Sunday, November 27, 2016

IMDB Serving Up Malware?

This is the second time in less than a week where I was looking at a movie on IMDB and it suddenly redirected me to an obvious malware link. Every couple of months I get a popup from Frontier asking to complete a customer satisfaction survey. Big ISPs often use what would best be described as a JavaScript injection attack for all sorts of reasons.

So, I looked on my machine for an infection--there was none--and wondered where it came from. But this time I was paying better attention. It redirected to the following URL when I was just sitting there looking at an Al Pacino movie. Exact same site, exact same screen.

My guess is that IMDB is serving up a shady ad from whatever ad network they use.

Doing some digging, it doesn't seem like anyone else is reporting this issue. There's no way for me to say definitively that this came from IMDB--there's lots of ways to attack a computer--but it sure looks like it!

Malware scans come back clean and I haven't had any issues or anything suspicious with this Windows 10 / Chrome install. Uh, yeah, don't think I'll be clicking on this.

A WHOIS search shows the domain to be registered in California.

Registrant ID: DI_49692548
Registrant Name: Chad N. Wessels
Registrant Organization: NA
Registrant Street: 4145 Diane Street
Registrant City: Atascadero
Registrant State/Province: California
Registrant Postal Code: 93422
Registrant Country: US
Registrant Phone: +1.8054618382
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:
Admin ID: DI_49692548
Admin Name: Chad N. Wessels
Admin Organization: NA
Admin Street: 4145 Diane Street
Admin City: Atascadero
Admin State/Province: California
Admin Postal Code: 93422
Admin Country: US
Admin Phone: +1.8054618382
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email:
Tech ID: DI_49692548
Tech Name: Chad N. Wessels
Tech Organization: NA
Tech Street: 4145 Diane Street
Tech City: Atascadero
Tech State/Province: California
Tech Postal Code: 93422
Tech Country: US
Tech Phone: +1.8054618382
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email:

The admin contact for this domain seems to be a German encrypted email service. Searching the email shows this person, Chad Wessels, is associated with over 100 domains, most of which look shady to me. But there's more. The email search also links to a discussion forum post about phony Firefox updates, so it seems like good ole Chad has been quite busy.

I'm a software engineer but security really isn't my specialty, so I'm interested to see how this plays out and whether people have run into this phony Chrome update.
