Malvertising hidden in a frame?

See: http://urlquery.net/report.php?id=41354
Now see: script source = htxp://cdn.dsultra.com/js/registrar.js
Read about this Joomla malware (already known from 2009) here: http://forum.joomla.org/viewtopic.php?f=621&t=684752
an 'ad_frame' provided by Bluehost Inc
Here it is the host, but on other sites it could come via redirects, see:
http://wordpress.org/support/topic/my-website-redirects-to-wwwbluehostcom

pol
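The post above points at a script source (cdn.dsultra.com/js/registrar.js) pulled in by a hidden ad frame. As an added example, not code from the thread or from any of the tools linked in it, here is a small defender-side check in Python that parses a page body and flags two things the thread describes: a script or iframe loaded from a watchlisted host, and an iframe styled so the visitor never sees it. The watchlist contains only the one domain named in the thread, and the sample HTML is constructed for the example rather than captured from any site mentioned here.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostname named in the thread as serving the injected script. This is a
# constructed watchlist for the example; a real scan would load a blocklist.
WATCHLIST = {"cdn.dsultra.com"}


def _is_hidden(attrs):
    """Heuristic: an iframe the visitor cannot see (display:none,
    visibility:hidden, or 0/1 pixel dimensions) is the usual way an
    injected 'ad_frame' is kept out of sight."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    tiny = {"0", "1", "0px", "1px"}
    return attrs.get("width") in tiny or attrs.get("height") in tiny


class RemoteLoaderScanner(HTMLParser):
    """Collects (kind, url) findings for suspicious script/iframe tags."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src")
        host = (urlparse(src).hostname or "") if src else ""
        if tag == "script" and host in WATCHLIST:
            self.findings.append(("watchlisted-script", src))
        elif tag == "iframe":
            if _is_hidden(a):
                self.findings.append(("hidden-iframe", src or ""))
            elif host in WATCHLIST:
                self.findings.append(("watchlisted-iframe", src))


def scan_html(html):
    """Return the list of findings for one page body, in document order."""
    parser = RemoteLoaderScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page body (not captured from any site in the thread):
# one local Joomla script, one watchlisted remote script, one hidden frame
# and one ordinary visible frame.
SAMPLE = """<html><body>
<script src="/media/system/js/caption.js"></script>
<script src="http://cdn.dsultra.com/js/registrar.js"></script>
<iframe id="ad_frame" src="http://ads.example.invalid/show" style="display: none"></iframe>
<iframe src="http://example.invalid/widget" width="300" height="250"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, url in scan_html(SAMPLE):
        print(f"{kind}: {url}")
```

Running it against a saved copy of a site's front page (fetched with whatever client you already use) gives a quick first pass; the hidden-iframe heuristic is deliberately broad and will also catch legitimate tracking frames, so treat hits as leads to inspect, not verdicts.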

Hi Pondus,

You alerted me to the fact that the main url does hide the malvertising → http://urlquery.net/report.php?id=208596
That is a clever trick so Google would not be alerted to their loss of revenue.
Kudos to you, as this was a very attentive observation of yours, Pondus, to dig this issue up.
This could also be rather important for getting better detection of click fraud,
see: http://www.web-sniffer.me/en/sniffer/3566913-www.din-it-kunskap.com.html

polonus

Update: script very much alive and kicking here: http://killmalware.com/tosfos.org/#
See: https://www.virustotal.com/nl/url/c0d2172d6c72ea097f89511500592ab057864efde0a5a430a4d2728bf6bd300a/analysis/
Reported issue: https://wordpress.org/support/topic/header-problem-18
Defacement MW:DEFACED:01 htxp://tosfos.org
Defacement MW:DEFACED:01 htxp://tosfos.org/404javascript.js
Web site defaced. Details: http://sucuri.net/malware/entry/MW:DEFACED:01

hacked by GHoST61
Re: htxp://cdn.dsultra.com/js/registrar.js -> http://toolbar.netcraft.com/site_report?url=http%3A%2F%2Fcdn.dsultra.com%2Fjs%2Fregistrar.js
uMatrix has prevented the following page from loading: http://cdn.dsultra.com/js/registrar.js

polonus (volunteer website security analyst and website error-hunter)

Scheme still very much alive as in this defacement: http://killmalware.com/dirklinderman.com/
See: https://www.virustotal.com/nl/url/c0d2172d6c72ea097f89511500592ab057864efde0a5a430a4d2728bf6bd300a/analysis/
Read: http://forum.joomla.org/viewtopic.php?f=621&t=684752
See: -http://www.domxssscanner.com/scan?url=http%3A%2F%2Fcdn.dsultra.com%2Fjs%2Fregistrar.js
→ -http://llse.net/www.on-state.com.ua
Template not playing nice, redirecting user back to order page.
Trustwave flags as malicious: https://www.virustotal.com/nl/url/27643ce68bffbb250e8d78e95675a05dd8f44ecae42ab5917e3df6ce4265b2b8/analysis/1441353025/
On AS IP: https://www.virustotal.com/nl/ip-address/91.200.40.51/information/
Web application version:
Joomla Version 1.5.18 - 1.5.26 for: -http://on-state.com.ua/media/system/js/caption.js
Joomla Version 1.5.18 to 1.5.26 for: -http://on-state.com.ua/language/en-GB/en-GB.ini
Joomla version outdated: Upgrade required.
Outdated Joomla Found: Joomla under 2.5.28 or 3.4.3
Outdated Web Server Nginx Found: nginx/1.2.1

Joomla Security Analysis of -http://cdn.dsultra.com
Google safe browse check
WARNING
Google finds the site to be potentially dangerous
Netcraft risk for second site: http://toolbar.netcraft.com/site_report?url=http://on-state.com.ua
Tracking from -c.bigmir.net (blocked for me by DrWeb’s). -http://on-state.com.ua/ on PHP 5.2.17 & Nginx/1.2.1

Also consider: -http://www.domxssscanner.com/scan?url=http%3A%2F%2Fon-state.com.ua%2Fmedia%2Fsystem%2Fjs%2Fcaption.js

Adguard has blocked access to this page

This web page at wXw.poddebice.net.pl, has been reported as a phishing page and has been blocked based on your security preferences.

Adguard has found that this page may be a forgery or imitation of another website, designed to trick users into sharing personal or financial information. Entering any personal information on this page may result in identity theft or other abuse.

polonus