Sneaky Redirect to Exploit Kit
While I was testing a Pinpoint update, I found a sneaky method to redirect unsuspecting users to Neutrino EK. This one was interesting to me so I thought I would document it here.
Here's the website I visited...looks suspicious already:
There was a reference to an external Javascript file:
The file is obfuscated Javascript which is a red flag:
I found the malicious redirect, or so I thought...
Long story short, this led nowhere. Going back to the main page, there is a call to a Flash file at the bottom.
Reviewing the ActionScript reveals something interesting. It reads in a PNG file called "gray-bg.png", extracts every other character, then evals it.
The "PNG file is not a graphic file but a renamed text file.
I used Converter to extract one character every two positions and got this:
The URL leads to the Neutrino landing page.