Sorry, I'm confused because you started this thread ("More info") and spoke of
the Herald attack in the past tense but I never saw any real description of it
other than that you thought it came from advertising.com. Was it the same kind
of malware-scan.com attack where the browser gets redirected, turned into a
phony dialog box and then you're forced into a fake "scan" of your local system?
Was there a thread on this that I missed?
Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
[EMAIL PROTECTED]
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, November 11, 2007 9:33 AM
To: [email protected]
Subject: RE: [funsec] More info on malware-scan.com ads on newspaper Web sites
Hi Larry,
I packet sniffed the loading of the Boston Herald article and found that the
following Internet advertising/marketing companies are involved somehow in
showing banner ads at the Herald Web site:
mediaplex.com
247realmedia.com
advertising.com
zwire.com
google.com
Ad networks have complicated relationships. I don't know where the bad guys
were able to place their ad originally and how the ad has been traded around
among the various companies listed above.
The bad guys appear to be bouncing around also between some of their own
servers at these domains:
mysurvey4u.com
blessedads.com
prevedmarketing.com
malware-scan.com
I'm pretty sure that this situation is different than other cases where the bad
guys have added malicious code to the back-end content database of a Web site.
The Bank of India break-in was a recent example of this other kind of attack:
http://www.pcworld.com/article/id,136666-page,1/article.html
Richard
> Let me be more general here. I'm writing on this again and if you can
> give me references to other examples I'd appreciate it
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blogs.pcmag.com/securitywatch/
> Contributing Editor, PC Magazine
> [EMAIL PROTECTED]
>
>
> -----Original Message-----
> From: Larry Seltzer
> Sent: Sunday, November 11, 2007 8:00 AM
> To: '[EMAIL PROTECTED]'; '[email protected]'
> Subject: RE: [funsec] More info on malware-scan.com ads on newspaper
> Web sites
>
> (resending without the "*SPAM*" that I think my spamassassin put into
> the subject line.)
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blogs.pcmag.com/securitywatch/
> Contributing Editor, PC Magazine
> [EMAIL PROTECTED]
>
>
> -----Original Message-----
> From: Larry Seltzer
> Sent: Sunday, November 11, 2007 7:59 AM
> To: '[EMAIL PROTECTED]'; [email protected]
> Subject: RE: *SPAM* [funsec] More info on malware-scan.com ads on
> newspaper Web sites
>
> You mentioned the Herald. There was a malware ad on them? I don't see
> a reference
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blogs.pcmag.com/securitywatch/
> Contributing Editor, PC Magazine
> [EMAIL PROTECTED]
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of [EMAIL PROTECTED]
> Sent: Saturday, November 10, 2007 8:44 PM
> To: [email protected]
> Subject: RE: *SPAM* [funsec] More info on malware-scan.com ads on
> newspaper Web sites
>
> At the Boston Herald, the Russian malware ad seemed to come from a
> Flash ad which was originated from advertising.com, an ad network, and
> not the Herald themselves. I will be checking with advertising.com to
> see what they know.
>
> Richard
>
>
>> I'm not sure why the ad networks would need to do anything. You'd
>> think, OTOH, that publishers like YNet would drop ads that included
>> the redirects, especially since they're taking the user away from the
>> publication. At this point I blame Ynet more than the ad network.
>> It's sort of like the woman who refuses to leave the husband who's
>> beating her.
>>
>> Larry Seltzer
>> eWEEK.com Security Center Editor
>> http://security.eweek.com/
>> http://blogs.pcmag.com/securitywatch/
>> Contributing Editor, PC Magazine
>> [EMAIL PROTECTED]
>>
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED]
>> On Behalf Of [EMAIL PROTECTED]
>> Sent: Saturday, November 10, 2007 8:09 PM
>> To: [email protected]
>> Subject: RE: *SPAM* [funsec] More info on malware-scan.com ads on
>> newspaper Web sites
>>
>> Yep, looks like the same sleazebags. Any idea what the ad networks
>> are doing about this problem?
>>
>> Richard
>>
>>> I reported on something similar at Ynetnews (see
>>> http://blogs.pcmag.com/securitywatch/2007/11/and_suddenly_some_strange_site.php)
>>> about a week ago. I wonder if it's the same ad network.
>>>
>>> The Ynet attacks persist. They knew about it probably at least 10
>>> days ago and I saw it again yesterday, this time in Firefox.
>>>
>>> Larry Seltzer
>>> eWEEK.com Security Center Editor
>>> http://security.eweek.com/
>>> http://blogs.pcmag.com/securitywatch/
>>> Contributing Editor, PC Magazine
>>> [EMAIL PROTECTED]
>>>
>>> ----------------------------------------------------------------------
>>> From: [EMAIL PROTECTED]
>>> [mailto:[EMAIL PROTECTED]
>>> On Behalf Of [EMAIL PROTECTED]
>>> Sent: Saturday, November 10, 2007 6:38 PM
>>> To: [email protected]
>>> Subject: *SPAM* [funsec] More info on malware-scan.com ads on
>>> newspaper Web sites
>>>
>>>
>>> Holy sh**.
>>>
>>> Richard
>>>
>>>
>>> http://www.azstarnet.com/business/209714
>>>
>>> Maliciously coded online ad caused Star's Web site problems
>>>
>>> By Jack Gillum
>>>
>>> ARIZONA DAILY STAR
>>>
>>> Tucson, Arizona | Published: 11.03.2007
>>>
>>> A maliciously coded online advertisement was responsible for causing
>>> problems for Tucson Newspapers' Web sites this week, the company
>>> said Friday.
>>>
>>> The ads, which the company said were purchased with a fraudulent
>>> credit-card number, directed some Web visitors to sites that could
>>> have installed harmful software, or "malware."
>>>
>>> The problem was reported Wednesday by the Pima County Department of
>>> Environmental Quality, which advised its employees not to visit the
>>> Arizona Daily Star Web site over computer-safety concerns. When
>>> their employees visited the Star's site, anti-virus software alerted
>>> them of trouble.
>>>
>>> The fraudulent ad purchase was discovered Wednesday and the ad was
>>> removed Thursday, said Susan Hardin, director of online for Tucson
>>> Newspapers, which is jointly owned by the Arizona Daily Star and
>>> Tucson Citizen newspapers.
>>>
>>> Hardin said the ads in question were bought by a company called
>>> ForceUp, which could not be reached for comment because a phone
>>> number for the company at an Idaho area code was disconnected, and
>>> an e-mail contact form was inaccessible.
>>>
>>> Affected users were redirected to a different site and then
>>> presented with fake virus-scanning software that was itself malicious
>>> software.
>>>
>>> Hardin recommends that users block access to malwarealarm.com,
>>> newbieadguide.com, and malware-scan.com, and delete infected files
>>> from a computer's PC and Windows registry.
>>>
>>> Tucson Newspapers previously said that some video advertisements may
>>> have been the problem. But as of Friday, the company narrowed down
>>> the problem to the suspect ads, which Hardin said were up in the
>>> morning hours for the last 10 to 18 days.
>>>
>>> "This hasn't happened before, and our people reacted very quickly,"
>>> said Tucson Newspapers President and CEO Mike Jameson. "We'll just
>>> have to be more vigilant in the future about these things."
>>>
>>> The ad, Tucson Newspapers said, circulated to other newspaper sites
>>> across the country.
>>>
>>> * Contact reporter Jack Gillum at 573-4178 or at
>>> [EMAIL PROTECTED]
>>>
>>> _______________________________________________
>>> Fun and Misc security discussion for OT posts.
>>> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
>>> Note: funsec is a public and open mailing list.
>>>