Possible Sophos "Mal Phish-A" and automated web browsing?

This is a strange one.

Avast EndPoint Protection 8.x (program 8.0.1609) and the most current pattern file, running on Windows 7 Ultimate, with management by SOA. User has local administrator rights on the machine, via AD domain user credentials (that account is added to the local administrators group).

Avast Web Shield reported several suspect websites visited on a single workstation within about 60 seconds. According to the Web Shield, the first one, “leadgagmedia.com”, was accessed at about 12:59 pm USA EDT October 4. At about 1:00 pm (1 minute later), that site was accessed again, and then, within a total time of approximately 10 seconds, each of the following sites was visited twice:

casinoonlinemaxbet.com
emrsesp.com
chilicothevets.com

Don’t bother trying to evaluate these sites; they’ve all been taken down or blocked by Google or other systems.

The user was present at the time, but says she was on a New York State government website, while simultaneously talking on the phone. She did not recall seeing any warnings pop up or anything else unusual.

When I inspected her Firefox browser history, there was an access to an Avast warning page concerning leadgadgetmedia.com, the kind you get if you click the link for more information on the Avast “toaster” pop-up warning.

Unfortunately, the Firefox history (52.1.1 ESR) doesn’t display date/times for access events, it just lists them with the most recent at the top.

At some point after this event (and it could have been the next day), there were several accesses to the website for Lowes hardware; they were all search results for glass block window and quick-setting concrete products.

The user does not report having done any shopping for such products, and she was not in the office on the day after Avast issued the warnings.

The user does have a habit of leaving her office unattended with her door open and her computer running, but other people in nearby offices did not report seeing anyone near her office later on October 4. She was not present on October 5 and her door was locked, except:

My IT tech was in her office on October 5 running scheduled maintenance scans. The full-disk Avast scan did not report any active issues, or anything unusual in her email attachments, at that time. Neither the full MalwareBytes nor SuperAntiSpyWare scans that he also ran reported anything unusual (several hundred tracking cookies, which is typical).

So it is certainly possible that somebody went into her office at some point after Avast detected suspicious websites to do hardware shopping, though it seems extremely unlikely, since any other employee in the building could have used his or her own computer to do that, and any non-employee in the building would have likely just used his or her phone.

What’s really concerning is how the chain of multiple hijacked web page accesses occurred within the space of one minute while the user was sitting at the computer, viewing a completely different, state government website (I saw that in the browser history as well), and she did not see anything unusual happen during that time.

The user does not have a perfect memory, but if she can’t remember anything about such a big event, then either something has suddenly gone wrong with her brain, or nothing was actually displayed in the browser or on the desktop while the event was taking place.

I ran a couple of other free scans on the computer a few days after the event: Sophos Virus Removal Tool and Emsisoft Emergency Kit. I ran Sophos first; it found, and claimed to remove, “Mal Phish-A”. This is apparently a program that can generate bogus web pages that resemble real ones. An internet search did not find any instances of it creating bogus Avast or Lowes pages; it apparently mostly attacks banks. After running Sophos and letting it remove what it found, Emsisoft found nothing.

Do you folks have any specific thoughts? I am especially concerned that after avast popped up a warning on a web page, some automated process on that web page was still able to jump to another website in a way that was detected, but not blocked, by avast. I am also concerned that what should have been several pop-up warnings were not seen by the user.

Thanks for any ideas.
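The missing timestamps and the one-minute burst described in the post can both be recovered from the Firefox profile's places.sqlite, which records every visit with a microsecond timestamp and which visit redirected to it. This is an added example, not code from the thread or from Avast; the history rows it loads are constructed to mirror the post's description (the post's EDT times converted to UTC), and it assumes you query a copy of places.sqlite rather than the live, locked file.

```python
# Firefox keeps visit times in places.sqlite even though the 52 ESR History sidebar
# hides them. Work on a COPY of the profile's places.sqlite (the live file is locked).
import sqlite3
from datetime import datetime, timezone
# Subset of the real schema: visit_type 5/6 = HTTP redirect, from_visit = causing visit.
SCHEMA = """
CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT);
CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER, visit_date INTEGER, visit_type INTEGER);"""
def us(iso):  # ISO-8601 UTC time -> microseconds since the epoch (Firefox's unit)
    return int(datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp() * 1e6)
# Constructed sample rows modelled on the burst in the post (12:59 pm EDT = 16:59 UTC).
SAMPLE_PLACES = [(1, "https://www.ny.gov/"), (2, "http://leadgagmedia.com/"),
                 (3, "http://casinoonlinemaxbet.com/"), (4, "http://emrsesp.com/")]
SAMPLE_VISITS = [(1, 0, 1, us("2018-10-04T16:45:00"), 2),   # typed by the user
                 (2, 0, 2, us("2018-10-04T16:59:10"), 1),   # followed link
                 (3, 2, 3, us("2018-10-04T16:59:12"), 6),   # redirect from visit 2
                 (4, 3, 4, us("2018-10-04T16:59:15"), 6),   # redirect from visit 3
                 (5, 0, 1, us("2018-10-04T17:20:00"), 1)]

def load_sample():
    db = sqlite3.connect(":memory:")  # real use: sqlite3.connect("places-copy.sqlite")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO moz_places VALUES (?,?)", SAMPLE_PLACES)
    db.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", SAMPLE_VISITS)
    return db

def visits(db):
    """(id, visit_date_us, url, visit_type, referring_url) for every visit, oldest first."""
    return db.execute("""
        SELECT v.id, v.visit_date, p.url, v.visit_type, pf.url
        FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
        LEFT JOIN moz_historyvisits vf ON vf.id = v.from_visit
        LEFT JOIN moz_places pf ON pf.id = vf.place_id
        ORDER BY v.visit_date""").fetchall()

def bursts(db, min_visits=3, window_s=60):
    """Groups of at least min_visits visits whose timestamps span <= window_s seconds."""
    rows, found, i = visits(db), [], 0
    while i < len(rows):
        j = i
        while j + 1 < len(rows) and rows[j + 1][1] - rows[i][1] <= window_s * 1_000_000:
            j += 1
        if j - i + 1 >= min_visits:
            found.append(rows[i:j + 1])
        i = j + 1 if j > i else i + 1
    return found

def describe(row):  # one readable line per visit, naming the redirect source if any
    when = datetime.fromtimestamp(row[1] / 1e6, timezone.utc).strftime("%H:%M:%S")
    return when + " " + row[2] + (" <- redirect from " + row[4] if row[3] in (5, 6) else "")
```

Running `bursts()` over a real copy of the profile shows whether the suspect sites were reached by redirects (visit_type 5/6) from a page the user actually opened, which is the question the post raises about the "jumps".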

URL is currently flagged by Google under the Social Engineering (Phishing and Deceptive Sites) category.

Consider: Results from scanning URL: -https://www.googletagmanager.com/gtag/js?id=
Number of sources found: 31
Number of sinks found: 14

Redirects to -http://134.249.116.78/index.php then to -http://185.143.221.14/index.php?def=fap_w3564365p119_7645635rt&utm_medium=clickun&utm_content=land&network=n12&utm_source=12102018

Script goes to -https://www.hibids10.com/ykwnsxwz29?key=9a98439e5dcdf4fd2a011f7cbc76b00d
content found at: -http://185.143.221.14/index.php?def=fap_w3564365p119_7645635rt&utm_medium=clickun&utm_content=land&network=n12&utm_source=12102018
→ -http://terraclicks.com/anonymous/’ target=‘_blank’> Anonymous Proxy detected, [Do not]click here

analysis of Terraclicks malcode: https://forums.malwarebytes.com/topic/184980-terraclicks/

polonus (volunteer website security analyst & website error-hunter)

Thanks for responding. I’m not sophisticated enough to interpret some of your response, but I did look at the analysis on the MalwareBytes page. The file trace only exists while the page is being displayed? Would this be an example of “file-less malware”?

Does the referenced script account for the rapid jumps from one page to another?