Update on the malicious advertisements appearing on Excite and Blick
Wow, it's been a busy few days, but I really do need to bring all of my readers up-to-date about what's been going on with the malicious banner advertisements that hit Excite and Blick.
First, let's look at the problem at Excite. I am pleased to report that I have been advised that the advertising campaign that was displayed on Excite has been removed from rotation, although the SWF is still viewable via the direct link, being:
ak.imgfarm.com/images/ads/ProximoGroup/skyauction_728x90.swf?clickTag=http://c4.excite.com/adclick/CID=00018f6b4ec51d4300000000/AREA=
Now to Blick. That advertising campaign, being ch.p-digital-server.com/RealMedia/ads/Creatives/web2com/blick-skyauction-5207//728x90.swf, has not only been pulled from circulation, it is no longer accessible via the URL. I have been advised that under no circumstances will that creative be used again.
Thanks to the above two incidents I now have several new names in my little black book of people who can kick less than reactive staff in the rear end as needed and get dangerous adverts pulled real fast. I now have contacts at Microsoft/MSN, AOL and Google, at Doubleclick and RealMedia, at Sensis and Valueclick, and at a smattering of smaller firms as well as quite a few security professionals and online personalities with an interest in malware and malicious advertisements who have their own group of contacts to bolster mine.
As the saying goes, "knowledge is power", and it is only by all of us sharing what we know about what is going on, where, how and why, and who is involved, that we can best fight back against the fraudsters and frustrate their attempts to fool advertising networks and web sites into buying their wares. Once the word is out the bad adverts are shut down, the bad guys are avoided, and nobody in the know who is reputable will have anything to do with the malicious creatives or the companies that are selling them - all it takes is a quick Google search or email query and alarm bells can be set ringing. Now, if only more people conducted a web search and credit checks to confirm the bona fides of people/companies/advertising networks that have approached them before purchasing what proves to be malicious advertising...
Actually, while we're on the topic of data sharing, I will share that I was given a list of malicious domains today in txt format, so I decided to copy the content over to a Word document and Excel, because I find it easier to search and sort the data in those programs. I couldn't help but laugh when pasting the content of the malware domain list into Word triggered a "you have exceeded the maximum number of pages that Word can handle" error (or words to that effect). Also, when I tried opening the file with Excel the program collapsed and gave up on trying to import any more data when it hit over 1,004,000 rows!! So, it seems I'm stuck with the txt file for now. I just have to work out how best to disseminate this information without overwhelming all and sundry. To be honest, it's probably best shared only with other security professionals - there is such a thing as too much information.
What can we do if we discover a malicious advertisement?
If you find a web site that is the victim of a redirecting Flash advert, please download and install FIDDLERCAP, and use it to record what is happening. Delete all cookies and temporary internet files, and delete all sites from your Flash cache by using the Flash Player Settings Manager, then return to the victim site with Fiddler running and no other pages open. Then CONTACT ME for further instructions after saving the entire capture as a SAZ file.
If you are experienced enough to be able to understand the network capture, and identify the network hosting the malicious site, then of course you can and should contact them yourself, although I would like you to get in touch with me as well. Unfortunately, for the most part, you will be stuck with whatever public contact addresses you can find, although I can tell you that when it comes to Doubleclick, they have made available a special web page via which you can report malicious advertising content and be sure that your report will trigger immediate attention. You can report suspicious Doubleclick content at this URL:
http://ad.doubleclick.com/
Use the "Click here to report suspicious phishing activity" link (don't worry - the link text is going to be changed within the next month or so to more accurately reflect its purpose).
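For readers who want to make sense of the SAZ capture described above before reporting it, here is an added example (my own illustration, not a tool from the blog or from the Fiddler project) that reads a Fiddler SAZ archive and pulls out the facts an advertising network will ask for: every host contacted in order, the HTTP redirects with their Location targets, and the Flash creatives with their clickTag parameters. It assumes the usual SAZ layout of a zip archive with raw/NN_c.txt (client request) and raw/NN_s.txt (server response) per session; the sample capture inside it is constructed, with placeholder hostnames, to stand in for a real recording of a redirecting ad.

```python
"""Summarise a Fiddler SAZ capture: hosts, redirects and Flash creatives."""
import io
import re
import zipfile
from collections import OrderedDict
from urllib.parse import parse_qs, urlsplit

REQUEST_LINE = re.compile(r"^(\S+)\s+(\S+)\s+HTTP/\d\.\d")
SESSION_NAME = re.compile(r"raw[\\/](\d+)_c\.txt$")


def _sessions(saz_bytes):
    """Yield (session_id, request_text, response_text) from the archive.
    Assumed layout: raw/NN_c.txt is the client request, raw/NN_s.txt the response."""
    with zipfile.ZipFile(io.BytesIO(saz_bytes)) as zf:
        names = set(zf.namelist())
        ids = sorted({m.group(1) for n in names for m in [SESSION_NAME.search(n)] if m}, key=int)
        for sid in ids:
            req = zf.read(f"raw/{sid}_c.txt").decode("latin-1")
            resp_name = f"raw/{sid}_s.txt"
            resp = zf.read(resp_name).decode("latin-1") if resp_name in names else ""
            yield sid, req, resp


def _header(text, name):
    """Return a header value from the header block only (body text is ignored)."""
    head = text.split("\r\n\r\n", 1)[0]
    m = re.search(rf"^{re.escape(name)}:\s*(.*?)\r?$", head, re.I | re.M)
    return m.group(1).strip() if m else None


def _status(resp):
    m = re.match(r"HTTP/\d\.\d\s+(\d{3})", resp)
    return int(m.group(1)) if m else None


def analyze_saz(saz_bytes):
    """Return one dict per session with the fields a reviewer needs."""
    sessions = []
    for sid, req, resp in _sessions(saz_bytes):
        m = REQUEST_LINE.match(req)
        if not m:
            continue
        method, url = m.group(1), m.group(2)
        if not url.startswith("http"):  # Fiddler normally stores the absolute URL
            url = "http://" + (_header(req, "Host") or "") + url
        parts = urlsplit(url)
        status = _status(resp)
        entry = {
            "id": sid, "method": method, "host": parts.hostname, "path": parts.path,
            "status": status, "referer": _header(req, "Referer"),
            "content_type": _header(resp, "Content-Type"),
            "location": _header(resp, "Location") if status in (301, 302, 303, 307) else None,
        }
        # Flash banners receive their click-through target via the clickTag parameter
        qs = parse_qs(parts.query)
        if "clickTag" in qs:
            entry["clickTag"] = qs["clickTag"][0]
        sessions.append(entry)
    return sessions


def suspicious_hops(sessions):
    """Sessions to read first: redirects, Flash creatives and executable downloads."""
    hops = []
    for s in sessions:
        ct = (s["content_type"] or "").lower()
        path = s["path"].lower()
        if s["location"] or "shockwave-flash" in ct or path.endswith(".swf") \
                or "octet-stream" in ct or path.endswith(".exe"):
            hops.append(s)
    return hops


def hosts_by_first_seen(sessions):
    """Every host contacted, in the order the browser first reached it."""
    seen = OrderedDict()
    for s in sessions:
        seen.setdefault(s["host"], s["id"])
    return list(seen)


def build_sample_saz():
    """Constructed capture (not a real export): a page loads an ad-network SWF, then the
    browser is redirected, unasked, through a third-party host. Hostnames are placeholders."""
    pairs = [
        ("GET http://www.example-publisher.test/ HTTP/1.1\r\nHost: www.example-publisher.test\r\n\r\n",
         "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>page</html>"),
        ("GET http://ads.example-network.test/creative/728x90.swf?clickTag=http://click.example-network.test/adclick/ HTTP/1.1\r\n"
         "Host: ads.example-network.test\r\nReferer: http://www.example-publisher.test/\r\n\r\n",
         "HTTP/1.1 200 OK\r\nContent-Type: application/x-shockwave-flash\r\n\r\nCWS..."),
        ("GET http://redirector.example-bad.test/go HTTP/1.1\r\nHost: redirector.example-bad.test\r\n"
         "Referer: http://www.example-publisher.test/\r\n\r\n",
         "HTTP/1.1 302 Found\r\nLocation: http://landing.example-bad.test/scan.php\r\n\r\n"),
        ("GET http://landing.example-bad.test/scan.php HTTP/1.1\r\nHost: landing.example-bad.test\r\n\r\n",
         "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>fake scanner</html>"),
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for i, (req, resp) in enumerate(pairs, 1):
            zf.writestr(f"raw/{i:02d}_c.txt", req)
            zf.writestr(f"raw/{i:02d}_s.txt", resp)
    return buf.getvalue()


if __name__ == "__main__":
    sessions = analyze_saz(build_sample_saz())
    print("hosts:", hosts_by_first_seen(sessions))
    for h in suspicious_hops(sessions):
        print(h["id"], h["host"], h["path"], h["status"], h.get("location"), h.get("clickTag"))
```

Run it against a real capture by replacing build_sample_saz() with the bytes of the saved .saz file; the Referer of the first hop that leaves the publisher's own domain tells you which network served the creative, and that is the contact to chase.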
It really does worry me when I hear and read about how hard it is for victims to report a problem to web sites and advertising networks. Web site technical support will invariably assume that the complainant's computer has a virus, and the online "contact us" forms are pretty much useless. It's ok for me, with my little black book of names, I have pretty much all of the major advertising networks covered in one way or another, but that doesn't help the average person who has never heard of me, or my blog, and is stuck listening to some Level 1 Joe-Smarts Help Desk staffer telling him that what he is seeing can't be a problem with the web site.
Web sites
If somebody contacts you to complain that they are being hijacked at your site, or that their antivirus is warning them that your web site is trying to download a trojan, virus or whatever - DO NOT IGNORE THE WARNING and do not assume that the complainer's computer is infected. Ask them to use Fiddler to capture proof and, then, get in touch with me. Of course, you can contact your advertising network as well if you wish, but if they are the guilty party (for example, if you're dealing with somebody like the becoming-infamous "Jim Burch" or another company that is knowingly spreading malicious advertising), well, then they'll just pull the advert from your site and continue to use it elsewhere. Even the more reputable networks sometimes take the easy way out and will only stop displaying the advertisement on your site while continuing to use it elsewhere, when in fact what we want is for the network to remove the advertisement from all rotations and campaigns, and never use it again AND undertake an audit of any other content that may have been submitted by the same source - sometimes, that will only happen when the big guns get involved. We also want the advertising network in question to receive some succinct education about how and why they were tricked, how to avoid being tricked again, and most importantly WHO to avoid.
Advertising networks
Make it easier for people to contact you - online query forms are not good enough - have an emergency contact facility available.
Train your front line technical support staff about the realities of malicious advertisements. I've lost count of the number of times a web site or advertising network's technical support has said to me "but we're looking at the ad/web site right now and can't see anything wrong". Teach your staff about the tricks that the bad guys use to avoid detection such as timezone checks, IP blocking, geo-fencing and the like. Get them to read blogs like mine, regularly, so that they can remain informed.
I have an actual email from the original seller of a malicious banner advertisement that has been sent to me as an attachment by the victim site. The email was sent to a USA based web site, and the email specifically says that the advertisement being provided is to be displayed only to visitors in the UK, Australia and several other countries. Now, what does that little gem of information tell you? It tells you that your technical support staff, if based in the USA, are not going to see the malicious behaviour unless they jump on a plane and fly to the UK or Australia or find some other way to trick the advertisement into thinking that the computer they are using is in that country.