So the little BLEEEEEEEEEP left some BLEEEEEEEEP behind.

He was a little sneaky this time. He left a JavaScript snippet behind that pulled in a JavaScript file, which in turn pulled in still another JavaScript file. The URL he used as his jumping-off point looked legit but wasn't.

Since he has a server that responds to the request for the third JavaScript file, he was randomly returning a redirect code. So sometimes you could go to a page and it would redirect you to the phishing site, and sometimes it wouldn't. He could also look for clues as to whether the request was coming from a browser or from a developer.

Sneaky little BLEEEP left his calling card at the end of posts that already existed. Thus we weren't seeing the issue on new posts, but if you looked at older posts, there was a random chance of being redirected.

We’ve cleaned his latest BMs from the database. No promises that we got it all.
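One way to hunt for leftovers like these in the posts table is to scan every post body for script tags that either load from a host the blog does not own or carry inline code, and to note when the tag sits at the very end of the post, since that is where this one was tacked on. This is an added example, not the blog's own cleanup code; the trusted hosts and the sample rows are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Hosts the blog legitimately loads scripts from (constructed placeholder values).
TRUSTED_HOSTS = {"blog.example", "cdn.blog.example"}

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script\s*>", re.IGNORECASE | re.DOTALL)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)

def script_host(src):
    """Host a script src points at; '' for same-origin relative paths.
    urlparse treats '//host/x' as scheme-relative, exactly as browsers do."""
    return urlparse(src).netloc.lower()

def find_injected_scripts(post_id, html, trusted_hosts=TRUSTED_HOSTS):
    """Flag <script> tags in one post body that are inline or load from an untrusted host.

    Returns (post_id, reason, at_end) tuples, where reason is the untrusted host or
    'inline', and at_end is True when nothing but whitespace follows the tag, i.e. it
    was appended to the end of an existing post as described above.
    """
    findings = []
    for m in SCRIPT_TAG.finditer(html):
        src = SRC_ATTR.search(m.group(1))
        at_end = html[m.end():].strip() == ""
        if src is None:
            findings.append((post_id, "inline", at_end))
            continue
        host = script_host(src.group(1))
        if host and host not in trusted_hosts:
            findings.append((post_id, host, at_end))
    return findings

def scan_posts(posts, trusted_hosts=TRUSTED_HOSTS):
    """Run the check over (post_id, html) pairs, e.g. rows pulled from the posts table."""
    out = []
    for post_id, html in posts:
        out.extend(find_injected_scripts(post_id, html, trusted_hosts))
    return out

# Constructed sample rows standing in for rows from the blog's posts table.
SAMPLE_POSTS = [
    (101, '<p>An old post.</p><script src="//cdn.blog.example/gallery.js"></script>'),
    (102, "<p>Another old post.</p>\n<script src='//loader.example-injected.invalid/a.js'></script>\n"),
    (103, "<p>A clean new post.</p>"),
    (104, "<p>Yet another old post.</p><script>/* inline stage that fetches the next file */</script>"),
]

if __name__ == "__main__":
    for post_id, reason, at_end in scan_posts(SAMPLE_POSTS):
        print(f"post {post_id}: suspicious script ({reason}), appended at end: {at_end}")
```

Posts 101 and 103 pass because the only script comes from a trusted host or there is none; 102 and 104 are reported with at_end set, matching the appended-to-old-posts pattern.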

On the downside, we've had to send a bill to Miguel for this work. Trying to clean up everything has cost us over 40 man-hours. That includes research, security evaluations, custom database work and a host of other things to protect this blog. We are eating most of that because of the value the blog provides to the community, but he is getting a bill for part of it.

We hope all of you take the time to click on the donate button on the right to help Miguel out.

AWA


By awa

5 thoughts on “About those redirects…”
  1. This is starting to look less like an opportunist and more like something personal, I must say…

    1. There would seem to be a number of possibilities, including among other things that GFZ has crossed some threshold of popularity that’s getting it more “attention” from whatever group(s).
