Errata: In the original blog, credit was accidently given to the incorrect person for providing us with the info that Exfol was using this exploit. Correct credit goes to Dan Hubbard/WebSense. And thanks, Gadi Evron.
Exfol/WebExt is a piece of adware that is often offered through popup ads at various sites. This means they buy advertising through an advertising network (a “third party ad network”) which then places Exfol’s ads on various websites.
We originally saw mention of Exfol hoisting off this exploit on a private expert spyware discussion list, and knowing Exfol’s behaviour (we had been researching them earlier), we went to a site where we knew their popup ads were often placed. Well, there was an Exfol pop spawning exploit.
Ok, here is why this is bad. You don’t have to go to a crack site or a porn site. You go to any site that is using rotational popups from a third party ad network that is spawning Exfol popups, you get exploited.
I have a video taken by Sunbelt Researcher Patrick Jordan to show the point here.. The exploit is not coming off of Wallpapers4u(dot)com. It’s coming from a popup generated by a third party ad network.
As an aside, we also were provided a link to a place where you can see how well Exfol is doing. Busines looks good (note that this is not installs only using the WMF exploit, they are just general Exfol download stats):
1/4 Update: The Wallpapers4u(dot)com site no longer appears to have this popup. But it does try to push you to install adware… Exfol has also disappeared…