Last Updated: 2015-10-26 21:24:07 UTC
by Johannes Ullrich (Version: 1)
Joe wrote this weekend that:
A customer called me yesterday to make me aware of their computer that was compromised by one of those scam websites that pops up an 800 number and tells them to call. Even though she knew better, she STILL called in.... <ugh>.
The site I wanted to make you aware of was amvets.COM. She wanted to make a donation, but the real website is amvets.ORG.
It is always sad to see how people with good intentions, willing to donate to a deserving cause, are being taken advantage of. So I took a bit of time to investigate this particular case.
First of all: I do NOT recommend you go to the ".com" version of the site above. I didn't see anything outright malicious, other than popups advertising the fake tech support service, but you never know what they are going to send next.
The content returned from the page varies a lot. Currently, I am getting "index pages" linking to various "veterans" related pages. Typically these pages are auto-created using the keywords people used to get to the page, or keywords entered in the search field on the page. So it is no surprise that this page "knows" it is mistaken for a veterans' charity.
When it does display the "Fake Virus Warning" page, it does so very convincingly:
- the look and feel is adapted to match the user's OS and browser
- even on mobile devices, like my iPad, the page emulates the browser used
After a couple of visits to the site, it no longer displayed the virus warning to me, even if I changed systems and IPs. So I am not sure if they ran out of ad impressions or if they cap how often the warning is shown.
According to Farsight Security's DNS database, 10,000 different hostnames resolve to this one IP address. Most of them look like obvious typosquatting domains:
www.googele.be, besbuy.ca, wwwhockey.ca.
For some of them, I still get ads for "do nothing ware" like Mackeeper (when looking at the page from a Mac).
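The kind of check a defender can run against a passive DNS export is shown below: generate look-alike names for the domains you care about (TLD swap, dropped or inserted character, swapped adjacent characters, and the missing dot after "www" that produces names like wwwhockey.ca), look them up in the records, and count how many hostnames pile onto one IP. This is an added example, not code from the diary or from Farsight; the records, brand list and IPs (RFC 5737 documentation ranges) are constructed for the example, and only the four squatted hostnames are the ones mentioned above.

```python
"""Generate typosquat candidates for a list of brand domains, look them up in a
passive-DNS snapshot, and report IPs that an unusual number of hostnames share.
Added example with constructed data, not real passive-DNS output."""

import string
from collections import Counter, defaultdict

# Constructed passive-DNS snapshot (hostname -> IP). The four squatted names
# are the ones from the diary; the IPs and the other entries are made up.
PDNS_RECORDS = {
    "amvets.com": "192.0.2.10",
    "www.googele.be": "192.0.2.10",
    "besbuy.ca": "192.0.2.10",
    "wwwhockey.ca": "192.0.2.10",
    "amvets.org": "198.51.100.7",   # the genuine charity, on its own IP
    "www.example.net": "203.0.113.5",
}

# Domains we want to watch for look-alikes (constructed list).
BRANDS = ["amvets.org", "google.be", "bestbuy.ca", "hockey.ca"]

# TLDs tried by the swap rule; a real run would use a much longer list.
TLDS = ("com", "org", "net", "ca", "be")

INSERT_CHARS = string.ascii_lowercase + string.digits + "-"


def variants(domain):
    """Return the set of plausible typosquat hostnames for `domain`.

    Rules: TLD swap, single-character omission, single-character insertion,
    adjacent transposition, and the missing dot after 'www'. The original
    domain itself is never part of the result.
    """
    label, _, tld = domain.rpartition(".")
    out = set()
    for t in TLDS:                                # amvets.org -> amvets.com
        out.add(f"{label}.{t}")
    for i in range(len(label)):                   # bestbuy.ca -> besbuy.ca
        out.add(f"{label[:i]}{label[i + 1:]}.{tld}")
    for i in range(len(label) + 1):               # google.be -> googele.be
        for c in INSERT_CHARS:
            out.add(f"{label[:i]}{c}{label[i:]}.{tld}")
    for i in range(len(label) - 1):               # google.be -> gogole.be
        swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
        out.add(f"{swapped}.{tld}")
    out.add(f"www{label}.{tld}")                  # hockey.ca -> wwwhockey.ca
    out.discard(domain)
    return out


def canonical(hostname):
    """Strip a leading 'www.' so www.googele.be matches the variant googele.be."""
    return hostname[4:] if hostname.startswith("www.") else hostname


def find_squats(brands, records):
    """Map each brand to the (hostname, ip) records that match one of its variants."""
    hits = defaultdict(list)
    for brand in brands:
        candidates = variants(brand)
        for hostname, ip in records.items():
            if canonical(hostname) in candidates:
                hits[brand].append((hostname, ip))
    return dict(hits)


def hosts_per_ip(records):
    """Count how many distinct hostnames resolve to each IP (fan-in)."""
    return Counter(records.values())


def crowded_ips(records, threshold):
    """IPs that at least `threshold` hostnames share; a squatting farm shows up here."""
    return {ip: n for ip, n in hosts_per_ip(records).items() if n >= threshold}


if __name__ == "__main__":
    for brand, matches in find_squats(BRANDS, PDNS_RECORDS).items():
        for hostname, ip in matches:
            print(f"{brand:12s} <- {hostname:18s} {ip}")
    print("crowded IPs:", crowded_ips(PDNS_RECORDS, threshold=3))
```

The insertion rule is deliberately exhaustive (every character at every position), so candidate sets get large for long labels; that is fine for set membership against a local snapshot, but if you instead resolve candidates live you will want to prune to keyboard-adjacent and doubled characters first. The fan-in count is the cheap signal that matches the diary's observation: a legitimate shared host rarely has thousands of near-miss brand names pointing at one address.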