NEWS FROM THE LAB - Friday, December 14, 2012

Joulupata Action
Posted by Mikko @ 14:39 GMT

It's Christmas time! Time for charity!

In Finland, the most popular Christmas charity is run by the local Salvation Army. Their campaign is called Joulupata. And as you might expect, they have a website at www.joulupata.fi.

Earlier today, if you googled for "joulupata", the first search result looked unusual:


Looks dangerous. So let's visit the site with wget and set the HTTP referer to www.google.com so the site believes we arrived via Google.


/tds/in.cgi - this sounds like the Sutra TDS (Traffic Distribution System). This kit is often used to distribute malware and spam via hacked websites. In this case, there was no malware, just a redirect to a website called Replicavips.

If you had visited the site without google.com as the referer, you would have just ended up on the unmodified joulupata.fi front page.
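The same with-and-without-referer comparison can be scripted so a site owner can run it against their own pages. The Python below is an added example, not code from the original post: it assumes the redirect is issued as an HTTP 3xx with a Location header, and the function names and the hosts `charity.example` and `tds.example` are constructed for illustration.

```python
import urllib.error
import urllib.request
from urllib.parse import urlparse

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow; the 3xx surfaces as HTTPError

def http_fetch(url, referer=None, timeout=10):
    """Return (status, Location header) for one GET, redirects not followed."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=timeout) as r:
            return r.status, r.headers.get("Location")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location")

def check_referer_cloaking(url, fetch=http_fetch,
                           referers=("http://www.google.com/",)):
    """Compare a referer-less request with search-engine-referred ones."""
    baseline = fetch(url, None)
    findings = []
    for ref in referers:
        status, location = fetch(url, ref)
        if (status, location) == baseline:
            continue  # same answer either way: no referer-based cloaking seen
        off_site = bool(location) and urlparse(location).hostname not in (
            None, urlparse(url).hostname)
        findings.append({"referer": ref, "baseline": baseline,
                         "status": status, "location": location,
                         "off_site": off_site,
                         # path pattern named in the post as Sutra TDS-like
                         "tds_like": bool(location) and "/tds/in.cgi" in location})
    return findings

def constructed_site(url, referer=None):
    """Constructed stand-in for a compromised site (no network needed)."""
    if referer and "google." in referer:
        return 302, "http://tds.example/tds/in.cgi"
    return 200, None

if __name__ == "__main__":
    for f in check_referer_cloaking("http://charity.example/", constructed_site):
        print(f)
```

Dropping the `fetch` argument makes the check use real HTTP requests; a redirect done in JavaScript or a meta refresh would need a comparison of response bodies instead.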

And what's on Replicavips? It's a site where you can purchase counterfeit watches. Don't go there.


The TDS site has been blacklisted by F-Secure and relevant parties have been notified. Be careful out there.

Thanks to tpaavola for the tip.