Daily Mail Serves Malicious Ads, Readers Redirected To Malware Installing Server
According to SophosLabs, the Daily Mail website is being used to serve up malware. A strain of the Mario family of worms was being served by a redirection script injected into the Daily Mail website.
Code injected into the website is being used to serve up content from a malware-harbouring website located in Russia. This site uses vulnerabilities in browser software to download malicious code onto unpatched Windows PCs, a classic drive-by-download attack.
Analysis of the attack is ongoing and it’s not clear what other sites might be affected.
Sophos' investigation revealed suspicious behaviour: Internet Explorer was first started on its default homepage and then pointed at the affected page. After half a dozen refreshes it attempted to connect to http://77.221.133.xxx, an IP address known for hosting malware in the past. Further investigation showed that the site anm.co.uk was hosting both the malicious code and legitimate adverts.
A WHOIS lookup on this IP shows it is hosted in Russia. Recently, Sophos has seen IPs in this network range associated with W32/MarioF-Gen.
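The behaviour Sophos describes (a legitimate page pulling an ad script from a third party, which in turn sends the browser to a known-bad address) is exactly what a web proxy log records. The following added example, which is not code from the post or from Sophos, flags outbound requests to a blocklisted network and walks the Referer headers backwards to reconstruct which page started the chain. The log format, the client addresses, the ad-script path and the final-octet 200 are all constructed for the example; because the post redacts the last octet, the whole 77.221.133.0/24 range is treated as suspect here, which is an assumption.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample proxy log (not real traffic).
# Fields: timestamp client method url referer ("-" when absent)
SAMPLE_LOG = """\
2008-12-10T09:14:02Z 10.0.0.15 GET http://www.dailymail.co.uk/ -
2008-12-10T09:14:03Z 10.0.0.15 GET http://anm.co.uk/ads/banner.js http://www.dailymail.co.uk/
2008-12-10T09:14:04Z 10.0.0.15 GET http://77.221.133.200/in.php?id=1 http://anm.co.uk/ads/banner.js
2008-12-10T09:15:11Z 10.0.0.22 GET http://example.org/news http://www.dailymail.co.uk/
"""

# Assumed blocklist: the post only gives 77.221.133.xxx, so the /24 is used here.
BAD_NETWORKS = [ipaddress.ip_network("77.221.133.0/24")]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_log_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, referer = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "referer": None if referer == "-" else referer}


def host_of(url):
    """Hostname part of a URL, lowercased and without the port."""
    return urlsplit(url).hostname


def is_blocklisted(host, networks):
    """True only for IP-literal hosts that fall inside one of the blocklisted networks."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name, not an IP literal
    return any(addr in net for net in networks)


def referer_chain(entry, entries):
    """Walk Referer headers back through the same client's requests to the page that started it."""
    by_url = {(e["client"], e["url"]): e for e in entries}
    chain = [entry["url"]]
    current = entry
    while current is not None and current["referer"] and current["referer"] not in chain:
        ref = current["referer"]
        chain.append(ref)
        current = by_url.get((entry["client"], ref))  # None if the referer was never logged
    return list(reversed(chain))


def find_drive_by_candidates(log_text, networks):
    """Requests whose destination is blocklisted, each with its reconstructed referer chain."""
    entries = [e for e in (parse_log_line(l) for l in log_text.splitlines()) if e]
    hits = []
    for e in entries:
        host = host_of(e["url"])
        if host and is_blocklisted(host, networks):
            hits.append({"client": e["client"], "url": e["url"],
                         "chain": referer_chain(e, entries)})
    return hits


if __name__ == "__main__":
    for hit in find_drive_by_candidates(SAMPLE_LOG, BAD_NETWORKS):
        print(hit["client"], " -> ".join(hit["chain"]))
```

On the sample log the only hit is client 10.0.0.15, and the reconstructed chain runs from the publisher's page through the ad host to the blocklisted address, which is the evidence a responder needs to tell the publisher which third-party include to pull. Hosts given by DNS name are deliberately not matched against the IP blocklist; resolving them at analysis time would not reflect what the client resolved when the request was made.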
The Daily Mail has been informed of the attack, but it is unclear how far Associated Newspapers technicians have gone in blocking it.
UPDATE (December 11): The infected ads were served from the servers of the publisher of the Mail, not from the actual ad-serving network. In some cases malware is served through hijacked ad network accounts, and during the initial investigation the origin of the malware was unclear.