14 DAY TRIAL // Security researchers warn that various domains in the .gov space had their DNS hijacked and are hosting pages that redirect users to adult websites. The hijacking seems to be part of a scheme to push FLVDirect adware.
Apparently, FLVDirect affiliates are abusing several government domains, including, but not limited to yanceycountync.gov, uppersiouxcommunity-nsn.gov, woodfin-nc.gov, dumontnj.gov and emporia-kansas.gov to trick users into downloading and installing adware on their computers. The attackers have managed to create sub-domains of the form tubes-####.* (where # is a single digit) on all of the affected domains.
“It looks like their DNS has been hijacked and those sub domains point to servers that are not under their control,” researchers from Sunbelt Software, who analyzed the attack, write. Pages hosted on the rogue sub-domains are riddled with keywords and being used in a black hat search engine optimization (BHSEO) campaign to poison search results for queries related to adult content. Such techniques are commonly employed by cyber crooks to infect unsupecting users looking for information on current events with scareware.
Visiting any of the pages hosted on the rogue sub domains redirects users to either a FLVDirect affiliate site promising hundreds of hours of adult videos for free or an adult dating community. FLVDirect is well known piece of adware – an application designed to display unsolicited ads once installed on a computer.
“Adware:Win32/FlvDirect is the detection for a file that installs the program 'FlvDirect Media Player'. This program is usually bundled with another adware program detected as Adware:Win32/LoudMo. These installers contain an ID, which can be monitored; the more installers are deployed, the more an affiliate company is paid for deploying the installer,” Microsoft explains.
All the sub-domains appear to be hosted on a server responding to 66.49.238.80. This IP address belongs to a company called Canaca-com Inc, which sells Web hosting and VPS hosting services.
You can follow the editor on Twitter @lconstantin