Malvertising Quick Look: A Styx Exploit Kit Network
This will be short, since there is a lot going on right now, but I like to acknowledge the Bad Guys when they show some creativity and a sense of humor.
New malvertising domain: adtargetcpm.org registered 3 days ago (10/29), anonymously, of course.
Came online late last night (Halloween), 10 minutes before midnight (UTC), to be precise.
Fooled several ad networks into letting it serve ads (yieldmanager.com, media-servers.net, adnetwork.net, xtendmedia.com, adserverplus.com, xertivemedia.com ...).
It sent its traffic on to subdomains of bubbleinbox.pw and pileendas.org, which have had over 1,000 hits in our logs today. All of them were flagged in real time as Malware by WebPulse's Malnet Tracker, since their server is one we've been tracking for 11 days now, ever since it came online. (It's a network that uses the Styx exploit kit.)
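The chain described above (ad network, then a days-old redirector domain, then a subdomain of an already-tracked malnet host) is the kind of pattern a proxy log can surface on its own. The following is an added example, not code from the original post or from Blue Coat: it reconstructs referrer chains from a constructed proxy log excerpt and flags chains that end on a tracked malnet domain after passing through a very young domain. The log lines, the registration dates, and the `REGISTERED` lookup table (standing in for a WHOIS/RDAP query) are all constructed for illustration; only the domain names come from the post.

```python
"""Reconstruct ad-redirect chains from proxy logs and flag hops through
very young domains that end on a tracked malnet host (added example)."""
from datetime import date
from urllib.parse import urlparse

# Constructed proxy log excerpt (not from the original post); fields are
# date, client IP, HTTP referer, requested URL.
SAMPLE_LOG = """\
2013-11-01 10.0.0.5 http://news.example/story http://ad.yieldmanager.com/serve?x=1
2013-11-01 10.0.0.5 http://ad.yieldmanager.com/serve?x=1 http://adtargetcpm.org/go?c=77
2013-11-01 10.0.0.5 http://adtargetcpm.org/go?c=77 http://abc.bubbleinbox.pw/land
2013-11-01 10.0.0.5 http://adtargetcpm.org/go?c=77 http://www.gamersdev.com/promo.html
2013-11-01 10.0.0.9 http://search.example/q http://ad.yieldmanager.com/serve?x=2
2013-11-01 10.0.0.9 http://ad.yieldmanager.com/serve?x=2 http://shop.example/deal
"""

# Constructed "today" for the sample; the post only says the domain was
# registered on 10/29, three days before it started serving traffic.
SAMPLE_TODAY = date(2013, 11, 1)

# Constructed registration dates standing in for a WHOIS/RDAP lookup.
REGISTERED = {
    "adtargetcpm.org": date(2013, 10, 29),
    "yieldmanager.com": date(2001, 1, 1),
    "news.example": date(2005, 1, 1),
}

# Domains the post says were already tracked as a Styx malnet.
TRACKED_MALNET = {"bubbleinbox.pw", "pileendas.org"}


def base_domain(host):
    """Naive registrable domain (last two labels). Fine for this sample;
    a production tool would consult the Public Suffix List."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def parse_log(text):
    """Parse 'date client referer url' lines into referer/URL host pairs."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _day, client, referer, url = line.split()
        records.append({
            "client": client,
            "ref_host": urlparse(referer).hostname,
            "url_host": urlparse(url).hostname,
        })
    return records


def domain_age_days(host, today):
    """Days since registration, or None when the domain is unknown."""
    reg = REGISTERED.get(base_domain(host))
    return (today - reg).days if reg else None


def walk_back(records, client, host, max_depth=10):
    """Follow referers backwards from `host` for one client, stopping at
    the first hop with no referer or on a loop."""
    chain = [host]
    seen = {host}
    for _ in range(max_depth):
        prev = next((r["ref_host"] for r in records
                     if r["client"] == client and r["url_host"] == chain[0]), None)
        if prev is None or prev in seen:
            break
        chain.insert(0, prev)
        seen.add(prev)
    return chain


def find_malnet_chains(records, today, max_age_days=7):
    """For every request landing on a tracked malnet domain, rebuild the
    redirect chain and list the intermediate hops registered recently."""
    findings = []
    for r in records:
        if base_domain(r["url_host"]) not in TRACKED_MALNET:
            continue
        chain = walk_back(records, r["client"], r["url_host"])
        young = [h for h in chain[:-1]
                 if (age := domain_age_days(h, today)) is not None
                 and age <= max_age_days]
        findings.append({"client": r["client"], "chain": chain,
                         "young_domains": young})
    return findings


if __name__ == "__main__":
    for f in find_malnet_chains(parse_log(SAMPLE_LOG), SAMPLE_TODAY):
        print(f["client"], " -> ".join(f["chain"]), "young:", f["young_domains"])
```

The walk is per client, so an unrelated visitor who only saw the same ad network (10.0.0.9 above) is not pulled into the chain, and the branch to the hacked site is left alone because nothing in the sample shows where it went next.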
Nothing particularly newsworthy so far, since we block lots of stuff every day...
However, adtargetcpm.org also sent some traffic to a landing page hosted on a hacked site (gamersdev.com), which in turn used an injected iFrame to lead to a malicious destination. Following that trail led to the "snooper page" below, which was worth blogging about:
(For the record, I didn't do either, and nothing bad happened, which isn't surprising, since the snooper page just has the headline text, and nothing else.)
Still, it has earned its anonymous creator a brief instant of fame on the Blue Coat blog...