Strange infection from VeriSign to Italy users

Hello,

thanks to TNT that reported me this strange thing, I've done some analysis of what COULD APPEAR to be a strange hack of VeriSign. In fact, italian users are hit by a wmf exploit that starts when they write a wrong web address with .com or .net extension.

I wrote a paper, if you are interested:

Verisign.com: deeply studying the evidence

Hope it will be an interesting short read.

Best regards,

Marco

 

Thanks Marco. Also a Java exploit and another exploit (XMLHTTP if I remember correctly); malware gets dropped only on largely unpatched machines, but the most shocking is not the exploit themselves (all quite old) but the method...

 

Those types of phishing are all too well known here in DK.
If you type 'bal' instead of 'bla', you'll get hit by some nasty...

Hmm... Maybe not the perfect example, but it sounds like the same thing.
It's been going on for years here.

 

No, sadly it's a totally different thing. This thing happens for any domains containing illegal characters: you type one, you're redirected to an infecting website every single time. This is not typo-cybersquatting, it looks like a root dns server on Verisign that should handle all the characters not permitted in URLs has been compromised and just redirects to a site with exploits.

 

That's sad ... Thx God I don't live in Italy

 

Italy is being targeted hard these days. Sad, and I believe italian users are generally really not ready for this kind of scenario (yes, the computer security industry here is very weak, and many compter users lack basic security knowledge).

 

Well, romanian users are also very poor informed about PC security.
Most of them have an AV installed when purchasing their PC. They did not even know they have to update it from time to time.

 

Looks like VeriSign fixed the redirect

I updated my paper