Beware the phony Classmates.com email

Classmates.com has become the latest in a series of well-known brands to be abused by a particular gang of malware distributors. The similarities to other outbreaks include: 

  • Linking to multiple compromised sites which then redirect to the malware hosting sites
  • Favoring exploitable WordPress sites as the first hop
  • Hosting the malware on various .ru domains
  • Showing simple messages on the malware page such as “Please Wait – Loading” (black text on white)
  • Using the same Flash exploits in the malware

Previous attacks used well-known brands such as Amazon.com, LinkedIn, Verizon Wireless and AT&T Wireless.

The Classmates.com email thanks the recipient for joining and provides links to confirm the user or make corrections.


Once again, the initial link points to a compromised WordPress site. A script hidden on this site dynamically builds a redirect to a forum site. There, a second script embedded in a forum post redirects to the final .ru domain, which displays the expected “Loading” message. This “double hop” is a slight change from previous, similar attacks.


The malware on the final site checks which versions of the PDF reader and Flash Player are installed on the target PC.

  • If a matching version is found, it redirects to a malicious SWF (Flash) file.
  • If not, it redirects to google.de.
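The redirect chain described above (email link, compromised site, forum post, .ru landing page, then an .swf fetch) leaves a distinctive trail in web proxy logs. The following detection script is an added example, not code from the original post: it reconstructs per-client chains from Referer headers and reports chains that match that shape. The log field layout and all hostnames are constructed placeholders.

```python
"""Reconstruct redirect chains from proxy logs and flag the double-hop shape
described above (compromised site -> forum -> .ru landing page -> .swf).
Added example, not from the original post; log lines and hostnames are
constructed placeholders and the field layout is an assumption."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed: time client status url referer ("-" = none, e.g. an email link)
SAMPLE_LOG = """\
10:00:01 10.1.1.5 302 http://blog.placeholder-wp.test/wp-content/x.php -
10:00:02 10.1.1.5 302 http://forum.placeholder.test/viewtopic.php?t=7 http://blog.placeholder-wp.test/wp-content/x.php
10:00:03 10.1.1.5 200 http://landing.placeholder-sample.ru/index.php http://forum.placeholder.test/viewtopic.php?t=7
10:00:04 10.1.1.5 200 http://landing.placeholder-sample.ru/x.swf http://landing.placeholder-sample.ru/index.php
10:05:00 10.1.1.9 200 http://www.classmates.test/confirm -
"""

def parse_log(text):
    """Return (client, url, referer-or-None) tuples, one per log line."""
    rows = []
    for line in text.splitlines():
        _ts, client, _status, url, referer = line.split()
        rows.append((client, url, None if referer == "-" else referer))
    return rows

def build_chains(rows):
    """Per client, follow Referer links starting from each request that no
    other request refers to. Simplification: one successor per URL."""
    by_client = defaultdict(list)
    for client, url, referer in rows:
        by_client[client].append((url, referer))
    chains = []
    for client, reqs in by_client.items():
        successor = {ref: url for url, ref in reqs if ref}
        for head, _ in reqs:
            if head in successor.values():
                continue  # not a chain head
            chain = [head]
            while chain[-1] in successor and len(chain) < 20:  # loop guard
                chain.append(successor[chain[-1]])
            chains.append((client, chain))
    return chains

def flag_chain(chain):
    """Reasons the chain matches the campaign's shape; [] if fewer than two."""
    hosts = [urlparse(u).hostname or "" for u in chain]
    distinct = [h for i, h in enumerate(hosts) if i == 0 or h != hosts[i - 1]]
    reasons = []
    if len(distinct) >= 3:
        reasons.append("double hop across %d hosts" % len(distinct))
    if distinct[-1].endswith(".ru"):
        reasons.append("lands on a .ru domain")
    if any(urlparse(u).path.lower().endswith(".swf") for u in chain):
        reasons.append("fetches an .swf after landing")
    return reasons if len(reasons) >= 2 else []
```

Requiring two of the three indicators keeps a single legitimate .ru visit or an ordinary Flash embed from firing on its own.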