Phishers Want You to Have a Coke and a Drive-by


As recently as a few months ago, malware distributors went to what looked like great lengths to craft complex, sophisticated Web pages designed to trick visitors into believing they were visiting a page with an embedded video and — oops! — you need to update your copy of Adobe Flash in order to view it.

Well, those days of hard work seem to have faded into memory. All we’re left with now is this.

In a recent attack that came to my attention, the guys behind the attack didn’t bother to build a sophisticated Web page. Well, nothing along the lines of pages we’ve seen before, with cool graphics, slick design, or interesting programming. In fact, they hardly built a Web page at all.

In this case, the unknown person or people created an HTML file that loads someone else’s graphic, hosted elsewhere, which happens to be a warning about an outdated version of Flash. Specifically, they load a graphic that just happens to be hosted on the Coca-Cola company’s Web server. This isn’t a site hack against the Coke people — the graphic is probably legitimate, considering how Flash-heavy the Website is — just an example of how pathologically lazy or incompetent some malware distributors can be.


The hack itself was pretty rudimentary: You visit a page on the malicious domain, the graphic appears, and if you click the graphic, it starts the browser downloading a file called adobe_flash_update.exe. Never mind the fact that the real Adobe Flash updater doesn’t use a file with this filename to perform its updates.

Oh, and if you don’t click the graphic, it doesn’t matter: The page also loads a one-pixel-square iFrame from a Web server running on port 8080 on a different domain, named Lunchstroke.ru, registered in Russia. That site performs a drive-by download of a different malware payload.

Both payloads in this scenario are the ubiquitous Trojan-Backdoor-Zbot, a comprehensive password stealer and botnet client. It’s a nasty piece of malware delivered by a haphazard, cruddily built, halfhearted attack which, sadly, probably worked on at least some of its targeted victims—proving once again that social engineering remains the king of the malware jungle.
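As an added illustration (not code from the post), here is a small Python heuristic that flags the three tells described above in a saved copy of a lure page: a one-pixel iframe pointing at another host (on port 8080 in this case), a link whose target is an .exe, and an image pulled from a third-party host. The sample page and its hostnames are constructed placeholders, not the real ones from the attack.

```python
"""Flag drive-by indicators in a saved HTML page (offline, no fetching)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the attack in the post; hostnames are placeholders.
SAMPLE_HTML = """
<html><body>
<a href="adobe_flash_update.exe">
  <img src="http://third-party.example/flash_warning.gif"></a>
<iframe src="http://malicious.example:8080/in.php" width="1" height="1"></iframe>
</body></html>
"""


class DriveByIndicators(HTMLParser):
    """Collects (kind, value, port) findings for iframe, a and img tags."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            u = urlparse(a.get("src", ""))
            # A 0x0 or 1x1 frame is invisible to the user; cross-host makes it suspicious.
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            if tiny and u.hostname and u.hostname != self.page_host:
                port = u.port or (443 if u.scheme == "https" else 80)
                self.findings.append(("hidden_iframe", u.hostname, port))
        elif tag == "a":
            href = a.get("href", "")
            # A clickable lure that hands the browser an executable directly.
            if urlparse(href).path.lower().endswith(".exe"):
                self.findings.append(("exe_link", href, None))
        elif tag == "img":
            u = urlparse(a.get("src", ""))
            # Warning graphic borrowed from someone else's server.
            if u.hostname and u.hostname != self.page_host:
                self.findings.append(("remote_image", u.hostname, None))


def scan_html(html, page_host):
    """Return the list of indicator findings for one page served from page_host."""
    parser = DriveByIndicators(page_host)
    parser.feed(html)
    return parser.findings
```

Running `scan_html(SAMPLE_HTML, "lure.example")` yields one finding of each kind; in practice the hidden-iframe hit on a non-standard port is the one worth alerting on by itself.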