funsec mailing list archives

Previous By Date Next
Previous By Thread Next

RE: More info on malware-scan.com ads on newspaper Web sites

From: rms () computerbytesman com
Date: Sun, 11 Nov 2007 09:33:25 -0500 (EST)
Hi Larry,

I packet sniffed the loading of the Boston Herald article and found that
the following Internet advertising/marketing companies are involved
somehow in showing banner ads at the Herald Web site:

    mediaplex.com
    247realmedia.com
    advertising.com
    zwire.com
    google.com

Ad networks have complicated relationships.  I don't know where the bad
guys were able to place their ad originally and how the ad has been traded
around among the various companies listed above.

The bad guys appear to be bouncing around also between some of their own
servers at these domains:

    mysurvey4u.com
    blessedads.com
    prevedmarketing.com
    malware-scan.com

I'm pretty sure that this situation is different than other cases where
the bad guys have added malicious code to the back-end content database of
a Web site.  The Bank of India break-in was a recent example of this other
kind of attack:

    http://www.pcworld.com/article/id,136666-page,1/article.html

Richard




Let me be more general here. I'm writing on this again and if you can give
me references to other examples I'd appreciate it

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
larry.seltzer () ziffdavisenterprise com


-----Original Message-----
From: Larry Seltzer
Sent: Sunday, November 11, 2007 8:00 AM
To: 'rms () computerbytesman com'; 'funsec () linuxbox org'
Subject: RE: [funsec] More info on malware-scan.com ads on newspaper Web
sites

(resending without the "*SPAM*" that I think my spamassassin put into the
subject line.)

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
larry.seltzer () ziffdavisenterprise com


-----Original Message-----
From: Larry Seltzer
Sent: Sunday, November 11, 2007 7:59 AM
To: 'rms () computerbytesman com'; funsec () linuxbox org
Subject: RE: *SPAM* [funsec] More info on malware-scan.com ads on
newspaper Web sites

You mentioned the Herald. There was a malware ad on them? I don't see a
reference

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
larry.seltzer () ziffdavisenterprise com


-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On
Behalf Of rms () computerbytesman com
Sent: Saturday, November 10, 2007 8:44 PM
To: funsec () linuxbox org
Subject: RE: *SPAM* [funsec] More info on malware-scan.com ads on
newspaper Web sites

At the Boston Herald, the Russian malware ad seemed to come from a Flash
ad which was originated from advertising.com, an ad network, and not the
Herald themselves.  I will be checking with advertising.com to see what
they know.

Richard



I'm not sure why the ad networks would need to do anything. You'd
think, OTOH, that publishers like YNet would drop ads that included
the redirects, especially since they're taking the user away from the
publication. At this point I blame Ynet more than the ad network. It's
sort of like the womany who refuses to leave the husband who's beating
her.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
larry.seltzer () ziffdavisenterprise com


-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org]
On Behalf Of rms () computerbytesman com
Sent: Saturday, November 10, 2007 8:09 PM
To: funsec () linuxbox org
Subject: RE: *SPAM* [funsec] More info on malware-scan.com ads on
newspaper Web sites

Yep, looks like the same sleazebags.  Any idea what the ad networks
are doing about this problem?

Richard


I reported on something similar at Ynetnews (see
http://blogs.pcmag.com/securitywatch/2007/11/and_suddenly_some_strang
e
_site.php) about a week ago. I wonder if it's the same ad network.

The Ynet attacks persist. They knew about it probably at least 10
days ago and I saw it again yesterday, this time in Firefox.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
larry.seltzer () ziffdavisenterprise com

---------------------------------------------------------------------
-
----------
From: funsec-bounces () linuxbox org
[mailto:funsec-bounces () linuxbox org]
On Behalf Of rms () computerbytesman com
Sent: Saturday, November 10, 2007 6:38 PM
To: funsec () linuxbox org
Subject: *SPAM* [funsec] More info on malware-scan.com ads on
newspaper Web sites


Holy sh**.

Richard


http://www.azstarnet.com/business/209714

Maliciously coded online ad caused Star's Web site problems

By Jack Gillum

ARIZONA DAILY STAR

Tucson, Arizona | Published: 11.03.2007

advertisement



A maliciously coded online advertisement was responsible for causing
problems for Tucson Newspapers' Web sites this week, the company said
Friday.



The ads, which the company said were purchased with a fraudulent
credit-card number, directed some Web visitors to sites that could
have installed harmful software, or "malware."



The problem was reported Wednesday by the Pima County Department of
Environmental Quality, which advised its employees not to visit the
Arizona Daily Star Web site over computer-safety concerns. When their
employees visited the Star's site, anti-virus software alerted them
of trouble.



The fraudulent ad purchase was discovered Wednesday and the ad was
removed Thursday, said Susan Hardin, director of online for Tucson
Newspapers, which is jointly owned by the Arizona Daily Star and
Tucson Citizen newspapers.



Hardin said the ads in question were bought by a company called
ForceUp, which could not be reached for comment because a phone
number for the company at an Idaho area code was disconnected, and an
e-mail contact form was inaccessible.



Affected users were redirected to a different site and then presented
with fake virus-scanning software that was itself malicious software.



Hardin recommends that users block access to malwarealarm.com,
newbieadguide.com, and malware-scan.com, and delete infected files
from a computer's PC and Windows registry.



Tucson Newspapers previously said that some video advertisements may
have been the problem. But as of Friday, the company narrowed down
the problem to the suspect ads, which Hardin said were up in the
morning hours for the last 10 to 18 days.



"This hasn't happened before, and our people reacted very quickly,"
said Tucson Newspapers President and CEO Mike Jameson. "We'll just
have to be more vigilant in the future about these things."



The ad, Tucson Newspapers said, circulated to other newspaper sites
across the country.



â- Contact reporter Jack Gillum at 573-4178 or at
jgillum () azstarnet com.



_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.



_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.



_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.



_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Previous By Date Next
Previous By Thread Next

Current thread: