Daily cyber threats and internet security news: network security, online safety and latest security alerts
December 11th, 2010

Scareware Malvertizements Approved By Google And Microsoft Ad Systems, Served On,

Malware distributors have managed to trick two large ad networks into delivering malvertizements that silently infected the visitors of large websites with fake scareware programs.

The attacks started on December 3 and were picked up by a cloud-based malware scanning service called HackAlert and operated by Santa Clara-based security vendor Armorize Technologies.

HackAlert is used by VeriSign Trust Services, now a division of Symantec, for its daily VeriSign Trust Seal malware scans. So when several high profile websites started being tagged as infected, Armorize was asked to check its platform for possible bugs. However, their investigation revealed that sites like,, or, were indeed inadvertently infecting their visitors with malware.

It appears that cyber criminals registered a domain called (three “f”-s) and posed as a legit advertising company named AdShuffle. They somehow managed to get their domain accepted on both the Google-owned DoubleClick network and, the server used by Microsoft to deliver ads of various sites, including Hotmail and MSN.

The rogue ads served from this domain were not regular scareware malvertizements (malicious advertisements) that falsely claim visitors are infected and offer them a program to fix it. They looked harmless, but loaded the Eleonore drive-by download toolkit in the background. This toolkit silently exploits vulnerabilities in outdated versions of popular applications like Java, Adobe Reader, Internet Explorer and even Windows.

“Users visit websites that incorporate banner ads from DoubleClick or, the malicious javascript is served from (notice the three f’s), starts a drive-by download process and if successful, HDD Plus and other malware are installed into the victim’s machine, without having the need to trick the victim into doing anything or clicking on anything. Simply visiting the page infects the visitors,” notes Wayne Huang, chief technology officer at Armorize and member of the team who researched the attack.

HDD Plus is one of the recent pieces of scareware that pose as hard disk defragmentation utilities. The other malware downloaded by the malvertizements was a trojan downloader.

Credit: News

Share this item with others:

More on CyberInsecure:
  • Used As An Intermediary For Malware, Possibly Spreading Exploits And Trojans
  • Tucows Falls Victim To OpenX-Based Malvertizing Attack After The Pirate Bay, eSarcasm And AfterDawn
  • Google Doodle Poisoned By Rogue Anti-virus Scareware
  • Microsoft Discovers Flaw In Google Plug-in For Internet Explorer
  • TweetMeme Hit By Malvertisement, Users Redirected To Fake Antivirus Pages

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Scareware Malvertizements Approved By Google And Microsoft Ad Systems, Served On,

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.