Blue Coat Labs


When in Rome... Malvertise!


Chris Larsen

I took a short break from programming today to poke through our traffic logs (that's how malware research engineers relax), and came across an interesting malvertising attack.

The attack traffic is coming through an innocent-but-hacked site, roma-online.com, which has been around for years. It's a travel site focusing on hotels in Rome, but recently a group of Bad Guys have taken up residence.

Our traffic logs don't show any legitimate traffic in the last few days, only a banner ad that the site is serving into the adnxs.com network (a major Web advertising company):

image of hijacked banner ad


Unfortunately, this ad leads not to a nice Rome vacation, but to a couple of evil networks.

One of these is the initial lead I followed into all of this, a group of junk domains in the .ML (Mali) namespace:

  • retsuaifoa.ml
  • pqosidyai.ml
  • nayduakdad.ml
  • laoakdiy.ml
  • yrtesuayd.ml

(These are from the past three days, and were being caught by a Traffic Cop module that watches for CryptoWall traffic.)

Today, the majority of the traffic is heading to a new domain: flashmem.biz, which we rated as Malware due to its behavior and its place in the attack chain.

Going a bit further back in the logs, I can see that a week ago, the traffic from roma-online.com was leading into a network of sites flagged as running the Angler exploit kit by our Malnet Tracker, so the Bad Guys are getting good mileage out of this site.
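The chain described above (hacked site, ad network, junk .ML hosts, then flashmem.biz) is the kind of thing you can reconstruct from ordinary proxy logs by following referer edges outward from the compromised site and then flagging the hops that land somewhere you have no reason to trust. The script below is an added example and is not Blue Coat's Traffic Cop or Malnet Tracker code; the log lines are constructed for the example, the `ib.adnxs.com` ad-serving host, the single-space log format and the `KNOWN_GOOD` allowlist are assumptions, and the "free TLD" list is the set of no-cost Freenom country-code TLDs that are popular with throwaway infrastructure. The scoring is deliberately crude: a hop is flagged for sitting in a free TLD or for being an unknown host reached directly from an ad-network referer, which is the "place in the attack chain" reasoning the post uses for flashmem.biz.

```python
"""Reconstruct a redirect chain from proxy logs and flag suspicious hops.

Added example, not code from the original post.  Every log line below is
constructed; the ad-serving hostname and the allowlist are assumptions.
"""
from collections import deque
from urllib.parse import urlsplit

# Constructed proxy log, one request per line:
#   timestamp client_ip method url referer status
SAMPLE_LOG = """\
2015-03-02T10:01:05Z 10.0.0.21 GET http://roma-online.com/banner.js http://www.example-news.test/ 200
2015-03-02T10:01:06Z 10.0.0.21 GET http://ib.adnxs.com/ttj?id=123 http://roma-online.com/banner.js 200
2015-03-02T10:01:07Z 10.0.0.21 GET http://retsuaifoa.ml/in.php http://ib.adnxs.com/ttj?id=123 302
2015-03-02T10:01:08Z 10.0.0.21 GET http://pqosidyai.ml/landing http://retsuaifoa.ml/in.php 200
2015-03-02T10:02:11Z 10.0.0.35 GET http://roma-online.com/banner.js http://www.other-site.test/ 200
2015-03-02T10:02:12Z 10.0.0.35 GET http://ib.adnxs.com/ttj?id=123 http://roma-online.com/banner.js 200
2015-03-02T10:02:13Z 10.0.0.35 GET http://flashmem.biz/go http://ib.adnxs.com/ttj?id=123 200
2015-03-02T10:05:00Z 10.0.0.40 GET http://cdn.example-static.test/jquery.js http://www.other-site.test/ 200
"""

FREE_TLDS = {"ml", "ga", "cf", "gq", "tk"}          # Freenom no-cost ccTLDs
AD_NETWORK_SUFFIXES = ("adnxs.com",)                 # ad network named in the post
KNOWN_GOOD = {"ib.adnxs.com", "cdn.example-static.test"}  # assumed allowlist


def parse_log(text):
    """Split each constructed log line into a dict with host/referer hosts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, referer, status = line.split()
        rows.append({"ts": ts, "client": client, "method": method,
                     "url": url, "referer": referer, "status": int(status),
                     "host": urlsplit(url).hostname,
                     "ref_host": urlsplit(referer).hostname})
    return rows


def redirect_chain(rows, seed_host):
    """Breadth-first walk over referer edges starting at seed_host.

    Returns {host: referer_host} for every host reachable from the seed;
    the seed maps to None.  Hosts never referred from the chain are absent.
    """
    by_ref = {}
    for r in rows:
        by_ref.setdefault(r["ref_host"], set()).add(r["host"])
    parent = {seed_host: None}
    queue = deque([seed_host])
    while queue:
        h = queue.popleft()
        for nxt in sorted(by_ref.get(h, ())):
            if nxt not in parent:
                parent[nxt] = h
                queue.append(nxt)
    return parent


def path_to(parent, host):
    """Walk the parent map back to the seed and return the hop list."""
    path = []
    while host is not None:
        path.append(host)
        host = parent[host]
    return list(reversed(path))


def is_ad_network(host):
    return any(host == s or host.endswith("." + s) for s in AD_NETWORK_SUFFIXES)


def flag_hops(parent):
    """Return {host: [reasons]} for hops that look like attacker infrastructure."""
    flagged = {}
    for host, ref in parent.items():
        if ref is None or host in KNOWN_GOOD:
            continue
        reasons = []
        if host.rsplit(".", 1)[-1] in FREE_TLDS:
            reasons.append("free-tld")          # .ml/.ga/.cf/.gq/.tk hop
        if is_ad_network(ref):
            reasons.append("ad-landing")        # unknown host reached straight from the ad click
        if reasons:
            flagged[host] = reasons
    return flagged


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    chain = redirect_chain(rows, "roma-online.com")
    for host, reasons in flag_hops(chain).items():
        print(" -> ".join(path_to(chain, host)), "|", ", ".join(reasons))
```

Run stand-alone it prints one line per flagged hop with the full path back to roma-online.com, so the two .ML hosts and flashmem.biz come out with their reasons while the ad server and the unrelated CDN host do not. On real logs you would replace the allowlist with your own reputation data and add a first-seen age check, since the post's point is that a long-lived referrer like roma-online.com looks clean while the hops behind it are brand new.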

Note that the registration for roma-online.com goes back about 14 years, so they've got a long, clean reputation -- highlighting the challenges faced by the ad networks in knowing who to trust, and when not to trust them any longer...


--C.L.
