Classmates.com has become the latest in a series of well-known brands to be abused by a particular gang of malware distributors. The similarities to other outbreaks include:
- Linking to multiple compromised sites which then redirect to the malware hosting sites
- Favoring WordPress sites (that can be exploited)
- Hosting the malware on various .ru domains
- Showing simple messages on the malware page such as “Please Wait – Loading” (black text on white)
- Using the same Flash exploits in the malware
Previous attacks used well-known brands such as Amazon.com, LinkedIn, Verizon Wireless and AT&T Wireless.
The Classmates.com email thanks the recipient for joining and provides links to confirm the user or make corrections.
Once again the initial link is to a compromised WordPress site. A script hidden on this site dynamically builds a redirect to a forum site. Here, a second script embedded in a forum post directs to the final .ru domain which displays the expected “Loading” message. This “double-hop” is a slight change from previous similar attacks.
The malware on the final site checks for PDF and Flash versions on the target PC.
- If an appropriate version is found, it then redirects to a malicious SWF Flash file.
- If not, it redirects to google.de.
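The redirect chain and the final-page behaviour described above can be triaged automatically. The following is an added example, not code from the original post or from any vendor it describes: it walks a chain of hops captured from a sandboxed fetch of the email link and flags the campaign traits listed at the top of the post (WordPress first hop, more than one intermediary, .ru final domain, "Please Wait – Loading" decoy text, client-side plugin probe leading to an SWF). The hostnames, paths and page bodies in the sample chain are constructed placeholders, and the flag names are this example's own.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a simulated redirect chain as recorded by a sandboxed
# fetch of the email link. Each hop is (url, status, location_header, body).
# All hosts and paths are placeholders, not real campaign indicators.
SAMPLE_CHAIN = [
    ("http://blog.example-compromised.test/wp-content/uploads/go.php", 200, None,
     '<script>window.location="http://forum.example-hop.test/viewtopic.php?t=42";</script>'),
    ("http://forum.example-hop.test/viewtopic.php?t=42", 200, None,
     '<div class="post"><script>document.location="http://loader.example-final.ru/in.php";</script></div>'),
    ("http://loader.example-final.ru/in.php", 200, None,
     '<html><body>Please Wait - Loading'
     '<script>var f=navigator.plugins["Shockwave Flash"];'
     'if(f){window.location="payload.swf"}else{window.location="http://google.de"}</script>'
     '</body></html>'),
]

# Path fragments that identify a WordPress install on the first hop
WORDPRESS_MARKERS = ("/wp-content/", "/wp-includes/", "/wp-admin/")
# Decoy text shown while the exploit page loads
LOADING_RE = re.compile(r"please\s*wait|loading", re.I)
# Client-side checks for Flash/PDF versions, or a reference to an SWF payload
PLUGIN_PROBE_RE = re.compile(r"navigator\.plugins|Shockwave Flash|Adobe Acrobat|\.swf\b", re.I)
# Script-driven redirect of the form window.location="..." / document.location="..."
REDIRECT_RE = re.compile(r"""(?:window|document)\.location(?:\.href)?\s*=\s*["']([^"']+)["']""")


def next_hop(status, location, body):
    """Return the URL a browser would move to next, taken from either an
    HTTP Location header or a script-driven redirect inside the body."""
    if location:
        return location
    m = REDIRECT_RE.search(body or "")
    return m.group(1) if m else None


def analyze_chain(chain):
    """Walk the hops and collect indicators matching the campaign traits.
    Returns a dict with the hop count, the final host and the raised flags."""
    flags = []
    hosts = [urlparse(url).hostname or "" for url, _, _, _ in chain]

    # Trait: compromised WordPress site as the first hop
    first_url = chain[0][0]
    if any(marker in first_url for marker in WORDPRESS_MARKERS):
        flags.append("first-hop-wordpress")

    # Trait: more than one intermediary before the payload host (the "double-hop")
    if len(chain) >= 3:
        flags.append("double-hop")

    # Trait: final site hosted on a .ru domain
    final_host = hosts[-1]
    if final_host.endswith(".ru"):
        flags.append("final-host-ru")

    final_body = chain[-1][3] or ""
    # Trait: "Please Wait - Loading" decoy on the final page
    if LOADING_RE.search(final_body):
        flags.append("loading-decoy")
    # Trait: version probe for Flash/PDF that leads to an SWF file
    if PLUGIN_PROBE_RE.search(final_body):
        flags.append("plugin-probe")

    # Consistency check: each hop's discovered redirect must point at the next hop;
    # a gap means the capture is incomplete or the redirect was not understood
    for (_, status, loc, body), (nxt, _, _, _) in zip(chain, chain[1:]):
        if next_hop(status, loc, body) != nxt:
            flags.append("chain-gap")
            break

    return {"hops": len(chain), "final_host": final_host, "flags": flags}


def is_suspicious(result, threshold=3):
    """Simple verdict: enough campaign traits present to warrant blocking the
    sending domain and the first-hop URL at the mail gateway."""
    return len(result["flags"]) >= threshold


if __name__ == "__main__":
    verdict = analyze_chain(SAMPLE_CHAIN)
    print(verdict, "suspicious" if is_suspicious(verdict) else "clean")
```

The chain-gap check matters in practice: if a hop redirects through a mechanism the regex does not understand (meta refresh, obfuscated JavaScript), the analyzer reports that its picture of the chain is incomplete rather than silently scoring a partial capture.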