
SANS ISC: Simple Javascript Extortion Scheme Advertised via Bing - Internet Security | DShield SANS ISC InfoSec Forums


Simple Javascript Extortion Scheme Advertised via Bing

Thanks to our reader Dan for spotting this one.

As of today, a search for "Katie Matusik" on Bing will include the following result. Its rank has been slowly rising during the day, and as of right now it is the first link after the link to "Videos".

Once a user clicks on the link, the user is redirected to http://system-check-yueedfms.in/js, which loads a page claiming that the user's browser is locked and asking the user to pay a fine via "Moneypak", a Western-Union-like payment system. Overall, the page is pretty badly done, and I actually find it a bit difficult to figure out how much money they are asking for ($300??).

Image: extortion web page

The user is not able to close the browser or change to a different site. However, simply rebooting the system will clear things up again; otherwise you have to be persistent enough in clicking "Leave this Page", as there are a large number of iframes that each insert a message when closed.

The link was reported to Bing this morning but the result has been rising in Bing's search since then. Respective hosting providers for the likely compromised WordPress blog have been notified. 

Quick update: For "katie matysik" (replace 'u' with 'y', the correct spelling of the ), Bing now returns the malicious site as #1 link. Both spellings are valid last names, so either may be the original target of the SEO operation.

---
Johannes B. Ullrich, Ph.D.


Johannes

ISC Handler
Damn! This is the second time I have seen this in as many days.. (thanks kids :/) Fortunately there were things that saved my bacon.. 1. The kids stopped and yelled for me, 2. Running the latest no-script, MalwareBytes 2.X Pro on FF 30 (with other add-ons) so with all that yelling going on, NS, MB, kids and me, I killed the PID and was fine.

However, this did NOT come from BING-A-DING but someone else and they do not remember where. I do not use BING, GOOGLE but DDG or Startpage and >90% of the time on TOR. However I was lucky, even though I have full BU.. I would have scorched the earth and we know how much fun that is NOT!


Oh.. and since you can't stop kids even though they are not to play on my system, now the keyboard and rodent are locked in the safe when I leave.
ICI2Eye

Since this is spread via Bing, should we now go and seize their domains to stop the malware? ;-)
Visi

Removing the keyboard and mouse will have one obvious consequence: your children will now bring home random other keyboards and mice and plug these in. You just "trained" your kids to use untrusted hardware... So now you have to worry about USB threats too... :)
Anonymous
Quoting Anonymous: Removing the keyboard and mouse will have one obvious consequence: your children will now bring home random other keyboards and mice and plug these in. You just "trained" your kids to use untrusted hardware... So now you have to worry about USB threats too... :)

Alas, Mr. Anonymous.

Your post brought me a plethora of edification.. I shall elucidate.

Contemporaneously my children ages 4 and 5 could go out and purchase a wireless USB keyboard or mouse, however care to place odds on that happening? It is almost as off base as your myopic analogy of what I have "trained" my children to do. Maybe you toss "sardines" to your kids for rewards, or have them sit on a stool staring @ two converging angles or lines (corner) that is your privilege, I do not.

Oh, and so this post does not look too “snarky” let me toss some of these in. :) :)

Have a productive day.

To all others, forgive me diverging off the theme of the post for this retort, gotta love the "drive by" Anonymous, as they post a wealth of <input here>.
ICI2Eye

Instead of rebooting, won't Alt-F4 work? That should close the browser's .exe.
Tri0x

It's still there and it's been 24 hours. I think we should get a judge to seize bing.com, just think of how many computers have been affected because they've obviously ignored the abuse report.
Greg

While I wasn't the Anonymous poster (this is my first post) I would ask why not just require a password to access the system instead of physically locking up the peripherals. Maybe I took your post too literally. Unless the 4 and 5 year olds are familiar with live-booting or are really good at guessing passwords. Whatever works for you though. Your house your rules.
WhiteWizard
