Batu69 Posted February 5, 2016

The same malvertising campaign we documented last week is still going unabated. The latest large publisher affected by it is celebrity gossip portal TMZ.com, which brings in around 30 million visitors to its website every month. The same ad chain pattern from ContextWeb (PulsePoint) to Smarty Ads and eventually various rogue advertisers can be observed. The latter are leveraging cloud security provider CloudFlare’s infrastructure to hide their server’s real location as well as encrypt the ad delivery.

Malvertising flow:

ads.contextweb.com/TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cp=557507&ct=363453&cwod=&epid=&esid=&tppg=%24%7BREFERER_URL%7D&brk=false&ccid=&wp=0&cf=300X250&asv=22&rq=1&dw=300&cwu=http%3A%2F%2Fwww.tmz.com%2F2016%2F02%2F01%2Fcrackhead-bob-dead-howard-stern-show%2F&cwr=&mrnd=97012589&if=1&tl=-1&pxy=0,0&cxy=300,250&dxy=&tz=300&ln=en-US,en-US,en-US,en-US
us-nj-e10.traffictradinghub.com/?t=s&winbid=0.19&k=1143fda55da87f8dedb1dcabc9195e5f
88.214.193.234/?t=s&winbid=0.19&k=e948430234aecc5af66228308711bd5c
{redacted}.com/fill/activity/hurry.html?click=${CLICK_URL_ENC}&t=1454340922783

The malicious ad only cost $0.19 for one thousand user impressions (CPM), highlighting how cheap and effective malvertising can be.
The good news is that if you are running Malwarebytes Anti-Exploit, the fake ad server will not deliver the redirection to the exploit kit (Angler), and therefore will not expose you to various exploits and ultimately malware. While we did not collect the payload in this case, it is quite likely to be one of the many different strains of ransomware. CloudFlare has been very responsive to our reports and is taking a closer look at these recent events and abuses of their service. However, our outreach to ContextWeb has not yielded anything.
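One way to triage a redirect chain like the one quoted in the post, as an added example that is not part of the original post or of the Malwarebytes write-up it reproduces: a Python script that takes the four hop URLs (constructed here as a list, scheme-less and with the last host redacted, exactly as they appear above), recovers the publisher page from the exchange's cwu parameter, pulls the winning bid out of the rogue hops, and flags hops served from a bare IP address and ad-tag macros that were never expanded. The triage heuristic, the function names and every field name other than the URL parameters themselves are assumptions made for this example.

```python
"""Triage a malvertising redirect chain captured from proxy or browser logs.

Added example, not code from the original post. The only facts taken from
the post are the four hop URLs; the heuristic below is an assumption.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the four hops quoted in the post, in order. They are
# scheme-less in the post and the last host is redacted there; both kept as-is.
CHAIN = [
    "ads.contextweb.com/TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cp=557507&ct=363453"
    "&cwod=&epid=&esid=&tppg=%24%7BREFERER_URL%7D&brk=false&ccid=&wp=0&cf=300X250"
    "&asv=22&rq=1&dw=300&cwu=http%3A%2F%2Fwww.tmz.com%2F2016%2F02%2F01"
    "%2Fcrackhead-bob-dead-howard-stern-show%2F&cwr=&mrnd=97012589&if=1&tl=-1"
    "&pxy=0,0&cxy=300,250&dxy=&tz=300&ln=en-US,en-US,en-US,en-US",
    "us-nj-e10.traffictradinghub.com/?t=s&winbid=0.19&k=1143fda55da87f8dedb1dcabc9195e5f",
    "88.214.193.234/?t=s&winbid=0.19&k=e948430234aecc5af66228308711bd5c",
    "{redacted}.com/fill/activity/hurry.html?click=${CLICK_URL_ENC}&t=1454340922783",
]

# Ad-tag macros such as ${REFERER_URL} that a live request should have filled in.
MACRO = re.compile(r"\$\{[A-Z_]+\}")


def split_hop(url):
    """urlsplit() reads a scheme-less URL as a bare path; force a netloc split."""
    return urlsplit(url if "://" in url else "//" + url)


def is_bare_ip(host):
    """True when the hop is served from a literal IP rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def describe_hop(url):
    parts = split_hop(url)
    host = parts.hostname or ""
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    first = lambda name: params[name][0] if params.get(name) else None
    macros = sorted({m for vals in params.values() for v in vals for m in MACRO.findall(v)})
    return {
        "host": host,
        "bare_ip": is_bare_ip(host),
        "winbid": first("winbid"),
        "publisher_page": first("cwu"),  # the page the ad slot was loaded on
        "unexpanded_macros": macros,
    }


def analyze_chain(urls):
    """Summarise a chain; 'suspicious' is the assumed heuristic: any hop after
    the exchange that is served straight from a bare IP address."""
    hops = [describe_hop(u) for u in urls]
    bids = sorted({float(h["winbid"]) for h in hops if h["winbid"] is not None})
    return {
        "hops": hops,
        "publisher_page": next((h["publisher_page"] for h in hops if h["publisher_page"]), None),
        "bare_ip_hosts": [h["host"] for h in hops if h["bare_ip"]],
        "cpm_usd": bids,                                   # winbid is a CPM price
        "cost_per_impression_usd": [b / 1000 for b in bids],
        "landing_host": hops[-1]["host"] if hops else None,
        "suspicious": any(h["bare_ip"] for h in hops[1:]),
    }


if __name__ == "__main__":
    report = analyze_chain(CHAIN)
    print("publisher page :", report["publisher_page"])
    print("landing host   :", report["landing_host"])
    print("bare-IP hops   :", report["bare_ip_hosts"])
    print("CPM (USD)      :", report["cpm_usd"])
    print("suspicious     :", report["suspicious"])
    for i, h in enumerate(report["hops"], 1):
        print(f"  hop {i}: {h['host']}  macros={h['unexpanded_macros']}")
```

Run it as-is and the report names the TMZ article as the publisher page, 88.214.193.234 as the only bare-IP hop, $0.19 as the CPM, and the two unexpanded macros; pointing the same function at a chain reconstructed from your own proxy logs (one request per hop, ordered by Referer) gives the same summary for a live incident.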