AegisLab found that the URL www.hv20.com/payroll/djia-finance.php was poisoned by Blackhat SEO.

The attack scenario is as follows:

Google search -> djia finance

-> hxxp://www.hv20.com/payroll/djia-finance.php

-> hopping site -> hxxp://78.159.118.51/in.cgi?10

-> the final download site -> hxxp://proddingappsumo.info/guaranteeing/means_phone- pool_occurs.php?tjn=33:2v:1h:2w:1m&wrgglxs=38&ciooh=33:30:32:2w:30:1n:31:1f:1m:1i&zuhy=1n:1d:1g:1d:1h:1d:1f

!! (attempts to download a malicious PDF file) !!

VirusTotal scan result (3/44 detections):

https://www.virustotal.com/file/e7c42a18ff9a8acdd4eb9f5808ec5bd5cafac1cd8ca6ac1ef6b71cdfe2106f67/analysis/1352442238/ 

Based on our analysis and observation, the format of this download URL is the one generated by the Blackhole Exploit Kit 2.0.

At the time of writing, this "djia finance" Blackhat SEO poisoning is still active, and Google search results show no warning message for it.
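As an added illustration (not part of the original AegisLab post) of how a defender could spot this chain in web-proxy logs: the script below flags `.php` URLs whose query values are colon-delimited token runs, the shape of the final download URL above, and then pulls the same client's preceding requests to show the hop sequence, marking hops served from a bare IP address such as the hopping site. The token regex is generalised from that single URL and is an assumption, not a published signature; the log records, timestamps and client addresses are constructed for the example, reusing the defanged URLs from the post.

```python
"""Flag Blackhole-2.0-style landing URLs in proxy logs and reconstruct the hop chain."""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

# Colon-delimited token runs such as "33:2v:1h:2w:1m", as seen in the landing URL in the post.
# Assumption: generalised from that one URL, not a published exploit-kit signature.
TOKEN_RUN = re.compile(r"^[0-9a-z]{1,3}(?::[0-9a-z]{1,3})+$")


def looks_like_ek_landing(url, min_hits=2):
    """True when a .php URL carries at least `min_hits` query values made of colon-delimited tokens."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith(".php"):
        return False
    values = [v for vs in parse_qs(parts.query, keep_blank_values=True).values() for v in vs]
    return sum(1 for v in values if TOKEN_RUN.match(v)) >= min_hits


def is_bare_ip_host(url):
    """True when the host is a literal IP address (weak indicator, typical of hop/TDS URLs)."""
    host = urlsplit(url).hostname or ""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


# Constructed proxy log records modelled on the chain in the post: (timestamp, client, url).
# Records are assumed to be sorted by time.
SAMPLE_LOG = [
    ("2012-11-09 06:10:01", "10.0.0.7", "https://www.google.com/search?q=djia+finance"),
    ("2012-11-09 06:10:04", "10.0.0.7", "hxxp://www.hv20.com/payroll/djia-finance.php"),
    ("2012-11-09 06:10:05", "10.0.0.7", "hxxp://78.159.118.51/in.cgi?10"),
    ("2012-11-09 06:10:06", "10.0.0.7",
     "hxxp://proddingappsumo.info/guaranteeing/means_phone- pool_occurs.php"
     "?tjn=33:2v:1h:2w:1m&wrgglxs=38&ciooh=33:30:32:2w:30:1n:31:1f:1m:1i&zuhy=1n:1d:1g:1d:1h:1d:1f"),
    ("2012-11-09 06:10:30", "10.0.0.9", "https://example.com/index.php?id=12&page=3"),
]

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def redirect_chain(log, flagged_index, window=timedelta(seconds=30)):
    """Return the flagged client's URLs within `window` before (and including) the flagged request, oldest first."""
    ts, client, _ = log[flagged_index]
    t_end = datetime.strptime(ts, TS_FORMAT)
    chain = []
    for t, c, url in log[: flagged_index + 1]:
        if c != client:
            continue
        if t_end - datetime.strptime(t, TS_FORMAT) <= window:
            chain.append(url)
    return chain


def analyse(log):
    """Return a list of (client, chain) for every request that looks like an exploit-kit landing page."""
    findings = []
    for i, (_, client, url) in enumerate(log):
        if looks_like_ek_landing(url):
            findings.append((client, redirect_chain(log, i)))
    return findings


if __name__ == "__main__":
    for client, chain in analyse(SAMPLE_LOG):
        print(f"client {client}: suspected exploit-kit landing page reached via")
        for hop in chain:
            tag = "  [bare-IP host]" if is_bare_ip_host(hop) else ""
            print("   ->", hop + tag)
```

The time-window approach is used instead of following Referer headers because redirects through a hopping site often do not carry a usable Referer; on real logs, tune the window and `min_hits` against your own traffic before alerting on matches.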


AegisLab urges our customers to keep their WG signatures updated to the latest version.


by AegisLab WG Team