
Gossip Site TMZ, Latest Victim of Malvertising Campaign


Batu69


The same malvertising campaign we documented last week is still going unabated. The latest large publisher affected by it is celebrity gossip portal TMZ.com, which brings in around 30 million visitors to its website every month.

The same ad chain pattern from ContextWeb (PulsePoint) to Smarty Ads and eventually various rogue advertisers can be observed. The latter are leveraging cloud security provider CloudFlare’s infrastructure to hide their server’s real location as well as encrypt the ad delivery.

Malvertising flow:

  • ads.contextweb.com/TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cp=557507&ct=363453&cwod=&epid=&esid=&
    tppg=%24%7BREFERER_URL%7D&brk=false&ccid=&wp=0&cf=300X250&asv=22&rq=1&dw=300&cwu=http%3A%2F
    %2Fwww.tmz.com%2F2016%2F02%2F01%2Fcrackhead-bob-dead-howard-stern-show%2F&cwr=&mrnd=97012589
    &if=1&tl=-1&pxy=0,0&cxy=300,250&dxy=&tz=300&ln=en-US,en-US,en-US,en-US
  • us-nj-e10.traffictradinghub.com/?t=s&winbid=0.19&k=1143fda55da87f8dedb1dcabc9195e5f
  • 88.214.193.234/?t=s&winbid=0.19&k=e948430234aecc5af66228308711bd5c
  • {redacted}.com/fill/activity/hurry.html?click=${CLICK_URL_ENC}&t=1454340922783

The malicious ad only cost $0.19 for one thousand user impressions (CPM), highlighting how cheap and effective malvertising can be.

The good news is that if you are running Malwarebytes Anti-Exploit, the fake ad server will not deliver the redirection to the exploit kit (Angler), therefore not exposing you to various exploits and ultimately malware. While we did not collect the payload in this case, it is quite likely to be one of the many different strains of ransomware.

CloudFlare has been very responsive to our reports and is taking a closer look at these recent events and abuses of their service. However, our outreach to ContextWeb has not yielded anything.

Article source
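For defenders reviewing proxy or browser logs, the hop list under "Malvertising flow" can be triaged mechanically. The sketch below is an added example, not code from the article or from Malwarebytes: the function names, flag labels and the reading of `winbid` as a CPM in USD are assumptions made here, and the first URL's query string is trimmed.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Hops from the "Malvertising flow" list in the post. The first query string is
# trimmed to its first four parameters; "http://" is prepended for parsing only.
CHAIN = [
    "http://ads.contextweb.com/TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cp=557507&ct=363453",
    "http://us-nj-e10.traffictradinghub.com/?t=s&winbid=0.19&k=1143fda55da87f8dedb1dcabc9195e5f",
    "http://88.214.193.234/?t=s&winbid=0.19&k=e948430234aecc5af66228308711bd5c",
    "http://{redacted}.com/fill/activity/hurry.html?click=${CLICK_URL_ENC}&t=1454340922783",
]

def is_ip_literal(host):
    """True when the hop is addressed by raw IP instead of a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def analyze_chain(urls):
    """Return one finding per hop with heuristic triage flags (assumed labels)."""
    findings = []
    prev_bid = None
    for url in urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        query = parse_qs(parts.query, keep_blank_values=True)
        flags = []
        # Ad delivery from a bare IP address is unusual for an ad exchange hop.
        if is_ip_literal(host):
            flags.append("ip-literal-host")
        # The same winning bid carried to a new host shows the auction result
        # being relayed onward rather than a fresh auction taking place.
        bid = query.get("winbid", [None])[0]
        if bid is not None and bid == prev_bid:
            flags.append("winbid-repeated-from-previous-hop")
        findings.append({
            "host": host,
            "winbid_cpm": float(bid) if bid is not None else None,
            "flags": flags,
        })
        prev_bid = bid
    return findings

if __name__ == "__main__":
    for hop in analyze_chain(CHAIN):
        print(hop)
```

Neither flag proves malice on its own; they mark hops worth a closer look when a chain leaves a known exchange.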
