SQL attacks: now using .MOBI domains and installing Scamware
Everyday, I look through the domains we detect as Troj/Iframe-AG because they are the domains associated with the SQL injections that have been plaguing the web over the last few months (1, 2, 3 and 4). This morning I saw three domains making use of the .MOBI TLD. The use of a .MOBI TLD is unusual and I was going to talk about all the possible new TLDs that people could use in the future (following the ICANN meeting last week). However, something more interesting was spotted.
Quickly visiting these sites to see is they were legitimate, we (Fraser and I) noticed that the root of each site attempted to load a script ?AD.JS?. This in turn attempted to load another website - a fake AV install site. The site pretends to do an online virus scan: