malware problems & news' started by JRViejo, Sep 24, 2009.

Thread Status:
Not open for further replies.
  1. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,955
    Location:
    U.S.A.
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Sneaky trick!

    Years ago when a friend and I were putting together screen shots to aid in helping people set up policies and procedures, we used an example where you can hover the mouse over a hyperlink (displayed URL) to reveal the destination URL, which will expose any trickery that is easy to set up in the web site page code:

    redirect-1.gif

    Then, along came the redirect exploit and a tricky one was discovered by noway here at Wilders several years ago.

    The Google link was to Sloan's Tree Farm, but when clicking on the link, you were redirected to a malware site with a drive-by download exploit:

    sloan-google.gif



    Disabling automatic redirect in the browser, we could see how the exploit worked. Hovering the mouse on the 302 error page reveals the redirected URL:

    sloan-redirect.gif

    Now, that redirect exploit led to a drive-by download, which is easily caught. But many of today's exploits have pretty much abandoned that technique, choosing instead to trick the user into authorizing the download/installation of the malware. Hence, the fake Firefox site which did not run any scripts to do anything automatically.

    While an alert user might notice that the destination URL didn't match exactly what displayed in the Google Firefox link, nonetheless, many would miss it and perhaps consider the enticement to subscribe to the “24/7 Expert Customer Support.”

    While not as persistent as the fake rogue AV scan sites, this technique is the same: trick the user that she/he is better off with this product/service.

    Since the redirect exploits surfaced, I began to emphasize more strongly the policy to verify and check out anything before installing.

    A quick search would reveal that the legitimate Firefox does not offer any such paid support service.


    ----
    rich
     
    Last edited: Sep 24, 2009