Blue Coat Labs

Follow-up on Major Malvertising Network

Chris Larsen

Partly because the previous post got a bit of publicity, but mostly due to the fact that there were a lot more sites to research, I decided to do a follow-up post on the big malvertising network that's been running for months.

To begin with, I should answer the most-asked question, namely, "Is the LA Times still serving the malicious ads?"

As of last Friday, the answer was definitely "Yes". We were still seeing traffic from the various latimes.com subdomains to dlelead.com. It was down to a relative trickle in our logs, compared to what it had been, but this is only because all of our customer base (except a few K9 stragglers) had already checked in with WebPulse, and been told that it was Malware. So the actual level of exposure to the malicious ads was much higher than we were seeing.

Last Friday was also the day that I became much more proactive about reaching out to contacts in the WebAd industry and anti-malvertising groups, and sharing my lists with them. (This has gone really well, btw. I got some good lists back in return. Thanks to all who helped!)

Anyway, traffic to dlelead.com dwindled away, and it went silent on 9/06. After a short break, however, a new site from the same malvertising network (adprostats.com) appeared in the latimes.com traffic, beginning on 9/10, with thousands of hits in our logs. This continued into 9/11, but the traffic looked like it was dwindling away yesterday, so I'm guessing the Times cut this one off pretty quickly.

It's a similar story for the other most-asked-about victim site, salon.com. As of last Friday, I wasn't seeing salon.com any more in the traffic from its malvertising parasite (gerlead.com). The traffic from gerlead.com had switched -- it was mostly coming from kiplinger.com, ibtimes.com, and thefiscaltimes.com. But a lack of salon.com in this traffic chain isn't conclusive, for the reasons in the previous paragraph -- most of our users were already immunized against visiting gerlead.com, in short order. (And I'm pleased to report that there has been no traffic to gerlead.com this week.)

However, salon.com was showing up as a referrer to a new malvertising site -- ingidigital.com -- so they were definitely still running the malicious ads...

And there are lots of other sites involved; here's a sampling, adding on to the table from the previous post:

| Domain | Registration Date | Traffic Began | Primary Traffic Sources (Victim Sites) |
|---|---|---|---|
| ingidigital.com | 9/17/2012 | 8/22/2013 | dailycaller.com, salon.com, talkingpointsmemo.com |
| wotamedia.com | 11/09/2012 | 8/23/2013 | ad.doubleclick.net |
| neliserver.com | 10/19/2012 | 8/08/2013 | aimatch.com (a SAS web ad server) |
| presrotation.com | 8/07/2012 | 8/07/2013 | adnxs.com subdomains |
| admcfe.com | 11/09/2012 | 7/15/2013 | mamamia.com.au, ivillage.com.au, astrology.com, gardenweb.com |
| adproriva.com | 11/08/2012 | 7/30/2013 | optuszoo.com.au, eatability.com.au |
| votsmedia.com | 10/19/2012 | 7/25/2013 | globalpost.com |
| klipclick.com | 8/07/2012 | 8/05/2013 | photoclick.com |
| unteserver.com | 8/07/2012 | 8/14/2013 | drudgereport.com, startribune.com, autotrader.co.uk |
| idnserving.com | 10/26/2012 | 4/02/2013 | beyond.com, various job sites |
| adprostats.com | 10/26/2012 | 9/10/2013 | latimes.com (and subdomains), doubleclick.com |

(and several more...)

The importance of this story, however, is not "Which well-known sites were victimized?"

And it's not "Hey, look! It's also hitting Australian sites!" (Or French sites, as I pointed out last week.)

The significance is how patiently the Bad Guys wove their web: registering a ton of sites (mostly anonymously) last year; holding them in reserve for months; getting them trusted by various ad providers; targeting one or more popular sites; and hiding their true nature with layers of relays between them and the malware.
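The "register early, sleep for months, then light up behind several publishers" pattern is something a proxy-log analyst can hunt for directly. The following is an added example (not Blue Coat's code, and not WebPulse logic): it takes registration and first-traffic dates from the table above, reads constructed referrer/request log lines, and flags destination domains that were dormant for a long time after registration and then received traffic from multiple unrelated publisher sites. The log format, the thresholds, and the two-label domain truncation are assumptions.

```python
from collections import defaultdict
from datetime import date
from urllib.parse import urlparse

# (registration date, first-seen traffic date) for three relay domains,
# copied from the table in this post.
REGISTRATION = {
    "ingidigital.com": (date(2012, 9, 17), date(2013, 8, 22)),
    "adprostats.com": (date(2012, 10, 26), date(2013, 9, 10)),
    "idnserving.com": (date(2012, 10, 26), date(2013, 4, 2)),
}

# Constructed proxy log lines (not real traffic): "<referrer_url> <request_url>".
SAMPLE_LOG = """\
http://www.salon.com/news/ http://ingidigital.com/s.js
http://dailycaller.com/ http://ingidigital.com/s.js
http://talkingpointsmemo.com/ http://ingidigital.com/t.js
http://www.latimes.com/sports/ http://adprostats.com/a.gif
http://articles.latimes.com/ http://adprostats.com/a.gif
http://doubleclick.com/ http://adprostats.com/b.gif
http://www.beyond.com/jobs http://idnserving.com/x
"""

def registered_domain(host):
    """Crude eTLD+1: keep the last two labels (assumption; use a PSL in practice)."""
    return ".".join(host.split(".")[-2:])

def referrers_by_destination(log_text):
    """Map each destination domain to the set of referrer domains that led to it."""
    refs = defaultdict(set)
    for line in log_text.splitlines():
        ref_url, req_url = line.split()
        dst = registered_domain(urlparse(req_url).hostname)
        refs[dst].add(registered_domain(urlparse(ref_url).hostname))
    return refs

def dormancy_days(domain):
    """Days between registration and the first traffic we saw to the domain."""
    registered, first_seen = REGISTRATION[domain]
    return (first_seen - registered).days

def flag_sleeper_relays(log_text, min_dormant_days=180, min_referrers=2):
    """Domains that sat idle for months after registration and then showed up
    as the destination of traffic from several distinct publisher sites."""
    flagged = {}
    for dst, refs in referrers_by_destination(log_text).items():
        if dst not in REGISTRATION:
            continue  # no registration data; cannot score dormancy
        dormant = dormancy_days(dst)
        if dormant >= min_dormant_days and len(refs) >= min_referrers:
            flagged[dst] = (dormant, sorted(refs))
    return flagged
```

idnserving.com is deliberately left unflagged in the sample: it was dormant for fewer than 180 days and appears behind only one referrer, which shows why both thresholds are needed to keep noise down.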

--C.L.

@bc_malware_guy
