Friday, January 04, 2008 7:38 AM sandi

Malicious skyauction banner ad at blick.ch

Blick is an extremely popular German-language website, and it has been infiltrated by a malicious Skyauction banner advertisement. My husband was redirected by the malicious banner advertisement, and phoned me at work in a less than happy state of mind.

So, let's have a look at the guilty parties this time, working backwards from the final fraudware destination. Each entry below is a requested URL followed by the Referrer header that request was sent with, so reading the list from bottom to top takes you from the Blick article page, through the Real Media ad server and the akamahi.net intermediary, to the rogue scanner landing page. Note that the gnida.swf hop hands off to three different destinations (malware-scan.com, prevedmarketing.com and blessedads.com), all tagged with the same "orlapidary" campaign name.

-----
scanner2.malware-scan.com/3_swp/?tmn=null&aid=&lid=&affid=&ax=&ed=&aid=orlapidary_ma3_mb1&lid=728&affid=&ax=1&ed=2&mt_info=3958_0_11471

Referrer:
akamahi.net/swf/gnida.swf?campaign=orlapidary&u=1197898069

-----
prevedmarketing.com/?tmn=mwatmp&aid=orlapidary&lid=728&ax=1&ed=2&mt_info=5130_3563_2358

Referrer:
akamahi.net/swf/gnida.swf?campaign=orlapidary&u=1197898069

-----
blessedads.com/?cmpid=orlapidary&adid=728

Referrer:
akamahi.net/swf/gnida.swf?campaign=orlapidary&u=1197898069

-----
akamahi.net/swf/gnida.swf?campaign=orlapidary&u=1197898069

Referrer:
akamahi.net/statsg.php?u=1197898069&campaign=orlapidary

-----
akamahi.net/statsg.php?u=1197898069&campaign=orlapidary

Referrer:
ch.p-digital-server.com/RealMedia/ads/Creatives/web2com/blick-skyauction-5207//728x90.swf

-----
ch.p-digital-server.com/RealMedia/ads/Creatives/web2com/blick-skyauction-5207//728x90.swf

Referrer:
blick.ch/news/schweiz/toedlicher-sesselllift-unfall-im-berner-oberland-79762

-----

So, once again it is time to get in touch with the victim networks: Blick, Real Media, and probably MediaConnect (ch.p-digital-server.com) as well. As always, a network capture is available for review by the appropriate parties. I haven't been able to track down contact information for Akamahi.
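The walk-back described above can be scripted once the request/referrer pairs have been pulled out of a capture. The following is an added example written for this page, not the author's own tooling (which the post does not describe): it takes the pairs listed above as constructed sample input, follows the Referrer headers backwards from the rogue scanner URL to the publisher page, lists the fan-out from the gnida.swf hop, and produces the ordered list of hostnames that need to be contacted. The "http://" scheme on each URL is an assumption added so the hostname can be parsed; the post omits it.

```python
"""Reconstruct a malvertising redirect chain from captured (URL, Referer) pairs."""
from urllib.parse import urlsplit

# Constructed sample input: the request/referrer pairs transcribed from the
# post above. The "http://" scheme is an assumption (the post omits it) added
# only so that urlsplit() can pull out the hostname.
BLICK = "http://blick.ch/news/schweiz/toedlicher-sesselllift-unfall-im-berner-oberland-79762"
CREATIVE = ("http://ch.p-digital-server.com/RealMedia/ads/Creatives/web2com/"
            "blick-skyauction-5207//728x90.swf")
STATS = "http://akamahi.net/statsg.php?u=1197898069&campaign=orlapidary"
GNIDA = "http://akamahi.net/swf/gnida.swf?campaign=orlapidary&u=1197898069"
SCANNER = ("http://scanner2.malware-scan.com/3_swp/?tmn=null&aid=&lid=&affid=&ax=&ed="
           "&aid=orlapidary_ma3_mb1&lid=728&affid=&ax=1&ed=2&mt_info=3958_0_11471")
PREVED = ("http://prevedmarketing.com/?tmn=mwatmp&aid=orlapidary&lid=728"
          "&ax=1&ed=2&mt_info=5130_3563_2358")
BLESSED = "http://blessedads.com/?cmpid=orlapidary&adid=728"

CAPTURE = [  # (requested URL, Referer header sent with that request)
    (SCANNER, GNIDA),
    (PREVED, GNIDA),
    (BLESSED, GNIDA),
    (GNIDA, STATS),
    (STATS, CREATIVE),
    (CREATIVE, BLICK),
]


def walk_back(capture, final_url, max_hops=32):
    """Follow Referer headers backwards from final_url to the page that started it.

    Returns the chain ordered origin -> final_url. Stops when a URL has no
    recorded referrer (the publisher page itself), when a referrer loops back
    to a URL already in the chain, or after max_hops as a defensive bound.
    """
    referrer_of = {url: ref for url, ref in capture}
    chain = [final_url]
    seen = {final_url}
    while len(chain) < max_hops:
        ref = referrer_of.get(chain[-1])
        if not ref or ref in seen:
            break
        chain.append(ref)
        seen.add(ref)
    chain.reverse()
    return chain


def children(capture, parent_url):
    """All requests that carried parent_url as their Referer (fan-out from one hop)."""
    return [url for url, ref in capture if ref == parent_url]


def hosts(chain):
    """Distinct hostnames in chain order: the parties to notify, publisher first."""
    out = []
    for url in chain:
        host = urlsplit(url).hostname
        if host not in out:
            out.append(host)
    return out


if __name__ == "__main__":
    path = walk_back(CAPTURE, SCANNER)
    for hop, url in enumerate(path):
        print(f"{hop}: {url}")
    print("fan-out from gnida.swf:", len(children(CAPTURE, GNIDA)), "destinations")
    print("hosts to contact:", hosts(path))
```

In practice the pairs would be exported from whatever proxy or packet capture recorded the session; the only fields needed are the request URL and its Referer header. The loop guard matters on real captures, because a landing page that reloads itself or bounces between two redirectors would otherwise send the walk round in circles.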

This game of whack-a-mole with the bad guys is never ending.

Screenshot of the malicious advertisement in situ below (my apologies for the blurring; the screenshot was captured mid-change):


# re: Malicious skyauction banner ad at blick.ch

Friday, January 04, 2008 8:13 AM by C0ntr0ller

Why aren't you using Firefox with Adaware activated?

# re: Malicious skyauction banner ad at blick.ch

Friday, January 04, 2008 8:39 AM by sandi

@C0ntr0ller

Re "Why aren't you using Firefox with Adaware activated?"

Just how would I find things so fast if I did that?  The Sensis infiltration was discovered and shut down very quickly because we surf like the majority of the world does.  The blick infiltration was discovered because we surf the way the majority of the world does.

I work to find, analyse, document and shut down malicious banner advertisements, not hide from them - and my family works under the same banner.  My husband, and my kids, benefit from seeing what the "average user" is experiencing, and it helps them understand what I am fighting and why I fight so hard.

If we don't live in the "normal" internet world, we forget what is out there.  What my hubby and kids see happening on their machines they learn from, they have me for technical support, and they then pass on what they have learned.

# re: Malicious skyauction banner ad at blick.ch

Friday, January 04, 2008 8:41 AM by C0ntr0ller

Errm, sorry, I meant of course "Adblock Plus". I agree that malicious banners on popular webpages like that one are highly annoying (btw, it's a Swiss newspaper, not a German one). For cases like that, a flexible adblocker is highly recommended.

# re: Malicious skyauction banner ad at blick.ch

Friday, January 04, 2008 5:38 PM by sandi

@C0ntr0ller

I believe I said it was a "German language" site, not a German site.

BTW, I am Swiss - in fact, I was in Switzerland only a couple of months ago, and am aware that Blick is Swiss, not German ;o)

# re: Malicious skyauction banner ad at blick.ch

Sunday, January 06, 2008 10:35 PM by mac12255

Hello.  Is there anyone who has had an impression that they used dottunes.net's orange Flash ad as a medium to redirect Internet users to malware-scan.com?

Thanks.

Tom

# re: Malicious skyauction banner ad at blick.ch

Sunday, January 06, 2008 11:29 PM by sandi

@mac12255

I haven't seen an unauthorised and/or malicious advert touting dottunes.net, but that doesn't mean they're not doing so.

Do you know of a site that is running the ad? I'm more than happy to take a look.

Sandi

# re: Malicious skyauction banner ad at blick.ch

Sunday, January 06, 2008 11:50 PM by sandi

@mac12255,

I just caught the redirect using a (fake) dottunes ad.  Will reproduce tonight and blog :o)

Sandi

# re: Malicious skyauction banner ad at blick.ch

Monday, January 07, 2008 12:19 PM by Mike

nice work!

How did you track that? I mean, are you surfing in a normal way and just tracking your network connections manually, or is there some kind of software/tool to help you do it automatically?

# re: Malicious skyauction banner ad at blick.ch

Monday, January 07, 2008 10:16 PM by sandi

@Mike

How about we allow some stuff to remain secret ;o)

Sandi

# re: Malicious skyauction banner ad at blick.ch

Monday, January 21, 2008 10:33 AM by surfer

Nobody should surf the WWW without an active and updated antivirus scanner.

It's suicide if not.

# re: Malicious skyauction banner ad at blick.ch

Monday, February 04, 2008 4:15 AM by Mr X

This is the storm worm....

watch out for the hurricane...
