404 Tech Support

Where IT Help is Found

You are here: Home / Media / Follow-Up: Firefox Phishing Site Taken Down

Follow-Up: Firefox Phishing Site Taken Down

I got a lot of positive feedback on my article Is Your Firefox Genuine? Phishing at its Phinest! where I identified a site that had repackaged Mozilla Firefox and wrapped it up in a bunch of malware. The site was getting a decent amount of traffic, I suspect, because it was advertising itself well and was often the top sponsored result for Firefox-related searches on Bing. I tried multiple times to get a hold of Microsoft’s advertisement group to request that they drop the advertisement, but they were unreachable “for reasons beyond [their] control.” Little did I know, there was an easier way to prevent people from installing this malware all along…

About a week after my article was published, the advertisements on Bing were replaced with Mozilla’s own ads pointing to the correct site, but I still wasn’t satisfied that there was anything I could do. I added the URL to OpenDNS’s list and notified Mozilla about a problem I thought they would have been interested in. I’ve had practice taking down sites before that were infringing my copyright using DMCA claims but this kind of issue seemed more blatant, direct, and malicious. It annoyed me that there was nothing I could do.

A few days ago, that annoyance took action in the form of a single ping. I was wondering if the site was still up. Unfortunately, it was.

I received a response from the ping pointing me to an IP of 72.47.224.148. Out of curiosity, I did an NSLOOKUP to see what that IP address was registered to. It was going to a server on gridserver.com. That sounded oddly familiar.

Because the domain is .io, looking up the Domain registry information was a little different than the usual for .com, .net, or .org. Domains ending in .IO are controlled by the Indian Ocean Domain Registry. Looking up the offending site in their Whois results in gibberish (best guess, a person in Taiwan registered it):

The only discernable information is that the URL points to a MediaTemple server. MediaTemple? MediaTemple! Gridserver.com also resolves to the MediaTemple webpage!

Here I imagined that the site would be hosted on some random malicious server in China or Russia and it’s practically the server right next to the one my site is running on!

So, it starts with a Twitter tweet:

And, until the person responsible finds a different host, it ends with a blank page and no more serving up malware-ridden Firefox.

Props to MediaTemple for taking the content down. Though they’re likely to lose a customer, they’ve made the Internet a better place. Hopefully my efforts are also helping towards that goal. I know there are more malware-dealing sites out there, but let’s hope their days are numbered.

Elevator Pitch

404 Tech Support documents solutions to IT problems, shares worthwhile software and websites, and reviews hardware, consumer electronics, and technology-related books.

Subscribe to 404TS articles by email.

Follow Us

Recent Posts

FTC Disclaimer

404TechSupport is an Amazon.com affiliate; when you click on an Amazon link from 404TS, the site gets a cut of the proceeds from whatever you buy. This site also uses Skimlinks for smart monetization of other affiliate links.
Use of this site requires displaying and viewing ads as they are presented.