
Hackers are Using Fake PC News Website to Distribute Infostealers

 

Researchers made an effort to warn users last year not to click on Google Ads in search results, but it appears those warnings went unheeded, as hackers continue to use malicious ads to infect unsuspecting users with malware. 

Malvertising, or malicious advertising, has grown in popularity among cybercriminals as phishing attacks and malicious apps have become less effective. Instead, hackers are now purchasing advertising space on Google Search and other search engines in order to trick users into installing malware. 

One way they do this is by imitating well-known brands. So far, we've seen hackers pose as Amazon, USPS, CCleaner, Notepad++, and other prominent brands. According to a report from the email security firm Vade, Facebook and Microsoft continue to be the most impersonated brands since 2020. 

Unsuspecting PC users who click on an advertisement in this new campaign are led to a fake download portal that looks authentic to the unwary eye. Instead of the advertised CPU-Z utility, though, the site offers a digitally signed MSIX installer that includes a malicious PowerShell script for the FakeBat loader.

Malware loaders, as the name implies, exist to stage further malicious software onto a compromised computer, much as droppers do on a smartphone. This loader downloads and installs the RedLine stealer onto the targeted PC. The stealer then harvests the victim's personal information: credit card numbers, VPN passwords, saved passwords, system data, cryptocurrency wallets, browser histories, and cookies.

Another intriguing aspect of this campaign is that not every user who clicks on these malicious CPU-Z advertisements is redirected to a fake download page. Those who aren't being targeted are instead directed to what looks to be a typical blog with several articles on it.

Mac Users Under Attack: Malvertising Campaign Distributing Atomic Stealer Malware

 


An updated version of the macOS stealer malware called Atomic Stealer (or AMOS) is being distributed through a new malvertising campaign. The authors of the program appear to be actively maintaining and updating the malware.

When the creators of AMOS began advertising the tool for $1,000 per month in the spring of 2023, they claimed it could steal a wide range of data. Not long afterwards, new variants armed with a large number of additional spying features, targeting gamers and cryptocurrency investors, appeared in the wild.

According to the malware's authors, it can steal keychain passwords, browser information, cryptocurrency wallets, and other files from a compromised device. Malwarebytes recently observed that although AMOS was originally distributed through cracked software downloads, it is now also being delivered through a malvertising campaign.

An unknown entity in Belarus appears to have hacked into a Google advertiser account and used it to run ads impersonating TradingView, a legitimate financial market tracking app, that led to a fake TradingView website. Cybercriminals are reportedly deploying data-stealing malware against Apple computers more and more often in order to steal confidential information.

Cybersecurity company SentinelOne reported on Wednesday that it had spotted a new version of the macOS infostealer Atomic Stealer. It is the third version of the malware observed on macOS.

According to SentinelOne, the latest version specifically targets gaming and cryptocurrency users, with a focus on data that earlier reports had not described in any detail. The infostealer, also known as AMOS, was first described as macOS malware focused on cryptocurrencies, passwords, and important files.

Throughout its evolution it has become capable of grabbing more information and targeting a wider range of systems. Clicking one of these advertisements directs the user to a site that offers downloads for several operating systems: both the Windows and Linux download links deliver an MSIX installer that installs the NetSupport RAT on the computer.

According to the Malwarebytes report, clicking the macOS download link delivers Atomic Stealer, which attempts to exfiltrate data stored in iCloud Keychain, browsers, and user files. Several security experts have noted the new infostealer's ability to get past Gatekeeper protections, and this comes amid a growing number of infostealer attacks targeting macOS.

The criminals who purchase the toolkit mainly distribute it via cracked software downloads, but they also impersonate legitimate websites and buy advertising on search engines such as Google to lure victims. The attack depends on getting the victim past macOS's Gatekeeper security mechanism so that the stealer can run and exfiltrate the stolen data to a server under the attacker's control.

As macOS continues to become a popular target, a number of new data-stealing apps for it have appeared for sale on crimeware forums over the past couple of months, taking advantage of the wide availability of Apple systems in organizations. When looking to download a new program, users are likely to turn to Google and search for the particular program they need.

As a result, threat actors are purchasing ads matching well-known brands and tricking victims into visiting their site under the false impression that it is the brand's official website. The downloaded file comes with instructions on how to open it in a way that sidesteps Gatekeeper, Apple's built-in check on downloaded software.

Further, according to the researchers, the malware is delivered in ad-hoc signed applications, which means there is no Apple-issued certificate that could be revoked. The moment the victim runs the program, it sends the stolen data to the attacker's C2 servers.

Passwords, information about users, wallets, cookies, keychains, and browser auto-fills are just some of the things that Atomic Stealer steals from users.  As a precautionary measure, Malwarebytes recommends that users check that any program they run on an endpoint is properly signed before running it. 

A further step is to examine the website from which the program was downloaded, since its address may be a typosquatted look-alike of the legitimate domain. The content of the site may also give the scam away.
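The two checks Malwarebytes recommends above, a valid signature and a trustworthy download source, can be automated for the signature half. The following is an added example (not Malwarebytes' tooling): it parses the report that `codesign -dv --verbose=4` prints and classifies the signing chain, treating an ad-hoc or unsigned binary as something not to run, because, as the article notes, an ad-hoc signature has no certificate Apple could revoke. The sample reports are constructed to mirror codesign's field names; the paths, identifiers and the team ID `PLACEHOLDER1` are placeholders.

```python
"""Classify a macOS code signature from the output of `codesign -dv --verbose=4`.

Added example, not Malwarebytes' tooling. The sample reports are constructed
to mirror the fields codesign prints; paths, identifiers and team ID are placeholders.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass, field


@dataclass
class SignatureInfo:
    kind: str                       # unsigned | adhoc | developer_id | apple | other
    identifier: str | None = None
    team_id: str | None = None
    authorities: list[str] = field(default_factory=list)


def parse_codesign(text: str) -> SignatureInfo:
    """Turn codesign's key=value report into a verdict on the signing chain."""
    if "code object is not signed at all" in text:
        return SignatureInfo(kind="unsigned")
    fields: dict[str, str] = {}
    authorities: list[str] = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep:
            continue
        if key == "Authority":          # printed once per certificate, leaf first
            authorities.append(value)
        else:
            fields[key] = value
    team = fields.get("TeamIdentifier")
    if team == "not set":
        team = None
    # An ad-hoc signature carries no certificate chain, so nothing can be revoked;
    # codesign reports it as "Signature=adhoc" and lists no Authority lines.
    if fields.get("Signature") == "adhoc" or not authorities:
        kind = "adhoc"
    elif authorities[-1] != "Apple Root CA":
        kind = "other"                  # self-signed or non-Apple chain
    elif authorities[0].startswith("Developer ID Application"):
        kind = "developer_id"
    else:
        kind = "apple"                  # App Store or other Apple-anchored chain
    return SignatureInfo(kind, fields.get("Identifier"), team, authorities)


def allow_to_run(info: SignatureInfo) -> bool:
    """Policy: only chains anchored at Apple's root, where a bad cert can be revoked."""
    return info.kind in ("developer_id", "apple")


def inspect(path: str) -> SignatureInfo:
    """Run codesign on a real file (macOS only); codesign writes its report to stderr."""
    proc = subprocess.run(["codesign", "-dv", "--verbose=4", path],
                          capture_output=True, text=True)
    return parse_codesign(proc.stderr + proc.stdout)


# Constructed sample: what an ad-hoc signed download looks like to codesign.
ADHOC_SAMPLE = """\
Executable=/Volumes/Placeholder/TradingView.app/Contents/MacOS/TradingView
Identifier=TradingView-placeholder
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+7 location=embedded
Signature=adhoc
Info.plist entries=20
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=8
Internal requirements count=0 size=12
"""

# Constructed sample: a Developer ID signed application.
DEVID_SAMPLE = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=5678 flags=0x10000(runtime) hashes=170+7 location=embedded
Signature size=9000
Authority=Developer ID Application: Example Corp (PLACEHOLDER1)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=1 Jan 2024 at 00:00:00
Info.plist entries=25
TeamIdentifier=PLACEHOLDER1
Sealed Resources version=2 rules=13 files=40
Internal requirements count=1 size=200
"""

if __name__ == "__main__":
    for name, sample in (("ad-hoc", ADHOC_SAMPLE), ("developer id", DEVID_SAMPLE)):
        info = parse_codesign(sample)
        print(f"{name}: kind={info.kind} team={info.team_id} run={allow_to_run(info)}")
```

`inspect()` is the only part that needs macOS; the parser and policy run anywhere, which is what lets the classification be tested against captured reports from a fleet. The chain check is deliberately coarse: it answers "could this certificate be revoked?" and nothing more, so pair it with `spctl --assess` and notarization status before trusting a binary.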

There has been increasing evidence that Google Ads are being used to push rogue installers to victims searching for popular software, whether legitimate or cracked. The bogus ads appear to users searching for that software and lead to downloads that are not the legitimate product.

A campaign targeting TradingView users was launched recently, with a fraudulent web page prominently displaying a button to download the software for Windows, macOS, and Linux.

Aon's Stroz Friedberg Incident Response Services said last month that new versions of DarkGate have been used in attacks by threat actors employing tactics similar to those of the Scattered Spider cybercriminal group.

Malvertising Gives Cybercriminals Access to Big Technologies

Malvertising has become a more popular tool among cybercriminals in recent years for exploiting unsuspecting internet users. Malvertising is the delivery of malware to a computer or mobile device through a malicious ad that the user clicks on. Sadly, some contend that Big Tech's corporate policies are facilitating hackers' use of malvertising as a means of infiltrating computer systems.

According to columnist Candice Rivera, "Big Tech's business model is dependent on targeted advertising, which means collecting data on users and their interests to serve them ads. However, this also means that ads can be targeted to specific users based on their vulnerabilities." Cybercriminals are taking advantage of this practice by purchasing ad space and using it to spread malware to specific groups of people.

In a recent article on Security Boulevard, the author suggests that one way to defeat malvertising-based phishing attacks is to 'use ad-blocking software, which can prevent ads from being displayed altogether.' While this may be an effective solution, it does not address the root cause of the problem, which is the business practices of Big Tech companies. 

The use of malvertising has become so widespread that even popular search engines like Google have become vulnerable to attacks. As reported by Ars Technica, "Google recently warned users to be cautious when downloading software from its search engine, as some downloads may contain malware." This highlights the need for users to exercise caution when browsing the internet, even when using well-known and trusted search engines.

CSO Online provides recommendations to internet users to protect themselves from malvertising-based attacks. They suggest keeping the software and operating systems updated, using antivirus software, and installing ad-blocking software. Moreover, it is essential to exercise caution while clicking on links or downloading files from unknown websites.  

While malvertising has become a serious threat to internet users, it is important to recognize the role that Big Tech's business practices play in enabling cyber criminals. As users, we must take responsibility for our own online security and take steps to protect ourselves from these types of attacks. 




Bitwarden Users Attacked via Malicious Google Ads

Last week, several customers of Bitwarden's password management service reported that, when they used Google to look up the vendor's official Web vault login page, they were shown paid advertisements leading to credential-stealing phishing sites.

Google ads targeting Bitwarden users

Many password managers are cloud-based, letting users reach their passwords through websites and mobile apps, unlike a local password manager such as KeePass. KeePass has been criticized for being less user-friendly than cloud-based alternatives, but technical users rely on it because the entire password database is encrypted and stored locally on the computer rather than in the cloud.

According to reports from last week, Google Ads phishing campaigns seeking password vault credentials specifically targeted Bitwarden and 1Password. Malicious advertising aimed at users of these two services shows that threat actors have added a new way to break into password managers and compromise every account whose password they hold.

When customers searched for terms such as 'bitwarden password manager' or '1Password Web vault', the malicious advertising reported last week appeared near the top of Google's search results. The landing pages are also of high quality: one Bitwarden user found a phishing site that resembled the vendor's official site so closely that the two were hard to distinguish.

Recent hacks show that the master password is a password vault's weak link. Threat actors have therefore been seen building phishing pages that target the vault itself, since with the login information, and possibly the authentication cookies, they gain access to everything stored inside.

Safeguarding password storage 

It is crucial to protect password vaults since they store the most sensitive internet data. Verifying that you are entering your credentials on the right website is always the first step to take when it comes to safeguarding your password storage against phishing threats.

Attackers have been using this vector to spread a variety of malware, or links to malicious and phishing websites, in order to steal login information and other personal data. More recently they have used these advertisements to impersonate well-known and popular companies.

Hardware security keys, authentication apps, and SMS verification are the three main MFA methods, ranked here from strongest to weakest. With this phishing technique, visitors to the phishing page are shown the login form of a legitimate service such as Microsoft 365. The credentials and MFA verification codes they enter are relayed onward, and the resulting session tokens, which have already passed MFA verification, let the threat actors access the account without having to complete MFA again.
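The ranking above comes down to one property: whether the second factor is bound to the site the browser is actually on. The following added example (not from the article) simulates both cases from the relying party's side. An HMAC key stands in for a security key's private key, and the origins are constructed placeholders; what the code shows is that a FIDO2/WebAuthn assertion signs a `clientData` record naming the browser's real origin, so a challenge relayed through a look-alike page fails the origin check, while a one-time code carries no origin and passes through a relay unchanged.

```python
"""Why origin-bound MFA survives a credential-relay page and one-time codes do not.

Added example, not from the article. Origins are constructed placeholders and an
HMAC key stands in for the authenticator's private key; the property shown is that
the signed clientData names the origin the browser really visited.
"""
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://vault.example.com"                # the real login page
PHISH_ORIGIN = "https://vault-example.login.example"   # look-alike reached via a bad ad


class Authenticator:
    """Stand-in security key: signs the (challenge, origin) pair the browser hands it."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)

    def get_assertion(self, challenge: bytes, browser_origin: str) -> dict:
        # The browser, not the web page, fills in the origin; the page cannot lie about it.
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                                  "origin": browser_origin}, sort_keys=True).encode()
        digest = hashlib.sha256(client_data).digest()
        return {"clientDataJSON": client_data,
                "signature": hmac.new(self.key, digest, hashlib.sha256).digest()}


class RelyingParty:
    """The vault's server: checks ceremony type, origin, challenge freshness, signature."""

    def __init__(self, origin: str, credential_key: bytes) -> None:
        self.origin = origin
        self.credential_key = credential_key
        self.outstanding: set = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self.outstanding.add(challenge)
        return challenge

    def verify(self, assertion: dict) -> tuple:
        data = json.loads(assertion["clientDataJSON"])
        if data.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if data.get("origin") != self.origin:
            return False, "origin mismatch"            # a relayed login is refused here
        challenge = bytes.fromhex(data["challenge"])
        if challenge not in self.outstanding:
            return False, "unknown or replayed challenge"
        self.outstanding.discard(challenge)            # single use
        digest = hashlib.sha256(assertion["clientDataJSON"]).digest()
        expected = hmac.new(self.credential_key, digest, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "bad signature"
        return True, "ok"


class OtpService:
    """App or SMS codes carry no origin: the service cannot tell where the code was typed."""

    def __init__(self) -> None:
        self.current = f"{secrets.randbelow(10**6):06d}"

    def code_shown_to_user(self) -> str:
        return self.current

    def verify(self, code: str) -> bool:
        return hmac.compare_digest(code, self.current)


def legitimate_webauthn_login() -> tuple:
    auth = Authenticator()
    rp = RelyingParty(RP_ORIGIN, auth.key)
    return rp.verify(auth.get_assertion(rp.new_challenge(), RP_ORIGIN))


def relayed_webauthn_login() -> tuple:
    """The look-alike page forwards the genuine challenge, but the victim's browser
    is on PHISH_ORIGIN, and that is the origin the authenticator signs."""
    auth = Authenticator()
    rp = RelyingParty(RP_ORIGIN, auth.key)
    return rp.verify(auth.get_assertion(rp.new_challenge(), PHISH_ORIGIN))


def relayed_otp_login() -> bool:
    """A code typed into the look-alike page and forwarded unchanged is accepted."""
    otp = OtpService()
    return otp.verify(otp.code_shown_to_user())


if __name__ == "__main__":
    print("legitimate WebAuthn:", legitimate_webauthn_login())
    print("relayed WebAuthn:   ", relayed_webauthn_login())
    print("relayed OTP:        ", relayed_otp_login())
```

The defensive takeaways are in `RelyingParty.verify`: check the origin before anything else, consume each challenge once, and only then verify the signature. Real WebAuthn also signs `authenticatorData` (RP ID hash, flags, counter) alongside the clientData hash; that is left out here so the origin check stands alone.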



IcedID Botnet Distributors Abuse Google PPC to Disseminate Malware

 

To improve traffic and sales, businesses use Google Ads to deliver adverts to specific target audiences. Since the beginning of December, the IcedID botnet distributors have been using SEO poisoning to entice search engine users to visit phony websites that result in malware downloads.
In order to display malicious ads above the organic search results, attackers are choosing and ranking keywords used by well-known businesses and applications in Google pay-per-click (PPC) ads.
  • Attackers are abusing terms used by organizations including Adobe, AnyDesk, Brave Browser, Chase Bank, Discord, Fortinet, GoTo, Teamviewer, Thunderbird, the US Internal Revenue Service (IRS), and others, according to Trend Micro researchers.
  • Attackers employ the commercial Keitaro Traffic Direction System (TDS) to filter out researcher and sandbox traffic and direct potential victims to clones of the websites of reputable companies and well-known applications.
  • A malicious Microsoft Software Installer (MSI) or Windows Installer file will be downloaded onto the user's computer if they click the Download button.
  • The file serves as the bot's initial loader, obtaining the bot's core before releasing a backdoor payload.
Escaping Detection

IcedID operators have employed a number of strategies in these malvertising attacks to make detection difficult. Well-known and commonly used libraries such as tcl86.dll, sqlite3.dll, conEmuTh.x64.dll, and libcurl.dll have been modified to serve as IcedID loaders.

Since the genuine and modified versions of the MSI or installer files are so similar, machine learning detection engines and whitelisting systems have a difficult time identifying the modified versions.
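The weakness the paragraph above describes is allowlisting by name: a modified sqlite3.dll is still called sqlite3.dll. The following added example (not Trend Micro's tooling) shows the difference between a name-based allowlist and one pinned to content hashes. It builds a throwaway install tree in a temporary directory; the file names echo the libraries named above, but the bytes are constructed placeholders, not the real DLLs.

```python
"""Pin loader dependencies by content hash, not by file name.

Added example, not Trend Micro's tooling. The install trees are built in a
temporary directory from constructed placeholder bytes, not real DLLs.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Record relative name -> sha256 for every file in a known-good install."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_install(root: Path, manifest: dict[str, str]) -> dict[str, str]:
    """Hash-pinned check. Verdicts: ok | modified | missing | unexpected."""
    verdicts: dict[str, str] = {}
    seen: set[str] = set()
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = str(p.relative_to(root))
        seen.add(rel)
        if rel not in manifest:
            verdicts[rel] = "unexpected"
        else:
            verdicts[rel] = "ok" if sha256_of(p) == manifest[rel] else "modified"
    for rel in manifest:
        if rel not in seen:
            verdicts[rel] = "missing"
    return verdicts


def name_only_allowlist(root: Path, manifest: dict[str, str]) -> dict[str, str]:
    """The check a trojanised library defeats: a trusted name is enough to pass."""
    return {str(p.relative_to(root)): "ok" if str(p.relative_to(root)) in manifest else "unexpected"
            for p in root.rglob("*") if p.is_file()}


def demo() -> tuple[dict[str, str], dict[str, str]]:
    """Build a known-good tree and a tampered copy, then run both checks on the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        good, candidate = Path(tmp, "good"), Path(tmp, "candidate")
        good.mkdir()
        candidate.mkdir()
        originals = {"sqlite3.dll": b"placeholder sqlite3 bytes",
                     "libcurl.dll": b"placeholder libcurl bytes",
                     "tcl86.dll": b"placeholder tcl86 bytes"}
        for name, data in originals.items():
            (good / name).write_bytes(data)
        manifest = build_manifest(good)
        # The tampered install keeps the trusted names but changes what sits behind one,
        # drops one library and adds another (all constructed placeholder content).
        (candidate / "sqlite3.dll").write_bytes(b"placeholder sqlite3 bytes + loader stub")
        (candidate / "libcurl.dll").write_bytes(originals["libcurl.dll"])
        (candidate / "conEmuTh.x64.dll").write_bytes(b"placeholder extra library")
        return verify_install(candidate, manifest), name_only_allowlist(candidate, manifest)


if __name__ == "__main__":
    by_hash, by_name = demo()
    print("hash-pinned:", by_hash)
    print("name-only:  ", by_name)
```

The hash check reports sqlite3.dll as modified where the name-only check waves it through. On Windows the same idea is usually layered with a signature check (`Get-AuthenticodeSignature` in PowerShell) so that a vendor's legitimately updated library does not show up as "modified" every release.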

In recent months, cybercriminals have utilised IcedID to gain initial access, establish persistence on the host, and carry out other illegal activities. In October, attackers were seen using phishing emails in Italian or English to distribute IcedID through ISO files, archives, or document attachments containing macros. In September, the UAC-0098 group was observed using IcedID and Cobalt Strike payloads to target Ukrainian NGOs and organisations in Italy.

In the same month, IcedID was also being delivered by Raspberry Robin worm infections. The threat actors behind IcedID have recently used a wide range of distribution techniques, as is to be expected while they test which tactics work best against particular targets. Users should be on the lookout for fraudulent or phishing websites and be cautious when downloading from websites.

Threat Advert is a New Service Strategy Invented by AsyncRAT

 

AsyncRAT is a Remote Access Tool (RAT) that uses an encrypted connection to monitor and control other machines remotely. It is an open-source remote administration tool, but it lends itself to misuse because it includes keylogging, remote desktop control, and other functionality that can compromise the victim's PC. AsyncRAT can be distributed in a variety of ways, including spear-phishing, malvertising, and exploit kits.

Morphisec has detected a new, advanced distribution campaign that has been evading several security vendors; Morphisec caught it thanks to its Moving Target Defense breach-prevention technology.

The attackers are spreading AsyncRAT to targeted machines with a simple phishing email carrying an HTML attachment. AsyncRAT is designed to remotely monitor and manipulate compromised systems over an encrypted connection. This campaign ran for 4 to 5 months with very low detection rates on VirusTotal.

Victims received an email with an HTML attachment styled as a receipt, in many cases named Receipt-<digits>.html. When the victim opens the receipt, they are taken to a web page that prompts them to save a downloaded ISO file. The user assumes it is a routine file download that has passed through the usual perimeter and network security scanning. That is not the case.

The ISO download, in fact, is created within the user's browser by the JavaScript code hidden within the HTML receipt file, rather than being downloaded from a remote server. 
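Because the ISO is assembled inside the browser, there is no download for a network scanner to inspect; the place to look is the HTML attachment itself. The following added example (not Morphisec's detection) scans an HTML attachment for the markers of in-browser file assembly: a script that decodes base64, builds a Blob, turns it into an object URL, and sets a download name ending in a disk-image or archive extension. Both attachments are constructed: a plain receipt with no script, and a receipt-styled page carrying those markers, whose base64 literal is just placeholder text.

```python
"""Flag HTML attachments that assemble a file inside the browser.

Added example, not Morphisec's detection logic. Both sample attachments are
constructed; the base64 literal is encoded placeholder text, not a payload.
"""
import base64
import re

INDICATORS = {
    "base64_decode":    re.compile(r"\batob\s*\("),
    "blob_constructor": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url":       re.compile(r"\bURL\.createObjectURL\s*\("),
    "legacy_save":      re.compile(r"\bmsSaveOrOpenBlob\b"),
    "download_attr":    re.compile(r"""\.download\s*=|\bdownload\s*=\s*["']""", re.I),
    "iso_or_archive":   re.compile(r"""["'][^"']+\.(iso|img|zip|vhd)["']""", re.I),
}
# A long quoted base64 run is the payload container, whatever name the script gives it.
BASE64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{64,}={0,2})["']""")


def scan_html(html: str) -> dict:
    """Return the indicators present and a verdict for one attachment."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    largest = max((len(m) for m in BASE64_LITERAL.findall(html)), default=0)
    has_script = re.search(r"<script\b", html, re.I) is not None
    assembles_file = any(h in hits for h in ("blob_constructor", "object_url", "legacy_save"))
    carries_payload = "base64_decode" in hits or largest >= 64
    verdict = "suspicious" if has_script and assembles_file and carries_payload else "clean"
    return {"verdict": verdict, "indicators": hits,
            "largest_base64_literal": largest, "has_script": has_script}


# Constructed: an ordinary receipt, no script at all.
BENIGN_RECEIPT = """\
<html><body>
<h1>Receipt 48213</h1>
<table><tr><td>Item</td><td>Qty</td></tr><tr><td>Widget</td><td>2</td></tr></table>
<a href="https://shop.example/orders/48213">View your order</a>
</body></html>
"""

# Constructed: the base64 literal is placeholder text, so nothing real is assembled.
PLACEHOLDER_B64 = base64.b64encode(b"PLACEHOLDER: " + b"not a real payload " * 4).decode()
SMUGGLED_RECEIPT = """\
<html><body>
<h1>Receipt 48213</h1>
<script>
// constructed indicator fragment for the scanner; the literal is placeholder text
var raw = atob("__B64__");
var bytes = new Uint8Array(raw.length);
for (var i = 0; i < raw.length; i++) bytes[i] = raw.charCodeAt(i);
var blob = new Blob([bytes], {type: "application/octet-stream"});
var link = document.createElement("a");
link.href = URL.createObjectURL(blob);
link.download = "Receipt-48213.iso";
</script>
</body></html>
""".replace("__B64__", PLACEHOLDER_B64)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_RECEIPT), ("smuggled", SMUGGLED_RECEIPT)):
        print(label, scan_html(doc))
```

The verdict deliberately requires three things together (a script, a file-assembly call, and a payload container), because any one of them on its own is common in legitimate web pages; a mail gateway would run this on `.html`/`.htm` attachments and on HTML bodies with inline scripts, and quarantine or detonate anything marked suspicious.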

To reduce the possibility of infection by AsyncRAT, users must follow the following steps:
  • Keep antivirus signatures and engines up to date.
  • Enable automatic updates to ensure that the operating system is up to date with the most recent security fixes. 
  • Email addresses should not be made public on the internet. 
  • Don't click email attachments with strange-looking extensions. When opening any email attachment, especially the one from unknown senders, proceed with caution.
  • Exercise caution while opening emails with generic subject lines. 

Hackers Exploit Ad Networks to Launch Phishing Attacks against Android Users


Hackers are exploiting mobile ad networks to send Android users to malicious websites, where they can steal personal information or flood the victim's Android device with spam. The Google Play Store has more than 400 apps that carry ads as a way for app developers to earn money. Recently, though, hackers have been abusing these ad networks through an SDK (Software Development Kit): the SDKs help app developers earn money, and the hackers are inserting code to attack the ad network.


According to research by Wandera, a mobile security firm, the hackers push domains and URLs to users via the ads. The distribution framework is called StartApp, and it allows the attackers to swamp the Android device with spam and malicious websites. StartApp is not itself responsible for the malicious content; it is funded by a few agencies that distribute it. StartApp has not responded to questions about its involvement in this attack. "Our researchers wanted to explore a service that wasn't associated with a single well-known advertiser, such as Google or Facebook, so they took a closer look at the framework from StartApp, which would presumably provide app developers with ads from a wider variety of advertising networks," says Wandera's research report.

It also says that more than 90% of the ads distributed through the StartApp framework originate from a single ad provider. Wandera did not identify the provider, but Cyberscoop has identified it as "AdSalsa." AdSalsa is a digital marketing firm operating from Spain and is responsible for the ads that direct users to these malicious websites.

"We help app publishers and developers turn their apps into successful businesses by using advanced data insights to identify relevant campaigns across direct and programmatic channels for each publisher's unique users. Over 400,000 apps have already integrated our lightweight, easy to incorporate advertising SDK. When combined with our mediation options, you can begin earning revenue from your apps in minutes," says StartApp on its website. Experts at Wandera found 700 apps on the Google Play Store using StartApp's SDK. Google has since removed 47% of them, according to Wandera. The abuse of this advertising channel, which has now turned into malvertising, is making it harder for app developers to keep their apps secure.

Researchers detect Malvertising in PlentyOfFish

Photo Courtesy: Malwarebytes

Researchers from Malwarebytes Unpacked, a security firm's research blog, have detected malvertising on PlentyOfFish, a Vancouver-based online dating service that makes its money from advertising. Malvertising, short for "malicious advertising", uses online advertising to spread malware by inserting malware-laden advertisements into legitimate online advertising networks.

The researchers have warned users not to click on the adverts, though no click is required: visitors are targeted automatically by an attack that detects whether their computer can be infected (via outdated software) and launches directly.

Soon after detecting the problem, they contacted the company concerned to make it aware of the issue.

According to the researchers, the attack chain uses the Google URL shortener goo.gl as intermediary to load the Nuclear exploit kit.

“While we see this mechanism quite frequently within our telemetry, it is particularly difficult to reproduce it in a lab environment,” the researcher wrote in a blog post. “The ad network involved in the malvertising campaign (ad.360yield.com) was familiar and it turns out that we had observed it in a rare attack captured by our honeypots just one day prior.”

The sample collected in that earlier attack was the Tinba banking Trojan. Given that the time frame of both attacks and the ad network involved are the same, chances are high that pof[dot]com dropped that Trojan as well.

According to a news report published in The Register, the attack against PlentyOfFish comes against the backdrop of the fallout from the data dump by hackers who breached cheaters’ hook-up website Ashley Madison, and the earlier attack against AdultFriendFinder.

 There’s nothing to link the three attacks directly, however it’s fair to say that dating and adult hook-up websites are very much in the firing line of hackers, so extra precautions ought to be applied.

Cyber Criminals abuse Yahoo's advertising network to spread malware


Cyber criminals are targeting Yahoo’s advertising networks to deliver malware directly to the computers of users who view the ads.

Security firm Malwarebytes, which discovered the attack on July 28, says that Yahoo is the victim of a malvertising attack in which exploit kits are used to redirect victims to the malware website.

The malvertising attack which does not require any user interaction, is believed to be one of the biggest in recent times due to the massive amount of traffic in Yahoo. 

In one of the campaigns, the attackers used the Angler Exploit Kit, which typically infects the victim's machine with unwanted software and malware that forces victims to pay money to unlock their system.

The security firm said that it had informed Yahoo about the attack the very same day. Yahoo said that the malware campaign has been stopped and that the company is investigating the matter.

Although it is not yet possible to determine exactly how many people have been affected, the number could be large, as Yahoo gets 6.9 billion visits a month.

Malicious Ad Network "Kyle and Stan" serves Windows and Mac Malware


Cyber criminals have been placing malicious ads that serve malicious software on a number of popular websites, including YouTube and Yahoo. The campaign also targets Mac users.

The malicious network, uncovered by Cisco researchers, comprises over 700 domains. They observed nearly 10,000 connections to the malicious domains.

The operation has been dubbed "Kyle and Stan" because most of the domains used in this campaign for distributing malicious software contain "kyle" and "stan" strings in the sub-domain name.

Users who visit a website carrying the malicious ad are redirected to another website, and from there to a page that serves Mac or Windows malware depending on their user agent.

"The attackers are purely relying on social engineering techniques, in order to get the user to install the software package. No drive-by exploits are being used thus far" Armin Pelkmann, Cisco researcher, wrote in a blog post.

YouTube ads serve Banking Trojan Caphaw


The number of malvertising attacks appears to be increasing day by day, and even top websites fall victim to them; YouTube is the latest popular site affected by malicious ads.

Security experts from Bromium have discovered that cyber criminals were distributing malware via YouTube ads.

According to the researchers, the malicious ads attempt to exploit vulnerabilities in outdated Java. They load different malicious JAR files to ensure the exploit matches the installed Java version.

The exploit kit used in this attack is the Styx Exploit Kit, the same one cybercriminals used to infect users of toy maker Hasbro's website, Hasbro.com.

If the user's machine has vulnerable plugins, the kit exploits the vulnerability and drops a banking Trojan known as "Caphaw". The researchers say they are working with the Google security team.

Thousands of websites using MadAdsMedia ads blocked by Google Safe Browsing

Thousands of website owners using the MadAdsMedia ad service were made mad after Google Safe Browsing blocked their websites.

A number of users have reported in Google's forums and the Digital Point forums that their website is blocked by GSB and shows the following warning: "This web page at [site] has been reported as an attack page and has been blocked based on your security preferences."

Even after removing the MadAdsMedia script from their website, it is still showing the Malware warning.

"In my webmaster tools it lists the suspicious snippets as the links to madads. As I said before I removed them, then I tried to request a review in my webmaster tools but when I submit it I get: 'Your request can't be processed at this time because your site isn't currently flagged for malware. If you see a malware warning in your browser, it is likely a cross-site warning.'" one user posted in the DigitalPoint forums.

It is still unknown whether Google mistakenly blocked those websites or whether MadAdsMedia was hacked to serve malicious ads. We are not sure how many websites have been affected.

*Update:
According to the fz6-forum, one of MadAdsMedia's advertising vendors' servers was hacked and a few ads were injected with malicious code.

"This message is regarding the recent malware notifications that some of our publishers may have experienced. Just before noon today, our engineers discovered that one of our ad serving locations had been hacked."
 
"Since this attack was discovered, our engineering team worked diligently until 3:45pm EST to ensure that the appropriate action was taken to secure our ad server. Unfortunately during that time, this attack affected 7.8% of our publishers' domains." the mail from MadAdsMedia reads.

Malvertising on Aftonbladet news site targets IE users with Fake Antivirus

Aftonbladet, the website of Sweden's largest newspaper, has been found serving malicious ads that redirect users to a malicious site pushing fake antivirus.

A security researcher at Kaspersky said the website was spreading malware not because it was hacked, but because cybercriminals compromised a third-party ad running on the site.

The malicious script used in the malvertising attack checks whether the user is using Internet Explorer browser or not.  Only IE users are being redirected to malware website.

The malware page does not exploit any vulnerabilities; it displays a fake virus alert, purporting to come from Microsoft Security Essentials, claiming that potential threats have been detected on the user's computer and recommending a clean-up.

Once the user clicks on the picture, nothing is cleaned; instead, a malicious, obfuscated Visual Basic executable is downloaded.

"Large websites often include content from other websites, and if the bad guys compromise any of those websites they can also manipulate the content which is getting included by the large website," the researcher said.

Malvertising attack on South African Mail & Guardian website serves Fake AV


The South African Mail & Guardian news portal is the latest victim of a malvertising attack. This is the third reported malvertising attack on a major organization in 2014.

A large number of visitors to mg.co.za are being served a malicious ad that redirects to a malicious page hosted on a server in the Netherlands, according to Blue Coat, a California-based security firm.

The landing page shows a fake infection alert reading "Microsoft Antivirus has found critical process activity on Your pc. you need to clean your computer to prevent the system breakage."

Clicking the "OK" button downloads a "setup.exe" file, which is nothing other than fake antivirus.

A few days ago, users of Yahoo ads were redirected to a page hosting the Magnitude exploit kit. Following that incident, malicious ads on Dailymotion led to fake AV.

Symantec AdVantage(Anti-Malvertising): Armorize and Symantec partnered and launched


Armorize Technologies and Symantec have joined forces to fight malvertising. They have launched Symantec AdVantage (Anti-Malvertising), a cloud-based scanner that detects malvertising (malicious advertisements) online.

“Malvertising poses a serious risk to online publishers and their customers, reputation and revenue. Highly publicized malvertising infections can damage the reputation of even the most trusted online sites. Symantec AdVantage will provide ad publishers the tools they need to protect their businesses by fighting back against these threats.”
– Fran Rosch, Vice President, Identity and Authentication Services, Symantec Corp.

Symantec AdVantage will scan for, detect and report malvertising on websites by automatically alerting publishers and identifying the location of malicious advertisements, so customers can remove malicious ads that may damage their business’ reputation. A real-time performance dashboard complements these automatic reports with essential insights. For example, Symantec AdVantage will let customers compare safe ads to malicious advertisements and discover how and when malvertising occurred by visually tracing the path and source of infected advertisements.

Symantec AdVantage is scheduled to be made available to publishers and ad networks through a free early access program beginning in November 2011.

The service will be available here:
http://advantage.symantec.com/

Reference:
A few days ago, the well-known site KickAssTorrents (KAT.ph) served malvertising, as detected by Armorize.

KickAssTorrents(Kat.ph) infected and serving malware through Malvertising

The OpenX ad platform of KickAssTorrents (kat.ph), a popular torrent website (Alexa rank 321), was compromised and served the fake antivirus "Security Sphere 2012" through malvertising (malicious advertisement), as detected by Armorize. When a user clicks the ad, it redirects to a fake page that infects visitors without their knowledge.


Coincidentally, KickAss Torrents published a blog post on Oct 10th in response to the website being flagged by antivirus vendor Avast. In it they said:
===================
Our users that are using the Avast anti-virus might have noticed that KAT.ph suddenly became labeled as a dangerous website for users that are not logged in. We want to assure our users that KickassTorrents has no malware or viruses of any kind and it is absolutely safe to use our website. We already contacted Avast and currently we are trying to find and fix the cause of this problem. You will help us if you choose the "Report the file as a false positive" option if you get the alert.
===================

In another thread, KickAss Torrents said:

===================
Now what the hell does this error mean?
First of all, don't flip out, don't go post on the KAT site, post down here if you experience the same problem.
Secondly, report down here if you experience this error.
Thirdly, add kat.ph to the safe URLs in your AV.
And lastly, please go to this site and report the problem (Avast! users only):
Avast! forum thread
Back on topic. What is this error? This error roughly means that your anti-virus software has found some bad code in an iFrame. This could be from the site itself, or from advertisements. An iFrame is a piece of code that allows you to do several things. Embedding something in your site is a good example.
I hope this topic helps a little and I certainly hope the error is going to be fixed now.
Q&A:
Q: OMFG IS KAT HACKED?
A: Nope, just some error.
Q: Is it really safe to visit KAT?
A: Yes, it is.
===================
KickAss Torrents also referred to this discussion thread on Avast's forum. At the end of the thread it appears that Avast acknowledged that it was indeed a false positive and addressed the issue:

===================
Hello,

It should be solved, if not let us know please.

Miroslav Jenšík
AVAST Software a.s.
===================

Well, that time it might have been a false positive from Avast, but this time the website is absolutely infecting its visitors, as seen in our video.


The attacker injected the malicious script using the following url:
http://ad.kat.ph/delivery/ajs.php?zoneid=4&target=_blank&charset=UTF-8&cb=95920847237&charset=UTF-8&loc=http%3A//www.kat.ph/&section=1939940

At the time of detection, only 2 of the 42 engines on VirusTotal detected the malware.

According to Armorize, this attacker is also responsible for the speedtest.net incident.

The attacker uses DynDNS domains for the exploit server. The domain names are computed automatically in JavaScript: the algorithm generates a different, predictable dyndns.tv domain name every hour, in the format roboABCD.tv, where ABCD are characters derived from a fixed seed and incremented by one character every UTC hour.

The dyndns domain for the next hour is generated every hour precisely between minutes 2 and 5, so this is most likely an automated mechanism.

All generated domains resolve to a single IP: 184.22.224.154 (AS21788, United States Scranton Network Operations Center Inc), located in the US.

The domain obama-president.com resolves to this IP and serves the same exploit pack. It was registered on Aug 4th through a Russian registrar, 1'ST DOMAIN NAME SERVICE (www.1dns.ru). At that time the domain resolved to a Netherlands IP, 85.17.93.9; it started to resolve to 184.22.224.154 on Aug 23rd. Both this IP and the president-obama.com domain are currently still up and working.
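The hourly rotation described above is exactly what makes these names easy to hunt for in resolver logs: a host that resolves a fresh `robo` name every hour, all answering with the same address. The following added example (not Armorize's analysis) runs that hunt over constructed resolver log lines; the name pattern and the 184.22.224.154 answer come from the write-up, while the timestamps, client addresses and specific labels are made up for the demonstration.

```python
"""Hunt resolver logs for hourly-rotating robo*.dyndns.tv exploit-server names.

Added example, not Armorize's analysis. The log lines are constructed; only the
name pattern and the 184.22.224.154 answer come from the write-up.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

ROBO_NAME = re.compile(r"^robo[a-z0-9]{4}\.dyndns\.tv$", re.I)
KNOWN_EXPLOIT_IP = "184.22.224.154"   # from the write-up

# Constructed resolver log: "<iso8601 utc> <client> <qname> <answer>"
SAMPLE_LOG = """\
2011-10-11T09:14:02Z 10.0.0.12 www.kat.ph 203.0.113.10
2011-10-11T09:14:03Z 10.0.0.12 roboabcd.dyndns.tv 184.22.224.154
2011-10-11T09:40:51Z 10.0.0.12 cdn.example.net 203.0.113.22
2011-10-11T10:14:07Z 10.0.0.12 roboabce.dyndns.tv 184.22.224.154
2011-10-11T10:31:00Z 10.0.0.47 update.example.org 203.0.113.30
2011-10-11T11:15:44Z 10.0.0.12 roboabcf.dyndns.tv 184.22.224.154
2011-10-11T11:20:10Z 10.0.0.47 obama-president.com 184.22.224.154
2011-10-11T11:21:00Z 10.0.0.9 robotics-club.example 203.0.113.40
"""


def parse_line(line: str):
    ts, client, qname, answer = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, client, qname.lower().rstrip("."), answer


def hunt(log_text: str) -> dict:
    """Flag lines by name pattern or known answer, then look for the hourly rotation."""
    findings = []
    labels_by_hour = defaultdict(lambda: defaultdict(set))   # client -> hour -> names
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, client, qname, answer = parse_line(line)
        reasons = []
        if ROBO_NAME.match(qname):
            reasons.append("dga-pattern")
            labels_by_hour[client][when.replace(minute=0, second=0)].add(qname)
        if answer == KNOWN_EXPLOIT_IP:
            reasons.append("known-exploit-ip")
        if reasons:
            findings.append({"time": when.isoformat(), "client": client,
                             "qname": qname, "answer": answer, "reasons": reasons})
    # The rotation signature: one new matching name per UTC hour, over several hours.
    rotating = sorted(client for client, hours in labels_by_hour.items()
                      if len(hours) >= 2 and all(len(names) == 1 for names in hours.values()))
    return {"findings": findings, "rotating_clients": rotating}


if __name__ == "__main__":
    result = hunt(SAMPLE_LOG)
    for f in result["findings"]:
        print(f["time"], f["client"], f["qname"], f["answer"], ",".join(f["reasons"]))
    print("hosts showing hourly rotation:", result["rotating_clients"])
```

The two signals are complementary: the name regex catches the next hour's domain before anyone has seen it, and the answer match catches unrelated names such as obama-president.com that the write-up ties to the same server. Neither depends on knowing the seed, which the write-up does not disclose, so the hunt works without reimplementing the generator.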

This video shows how users are infected: