I was a bit intrigued by a certain referrer in my log file that had been drifting at the bottom for the past week or more but suddenly shot up into the top 5 yesterday. The link ostensibly goes to http://tvsetmp3.com/ but gets redirected to http://ismymovies.com/. The page is constructed to look like it throws a system dialog box—if one were running XP in the default blue theme.
The dialog box asks you to download a codec to view the movie. The image is dressed up like a dialog box, even going so far as to let you drag it around. The giveaway is that you cannot drag it outside the browser window’s boundaries. Clicking the “Cancel” area on the image map throws a JavaScript dialog asking you to click “OK” to download the exe file. Clicking “Cancel” here throws another dialog that insists you click “OK” to download the exe file. Clicking “OK” brings you back to the previous “Click OK to download the codec” pop-up.
Clever. I never did go so far as to try to view the embedded Flash Video file underneath. Presumably there has to be a real video file there to cover for the social engineering that just occurred, if they did manage to get the fake codec installed on your machine. Still, they steer really hard to get you to the place where you download that putative codec.
Like I said. Clever. The social engineering continues to get better.
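As an added, defender-side example (not code from the original post), here is a small Python script that does the referrer-spike check the post describes: it parses Apache combined-format access log lines, counts hits per referrer host per day, and flags any host that lands in the top 5 on the latest day with a count well above its prior daily average. The log lines are constructed for the example, with the post's tvsetmp3.com used as the spiking referrer; the 3x ratio and top-5 window are assumptions, not settings from the post.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Apache "combined" log format: ip ident user [ts] "request" status size "referrer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def _line(day, ref):
    """Build one constructed combined-format line for a given day-of-month and referrer."""
    return (f'203.0.113.5 - - [{day:02d}/Mar/2008:12:00:00 -0500] '
            f'"GET / HTTP/1.1" 200 512 "{ref}" "Mozilla/5.0"')


# Constructed sample log (assumption: three days of traffic).  A steady referrer
# (example.org), a one-off search referrer, and tvsetmp3.com drifting at one hit
# per day before jumping to six on the last day.
SAMPLE_LOG = (
    [_line(8, "http://www.example.org/")] * 3 + [_line(8, "http://tvsetmp3.com/")]
    + [_line(9, "http://www.example.org/")] * 3 + [_line(9, "http://tvsetmp3.com/")]
    + [_line(10, "http://www.example.org/")] * 3
    + [_line(10, "http://tvsetmp3.com/")] * 6
    + [_line(10, "http://search.example.net/?q=codec")]
)


def parse_line(line):
    """Return {'day': date, 'ref_host': str|None} for a combined-format line, or None if unparseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ref = m["ref"]
    ref_host = None if ref in ("", "-") else urlparse(ref).hostname
    return {"day": ts.date(), "ref_host": ref_host}


def daily_referrer_counts(lines):
    """Map each day to a Counter of hits per referrer host (direct hits are skipped)."""
    counts = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ref_host"] is None:
            continue
        counts[rec["day"]][rec["ref_host"]] += 1
    return counts


def referrer_spikes(lines, top_n=5, ratio=3.0):
    """Return (host, latest_count, prior_daily_avg) for top-N referrers on the latest
    day whose count is at least `ratio` times their prior daily average.  A host never
    seen before is compared against a baseline of 1 so a single new hit is not a spike."""
    counts = daily_referrer_counts(lines)
    days = sorted(counts)
    if len(days) < 2:
        return []
    latest, prior = days[-1], days[:-1]
    spikes = []
    for host, today in counts[latest].most_common(top_n):
        baseline = sum(counts[d][host] for d in prior) / len(prior)
        if today >= ratio * max(baseline, 1.0):
            spikes.append((host, today, baseline))
    return spikes


if __name__ == "__main__":
    for host, today, baseline in referrer_spikes(SAMPLE_LOG):
        print(f"{host}: {today} hits today vs {baseline:.1f}/day before")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file's lines; a referrer that comes back as a spike is worth opening in a sandboxed browser or an isolated VM rather than your everyday machine, since the post's example redirects straight to a fake-codec download page.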
I found the same thing in my site logs and started hunting; that's how I ended up here.
The German ISP Keymachine.de seems to figure in this malware site promotion, maybe just one of their users.
I sent an abuse report to abuse@keymachine.de
Wonder if that will get a response?