I got a lot of positive feedback on my article Is Your Firefox Genuine? Phishing at its Phinest! where I identified a site that had repackaged Mozilla Firefox and wrapped it up in a bunch of malware. The site was getting a decent amount of traffic, I suspect, because it was advertising itself well and was often the top sponsored result for Firefox-related searches on Bing. I tried multiple times to get a hold of Microsoft’s advertisement group to request that they drop the advertisement, but they were unreachable “for reasons beyond [their] control.” Little did I know, there was an easier way to prevent people from installing this malware all along…
About a week after my article was published, the advertisements on Bing were replaced with Mozilla’s own ads pointing to the correct site, but I still wasn’t satisfied that there was anything I could do. I added the URL to OpenDNS’s list and notified Mozilla about a problem I thought they would have been interested in. I’ve had practice taking down sites before that were infringing my copyright using DMCA claims but this kind of issue seemed more blatant, direct, and malicious. It annoyed me that there was nothing I could do.
A few days ago, that annoyance took action in the form of a single ping. I was wondering if the site was still up. Unfortunately, it was.
I received a response from the ping pointing me to an IP of 18.104.22.168. Out of curiosity, I did an NSLOOKUP to see what that IP address was registered to. It was going to a server on gridserver.com. That sounded oddly familiar.
Because the domain is .io, looking up the Domain registry information was a little different than the usual for .com, .net, or .org. Domains ending in .IO are controlled by the Indian Ocean Domain Registry. Looking up the offending site in their Whois results in gibberish (best guess, a person in Taiwan registered it):
The only discernable information is that the URL points to a MediaTemple server. MediaTemple? MediaTemple! Gridserver.com also resolves to the MediaTemple webpage!
Here I imagined that the site would be hosted on some random malicious server in China or Russia and it’s practically the server right next to the one my site is running on!
So, it starts with a Twitter tweet:
And, until the person responsible finds a different host, it ends with a blank page and no more serving up malware-ridden Firefox.
Props to MediaTemple for taking the content down. Though they’re likely to lose a customer, they’ve made the Internet a better place. Hopefully my efforts are also helping towards that goal. I know there are more malware-dealing sites out there, but let’s hope their days are numbered.