Monday, September 14, 2009

Ukrainian "Fan Club" Features Malvertisement at

If my Ukrainian "fan club" can exploit weaknesses in the online ad publishing model for scareware serving purposes, anyone else could.

Yesterday, the posted a note to readers, confirming that a malvertisement campaign somehow made on their web site, resulting in the automatic exposure of users to scareware:

"Some readers have reported seeing a pop-up box warning them about a virus and directing them to a site that claims to offer antivirus software. We believe this was generated by an unauthorized advertisement and are working to prevent the problem from recurring. If you see such a warning, we suggest that you not click on it. Instead, quit and restart your Web browser."

Who's behind this malvertising campaign? Let the data speak for itself.

According to a published assessment of the campaign, the redirector and scareware domains involved in the malvertising incident are also in circulating in blackhat SEO campaigns courtesy of the Ukrainian gang (the post is updated daily with the very latest redirector and scareware domains pushed by the gang).

In the malvertising attacks, that's sex-and-the-city .cn (parked at where the rest of their redirectors are) acting as redirector leading to the protection-check07 .com scareware, parked on the very same IPs (;; like the rest of the new scareware domains systematically updated once or twice during a 24 hours period, again courtesy of the "fan club".

The last sample in circulation, phones back to windowsprotection-suite .net - Email:; mysecurityguru .cn - - Email: also maintains secure-pro .cn; and to securemysystem .net - Email:

The malvertisement assessment also highlights tradenton .com - - Email: as the domain used in the ad rotation. Interestingly, related malvertisement domains managed by the same gang, have already been reported in related malvertising attacks, are also parked on the same IP:
relunas .com - Email:
kennedales .com - Email:
harlingens .com - Email:
newadsresults .com - Email:
waveadvert .com - Email:

As always, what would originally seem as an isolated incident orchestrated by yet to be analyzed cybecrime gang, is in fact a great example of underground multitasking in action through the convergence of different attack tactics, courtesy of a single cybercrime enterprise.

Related malvertising posts:
Malicious Advertising (Malvertising) Increasing
MSN Norway serving Flash exploits through malvertising
Fake Antivirus XP pops-up at
Scareware pops-up at FoxNews

This post has been reproduced from Dancho Danchev's blog.