Back in July, I already posted on the subject (Who needs .info/.biz, anyway?), and it turns out that the same scam is still in operation today. By putting too much trust into the topmost result returned by a search engine, a user of mine ended up ringing quite a few bells on the IDS and AV late yesterday night. Turns out the page the user got redirected to was hxxp://iframebiz.biz/dl/adv443.php (DONT click).
Yes. A bunch of malware, no doubt, and trying to exploit quite a number of recent and not-so-recent vulnerabilities commonly found on a badly patched Windows workstation. The Trojans it tries to download are by now pretty well known and recognized by most of the anti virus software. What irks me most, though, is that this sort of thing has been around for months. Checking with a DNS cache, I found that no less than nine different DNS names have been used for this scam within the past week alone.
traffsale.biz 22.214.171.124; iframesite.biz 126.96.36.199; iframetraff.biz 188.8.131.52; toolbartraff.biz 184.108.40.206; buytraff.biz 220.127.116.11; iframecash.biz 18.104.22.168; toolbarurl.biz 22.214.171.124; iframebiz.biz 126.96.36.199; toolbarbiz.biz 188.8.131.52;
And guess what country 184.108.40.206 resides in ? Yes, one of the CWIIAC, country-where-ISPs-ignore-all-complaints. I'm about to send them one more.