{"id":3090,"date":"2010-07-31T12:16:22","date_gmt":"2010-07-31T19:16:22","guid":{"rendered":"http:\/\/blog.webroot.com\/?p=3090"},"modified":"2018-01-30T12:34:30","modified_gmt":"2018-01-30T19:34:30","slug":"phishers-want-you-to-have-a-coke-and-a-drive-by","status":"publish","type":"post","link":"https://www.webroot.com/blog/2010\/07\/31\/phishers-want-you-to-have-a-coke-and-a-drive-by\/","title":{"rendered":"Phishers Want You to Have a Coke and a Drive-by"},"content":{"rendered":"<p><a href=\"http:\/\/webrootblog.files.wordpress.com\/2010\/07\/20100723_coke00_opener_80.jpg\"><img decoding=\"async\" loading=\"lazy\" class=\"alignleft size-full wp-image-3093\" title=\"20100723_coke00_opener_80\" alt=\"\" src=\"http:\/\/webrootblog.files.wordpress.com\/2010\/07\/20100723_coke00_opener_80.jpg\" width=\"352\" height=\"54\" \/><\/a>As recently as a few months ago, malware distributors went to what looked like great lengths to craft complex, sophisticated Web pages designed to trick visitors into believing they were visiting a page with 
an embedded video and &#8212; oops! &#8212; you need to update your copy of Adobe Flash in order to view it.<\/p>\n<p><a href=\"http:\/\/webrootblog.files.wordpress.com\/2010\/07\/20100723_coke_flashupdate-graphic.jpg\"><img decoding=\"async\" loading=\"lazy\" class=\"alignright size-medium wp-image-3096\" title=\"20100723_coke_flashupdate-graphic\" alt=\"\" src=\"http:\/\/webrootblog.files.wordpress.com\/2010\/07\/20100723_coke_flashupdate-graphic.jpg?w=300\" width=\"300\" height=\"270\" \/><\/a>Well, those days of hard work seem to have faded into memory. All we&#8217;re left with now is this.<\/p>\n<p>In a recent attack that came to my attention, the people behind it didn&#8217;t bother to build a sophisticated Web page. Well, nothing along the lines of pages we&#8217;ve seen before, with cool graphics, slick design, or interesting programming. In fact, they hardly built a Web page at all.<\/p>\n<p>In this case, the unknown person or people created an HTML file that loads someone else&#8217;s graphic, hosted elsewhere, which happens to be a warning about an outdated version of Flash. Specifically, they load a graphic that just happens to be hosted on <a href=\"http:\/\/www.thecoca-colacompany.com\/\" target=\"_blank\">the Coca-Cola company<\/a>&#8217;s Web server. 
This isn&#8217;t a site hack against the Coke people &#8212; the graphic is probably legitimate, considering how Flash-heavy the Website is &#8212; just an example of how pathologically lazy or incompetent some malware distributors can be.<\/p>\n<p><!--more--><br \/>\n<a href=\"http:\/\/webrootblog.files.wordpress.com\/2010\/07\/20100723_coke_source.jpg\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-medium wp-image-3094\" title=\"20100723_coke_source\" alt=\"\" src=\"http:\/\/webrootblog.files.wordpress.com\/2010\/07\/20100723_coke_source.jpg?w=300\" width=\"300\" height=\"88\" \/><\/a><\/p>\n<p>The hack itself was pretty rudimentary: You visit a page on <a href=\"http:\/\/brightcloud.com\/support\/lookup.php?endpoint=idea-net.com.au\" target=\"_blank\">the malicious domain<\/a>, the graphic appears, and if you click the graphic, it starts the browser downloading a file called <strong>adobe_flash_update.exe<\/strong>. Never mind the fact that the real <a href=\"http:\/\/get.adobe.com\/flashplayer\" target=\"_blank\">Adobe Flash<\/a> updater doesn&#8217;t use a file with this filename to perform its updates.<\/p>\n<p><a href=\"http:\/\/webrootblog.files.wordpress.com\/2010\/07\/20100723_coke00_crop.jpg\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-3095\" title=\"20100723_coke00_crop\" alt=\"\" src=\"http:\/\/webrootblog.files.wordpress.com\/2010\/07\/20100723_coke00_crop.jpg\" width=\"600\" height=\"111\" \/><\/a><\/p>\n<p>Oh, and if you don&#8217;t click the graphic, it doesn&#8217;t matter: The page also loads a one-pixel-square iFrame from a Web server running on port 8080 on a different domain, named <a href=\"http:\/\/brightcloud.com\/support\/lookup.php?endpoint=lunchstroke.ru\" target=\"_blank\">Lunchstroke.ru<\/a>, registered in Russia. 
That site performs a drive-by download of a different malware payload.<\/p>\n<p>Both payloads in this scenario are the ubiquitous <strong>Trojan-Backdoor-Zbot<\/strong>, a comprehensive password stealer and botnet client. It&#8217;s a nasty piece of malware delivered by a haphazard, cruddily built, halfhearted attack which, sadly, probably worked on at least some of its targeted victims&#8212;proving once again that social engineering remains the king of the malware jungle.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As recently as a few months ago, malware distributors went to what looked like great lengths to craft complex, sophisticated Web pages designed to trick visitors into believing they were visiting a page with an embedded video and &#8212; oops! &#8212; you need to update your copy of Adobe Flash in order to view it. 
[&hellip;]<\/p>\n","protected":false},"author":65,"featured_media":17052,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[3915,4997,4985,3563,7743,4895,3619,4999,7747,3477,4909,3919,4647,3629,7745,3471,4161,4313,3901,5947],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/3090"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=3090"}],"version-history":[{"count":1,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/3090\/revisions"}],"predecessor-version":[{"id":23821,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/3090\/revisions\/23821"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17052"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=3090"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=3090"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=3090"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=3090"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}