Forever searching for new ways to accost naive shoppers, fake and/or illegal on-line pharmacy sites have lately taken to forcing their ads on unsuspecting forum visitors.
Lenny Zeltser, malware analyst at SANS Institute, had his attention drawn to one of them by a reader who thought that the discussion thread in question (on social.technet.microsoft.com) had been defaced:
It might have seemed that way, but the advertisement had actually eclipsed the content of the forum completely – it was still there, but hidden from view.
How was that possible? It seems that the HTML code responsible for inserting the ad was actually posted into the discussion thread. Let’s have a look at it:
The markup creates a white DIV region positioned at the top of the page, tall and wide enough to cover all of the content beneath it.
Why the forum software did not filter out the HTML tags when the post was submitted is unclear, but it is probably an input-scrubbing bug.
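The scrubbing step that was missing here is an allowlist-based sanitizer run on every post before it is stored. The example below is added here and is not the forum's code or anything from the original article; the sample post is constructed to have the same shape as the overlay described above (a white, absolutely positioned DIV wrapping an ad), and the tag and attribute allowlists are assumptions a forum operator would tune to their own needs.

```python
from html.parser import HTMLParser
from html import escape

# Tags a post may keep; div, span, style, script etc. are dropped so a post
# cannot build page-covering overlays or run code. Assumed allowlist.
ALLOWED_TAGS = {"b", "i", "em", "strong", "code", "pre", "p", "br", "a"}
# Attributes kept per tag; style/class/on* handlers are never kept.
ALLOWED_ATTRS = {"a": {"href"}}


class PostSanitizer(HTMLParser):
    """Rebuilds a post from allowlisted tags only; all text is HTML-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []  # removed tags, worth logging to spot abuse attempts

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and value is not None:
                # Only plain web links; rejects javascript: and data: URLs.
                if name == "href" and not value.lower().startswith(("http://", "https://")):
                    continue
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))


def sanitize_post(raw_html):
    """Return (clean_html, dropped_tags) for a submitted forum post."""
    parser = PostSanitizer()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample: overlay DIV with an ad, then the legitimate post text.
SAMPLE_POST = ('<div style="position:absolute;top:0;left:0;width:100%;height:3000px;'
               'background:#fff"><a href="http://example.invalid/rx">Cheap pills</a></div>'
               '<b>Real question:</b> how do I <script>alert(1)</script>fix this?')

if __name__ == "__main__":
    clean, dropped = sanitize_post(SAMPLE_POST)
    print(clean)
    print("dropped tags:", dropped)
```

The overlay and script tags are gone while the poster's bold text survives; a non-empty `dropped` list on a submission is a useful signal to log or rate-limit.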