Sunday, November 27, 2016

IMDB Serving Up Malware?

This is the second time in less than a week that I was looking at a movie on IMDB and it suddenly redirected me to an obvious malware link. Every couple of months I get a popup from Frontier asking me to complete a customer satisfaction survey. Big ISPs often use what would best be described as a JavaScript injection attack for all sorts of reasons.

So, I looked on my machine for an infection--there was none--and wondered where it came from. But this time I was paying better attention. It redirected to the following URL when I was just sitting there looking at an Al Pacino movie. Exact same site, exact same screen.

My guess is that IMDB is serving up a shady ad from whatever ad network they use.

https://uhaveluntan168.org/834841460074/9ff358f33e0552e52d2072a4c8dcfde9/3503343a651c74f2e814aed5ef3affe9.html

Doing some digging, it doesn't seem like anyone else is reporting this issue. There's no way for me to say definitively that this came from IMDB--there are lots of ways to attack a computer--but it sure looks like it!

Malware scans come back clean and I haven't had any issues or anything suspicious with this Windows 10 / Chrome install. Uh, yeah, don't think I'll be clicking on this.


A WHOIS search shows the domain to be registered in California.

Registrant ID: DI_49692548
Registrant Name: Chad N. Wessels
Registrant Organization: NA
Registrant Street: 4145 Diane Street
Registrant City: Atascadero
Registrant State/Province: California
Registrant Postal Code: 93422
Registrant Country: US
Registrant Phone: +1.8054618382
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: wesselsch@tutanota.com
Admin ID: DI_49692548
Admin Name: Chad N. Wessels
Admin Organization: NA
Admin Street: 4145 Diane Street
Admin City: Atascadero
Admin State/Province: California
Admin Postal Code: 93422
Admin Country: US
Admin Phone: +1.8054618382
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: wesselsch@tutanota.com
Tech ID: DI_49692548
Tech Name: Chad N. Wessels
Tech Organization: NA
Tech Street: 4145 Diane Street
Tech City: Atascadero
Tech State/Province: California
Tech Postal Code: 93422
Tech Country: US
Tech Phone: +1.8054618382
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: wesselsch@tutanota.com
Name Server: NS1.EUROPEDNS.NET
Name Server: NS2.EUROPEDNS.NET

The admin contact for this domain uses what seems to be a German encrypted email service. Searching the email shows that this person, Chad Wessels, is associated with more than 100 domains, most of which look shady to me. But there's more. The email search also links to a discussion forum post about phony Firefox updates, so it seems like good ole Chad has been quite busy.
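The pivot described above (take the registrant email from one WHOIS record and look for other domains that share it) is easy to script once you have a pile of records. The following is an added example, not code from the post: it parses the "Key: Value" record format quoted above, pulls out every contact email and name server, and indexes a set of records by those values so that related domains fall out. The record for uhaveluntan168.org is the one quoted in the post; the three cluster-*.test records, their contact addresses and name servers are constructed placeholders for illustration and are not real registrations.

```python
"""Parse 'Key: Value' WHOIS records and pivot on shared contact e-mail / name servers."""
import re
from collections import defaultdict

# Record quoted in the post for uhaveluntan168.org, trimmed to the
# registrant block, the contact e-mails and the name servers.
WHOIS_UHAVELUNTAN = """\
Registrant ID: DI_49692548
Registrant Name: Chad N. Wessels
Registrant Organization: NA
Registrant Street: 4145 Diane Street
Registrant City: Atascadero
Registrant State/Province: California
Registrant Postal Code: 93422
Registrant Country: US
Registrant Phone: +1.8054618382
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: wesselsch@tutanota.com
Admin Email: wesselsch@tutanota.com
Tech Email: wesselsch@tutanota.com
Name Server: NS1.EUROPEDNS.NET
Name Server: NS2.EUROPEDNS.NET
"""

# Constructed placeholder records (not real registrations): a and b share a
# contact address, b and c share a name server, none overlap with the real one.
WHOIS_CLUSTER_A = """\
Registrant Name: Placeholder A
Registrant Email: shared-contact@example.invalid
Name Server: ns1.dns-a.test
"""
WHOIS_CLUSTER_B = """\
Registrant Name: Placeholder B
Registrant Email: other@example.invalid
Admin Email: shared-contact@example.invalid
Name Server: ns1.dns-b.test
"""
WHOIS_CLUSTER_C = """\
Registrant Name: Placeholder C
Registrant Email: third@example.invalid
Name Server: ns1.dns-b.test
"""

RECORDS = {
    "uhaveluntan168.org": WHOIS_UHAVELUNTAN,
    "cluster-a.test": WHOIS_CLUSTER_A,
    "cluster-b.test": WHOIS_CLUSTER_B,
    "cluster-c.test": WHOIS_CLUSTER_C,
}

# Key runs up to the first colon (non-greedy) so values containing ':' survive.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z /]*?):\s*(.*?)\s*$")


def parse_whois(text):
    """Return {lower-cased key: [values]}; repeated keys (Name Server) accumulate,
    empty values such as 'Registrant Phone Ext:' are dropped."""
    fields = defaultdict(list)
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m and m.group(2):
            fields[m.group(1).strip().lower()].append(m.group(2))
    return dict(fields)


def contact_emails(fields):
    """Every Registrant/Admin/Tech e-mail in the record, lower-cased."""
    return {v.lower() for k, vals in fields.items() if k.endswith("email") for v in vals}


def name_servers(fields):
    return sorted(v.lower().rstrip(".") for v in fields.get("name server", []))


def pivot(records, selector):
    """Index {domain: raw record} by the keys `selector` extracts from each record."""
    index = defaultdict(set)
    for domain, text in records.items():
        for key in selector(parse_whois(text)):
            index[key].add(domain)
    return {k: sorted(v) for k, v in index.items()}


def related_domains(records, domain):
    """Other domains sharing a contact e-mail or a name server with `domain`."""
    by_email, by_ns = pivot(records, contact_emails), pivot(records, name_servers)
    own = parse_whois(records[domain])
    related = set()
    for email in contact_emails(own):
        related.update(by_email.get(email, []))
    for ns in name_servers(own):
        related.update(by_ns.get(ns, []))
    related.discard(domain)
    return sorted(related)


if __name__ == "__main__":
    for domain in RECORDS:
        print(domain, "->", related_domains(RECORDS, domain))
```

Two caveats when using this against real data: a shared contact email is a strong link, but a shared name server is weak evidence on its own, since registrar and hosting DNS (the kind of thing EUROPEDNS looks like here) is shared by thousands of unrelated customers; and the contact fields can be privacy-proxied or simply fabricated, so a registrant name and street address in a record are claims, not facts.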


I'm a software engineer but security really isn't my specialty, so I'm interested to see how this plays out and whether other people have run into this phony Chrome update.
