Drive-by scareware malvertisements served up by major ad networks

According to Wayne Huang, founder and CEO of California-based Armorize Technologies, the attacks started on December 3, since when they were picked up by his company's HackAlert cloud-based malware scanning service.

The HackAlert service, says Armorize's CEO, is being used by a number of clients, including VeriSign Trust Services, now part of Symantec, for its daily Trust Seal malware scans.

And when several high-profile websites started being tagged as infected, Armorize was asked to check its platform for possible bugs, he said, adding that the investigation revealed that sites like realestate.msn.com, msnbc.com and mail.live.com, were indeed inadvertently infecting their visitors with malware.

Huang says that cybercriminals appear to have registered a domain called ADShufffle.com – with three fff's, Infosecurity notes – and posed as a legitimate advertising company of the same name.

What appears more worrying is that the hackers managed to get their domain accepted on the DoubleClick ad network, operated by Google, as well as rad.msn.com, the Microsoft-owned platform that serves up adverts to Hotmail, MSN and other popular web portals/services.

The good news is that, as soon as Armorize contacted DoubleClick, they responded in a couple of hours to arrange a meeting with a group of their experts on anti-malvertising and incidence response.

"We were very surprised and impressed with the speed that DoubleClick acted. We provided details, and DoubleClick said they were already on top of the issue", he said in his security blog.

In parallel with the contact with DoubleClick, Armorize's CEO Caleb Sima received a private email indicating that mail.live.msn, together with a number of other major websites, were serving up drive-by downloads using malvertising.

"We started to investigate other ad exchanges, because it was apparent that ADShufffle.com was able to trick multiple ad exchanges into serving their malicious javascript. We started to investigate this", he said, adding that Sima and his team confirmed that ADShufffle.com was serving up malvertising through rad.msn.com.

Exploits used on the malvertising, he explained, included Java web start CLI injections, Microsoft MDAC RDS.Dataspace ActiveX and various Adobe security flaw subversions.

Commenting on the revelations, Lucian Constantin of Softpedia said that the rogue ads served from the domains were not regular scareware advertisements that falsely claim visitors are infected and offer them a program to fix it.

"They looked harmless, but loaded the Eleonore drive-by download toolkit in the background" he said, adding that the toolkit silently exploits vulnerabilities in outdated versions of popular applications like Java, Adobe Reader, Internet Explorer and even Windows.

What’s hot on Infosecurity Magazine?