I’ve written earlier about Spyware Quake, a nasty rogue antispyware program that runs a protection racket on people’s PCs, forcing them to buy the product in order to get rid of “fake spyware”.
There is a growing number of sites in the
All these sites belong to security scam hijackers we know well, and they all have the same script in the head of their site code:
The basic look of all the sites is something like this:
They are using both the old JavaScript and WMF (css.wmf) exploits to install themselves:
(JavaScript exploit)
Server for the IPs
OrgName: ThePlanet.com Internet Services, Inc.
OrgID: TPCM
Address: 1333 North Stemmons Freeway
Address:
City:
StateProv: TX
PostalCode: 75207
Country: US
(Data provided by Sunbelt senior researcher Patrick Jordan)