
August 9, 2008

Colorado College Website Hacked for Redirection to Virus-Distributing Website Hosted in Ukraine

Filed under: Internet security — Administrator @ 9:08 pm






TOKYO (MacHouse) - Founded two years before Colorado became a state, according to its website, The Colorado College is a relatively small private college located in Colorado Springs, Colorado. Only about 2,000 undergraduate students are enrolled. Its website can be found at http://www.coloradocollege.edu. (See Screenshot 01.)





Screenshot 01 - Source: The Colorado College
Screenshot 02 - Source: MacHouse
Screenshot 03 - Source: The Colorado College






So why are we talking about this college today? Because one of its subdomain websites has possibly been hacked and used to redirect Internet users to a virus-distributing website hosted in Ukraine. About 11 hours ago, a pharmacy spammer circulated at least one comment around blogs to advertise web content hosted at Colorado College’s subdomain of acad. (See Screenshot 02.) More precisely, the malicious content is hosted under an online journalism course directory. (See Screenshot 03.)

There are at least two destinations for this redirection operation. One is an online pharmacy store. The other is a fake photo collection website of some sort, hosted at the domain of hqpicts.com. Once redirected, you will be greeted by a page with an error title. If you don’t close the web page within a few seconds, you will be prompted with a dialogue that says Image ActiveX Object Error. (See Screenshot 05.) Once you see this dialogue, you won’t be able to close the web page until you press the Okay button. And if you do, you will be forced to download a file. One of them is a disk image titled 1023.dmg. This disk image contains a trojan derivative, which Symantec calls OSX.RSPlug.A.





Screenshot 04 - Source: hqpicts.com
Screenshot 05 - Source: hqpicts.com
Screenshot 06 - Source: WhoIs.Net






So what do we know about the virus-distributing website hosted at the domain of hqpicts.com? Its domain registration shows that the domain is registered anonymously, so the registrant’s identity is protected. (See Screenshot 06.) But we know where the website is hosted. The IP address of the web server is 85.255.115.178. It’s hosted by a disgraced Ukrainian web hosting company called Ukr TeleGroup Ltd. We have seen this name behind several virus-distributing operations this year, right?
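For administrators who want to check whether their own users followed this chain, here is an added example (not from MacHouse) that scans web proxy logs for a client sent to hqpicts.com or 85.255.115.178 from another site and then fetching a .dmg from it. The log format, the 120-second window, the client addresses and the example.* hosts and paths are constructed assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Indicators named in the article: the landing domain and its server IP.
BAD_HOSTS = {"hqpicts.com", "85.255.115.178"}
WINDOW = timedelta(seconds=120)  # assumed gap between landing and download

# Constructed sample in an assumed format: time client host path referer
SAMPLE_LOG = """\
2008-08-09T10:00:01 10.0.0.5 compromised.example.edu /course/page.html -
2008-08-09T10:00:03 10.0.0.5 hqpicts.com / http://compromised.example.edu/course/page.html
2008-08-09T10:00:09 10.0.0.5 hqpicts.com /1023.dmg http://hqpicts.com/
2008-08-09T10:05:00 10.0.0.7 85.255.115.178 / http://blog.example.org/post
2008-08-09T10:06:00 10.0.0.9 downloads.example.com /tool.dmg -
2008-08-09T10:30:00 10.0.0.7 hqpicts.com /1023.dmg -
"""

def is_bad(host):
    """True for a listed host or any subdomain of a listed domain."""
    host = host.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in BAD_HOSTS)

def find_chains(log_text):
    """Return (client, referring_site, download) for each client that reached
    a listed host from another site and fetched a .dmg within WINDOW."""
    landed = {}  # client -> (time of landing, referring host)
    chains = []
    for raw in log_text.splitlines():
        parts = raw.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ts, client, host, path, referer = parts
        if not is_bad(host):
            continue  # a .dmg from an unlisted host is not this chain
        when = datetime.fromisoformat(ts)
        ref_host = urlsplit(referer).hostname or ""
        if ref_host and not is_bad(ref_host):
            landed[client] = (when, ref_host)  # arrived from an outside page
        elif path.lower().split("?")[0].endswith(".dmg") and client in landed:
            start, origin = landed[client]
            if when - start <= WINDOW:
                chains.append((client, origin, host + path))
    return chains

if __name__ == "__main__":
    for client, origin, url in find_chains(SAMPLE_LOG):
        print(f"{client}: sent from {origin}, then downloaded {url}")
```

The referring site in each result is the page that needs cleaning up; the client is the Mac that needs checking for the trojan.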












References:

Beware of SCANNER.VAV-SCANNER.COM: Attack on Microsoft Visual Studio 2005 Vulnerability (2)
Fake PornTube Website With Computer Virus Targeting Mac Users
Redirection of 16 Blogspot Porn Websites to Boomgirltv.com in Ukraine






MacHouse is not funded by taxpayers' money. We have limited resources. We also need time to sleep and eat, just as others do. So we will not act as the international police to contact all victims of website abuse. All you have to do is to subscribe to spam messages and spam posts. If we can, why don't you?






