Our systems at Barracuda Labs scan millions of websites every day to detect domains that are serving malicious content. Beginning on August 5, 2013, our systems detected a website hosted on Google App Engine serving drive-by download adware to its visitors: [http]://java-update.appspot.com. On August 6, 2013, a similar website was found serving the same adware: [http]://updateplayer.appspot.com. Both sites are still active as of today (August 19, 2013).
(Update: As of August 20, 2013, Google engineers had noticed and blocked these two phishing sites.)
The first website, java-update[.]appspot[.]com, presented a well-crafted page for a free Java download, very similar to the official Java download page from Oracle. All links on this phishing website lead through a few redirects and finally trigger the download of an executable file, “Setup.exe”. If a user tries to install this 289Kb executable file, the installer aborts immediately with a message that the system does not meet the minimum requirements. In fact, “Solimba AdWare” has already been installed on the system. According to the VirusTotal analysis of this executable file, 9 (out of 46) anti-virus vendors identify it as Solimba Adware.
Picture of phishing site java-update[.]appspot[.]com
The path of redirections is:
Similarly, the other site on the Google App Engine domain, [http]://updateplayer.appspot.com, tricked visitors into installing a media player by displaying the message “A Media Player Update is Required to View this Content”. Once a user clicks the download button, a chain of redirects starts and finally a “Setup.exe” is downloaded; again, this executable file is Solimba Adware. According to its VirusTotal analysis, 7 (out of 46) anti-virus vendors identify it as Solimba Adware.
Interestingly, this phishing site updated its page last week to look nicer and more realistic in order to attract additional downloads.
Picture of phishing page updateplayer[.]appspot[.]com on Aug 6th
Picture of phishing page updateplayer[.]appspot[.]com on Aug 10th
The path of redirections is similar but shorter:
Appspot.com is the domain for Google App Engine, where customers can register and host their websites. The involved domains (hs1dmr.com, hs4dmr.com and down324.com) were privately registered with GoDaddy very recently: they were created on June 14, 2013, June 20, 2013, and July 17, 2013, respectively. The associated IP address of down324.com is 18.104.22.168 (located in Amsterdam, Netherlands), which also hosts dl.flvplayer123.com and has been reported several times for serving this adware.
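The registration dates above lend themselves to a simple proxy-log heuristic: flag any redirect chain that passes through a recently registered domain and ends in an executable download. The following is an added example, not Barracuda's detection code; the registration dates come from this article, while the hop order, the 90-day threshold, the `/r` path and the `example.org` chain are constructed assumptions.

```python
from datetime import date
from urllib.parse import urlparse

# Registration dates as stated in the article; a real deployment would
# query WHOIS/RDAP or a domain-age feed instead of a static table.
CREATED = {
    "hs1dmr.com": date(2013, 6, 14),
    "hs4dmr.com": date(2013, 6, 20),
    "down324.com": date(2013, 7, 17),
}
MAX_AGE_DAYS = 90  # assumed cut-off for "recently registered"
EXE_SUFFIXES = (".exe", ".msi", ".scr")

def registered_domain(url):
    """Naive last-two-labels domain; adequate for the .com/.org hosts used here."""
    host = urlparse(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def young_hops(chain, seen_on):
    """Return (domain, age_in_days) for each hop on a recently registered domain."""
    found = []
    for url in chain:
        dom = registered_domain(url)
        created = CREATED.get(dom)  # unknown age is treated as not young
        if created is None:
            continue
        age = (seen_on - created).days
        if 0 <= age <= MAX_AGE_DAYS and (dom, age) not in found:
            found.append((dom, age))
    return found

def suspicious(chain, seen_on):
    """True if the chain ends in an executable and crosses a young domain."""
    ends_in_exe = urlparse(chain[-1]).path.lower().endswith(EXE_SUFFIXES)
    return ends_in_exe and bool(young_hops(chain, seen_on))

# Constructed chains: the hop order is illustrative, not taken from the article.
CHAIN_ADWARE = ["http://java-update.appspot.com/",
                "http://hs1dmr.com/r",
                "http://down324.com/Setup.exe"]
CHAIN_BENIGN = ["http://www.example.org/",
                "http://downloads.example.org/Setup.exe"]

if __name__ == "__main__":
    for chain in (CHAIN_ADWARE, CHAIN_BENIGN):
        print(suspicious(chain, date(2013, 8, 5)), young_hops(chain, date(2013, 8, 5)))
```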
As always, Barracuda Labs advises Internet users to be very careful when clicking links on any website, and not to install executable files unless absolutely necessary. If installing software is unavoidable, install anti-virus software before installing anything else. Meanwhile, when buying anti-virus or other software, go to local office stores (such as Best Buy, Staples, etc.) to get hard copies, or download it from well-known vendor websites, such as Microsoft.com, Adobe.com, McAfee.com, or Oracle.com.
Christine Barry is Senior Chief Blogger and Social Media Manager at Barracuda. In this role, she helps bring Barracuda stories to life and facilitate communication between the public and Barracuda internal teams. Prior to joining Barracuda, Christine was a field engineer and project manager for K12 and SMB clients for over 15 years. She holds several technology credentials, a Bachelor of Arts, and a Master of Business Administration. She is a graduate of the University of Michigan.