Coolwebsearch (“The Search Engine you Trust”) posted on their website a list of affiliates that have been terminated. One of them was infoglobus.com.
Coolwebsearch (aka CWS) has been fairly vehement on clearing its name, so this is of interest.
A few days ago, Senior Spyware Researcher Patrick Jordan ran across some stuff which I’m posting today as a “Seen in the Wild”.
It starts with a known CWS infester using files from another site that will hijack users to win-eto.com. The known CWS infester has links that will open to coolwebsearch.com, but it is the path it passes through before it opens Coolwebsearch.com that is unusual.
The above links show the following transmissions before opening to Coolwebsearch.com.
Notice the second entry: infoglobus.info.
Notice the URL: 220.127.116.11 has always been one of the IP ranges to open to Coolwebsearch.com. But the last transmission to get to Coolwebsearch.com is infoglobus.info, which uses a Coolwebsearch template that matches the one above.
Now in the hijacking page at Coolwebsearch.com we can see the entry where infoglobus.info is on the list.
Now, infoglobus.com is listed on their website. However, infoglobus doesn’t seem to care. They just use infloglobus.info to get around the whole thing, while using a CWS template.
Tut tut tut.