Over the Christmas break I have received reports of malicious banner advertisements hitting espn.com, Lycos mail and usatoday.com, as well as smaller sites such as adrants.com, marketingvox.com, minnesparare.com, all of which I am investigating.
The above reports are bad enough, but by far the most worrying report that I received was the one alleging that visitors to MLB.COM were being redirected to a pornographic web site - of course, this one is going to get my immediate attention.
Sadly, I can confirm that this hijack is occurring - a quick analysis of what is happening is as follows.
Let's work backwards from the end pornographic site, and trace our steps back to MLB.COM.
The target pornographic site is (URL mangled for obvious reasons):
hq tube . com
The referrer for hq tube . com was:
ad.doubleclick.net/1674952/mlb_chanel.swf?clickTag=http%3A//ad.doubleclick.net/click%253Bh%3Dv8/3639/3/0/%252a/p%253B167905078%253B0-
0%253B0%253B5683346%253B4307-300/250%253B24079572/24097425/1%253B%253B%257Eaopt%253D3/1/ff/0%253B%257Esscs%253D%253fhttp%3A//
chanel.com/wfj-global/en-us/index.php%3Ffullscreen%3D1%26x%3D-4%26y%3D-4%26width%3D1288%26height%3D778
(Thanks Kimberley for the screenshot of the SWF in question)
Each and every attempt to load the URL above immediately redirects me to the pornographic site. If we clean things up even further and simply load the URL ad.doubleclick.net/1674952/mlb_channel.swf? I am still redirected to the pornographic site.
We step back one further - the referrer for the doubleclick URL is:
mlb.mlb.com/news/article.jsp?ymd=20071219&content_id=2333449&vkey=news_mlb&fext=.jsp&c_id=mlb
Ok, so now we have evidence that the malicious advertisement is ad.doubleclick.net/1674952/mlb_channel.swf, and that it is being displayed on the MLB.COM web site. As always, a Fiddler capture (in fact several captures) are available to the appropriate authorities, as well as authorized representatives of MLB.COM and Doubleclick. I also have a video capture of the redirect in AVI format.
The first appearance of Doubleclick ID 1674952 is this URL:
ad.doubleclick.net/adi/mlb.mlb/homepage;;pos=1;sz=300x250;tile=1;ord=274715194
Whatever you do, don't try to load that URL as it appears above - it will send your web browser into an uncontrollable loop of new windows being opened. I had to pull the plug on internet access and wait several minutes for the test system to stabilisz before I could close the browser windows and continue my investigation.
So, let's clean up the above URL so that it can be loaded safely, and have a look at this URL:
ad.doubleclick.net/adi/mlb.mlb/274715194
As you will see, there are several different advertisements that appear in rotation. So, which one is the culprit? That is not something that I can answer, but I can promise you that I will be passing this information on to people far brainier than me.
This is a very frightening development. The fact that fraudware such as winfixer and its ilk is using malicious coded banner advertisements to hijack visitors to legitimate sites is bad enough - now that the porn pushers are getting involved surely it will force the advertising industry to act - not to mention the governmental authorities that are going to be extremely concerned that anybody, no matter what their age, may be involuntarily exposed to hard core pornography.
Watch this space for developments. Below are screenshots that capture the fact of the redirect - you'll see that mlb.com content is still being displayed, but that we've been redirected to the porn site, which is in the midst of being loaded. Note the addressbar URL, the title of the tab, and the status bar information "waiting for http://..."
Doubleclick and MLB are being contacted.
