GraphJam Vulnerable to Some Kinda Injection (NOT)

A friend of mine’s daughter was surfing around this evening when her computer popped up a warning, saying it had a virus on it! A very authentic-looking Windows Security Alert popped up, telling her that her system was infected with malware. She was promptly presented with what appeared to be a standard Windows Explorer screen, which showed a hard drive being scanned for viruses, like this:
Alleged Virus Infection Screenshot
The astute observer will see that I was, for purposes of documenting this malware, visiting the site using Mozilla Firefox on my Ubuntu Linux system, as opposed to Windows. This let me get a closer look at the beast without endangering my system. I also attempted to look at it in Opera for Mac OS X, but the page refused to load. Once the alleged “scan” was completed, I was presented with the following screen:
What was nice about this was I could drag the alert window (seen above with the blue title bar) around and realize that it was really just some fancy JavaScript on the web page. Moments after it popped up, a download dialog was presented, telling me to download a Windows executable file which, I’m sure, would have really hosed the system, had I downloaded and installed it.
While I’m sure the folks at GraphJam are not intentionally behind this, it would appear that their site has been compromised, possibly with a scripting attack or SQL injection, and made to host malware, or possibly something is slipping in through an ad network they subscribe to. I did try to contact them, and sent an email to the domain’s technical contact.
Fortunately, the twelve-year-old girl who found it had the sense to stop what she was doing and call for help before any harm was done.
UPDATE: I received this response from GraphJam:

Hi Peter,
Thanks for the details. We traced the problem with a rogue advertiser being served through another advertising network. It’s not a SQL injection or any kind of code hack aside from an advertiser. Our site code has not been compromised.
Also, we found the offending ad network and have stopped using them.
Sorry about the scare and that’s one smart 12-year-old. 🙂

UPDATE: She’s actually 11.

Leave a Reply