Coolwebsearch (“The Search Engine you Trust”) posted on their website a list of affiliates that have been terminated. One of them was infoglobus.com.

Coolwebsearch (aka CWS) has been fairly vehement on clearing its name, so this is of interest.

A few days ago, Senior Spyware Researcher Patrick Jordan ran across some stuff which I’m posting today as a “Seen in the Wild”.

It starts with a known CWS infester using files from another site that will hijack users to win-eto.com. The known CWS infester has links that will open to coolwebsearch.com, but it is the path it passes through before it opens Coolwebsearch.com that is unusual.

1_2342a

The above links show the following transmissions before opening to Coolwebsearch.com.

2_234234

Notice the second entry: infoglobus.info.

3_234adfasdf

Notice the URL: 195.225.177.28 has always been one of the IP ranges to open to Coolwebsearch.com. But the last transmission to get to Coolwebsearch.com is infoglobus.info, which uses a Coolwebsearch template that matches the one above.

4_32452987

Now in the hijacking page at Coolwebsearch.com we can see the entry where infoglobus.info is on the list.

5_2342fad

6_sdfasdfads

Now, infoglobus.com is listed on their website. However, infoglobus doesn’t seem to care. They just use infloglobus.info to get around the whole thing, while using a CWS template.

Tut tut tut.

Alex Eckelberry