Pinterest is a fast-growing social network with a demographic that is of much interest to advertisers. Unfortunately, they are also of interest to malicious folks spreading malware and building botnets. Last night, my wife stumbled upon something that looked awfully suspicious while she was browsing Pinterest. With a bit of digging, I found an attempt to make the setup less conspicuous with the results redirecting to a similar-looking domain that said “You must install the Pinterest Tool to view this recipe. To continue, install the tool and enjoy more features of our site.”
From my novice investigation, the pins on Pinterest were all submitted within the last 24 hours by a single users. Some of those pinning were then repinned by others. This means those folks either repinned based on the picture alone or they clicked through, installed the “tool”, and are now infected.
This post contains unlinked URLs to suspicious sites and should not be visited manually.
The scheme starts off simple. A Pinterest user posts a good looking picture of a food item. If you hover over the image, you will see the URL it takes you to is a little weird but not that suspicious. In the case of these malware pins, the links went to a variety of blogspot blogs with a food blog sounding subdomain like icanhasrecipe.blogspot.com.
It then builds by passing two parameters, r and u. ‘R’ being a generated code and ‘U’ being the URL to the actual recipe at a site like TasteofHome.com. The url looks like icanhasrecipe.blogspot.com/?r=13498asd987149087&u=http://tasteofhome.com Nothing to conspicuous that a casual user would notice something wrong.
The blogspot sites then use Javascript to check for the parameters being passed in. If they exist, they redirect to the Pinterest typo domain site: pintrerets.com. If the r parameter does not exist in the URL, the browser loads the actual Blogger page – usually with one junk post of some keyboard mashing.
Once you are at the pintrerets site, it will determine your browser. If you are using Firefox, it will display the “Install the Pinterest Tool” site otherwise it will redirect to the actual Pinterest.com as seen when visiting the site with both IE and Chrome.
If you click to install the tool, it will try to load an add-on for Firefox coming from a cdn1dload.com domain.
Grabbing the 2KB .xpi addon file from another browser and examining it as I learned with updating Firefox addons, I was able to see that the addon monitors when you load a page and inserts information into the header. It also builds a random domain and runs a function with botnet in the name. The extension pulls more files from the cdn1dload.com site like /firefox/js.php.
This was not the first time that site has been analyzed with previous reports indicating a variety of browser exploits found on the site. The site was analyzed back in early May. The blogspot blogs were created in April. Most of the spreading Pinterest user’s activity was done in the past 24 hours. It seems like this scam has been long building and still going. It would be nice to take a more proactive attempt to stopping these things from spreading. I have reported the malware to Google and Pinterest. Hopefully they will be interested in removing this malicious activity from the growing Pinterest community.
With Pinterest’s high click-through rate, it is likely to continue being a target in the future for delivering malware and misleading users. Your browser’s status bar may continue to be your best tool to prevent visiting a suspicious site.