The malware was dropped by some fake AV website.
Injecting into the legitimate website some harvesting code as seen here is, I'm sure, exponentially more effective at harvesting credentials than redirecting to a fake banking site.
If I get time I'll follow up with some info about the fake AV site.
Cheers,
/dean

Comments
Hey Carlos,
It was being served up by a series of sites. The one that this came from is an-ty-spyware-sell.com. It's down now. I'll post some of the page contents, etc. tomorrow if I get a chance.
Cheers,
Dean
Hi Dean, can you tell me more about the infection or the fake AV site? I would like to have fun with it. This entry makes me remember this Websense post: http://securitylabs.websense.com/content/Blogs/3133.aspx
Carlos
Thanks for the suggestion Jay,
I spend pretty much all my time working with this sort of stuff now and I follow his blog pretty closely. I'd just posted that pic as the code behind it is pretty nice.
Cheers,
Dean
Dancho Danchev should be able to help you out in the realm of FakeAV stuff since he's pretty much made that his full-time job.
http://ddanchev.blogspot.com/
-Jay
www.SecuraBit.com