The injected code points to itsallbreaksoft.net
This then bounces through paymoneysystem.info/in.cgi?michaeleknowlton before hitting a seemingly random PPC search engine site hosted on 95.211.27.154, for example sdeh.net/iframe.html. Sophos have an excellent write-up of the anatomy of the injection attack here, and it's pretty clear that somebody is ripping somebody else off for PPC traffic... it's hard to say who the victims actually are.
The domains itsallbreaksoft.net and paymoneysystem.info belong to the same person. These are interesting because of the registration details:
Nexton Limited
Ryabov Sergey (director@climbing-games.com)
+79219270961
Fax: +79219270961
Scherbakova st., 6-38
Saint-Petersburg, 197375
RU
These contact details are very well known for very bad things. Incidentally, the registrar is ruler-domains.com, also an enterprise registered to "Sergey Ryabov" (if that's a real person).
It's all kind of strange, as there doesn't appear to be a malware payload, which is good. But because of the way click arbitrage works, finding the real victims and villains is tricky, although interested researchers may want to have a poke around.
7 comments:
Hey Dynamoo,
I just ran a quick Google search of the code snippet you provided, and the top spot in Google is not a malware alert site, it is an anti-abortion site. The code is embedded in the source code for the page, but it renders like the original site.
This may be a dumb question, but is this a sign of hacking/injecting?
Although I don't quite agree with their views, I was going to warn them but see no contact link on that page. Thanks
It's a WordPress injection attack, so the obfuscated code snippet turns up on victim sites rather than the payload site.
Right at the moment this appears to account for most of the injection attacks that I am seeing.
Hi,
My WordPress blog is infected with that. Can you tell me how to fix it please? ty
Found it in the header.php and deleted it... thx
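The reply above says the injected snippet ends up in a theme file such as header.php. As an added example (not code from the post or its commenters), this scanner walks a WordPress tree and reports every file and line that references the domains and IP named in the post, so a site owner can find and clean the injection; the sample install it builds is constructed here, and the injected iframe line is a stand-in for the real (obfuscated) snippet.

```python
import os
import re
import tempfile

# Indicators named in the post and comments (the redirect chain's hosts).
INDICATORS = [
    "itsallbreaksoft.net",
    "paymoneysystem.info",
    "sdeh.net",
    "rich-traffic.com",
    "95.211.27.154",
]
INDICATOR_RE = re.compile("|".join(re.escape(i) for i in INDICATORS), re.IGNORECASE)

# Theme and plugin files where injected redirect code usually lands.
SCAN_SUFFIXES = (".php", ".js", ".html")


def scan_file(path):
    """Return (lineno, indicator, line) tuples for every cleartext hit in one file.

    Note: an obfuscated snippet must be decoded first; this only matches plain strings.
    """
    hits = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for m in INDICATOR_RE.finditer(line):
                hits.append((lineno, m.group(0).lower(), line.strip()))
    return hits


def scan_wordpress_tree(root):
    """Walk a WordPress install; map each file with hits (relative path) to its hit list."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(SCAN_SUFFIXES):
                full = os.path.join(dirpath, name)
                hits = scan_file(full)
                if hits:
                    findings[os.path.relpath(full, root)] = hits
    return findings


def build_sample_install():
    """Constructed sample (not real data): a tiny theme with one injected header.php."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    theme = os.path.join(root, "wp-content", "themes", "sample")
    os.makedirs(theme)
    with open(os.path.join(theme, "header.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php wp_head(); ?>\n")
        fh.write('<iframe src="http://sdeh.net/iframe.html" width="1" height="1"></iframe>\n')
    with open(os.path.join(theme, "footer.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php wp_footer(); ?>\n")
    return root


if __name__ == "__main__":
    for path, hits in scan_wordpress_tree(build_sample_install()).items():
        for lineno, indicator, line in hits:
            print(f"{path}:{lineno}: {indicator}: {line}")
```

Run it against the document root of a real install (replacing build_sample_install() with that path); a hit in a file such as header.php is the line to remove, after checking how the attacker got write access in the first place.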
I've been on to Leaseweb and had sdeh.net suspended (along with rich-traffic.com, which was also related to this) :o)
Idownloadstream.com is related to the same individual/company.
It is a complete scam.
When looking for a download, the site will rank first in the search.
Site offers a 3 day test for $1.95.
But it charges $80.69 for 6 months behind your back (rip-off).
When you login on the site, you find out that the file you expected doesn't exist (bait & switch).
Then you try to get a refund, but it goes through web-support-center (anonymous).
The site's activity has grown tremendously since January 2010.
The owner is Russian, who is known for his lawlessness internationally:
Nexton Limited
Ryabov Sergey (director@climbing-games.com), probably a fake name too.
+79219270961
Fax: +79219270961
Scherbakova 6-38
Saint-Petersburg, 197375
Russia
Ruler-domains.com is simply a reseller of the registrar Enom.com.
The director@climbing-games.com etc. is the default info they used to put in if their customers opted for whois-protect. More recently they started to use Enom's own whois-protection instead.
Sergey Ryabov is a real person, the owner of the ruler-domains.