Blue Coat Labs
Big Malvertising Attack in South Africa
Big Malvertising Attack in South Africa
One of the malvertising gangs we track has a track record of showing up in different countries. In checking the logs to see where they're active this week, we found a lot of traffic coming from visitors to a major South African news media site, the Mail and Guardian (www.mg.co.za).
A large number of visitors to the site are being served an ad that sends their browser to a server in The Netherlands (currently at 188.8.131.52 *).
This site forwards the victims to a variety of junk subdomains on gooway.info (such as kanplnv., ltute., utxq., vrsfylj. -- there is pretty rapid turnover: typically just one or two requests to each one).
The gooway.info sites, in turn, are relaying the traffic to a family of "Fake Antivirus" sites with names like webantivirusprorv.pl, which use scare tactics like this to convince people that their computer is infected, and to download the Fake-AV software to "clean" it.
Clicking the "OK" and "Clean computer" buttons yields a setup.exe program that was rather poorly detected in a quick VirusTotal check (just 3/47 engines). Which is the kind of situation we built WebPulse for...
[Update 1/10/2013]: The Mail and Guardian security team reached out to us immediately, and we sent them some additional details about the attack traffic (which ceased a few days ago). They reported this morning that they believe they have identified the offending ad service. We would like to publicly commend them for the speed and thoroughness of their response; they're the type of security staff every company needs. (In contrast, we have yet to hear from yourtango.com, and the malvertising traffic from them to adopexpro.com is continuing.) Malvertising is a very tricky beast: even when you think it might be happening on your web site, it is hard to verify; and even when you know that a particular IP address or domain is evil, it can be very difficult to pin down exactly where it is coming from in an advertising ecosystem. [/Update]
Bonus Notes on the Yahoo.com Malvertising Attack
And while we're on the topic of malvertising, the big news last week was a malvertising campaign that hit ads.yahoo.com, which was nicely covered by the Fox-IT blog. As defensive suggestions they recommended blocking two different IP address blocks:
This would work, but it's a fair amount of overkill. The first range (the malvertising servers) had a total of 47 addresses in use by this gang in the past, with some other shady-but-different traffic on some others, and most of the rest lying fallow.
The second block contains the single address (184.108.40.206) identified by Fox-IT as the host of the exploit kit domains in the attack. (The exploit kit level is where we were blocking.) This address was the 15th (all in this block) used by this gang, beginning on December 19th.
Most interesting to me is that this gang is not exclusively a malvertising operation. In the first two days of operation (12/19 - 12/20), their Magnitude exploit kit domains were receiving traffic from injected subdirectories on hacked sites, with page names showing that at least some of the traffic was coming from poisoned searches, on such terms as:
- mexican strawberry tamales
- honda fit wiper blades
- calories in publix chocolate chip cookie cake
- how to become a mechanical engineer technician
- call of duty 4 modern warfare pc controller
- what is the next american girl doll of the year 2014
- what is mama d's recipe for pink sauce
...and the other gloriously random stuff people search for that the Bad Guys target in Search Engine Poisoning attacks.
* As a footnote, a rogue ad domain (adopexpro.com) that we've had rated as Malware in our database for several months, is also showing up on that IP now, although that's not the traffic we're talking about in this post. The adopexpro.com traffic is coming from ads served to yourtango.com, which needs to work with its ad provider to at least eliminate traffic to long-time malvertising sites.