Friday, June 15, 2018

Fake Malware Pop-up Example

I don't believe I've ever done a video blog, but I wanted to show you what it looks like when we look at a fake malware pop-up.  While I was prepping a lecture for a class I'm teaching by looking at something on Encyclopedia Britannica, I experienced a fake malware popup.

Here's what I saw:

"Serifed.Stream" malicious pop-up
The best way to explain this is to show it to you.  To do so, I've saved a little video of the what we saw.


In that walk through, you can see that the advertisement that led to the pop-up goes through a series of hops:

westerndigitalmeasure.com (192.241.254.144)  was the first site I hit, which had me do a POST to /j/pcl.php

(By the way, Westerndigitalmeasure.com is hosted at Cloudflare)

That PHP code sent me to "orgeles-hantests.com" (52.72.0.63) which immediately did a meta refresh to another page on orgeles-hantests.com which had a "redirect?target=(very long string here)"

That sent me to the host "redirect.orgeles-hantests.com" (54.89.11.221) which did another meta refresh to the site "server3.divinedessert.info" (67.207.82.78).

And divinedessert forwarded me to "serifed.stream" which is where we saw the fake Microsoft malware warning, which, by the way, captured and passed on my Internet service provider name and my home IP address in the URL.

We asked the URL scanner at VirusTotal check out "serifed.stream" and "serifed.stream/live/" but got the same result both ways.   0 of 68 URL reputation engines believe the site to be malicious.

Don't Worry, Be Happy, says 68 different URL Reputation Services

When we look by IP address, things aren't much better.  Of the hundreds of ".stream" addresses hosted on that same IP address, 185.44.65.141, which, by the way, is hosted in Iran, almost NOBODY found them to be malicious:



That last one shown, with 5 of 68 URL reputation services saying it might be bad, could also be interpreted as 63 out of 68 URL reputation services would have let your users see the bad content.  HOPEFULLY, they might have blocked a redirector somewhere in between, but honestly, I don't know . . . (this is the part where all of them will complain VirusTotal doesn't capture the totality of their user experience.  Yeah, yeah, yeah, cry me a river. I'm running AV and it happened to me!  Did you see the video?)



How to conclude?  I don't know.  Perhaps by just saying "the criminals are still ahead of us in this game, and this is why we can't have nice things."




No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.