Re: Industry Site delivering malware targeting students

[Morrow Long <morrow.long () YALE EDU>]

Bob and Barbara --

The top level page on the site isn't necessarily malicious (unless you
click on the link which will take you away to a different site).

The top page just sends out one line of non-conforming HTML with an
link linked to the text "Carter" .

See below (the URLs have been defanged).

I don't know about any of the other pages on the site though as Google
appears to have marked the entire site as potentially harmful
(if you 'google' "link:going2college.org" all of the pages on the site
are marked by Google as "This site may harm your computer.").

Morrow

$ curl going2college.org
Hello, welcome to <a href="hxxp://www3.mapping-your-
future.org">Carter</a>!
$


$ telnet going2college.org 80
Trying 66.179.80.168...
Connected to going2college.org.
Escape character is '^]'.
GET / HTTP/1.1
Host: going2college.org

HTTP/1.1 200 OK
Connection: close
Date: Wed, 12 Aug 2009 00:49:45 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

Hello, welcome to <a href="hxxp://www3.mapping-your-
future.org">Carter</a>!
Connection closed by foreign host.
$



$ telnet going2college.org 80
Trying 66.179.80.168...
Connected to going2college.org.
Escape character is '^]'.
GET / HTTP/1.1
Host: going2college.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2a)
Gecko/20020910
Referer: http://www.google.com/

HTTP/1.1 200 OK
Connection: close
Date: Wed, 12 Aug 2009 00:54:10 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

Hello, welcome to <a href="hxxp://www3.mapping-your-
future.org">Carter</a>!
Connection closed by foreign host.
$




On Aug 11, 2009, at 7:12 PM, Bob Bayn wrote:

> I hope this security list is well read.  A google search for
> "going2college.org site:.edu" has lots of hits of higher ed pages
> recommending this service.
>
> Bob Bayn        (435)797-2396      Security Team coordinator
> Power off your desktop after hours to thwart network probes.
> Office of Information Technology   at  Utah State University
> ________________________________________
> From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU
> ] On Behalf Of McCrary, Barbara [bmccrary () OGSLP ORG]
> Sent: Tuesday, August 11, 2009 4:34 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Industry Site delivering malware targeting
> students
>
> FYI,
>
> The site going2college.org IS AN ACTIVE ATTACK SITE. DO NOT GO HERE.
> Users have been trying to go to going2college.com but using .org
> instead.  (.com vs. .org)  The .com site is OK the .org site IS AN
> ACTIVE ATTACK SITE, DO NOT GO THERE.
>
> Barbara McCrary
> Chief Information Security Officer
> MCSE, MCSE:Security, +Messaging, CompTia:Security+
>
> bmccrary () ogslp org<mailto:bmccrary () ogslp org>
>
> Oklahoma State Regents for Higher Education
> 421 NW 13th, Ste 250
> Oklahoma City, OK  73103
> 405 234.4316 office
> 405 234.4321 cell
> 405 234.4588 fax
>
> Note:  This communication and attachments, if any, are intended
> solely for the use of the addressee hereof.  In addition, this
> information and attachments, if any, may contain information that is
> confidential, privileged and exempt from disclosure under applicable
> law, including, but not limited to, the Privacy Act of 1974.  If you
> are not the intended recipient of this information, you are
> prohibited from reading, disclosing, reproducing, distributing,
> disseminating, or otherwise using this information.  If you have
> received this message in error, please promptly notify the sender
> and immediately, delete this communication from your system.