Blog de Zscaler

Reciba en su bandeja de entrada las últimas actualizaciones del blog de Zscaler

Suscríbase
DreamHost: Hijacked Websites Redirect To Russian Scam
Security Research

DreamHost: Hijacked Websites Redirect To Russian Scam

image
JULIEN SOBRIER
febrero 03, 2012 - 2 Min de lectura
Following the Dreamhost hack, that was revealed this week, many websites hosted by the company have been hijacked to redirect users to a Russian scam page.

I've identified hundreds of websites hosted by DreamHost that contained a PHP page redirecting to hxxp://www.otvetvam.com/. Here are a few examples:
  • http://www.lciva.com/wp-content/plugins/extended-comment-options/gyrewnv.php
  • http://honorboundphoto.net/photos/10007-mankato_habitat_for_humanity_golf_tournament/agtruje.php
  • http://ryanmasters.ca/wp-content/gallery/our-kingdom/thumbs/tyiueg.php
  • http://treatmentofpanicattacks.com/wp-content/cache/supercache/www.treatmentofpanicattacks.com/category/anxiety-support/polzin.php
  • http://r4theband.co.uk/content/wp-content/themes/agregado/includes/cache/gyrewnv.php 
  • http://dedehaluk.com/cache/hakkinda/fgjke.php
  • http://www.agustindondo.co.uk/yellowbrick/wp-content/files_flutter/modules/fgjke.php 
  • http://dcstavclub.org/wp-content/themes/newzen_2.0_build_105/images/fgndnju.php 
  • http://camtarn.org/gizmoblog/content/06/03/entry060305-180312/comments/fgjke.php 
  • http://derek.hinchy.org/MT-5.031-en/mt-static/support/theme_static/professional_website/themes/professional-green/polzin.php
  • http://ojosdelmundo.dreamhosters.com/images/comprofiler/gallery/tghreig.php

otvetvam.com promotes a common "get rich working from home" scam. On the left side, all links point to the same collection of fake testimonies from people purporting to have made plenty of money using the system.

 
Image
hxxp://www.otvetvam.com/
 
The right side of the page, looks like Adsense ads from Google (same font, same colors, layout, etc.), but they are all links to www.tvoitube.com. This is a YouTube look-alike site, which contains a video shown promoting an online gambling site (www.cristal-casino.com).
 
Image
Fake Russian YouTube site http://www.tvoitube.com/

www.otvetvam.com copied the layout of the popular Russian site, mail.ru. The source code actually reveals that the page was created from http://otvet.mail.ru/question/59882991/, which has now been blocked by mail.ru.


The hijacked sites now redirect to other websites including ru-0tveti.com, ru-0tveti1.com, etc. These domains were registered on 01/25/2012, but no websites are yet hosted at the domains.

I'm sure this is just the beginning of massive abuses on websites hosted by DreamHost.
form submtited
Gracias por leer

¿Este post ha sido útil?

Exención de responsabilidad: Este blog post ha sido creado por Zscaler con fines informativos exclusivamente y se ofrece "como es" sin ninguna garantía de precisión, integridad o fiabilidad. Zscaler no asume responsabilidad alguna por cualesquiera errores u omisiones ni por ninguna acción emprendida en base a la información suministrada. Cualesquiera sitios web de terceros o recursos vinculados a este blog se suministran exclusivamente por conveniencia y Zscaler no se hace responsable de su contenido o sus prácticas. Todo el contenido es susceptible a cambio sin previo aviso. Al acceder a este blog, usted acepta estas condiciones y reconoce su responsabilidad exclusiva de verificar y utilizar la información según sea precisa para sus necesidades.

Reciba en su bandeja de entrada las últimas actualizaciones del blog de Zscaler

Al enviar el formulario, acepta nuestra política de privacidad.