Big Malvertising Network Update, part 2
Continuing to dig into the recent activity of the big malvertising gang we've covered several times in recent months, I decided there's enough material for a "part two" follow-up to last week's post...
As mentioned in that post, they've largely switched from using long-dormant domains registered last year to simply using IP addresses as the malvertising "sites" that begin the process of relaying victims down to the attack sites. Here is the next batch of evil relays, and the sites they're plaguing. The big names being victimized this time around are the UK's Mirror and Daily Record sites, although there is plenty of variety, as usual...
| Malvertiser | Primary Referrer(s), Notes |
|---|---|
| 184.108.40.206 | mostly mirror.co.uk and dailyrecord.co.uk, but several other news sites were also involved (liverpoolecho.co.uk, manchestereveningnews.co.uk, chroniclelive.co.uk, gazettelive.co.uk, birminghammail.co.uk, etc.) |
| 220.127.116.11 | relestar.com (Web ads) |
| 18.104.22.168 | political commentary sites: pjmedia.com, volokh.com, and several others |
| dableserver.com | music and entertainment sites: hulkshare.com, cracked.com, etc., and a Web ad site (admarvel.com) |
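The relay pattern described above (a popular site's page as the referrer, then a request to a bare IP address or a known relay domain that carries the visitor on toward the attack site) is something a defender can pull out of proxy logs directly. The script below is an added example written for this post, not tooling from the original article: it parses constructed sample proxy log lines (timestamp, client, method, URL, referrer) and builds the same kind of relay-to-referrer table shown above. The log format, the `known_relays` watchlist argument and the client addresses are assumptions; the relay hosts and referrer sites are the ones listed in the post, and the 192.0.2.x address is a documentation-range placeholder.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log lines (not real traffic). Fields:
# timestamp client method url referrer   ("-" when no Referer header was sent)
SAMPLE_LOG = """\
2011-05-02T10:14:01Z 10.0.0.21 GET http://www.mirror.co.uk/news/ -
2011-05-02T10:14:03Z 10.0.0.21 GET http://184.108.40.206/ads/show.php?id=3 http://www.mirror.co.uk/news/
2011-05-02T10:14:04Z 10.0.0.21 GET http://184.108.40.206/r/next -
2011-05-02T10:15:10Z 10.0.0.33 GET http://dailyrecord.co.uk/sport/ -
2011-05-02T10:15:12Z 10.0.0.33 GET http://184.108.40.206/ads/show.php?id=9 http://dailyrecord.co.uk/sport/
2011-05-02T10:16:40Z 10.0.0.40 GET http://pjmedia.com/blog/ -
2011-05-02T10:16:42Z 10.0.0.40 GET http://18.104.22.168/js/ad.js http://pjmedia.com/blog/
2011-05-02T10:17:00Z 10.0.0.52 GET http://hulkshare.com/track/1 -
2011-05-02T10:17:02Z 10.0.0.52 GET http://dableserver.com/serve?z=1 http://hulkshare.com/track/1
2011-05-02T10:18:00Z 10.0.0.60 GET http://192.0.2.10/update.json http://192.0.2.10/app/
2011-05-02T10:19:00Z 10.0.0.61 GET http://cdn.example.net/lib.js http://www.mirror.co.uk/news/
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def site_of(host: str) -> str:
    """Normalise a hostname for comparison: lowercase and drop a leading 'www.'."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def is_bare_ip(host: str) -> bool:
    """True when the URL host is an IP literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_line(line: str):
    """Split one log line into a record; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, ref = m.groups()
    return {"ts": ts, "client": client, "method": method,
            "url": url, "referrer": None if ref == "-" else ref}


def find_relays(log_text: str, known_relays=frozenset()):
    """Map each suspected relay host to the set of sites that referred visitors to it.

    A request is flagged when its host is a bare IP address (the gang's current
    habit) or is on the known_relays watchlist, AND it carries a Referer from a
    different site. Same-site referrers are ignored so an internal app that
    talks to its own IP address is not reported.
    """
    relays = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["referrer"] is None:
            continue
        host = urlparse(rec["url"]).hostname
        ref_host = urlparse(rec["referrer"]).hostname
        if not host or not ref_host:
            continue
        suspicious = is_bare_ip(host) or site_of(host) in known_relays
        if suspicious and site_of(ref_host) != site_of(host):
            relays[host].add(site_of(ref_host))
    return {relay: sorted(sites) for relay, sites in relays.items()}


def render_table(relays: dict) -> list:
    """Render the mapping as pipe-table rows in the style of the post's table."""
    rows = ["| Malvertiser | Primary Referrer(s) |", "|---|---|"]
    for relay in sorted(relays):
        rows.append(f"| {relay} | {', '.join(relays[relay])} |")
    return rows


if __name__ == "__main__":
    found = find_relays(SAMPLE_LOG, known_relays=frozenset({"dableserver.com"}))
    print("\n".join(render_table(found)))
```

Run against the sample, the bare-IP heuristic alone picks up 184.108.40.206 and 18.104.22.168; dableserver.com is only reported because it is on the watchlist, and the cdn.example.net request (a legitimate cross-site asset load) is left alone. In production the watchlist is where the relay domains from this and the previous post would go, and the `site_of` helper would want a proper public-suffix lookup rather than the simple `www.` strip used here.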
Although down from its heyday, this network still generates thousands of hits a day in our logs.
The attack sites at the end of the relay chain were serving the same "Fake AV" attack as in the previous batch.