If my Ukrainian "fan club" can exploit weaknesses in the online ad publishing model for scareware serving purposes, anyone else could.
Yesterday, the NYTimes.com posted a note to readers, confirming that a malvertisement campaign somehow made on their web site, resulting in the automatic exposure of users to scareware:
"Some nytimes.com readers have reported seeing a pop-up box warning them about a virus and directing them to a site that claims to offer antivirus software. We believe this was generated by an unauthorized advertisement and are working to prevent the problem from recurring. If you see such a warning, we suggest that you not click on it. Instead, quit and restart your Web browser."
Who's behind this malvertising campaign? Let the data speak for itself.
According to a published assessment of the campaign, the redirector and scareware domains involved in the malvertising incident are also in circulating in blackhat SEO campaigns courtesy of the Ukrainian gang (the post is updated daily with the very latest redirector and scareware domains pushed by the gang).
In the NYTimes.com malvertising attacks, that's sex-and-the-city .cn (parked at 94.102.48.29 where the rest of their redirectors are) acting as redirector leading to the protection-check07 .com scareware, parked on the very same IPs (91.212.107.5; 94.102.51.26; 88.198.107.25) like the rest of the new scareware domains systematically updated once or twice during a 24 hours period, again courtesy of the "fan club".
The last sample in circulation, phones back to windowsprotection-suite .net - Email: gertrudeedickens@text2re.com; mysecurityguru .cn - 64.86.16.170 - Email: andrew.fbecket@gmail.com also maintains secure-pro .cn; and to securemysystem .net - Email: gertrudeedickens@text2re.com
The NYTimes.com malvertisement assessment also highlights tradenton .com - 212.117.166.69 - Email: shawn@tradenton.com as the domain used in the ad rotation. Interestingly, related malvertisement domains managed by the same gang, have already been reported in related malvertising attacks, are also parked on the same IP:
relunas .com - Email: admin@relunas.com
kennedales .com - Email: admin@kennedales.com
harlingens .com - Email: admin@harlingens.com
newadsresults .com - Email: ritaj@gmail.com
waveadvert .com - Email: lindahg@yahoo.com
As always, what would originally seem as an isolated incident orchestrated by yet to be analyzed cybecrime gang, is in fact a great example of underground multitasking in action through the convergence of different attack tactics, courtesy of a single cybercrime enterprise.
Related malvertising posts:
Malicious Advertising (Malvertising) Increasing
MSN Norway serving Flash exploits through malvertising
Fake Antivirus XP pops-up at Cleveland.com
Scareware pops-up at FoxNews
This post has been reproduced from Dancho Danchev's blog.
No comments:
Post a Comment