EITest Gate at Leads to Angler EK at

I found these GET requests in our customers traffic:



Unfortunately for our analyst we don’t always get packets so we can’t easily locate the referer in every case. Typically the GET request for the compromised site is in the traffic surrounding the event. As you can see from the HTTP requests surrounding the events the user was searching for plastic surgeons in Scottsdale Arizona:


After going through each page I found the compromised site to be:


Here is the injected script:

Here is the HTTP traffic:

TCP stream showing call for the Flash file (redirector):

This is used to redirect visitors to the Angler EK.

According to VirusTotal the .swf file has a current detection ratio of 5/54.

Gate showing JavaScript (window.self.location.replace) loads EK landing page:

HTTP request for the Angler EK landing page:

While this led to the Angler EK I haven’t yet had any success in getting my test environment infected. I will be switching my version of Flash Player for more runs at the EITest gate in the near future.

Leave a Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: