CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
July 15th, 2010

TweetMeme Hit By Malvertisement, Users Redirected To Fake Antivirus Pages

A malvertising attack targeted TweetMeme.com users today after a rogue advertiser made its way onto the website. The malicious advertisements directed users to third-party websites displaying fake malware alerts with the purpose of convincing users to install scareware.

Malvertising (malicious advertising) is a type of attack where cyber crooks manage to insert rogue ads into a legit website, leading its users to malicious content. The practice is commonly employed by scareware pushers to distribute their fake antivirus products.

According to StopMalvertising, a website dedicated to researching and stopping such attacks, TweetMeme users were targeted via malicious advertisements served by a rogue advertiser at y5-media.com. An investigation of the incident revealed that the threat distributed through these malvertisements was a fake antivirus called Security Threat Analysis.

The researchers explain that requests to y5-media.com bounce through two other websites before landing on the scareware domains. In order to fly under the radar, the cyber crooks tried to make the attack as subtle as possible.

“Both domains perform various checks to see whether you’re a bot, a search engine, a proxy … as in those cases the redirect to the scareware will not happen,” the researchers explain. Also, if a user visits the malicious websites once, a cookie is added in his browser to prevent him from being targeted again.

The landing websites at www3.luckfind42td.in and www2.guardhere5.in display the typical fake malware scans associated with scareware scams. When these scans are “done” the users are taken to another domain called www1.wareforyou10.in, which serves a file called packupdate107_302.exe for download. This is a program in the FakeAV family of malware, which currently has a very low AV detection rate.
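On the defensive side, a chain like the one described above (ad host, two intermediate hops, scan page, download host) can be surfaced from web proxy logs by walking referers back from each executable download. The following is an added example, not code from StopMalvertising or the original article; the log records, the placeholder hops `hop-a.example` and `hop-b.example`, the URL paths and the `min_hosts=4` threshold are all assumptions.

```python
from urllib.parse import urlsplit

# Constructed proxy records: (client, url, referer). Hosts named in the article are
# used as reported; hop-a.example and hop-b.example stand in for the two unnamed
# intermediate sites, and every path except the .exe filename is made up.
SAMPLE_LOG = [
    ("10.0.0.5", "http://tweetmeme.com/", ""),
    ("10.0.0.5", "http://y5-media.com/ad.js", "http://tweetmeme.com/"),
    ("10.0.0.5", "http://hop-a.example/in", "http://y5-media.com/ad.js"),
    ("10.0.0.5", "http://hop-b.example/go", "http://hop-a.example/in"),
    ("10.0.0.5", "http://www3.luckfind42td.in/scan", "http://hop-b.example/go"),
    ("10.0.0.5", "http://www1.wareforyou10.in/packupdate107_302.exe",
     "http://www3.luckfind42td.in/scan"),
    ("10.0.0.9", "http://tweetmeme.com/", ""),
    ("10.0.0.9", "http://cdn.example/setup.exe", "http://tweetmeme.com/"),
]

EXEC_EXT = (".exe", ".scr", ".msi")


def referer_chain(url, parent, limit=20):
    """Walk referers back from url; return hosts ordered from first page to final URL."""
    hosts, seen = [], set()
    while url and url not in seen and len(seen) < limit:  # guards against loops
        seen.add(url)
        h = urlsplit(url).hostname or ""
        if not hosts or hosts[-1] != h:   # collapse same-host navigation
            hosts.append(h)
        url = parent.get(url, "")
    return hosts[::-1]


def flag_downloads(records, min_hosts=4):
    """Flag executable downloads reached through at least min_hosts distinct hosts."""
    parents, alerts = {}, []              # parents: client -> {url: referer}
    for client, url, referer in records:
        parent = parents.setdefault(client, {})
        parent.setdefault(url, referer)   # keep the first referer seen for a URL
        if urlsplit(url).path.lower().endswith(EXEC_EXT):
            chain = referer_chain(url, parent)
            if len(set(chain)) >= min_hosts:
                alerts.append((client, chain))
    return alerts


if __name__ == "__main__":
    for client, chain in flag_downloads(SAMPLE_LOG):
        print(client, " -> ".join(chain))
```

A direct download linked from a single page (the second client in the sample) stays below the threshold, while the multi-host chain is reported with every hop in order so each host can be reviewed or blocked.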

Malvertisements can be very dangerous because, unlike black hat search optimization campaigns that poison search results with malicious links, they are a lot harder to detect and abuse the trust that users put into legit websites. Popular websites that were previously affected by similar attacks include the New York Times, Gizmodo and Digital Spy.

Credit: Softpedia.com News


    One Response to “TweetMeme Hit By Malvertisement, Users Redirected To Fake Antivirus Pages”

    1. This issue was resolved yesterday and the advertisement causing the issue removed. We have spoken with the advertising supplier to ensure this does not happen again.

      Many thanks
      Sarah

