CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
December 11th, 2010

Scareware Malvertizements Approved By Google And Microsoft Ad Systems, Served On msnbc.com, mail.live.com

Malware distributors have managed to trick two large ad networks into delivering malvertizements that silently infected the visitors of large websites with fake scareware programs.

The attacks started on December 3 and were picked up by a cloud-based malware scanning service called HackAlert and operated by Santa Clara-based security vendor Armorize Technologies.

HackAlert is used by VeriSign Trust Services, now a division of Symantec, for its daily VeriSign Trust Seal malware scans. So when several high profile websites started being tagged as infected, Armorize was asked to check its platform for possible bugs. However, their investigation revealed that sites like realestate.msn.com, msnbc.com, scout.com or mail.live.com, were indeed inadvertently infecting their visitors with malware.

It appears that cyber criminals registered a domain called adshufffle.com (three “f”-s) and posed as a legit advertising company named AdShuffle. They somehow managed to get their domain accepted on both the Google-owned DoubleClick network and rad.msn.com, the server used by Microsoft to deliver ads of various sites, including Hotmail and MSN.

The rogue ads served from this domain were not regular scareware malvertizements (malicious advertisements) that falsely claim visitors are infected and offer them a program to fix it. They looked harmless, but loaded the Eleonore drive-by download toolkit in the background. This toolkit silently exploits vulnerabilities in outdated versions of popular applications like Java, Adobe Reader, Internet Explorer and even Windows.

“Users visit websites that incorporate banner ads from DoubleClick or rad.msn.com, the malicious javascript is served from ADShufffle.com (notice the three f’s), starts a drive-by download process and if successful, HDD Plus and other malware are installed into the victim’s machine, without having the need to trick the victim into doing anything or clicking on anything. Simply visiting the page infects the visitors,” notes Wayne Huang, chief technology officer at Armorize and member of the team who researched the attack.

HDD Plus is one of the recent pieces of scareware that pose as hard disk defragmentation utilities. The other malware downloaded by the malvertizements was a trojan downloader.

Credit: Softpedia.com News

Share this item with others:

More on CyberInsecure:
  • OpenX.org Used As An Intermediary For Malware, Possibly Spreading Exploits And Trojans
  • Tucows Falls Victim To OpenX-Based Malvertizing Attack After The Pirate Bay, eSarcasm And AfterDawn
  • Google Doodle Poisoned By Rogue Anti-virus Scareware
  • Microsoft Discovers Flaw In Google Plug-in For Internet Explorer
  • TweetMeme Hit By Malvertisement, Users Redirected To Fake Antivirus Pages

    • Posted in Breaches And Incidents, Cybercrime, Google, Malware, Microsoft | Print This Post Print This Post

    This entry was posted on Saturday, December 11th, 2010 at 9:17 am and is filed under Breaches And Incidents, Cybercrime, Google, Malware, Microsoft. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

    If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Scareware Malvertizements Approved By Google And Microsoft Ad Systems, Served On msnbc.com, mail.live.com

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    *
    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.

    « «
    » »