Not content with serving up fake AVs and the like, it seems one of the blackhat SEO gangs has once again turned to serving up exploits instead. Obviously this leads to a fake AV infection as well, but I thought it worth mentioning.
The story starts, not surprisingly, at Google, where you're searching for your favourite TV show, a news clip, or something completely random, such as why you always wake up on the right side of the bed when you went to sleep on the left.
You find a result and go "Ooooh, that'll have my answer", and go clickity click - but whoops! You find yourself going through the recognizable MITM (man in the middle), in this case typeforman.net (126.96.36.199 - Failed resolution, AS48984 188.8.131.52/23 VLAF-AS Vlaf Processing Ltd), and on to an exploit (in this case at splitssoft.com (184.108.40.206 - Failed resolution, AS6851 220.127.116.11/19 BKCNET _SIA_ IZZI) and vvvne.in (18.104.22.168 - Failed resolution, AS6851 22.214.171.124/19 BKCNET _SIA_ IZZI)).
I've added the domains involved to MDL and hpHosts, and Malwarebytes AntiMalware users will be pleased to know that the IPs involved are already blocked by the IP Protection facility.
For those wanting samples, the headers are below.
These are only allowing access once per IP, so you'll find the vURL Online results for the doorway pages below (I don't have caching written in for vURL Online yet, but in case you'd like it, the URL to the vURL dissection for this is http://vurldissect.co.uk/?url=1355697).
The exploits they're using include:
Snapshot Viewer Control
MDAC (Microsoft Data Access Components)
Java Deployment Kit
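To show how a defender would spot the click-through chain described above (search engine, doorway page, redirector, exploit host) in their own proxy logs, here is an added Python example; it is not code from the original post or from vURL Online, MDL or hpHosts. The log lines, the status codes, the doorway host name "some-doorway.example", the paths and the ten-second session gap are all constructed assumptions; only the three domain names come from the post. The blocklist uses the hpHosts "127.0.0.1<tab>hostname" layout. The constructed log also includes a second fetch of the landing page from the same client that gets a 404, mirroring the once-per-IP behaviour noted above.

```python
"""Reconstruct click-through redirect chains from proxy logs and flag
those that pass through a blocklisted host on the way from a search
engine to a landing page.

Everything below (log lines, status codes, paths, doorway host, timing)
is constructed for this demonstration; only the three domain names are
the ones named in the post.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Assumption: a browser follows the redirect chain within seconds of the
# click, so requests closer together than this are treated as one chain.
SESSION_GAP_SECONDS = 10
SEARCH_ENGINES = {"www.google.com", "www.bing.com"}

# Constructed hpHosts-style blocklist: 127.0.0.1<tab>hostname
BLOCKLIST_TEXT = """\
# constructed sample; real hpHosts lists are far larger
127.0.0.1\ttypeforman.net
127.0.0.1\tsplitssoft.com
127.0.0.1\tvvvne.in
"""

# Constructed proxy log: time client method url status referer
SAMPLE_LOG = """\
10:00:01 10.0.0.5 GET http://www.google.com/search?q=tv+show 200 -
10:00:03 10.0.0.5 GET http://some-doorway.example/page.html 302 http://www.google.com/search?q=tv+show
10:00:03 10.0.0.5 GET http://typeforman.net/in.cgi?3 302 http://some-doorway.example/page.html
10:00:04 10.0.0.5 GET http://splitssoft.com/index.php 200 http://typeforman.net/in.cgi?3
10:00:30 10.0.0.5 GET http://splitssoft.com/index.php 404 -
10:05:00 10.0.0.7 GET http://www.google.com/search?q=news 200 -
10:05:02 10.0.0.7 GET http://news.example/article 200 http://www.google.com/search?q=news
"""
# The 10:00:30 line is the same client re-fetching the landing page and
# getting a 404: the exploit page serves each IP only once, which is why
# a second look from an analyst's box usually shows nothing.


def parse_blocklist(text):
    """Return the set of lowercase host names from hpHosts-style text."""
    hosts = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) >= 2:
            hosts.add(parts[1].lower())
    return hosts


def parse_log(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, status = line.split()[:5]
        events.append({
            "time": datetime.strptime(ts, "%H:%M:%S"),
            "client": client,
            "host": urlparse(url).hostname.lower(),
            "url": url,
            "status": int(status),
        })
    return events


def build_chains(events):
    """Group each client's requests into chains that start at a search
    engine and continue while each next request lands within the gap."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)
    chains = []
    for evs in by_client.values():
        evs.sort(key=lambda e: e["time"])
        current = None
        for e in evs:
            if e["host"] in SEARCH_ENGINES:
                current = [e]          # a new click-through starts here
                chains.append(current)
                continue
            gap = (e["time"] - current[-1]["time"]).total_seconds() if current else None
            if current is not None and gap <= SESSION_GAP_SECONDS:
                current.append(e)
            else:
                current = None         # too late to belong to the chain
    return chains


def flag_chains(chains, blocklist):
    """Return (client, hosts, blocklisted hosts) for chains that touch a
    blocklisted host after leaving the search engine."""
    hits = []
    for chain in chains:
        hosts = [e["host"] for e in chain]
        bad = list(dict.fromkeys(h for h in hosts[1:] if h in blocklist))
        if bad:
            hits.append((chain[0]["client"], hosts, bad))
    return hits


def analyse(log_text=SAMPLE_LOG, blocklist_text=BLOCKLIST_TEXT):
    return flag_chains(build_chains(parse_log(log_text)), parse_blocklist(blocklist_text))


if __name__ == "__main__":
    for client, hosts, bad in analyse():
        print(f"{client}: {' -> '.join(hosts)}  blocklisted: {', '.join(bad)}")
```

Grouping by client and time rather than by Referer is deliberate: browsers carry the original referer through a 302, so the referer column alone would not link the redirector hop to the landing page.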