Heise.de hit by malicious banner advertisement
This one was reported and removed before I had a chance to analyse and report, which is a good thing.
If you can read German, you'll find the report interesting:
Heise.de is one of the biggest IT news servers in Germany (and they've linked to me a few times).
Basically, the advertisement touted was "SysKontroller", aka Downloader.Win32.WinFixer. traffalo.com was involved in the malicious incident, and Heise.de are questioning whether the latest Flash vulnerabilities that were fixed had a part to play in the incident. The answer to that question is *NO*. Believe it or not, Flash was behaving as it was designed to, and it is a point of contention for me and several other security professionals that there is no way for the end user to turn off such behaviour. If you have Flash, you have to put up with what's happening.
I am going to try and get in contact with the appropriate parties at Heise.de, and offer my assistance in analysing the incident, and share other information in my possession.
BTW, traffalo.com's IP address is 184.108.40.206 (GrafiX Internet B V). Their name servers (220.127.116.11 and 18.104.22.168) are hosted by the now infamous SecureHost in the Bahamas that has been implicated in so much malicious activity, as is traffalo's mail server (22.214.171.124).
A check of 84.243.192.* reveals a slew of fibernet.nl entries.
A check of 190.15.73.* reveals a slew of well known names including adtraff.com, bucksbill.com, forceup.com, newbieadguide.com, netmediagroup.com, proximogroup.com, uniqads.com, windefender.com, winfixer.com, workhomcentre.com and quite a few other known fraudware or malicious domains.
Here are my suggestions for the checks that advertising networks should make when deciding whether to accept content from anybody.
Don't just do a credit check. Don't just run a WHOIS. Don't just make sure that they respond to emails and that the phone number is not disconnected. Check who hosts their mail servers. Check who hosts their name servers. It's amazing how often, when we analyse an advertising campaign, we find a connection between a particular domain or IP address and known bad guys. Proximogroup is one in particular that keeps on popping up, as did netmediagroup.com for a while there.
For example, let's pretend that you are contacted by somebody at wearegoodguyshonest.com - the whois may look ok. They may pass a credit check. But then, when you look at the name servers for wearegoodguyshonest.com you may discover that the name server is in an IP range that is associated with many bad names. In such circumstances it would be wise to decide it is safer not to do business with wearegoodguyshonest.com.
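To make the name-server and mail-server check concrete, here is a small vetting script. It is an added example, not code from the original post, and it assumes you have already collected the NS, MX and A records of a prospective advertiser (the sample records below are constructed, using documentation address ranges and the post's hypothetical wearegoodguyshonest.com; only the two watchlisted /24 ranges come from the post). It flags any host whose address falls inside a watchlisted netblock and gives the weight the post suggests: shared DNS or mail hosting with known bad actors is grounds to decline, a web host in a bad range is grounds for a closer look.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Netblocks the post describes as crowded with fraudware / ad-fraud domains
# (the 84.243.192.* and 190.15.73.* ranges). A real deployment would load
# these from its own blocklists and threat intelligence.
WATCHLIST = [
    ipaddress.ip_network("84.243.192.0/24"),
    ipaddress.ip_network("190.15.73.0/24"),
]

# Record roles, in the order the post weights them: who hosts the name
# servers and mail servers says more than where the website itself lives.
ROLES = ("ns", "mx", "a")

# Constructed sample data: for each advertiser, role -> {hostname: IPv4}.
# In production these come from live DNS lookups (NS and MX names, then
# the A record of each). Addresses here are hypothetical.
SAMPLE_INFRA: Dict[str, Dict[str, Dict[str, str]]] = {
    "wearegoodguyshonest.com": {
        "ns": {"ns1.wearegoodguyshonest.com": "190.15.73.17",
               "ns2.wearegoodguyshonest.com": "190.15.73.18"},
        "mx": {"mail.wearegoodguyshonest.com": "203.0.113.25"},
        "a":  {"wearegoodguyshonest.com": "198.51.100.10"},
    },
    "cleanadvertiser.example": {
        "ns": {"ns1.cleanadvertiser.example": "192.0.2.53"},
        "mx": {"mail.cleanadvertiser.example": "192.0.2.25"},
        "a":  {"cleanadvertiser.example": "192.0.2.80"},
    },
}

Hit = Tuple[str, str, str, str]  # (role, hostname, ip, matching netblock)


def watchlist_match(ip: str) -> Optional[ipaddress.IPv4Network]:
    """Return the watchlisted netblock that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in WATCHLIST:
        if addr in net:
            return net
    return None


def infrastructure_hits(records: Dict[str, Dict[str, str]]) -> List[Hit]:
    """Check every NS, MX and A address of one advertiser against the watchlist."""
    hits: List[Hit] = []
    for role in ROLES:
        for host, ip in sorted(records.get(role, {}).items()):
            net = watchlist_match(ip)
            if net is not None:
                hits.append((role, host, ip, str(net)))
    return hits


def recommend(records: Dict[str, Dict[str, str]]) -> str:
    """'decline' if any name or mail server sits in a watchlisted range,
    'review' if only the web host does, otherwise 'proceed'."""
    hits = infrastructure_hits(records)
    if any(role in ("ns", "mx") for role, *_ in hits):
        return "decline"
    if hits:
        return "review"
    return "proceed"


if __name__ == "__main__":
    for domain, records in SAMPLE_INFRA.items():
        print(f"{domain}: {recommend(records)}")
        for role, host, ip, net in infrastructure_hits(records):
            print(f"    {role.upper()} {host} -> {ip} (in {net})")
```

The WHOIS and credit-check results never enter this script: those pass for the hypothetical advertiser, and it is only the resolved name-server addresses that expose the shared hosting with known bad names.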