My next class:
Network Monitoring and Threat Detection In-DepthSingaporeNov 18th - Nov 23rd 2024

Simple Javascript Extortion Scheme Advertised via Bing

Published: 2014-07-02. Last Updated: 2014-07-02 20:49:25 UTC
by Johannes Ullrich (Version: 1)
7 comment(s)

Thanks to our reader Dan for spotting this one.

As of today, a search for "Katie Matusik" on Bing will include the following result. The rank has been slowly rising during the day, and as of right now, it is the first link after the link to "Videos" 

Once a user clicks on the link, the user is redirected to http://system-check-yueedfms.in/js which loads a page claiming that the user's browser is locked, and the user is asked to pay a fine via "Moneypak", a Western-Union like payment system. Overall, the page is done pretty bad and I find it actually a bit difficult to figure out how much money they are asking to ($300??).

extortion web page
(click on image for full size)

The user is no not able to close the browser or change to a different site. However, just rebooting the system will clear things up again, or you have to be persistent enough in clicking "Leave this Page" as there are a large number of iframes that each insert a message if closed.

The link was reported to Bing this morning but the result has been rising in Bing's search since then. Respective hosting providers for the likely compromised WordPress blog have been notified. 

Quick update: For "katie matysik" (replace 'u' with 'y', the correct spelling of the ), Bing now returns the malicious site as #1 link. Both spellings are valid last names, so either may be the original target of the SEO operation.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

7 comment(s)
My next class:
Network Monitoring and Threat Detection In-DepthSingaporeNov 18th - Nov 23rd 2024

Comments

Damn! This is the second time I have seen this in as many days.. (thanks kids :/) Fortunately there were things that saved my bacon.. 1. The kids stopped and yelled for me, 2. Running the latest no-script, MalwareBytes 2.X Pro on FF 30 (with other add-ons) so with all that yelling going on, NS, MB, kids and me, I killed the PID and was fine.

However, this did NOT come from BING-A-DING but someone else and they do not remember where. I do not use BING, GOOGLE but DDG or Startpage and >90% of the time on TOR. However I was lucky, even though I have full BU.. I would have scorched the earth and we know how much fun that isNOT!


Oh.. and since you can't stop kids even know they are not to play on my system, now the keyboard and rodent are locked in the safe when I leave.
Since this is spread via Bing, should we now go and seize their domains to stop the malware? ;-)
Removing the keyboard and mouse will have one obvious consequence: your children will now bring home random other keyboards and mice and plugin these in. You just "trained" your kids to use untrusted hardware... So now you have to worry about USB threats too... :)
[quote=comment#31363]Removing the keyboard and mouse will have one obvious consequence: your children will now bring home random other keyboards and mice and plugin these in. You just "trained" your kids to use untrusted hardware... So now you have to worry about USB threats too... :)[/quote]


Alas Mr. Anonymous.

Your post brought me a plethora of edification.. I shall elucidate.

Contemporaneously my children ages 4 and 5 could go out and purchase a wireless USB keyboard or mouse, however care to place odds on that happening? It is almost as off base as your myopic analogy of what I have "trained" my children to do. Maybe you toss "sardines" to your kids for rewards, or have them sit on a stool staring @ two converging angles or lines (corner) that is your privilege, I do not.

Oh, and so this post does not look too “snarky” let me toss some of these in. :) :)

Have a productive day.

To all others, forgive me diverging off the theme of the post for this retort, gotta love the "drive by" Anonymous, as they post a wealth of <input here>.
Instead of rebooting, won't Alt-F4 work? That should close the browser's .exe.
It's still there and it's been 24 hours. I think we should get a judge to to seize bing.com, just think of how many computers have been affected because they've obviously ignored the abuse report.
While I wasn't the Anonymous poster (this is my first post) I would ask why not just require a password to access the system instead of physically locking up the peripherals. Maybe I took your post too literally. Unless the 4 and 5 year olds are familiar with live-booting or are really good at guessing passwords. Whatever works for you though. Your house your rules.

Diary Archives