0ww - the hijackers directory?

I went through my referrers today, and came across the domain 0ww (the rest is left out to keep you from clicking on it by accident... if you really want to see for yourself, just add .com. You HAVE been warned - it is a hijacking site!)

I went to the site for you. And it looked like a directory. Then out of the blue, a Java security warning popped in my face. As I am using tabbed browsing, at first I was compelled to just hit OK - it just might have been on some of the other sites I was visiting. Then I took my own medicine. I examined the warning. You can do the same in the picture attached.

A hijacking website tries to run a java applet

It does look good. It even shows information about Thawte, a well recognized CA. It did look good. But - I had a strange feeling, and looking at my tabs, I understood the only likely host for this applet could be 0ww. So I did a google, and found what I was looking for - Hipoint Ltd is a name used by hijackers. This is not the first certificate they have forged.

The danger in this particular warning is that all the things I would check for looked ok. Had I not been aware, I would most likely just hit OK, and I know most users would do the same.

How can we help our users to avoid such trouble? Is there a mental fix available, or do we have to trust technology?

Attachment: hijacker_java.PNG (13.45 KB)

Hi Ken, thank you for sharing your experience! I think Thawte is aware of this - but I always suggest reporting such issues to the police. And reporting these things to Thawte is also worth it. They used to have a Report Abuse email - it is most likely still around. They may not be able to do much at this point, but unless we let them know the extent of these episodes, they may never get the resources necessary to investigate. Thus, report it!

One of our clients has become victim to 2 website hijackings that embedded an ieframe to redirect to one of those sites (a HIPOINT signed spyware infection along with it). We believe they got in with javascript injection, so we're sanitizing our input currently... Anyway, point being, you can get this warning from even reputable sites who're just careless with their form input (like us before today). I'd say ALWAYS be wary of those certificates. Valid or not, and regardless of whether you're at a reputable site. If you don't know what the installer is for, DO NOT run it. Period. Mr. Roer: I'm curious if we can report these forged certificates to Thawte. Please contact me if you know how that can be done. I still have the links that the hijacker was embedding too... in case you're curious enough to install the spyware on a virtual machine (as I'm doing now) to help fully understand the inner-workings and hopefully a means to removing it.
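The comment above describes the defender's two jobs: find the iframe an attacker planted in stored page content, and escape form input so markup submitted by a visitor is rendered as text instead of being parsed as a tag. The following is an added example (not code from the original post or from the commenter's site) that does both with the Python standard library. The site hostname, the `hijacker.invalid` addresses and the guestbook page are constructed sample data; the assumption that the site ships no applets of its own is also mine.

```python
"""Scan stored HTML for injected active content, and show the escaping that prevents it.

Added example; hostnames and the sample guestbook page below are constructed.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that can pull executable content from another origin (the comment above
# describes an injected iframe that led to a signed spyware installer).
ACTIVE_CONTENT_TAGS = {"iframe", "frame", "script", "object", "embed", "applet"}


class InjectedContentScanner(HTMLParser):
    """Walk stored HTML and record active-content tags that point off-site or are hidden."""

    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []  # list of (tag, source, reasons)

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE_CONTENT_TAGS:
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        # Each tag names its remote resource in a different attribute.
        source = a.get("src") or a.get("data") or a.get("codebase") or a.get("archive") or ""
        reasons = []
        host = urlparse(source).hostname
        # A relative reference (no host) is same-origin; any other host must be one of ours.
        if host and host.lower() not in self.own_hosts:
            reasons.append("external host %s" % host)
        if tag == "applet":
            reasons.append("applet tag present")  # assumption: the site itself ships no applets
        style = a.get("style", "").replace(" ", "").lower()
        if a.get("width") == "0" or a.get("height") == "0" or "display:none" in style:
            reasons.append("hidden frame")
        if reasons:
            self.findings.append((tag, source, reasons))


def scan_stored_html(markup, own_hosts):
    """Return the suspicious (tag, source, reasons) triples found in one stored page."""
    scanner = InjectedContentScanner(own_hosts)
    scanner.feed(markup)
    scanner.close()
    return scanner.findings


def escape_user_input(text):
    """Escape user-supplied text so the browser displays it rather than parsing it as markup."""
    return html.escape(text, quote=True)


# Constructed sample: a guestbook page after an attacker submitted markup through an unescaped form.
INJECTED_GUESTBOOK = """<html><body>
<h1>Guestbook</h1>
<p>Nice site!</p>
<iframe src="http://hijacker.invalid/loader.html" width="0" height="0"></iframe>
<script src="/js/app.js"></script>
<script src="https://hijacker.invalid/p.js"></script>
</body></html>"""

if __name__ == "__main__":
    for tag, src, why in scan_stored_html(INJECTED_GUESTBOOK, ["www.example-client.invalid"]):
        print("%-7s %-40s %s" % (tag, src, "; ".join(why)))
    # The same payload, escaped before storage, is plain text to the parser and yields no findings.
    payload = '<iframe src="http://hijacker.invalid/loader.html" width="0" height="0"></iframe>'
    print("findings after escaping:", scan_stored_html(escape_user_input(payload), []))
```

Run over the sample page, the scanner reports the zero-sized off-site iframe and the off-site script while leaving the site's own relative `/js/app.js` alone; running it over a nightly dump of stored user content is one way to notice the kind of injection the commenter found only after the warning appeared. The escaping function is the stored-input fix: once `<` and `"` are encoded, the browser shows the attacker's text and loads nothing from it.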
