Java Download and FLV Player Phishing Websites Serve Adware on Google App Engine

Our systems at Barracuda Labs scan millions of websites every day to detect domains that are serving malicious content. Beginning on August 5, 2013, our systems detected a website from the Google app engine server providing drive-by download adware to its visitors: [http]://java-update.appspot.com, and on August 6, 2013, another similar website was found to serve the same adware: [http]://updateplayer.appspot.com. Both sites are still active as of today (August 19, 2013).

 

(Updates: As of August 20, 2013, Google engineers had noticed and blocked these two phishing sites. )

The first website java-update[.]appspot[.]com presented a well-crafted page for a free Java download–very similar to the official Java download page from Oracle's Java page. All links on this phishing website lead to a few redirects and finally trigger a download action for an executable file “Setup.exe”.  If a user tries to install this 289Kb executable file, it will break immediately by saying you do not have the minimum requirements. But in fact, a “Solimba AdWare” has installed into the system. See the VirusTotal analysis for this executable file here: 9 (out of 46) anti-virus vendors say it is a Solimba Adware.

Picture of phishing site java-update[.]appspot[.]com

The path of redirections are:

=> [http]://java-update.appspot.com

==>[http]://quercus-redirect.appspot.com/?id=eT2QmzjMIWuXeW4ueRjMIWuXeTbQmG-0N-0N

===> [http]://flv.hs4dmr.com/aff_c?offer_id=44&aff_id=1002&url_id=76&aff_sub=1928984742

====> [http]://flv.hs1dmr.com/aff_c?offer_id=44&aff_id=1002&url_id=76&aff_sub=1928984742

=====> [http]://dl.down324.com/n/8326f16e-dd66-11e2-a752-00259033c1da/Setup.exe?tid=102f3b55dccc5eeceff5af6d1e9825

Similarly,  the other site with the Google app engine domain [http]://updateplayer.appspot.com hoaxed visitors to install a media player by displaying a message saying “A Media Player Update is Required to View this Content”. Once a user clicks the download button, a chain of redirects started and finally a “Setup.exe” is downloaded; again this executable file is a Solimba Adware. Its VirusTotal analysis is here: 7 (out of 46) anti-virus vendors say it is a Solimba Adware.

Interestingly, this phishing site had updated its page last week to be nicer and more real to attract additional downloads.

Picture of  phishing page updateplayer[.]appspot[.]com on Aug 6th

Picture of phishing page updateplayer[.]appspot[.]com on Aug 10th

The path of redirections is similar but shorter:

=> [http]://updateplayer.appspot.com

==> [http]://flv.hs1dmr.com/aff_c?offer_id=44&aff_id=1002&url_id=38&aff_sub=1849995996

===> [http]://dl.down324.com/n/88593b14-d4e3-11e2-a752-00259033c1da/Setup.exe?tid=102c03024d15eaf0195abe7f680a25

Appspot.com is the domain for the Google App engine and customers can register and host their websites there. The involved domains – hs1dmr.com, hs4dmr.com and down324.com – were privately registered with GoDaddy very recently, created on June 14, 2013, June 20, 2013, and July 17, 2013, respectively. The associated IP address of down324.com is 95.211.134.97 (located in Amsterdam, Netherlands), which also hosts dl.flvplayer123.com and has been reported several times for serving this adware.

As always, Barracuda Labs suggests Internet users to be very careful when clicking links on any websites, and do not install executable files unless extremely necessary. If installing a software is unavoidable, install an anti-virus software before installing anything else. Meanwhile, when buying any anti-virus or other software, go to local office stores (such as Best Buy, Staples, etc.) to get hard copies, or download them from famous vendor websites, such as Microsoft.com, Adobe.com, McAfee.com, or oracle.com, etc.