Blaze’s Security Blog

Malicious advertisement/click systems and ad scams are not entirely a new trend, but it is important to realize the type or kind of threat it may pose. Is it a common, or forgotten threat? In this website post, we’ll take a look at how a seemingly innocuous click network and advertiser, is showing some rather harmful behavior actually. A ‘critical Firefox update’ must be downloaded and run, with the resulting file having multiple layers of obfuscation. While I had been struggling to reproduce what occurred soon after at time of writing, it could fetch another greatly obfuscated JavaScript likely, for clickjacking purposes (and this behaviour may also be deduced from Figure 1, as it continues in the browser).

Basically, what you observe is not what you get. In this case, a Firefox update is not said update. 157, which has a lot of other domains, with the majority of them appearing arbitrary. COM. This has now been transformed, and however I was unable to take a screen capture at that time. Passive DNS data reveals that the email address mentioned previously, has links to other domains, and specifically to a person or persona called ‘Mohammed Farajalla’.

This at first lead me to believe that Abdelrahman and Mohammed are the same person, and is merely an alias. Abdelrahman Farajallah’ as domains owner. Brothers or not, it appears that Mohammed is the ‘public face’ of the company, and Abdelrahman works in the background, registering domains. A well-oiled business scheme, apparently. In Figure 5 above, you can see a specific post from ‘mhmadfarajalla’, hereafter known as Mohammed, explaining how he joined Goldenclixx from 2013 onwards, and made quite some ventures.

This is posted in 2015 on the eMoneySpace forum, which really is a website created to ‘promote or talk about internet money related subjects’. Basically, how to make money online using advertisements, which is completely legal.

  1. Best LinkedIn Company Pages
  2. Exact match domain names
  3. Free soft drinks, coffee, tea and fruit baskets
  4. Life ratings bonus from good jobs vs. great careers
  5. First, click and choose on Start Menu

It appears Abdelrahman and Mohammed have been involved with this system for a prolonged time frame.

While they may have initially started their project or business as a legitimate way to make money, this has definitely shifted. They tend located in Palestine. Earlier, I pointed out that domains involved seemed arbitrary. If not, think about the following domains? To clarify, the two 2 first individuals are the same for a whole set of domains, as the rest does look like (at least semi-)random. I question an actual Ms. Quinn would use this email address. It might try to convince users of its legitimacy, alluding it is part of Bank of America’s website.