If my Ukrainian "fan club" can exploit weaknesses in the online ad publishing model for scareware serving purposes, anyone else could.
Yesterday, NYTimes.com posted a note to readers, confirming that a malvertising campaign had somehow made it onto their web site, resulting in the automatic exposure of users to scareware:
"Some nytimes.com readers have reported seeing a pop-up box warning them about a virus and directing them to a site that claims to offer antivirus software. We believe this was generated by an unauthorized advertisement and are working to prevent the problem from recurring. If you see such a warning, we suggest that you not click on it. Instead, quit and restart your Web browser."
Who's behind this malvertising campaign? Let the data speak for itself.
According to a published assessment of the campaign, the redirector and scareware domains involved in the malvertising incident are also circulating in blackhat SEO campaigns courtesy of the Ukrainian gang (the post is updated daily with the very latest redirector and scareware domains pushed by the gang).
In the NYTimes.com malvertising attacks, that's sex-and-the-city .cn (parked at 94.102.48.29, where the rest of their redirectors are) acting as the redirector leading to the protection-check07 .com scareware, parked on the very same IPs (91.212.107.5; 94.102.51.26; 88.198.107.25) as the rest of the new scareware domains, which are systematically updated once or twice in a 24-hour period, again courtesy of the "fan club".
The last sample in circulation phones back to windowsprotection-suite .net - Email: gertrudeedickens@text2re.com; to mysecurityguru .cn - 64.86.16.170 - Email: andrew.fbecket@gmail.com (who also maintains secure-pro .cn); and to securemysystem .net - Email: gertrudeedickens@text2re.com.
The NYTimes.com malvertisement assessment also highlights tradenton .com - 212.117.166.69 - Email: shawn@tradenton.com as the domain used in the ad rotation. Interestingly, related malvertising domains managed by the same gang, which have already been reported in earlier malvertising attacks, are also parked on the same IP:
relunas .com - Email: admin@relunas.com
kennedales .com - Email: admin@kennedales.com
harlingens .com - Email: admin@harlingens.com
newadsresults .com - Email: ritaj@gmail.com
waveadvert .com - Email: lindahg@yahoo.com
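The attribution above rests on a simple pivot: domains that share a hosting IP or a registrant e-mail get grouped into the same cluster, and the clusters are then tied back to the gang. As an added illustration that is not part of the original post, the script below runs that pivot over the indicators listed in it (kept defanged exactly as written, with the five ad-rotation domains assigned 212.117.166.69 because the post says they sit on the same IP as tradenton .com); the "role" labels are my own shorthand, and domains whose IP or e-mail the post does not give are left empty rather than guessed.

```python
"""Cluster defanged domain indicators by shared hosting IP and registrant
e-mail, the infrastructure pivot used to attribute the malvertisement."""
from collections import defaultdict

# Indicators as the post lists them (defanged: space before the TLD).
# Fields the post does not state are left empty, not invented.
INDICATORS = [
    {"domain": "sex-and-the-city .cn", "ips": ["94.102.48.29"], "emails": [], "role": "redirector"},
    {"domain": "protection-check07 .com",
     "ips": ["91.212.107.5", "94.102.51.26", "88.198.107.25"], "emails": [], "role": "scareware"},
    {"domain": "windowsprotection-suite .net", "ips": [],
     "emails": ["gertrudeedickens@text2re.com"], "role": "phone-home"},
    {"domain": "mysecurityguru .cn", "ips": ["64.86.16.170"],
     "emails": ["andrew.fbecket@gmail.com"], "role": "phone-home"},
    {"domain": "secure-pro .cn", "ips": [], "emails": ["andrew.fbecket@gmail.com"], "role": "phone-home"},
    {"domain": "securemysystem .net", "ips": [],
     "emails": ["gertrudeedickens@text2re.com"], "role": "phone-home"},
    {"domain": "tradenton .com", "ips": ["212.117.166.69"], "emails": ["shawn@tradenton.com"], "role": "ad rotation"},
    # The post states these five are parked on the same IP as tradenton .com.
    {"domain": "relunas .com", "ips": ["212.117.166.69"], "emails": ["admin@relunas.com"], "role": "malvertising"},
    {"domain": "kennedales .com", "ips": ["212.117.166.69"], "emails": ["admin@kennedales.com"], "role": "malvertising"},
    {"domain": "harlingens .com", "ips": ["212.117.166.69"], "emails": ["admin@harlingens.com"], "role": "malvertising"},
    {"domain": "newadsresults .com", "ips": ["212.117.166.69"], "emails": ["ritaj@gmail.com"], "role": "malvertising"},
    {"domain": "waveadvert .com", "ips": ["212.117.166.69"], "emails": ["lindahg@yahoo.com"], "role": "malvertising"},
]


class DisjointSet:
    """Union-find over domain names; each root identifies one cluster."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_shared_infrastructure(records):
    """Return (clusters, pivots).

    clusters: list of sorted domain lists, largest first; two domains land in
    the same list when a chain of shared IPs or e-mails connects them.
    pivots: {("ip"|"email", value): [domains]} for every value shared by
    more than one domain, i.e. the evidence behind each link.
    """
    ds = DisjointSet()
    by_pivot = defaultdict(set)
    for rec in records:
        ds.find(rec["domain"])  # register singletons too
        for ip in rec["ips"]:
            by_pivot[("ip", ip)].add(rec["domain"])
        for email in rec["emails"]:
            by_pivot[("email", email.lower())].add(rec["domain"])
    for domains in by_pivot.values():
        first, *rest = sorted(domains)
        for d in rest:
            ds.union(first, d)
    groups = defaultdict(set)
    for rec in records:
        groups[ds.find(rec["domain"])].add(rec["domain"])
    clusters = sorted((sorted(g) for g in groups.values()), key=lambda c: (-len(c), c[0]))
    pivots = {k: sorted(v) for k, v in by_pivot.items() if len(v) > 1}
    return clusters, pivots


def cluster_of(domain, records=INDICATORS):
    """Return the cluster containing `domain`, or None if it is not a record."""
    clusters, _ = cluster_by_shared_infrastructure(records)
    for c in clusters:
        if domain in c:
            return c
    return None


if __name__ == "__main__":
    clusters, pivots = cluster_by_shared_infrastructure(INDICATORS)
    for c in clusters:
        print(len(c), "domain(s):", ", ".join(c))
    for (kind, value), domains in sorted(pivots.items()):
        print(f"shared {kind} {value} links {len(domains)} domains")
```

Note that the redirector and the scareware domain come out as singletons: nothing on this page links them to each other by IP or e-mail, so the tie to the gang rests on the separately published assessment the post cites, not on this data alone. That is the caveat to keep in mind whenever a cluster is built from a handful of indicators.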
As always, what would originally seem to be an isolated incident orchestrated by a yet-to-be-analyzed cybercrime gang is in fact a great example of underground multitasking in action, through the convergence of different attack tactics courtesy of a single cybercrime enterprise.
Related malvertising posts:
Malicious Advertising (Malvertising) Increasing
MSN Norway serving Flash exploits through malvertising
Fake Antivirus XP pops-up at Cleveland.com
Scareware pops-up at FoxNews
This post has been reproduced from Dancho Danchev's blog.
Monday, September 14, 2009
Ukrainian "Fan Club" Features Malvertisement at NYTimes.com