Malicious advertisement at diepresse.com

Yet another non-English language web site has been targeted by a malicious advertising campaign.  I'm beginning to wonder whether it is simply becoming too hard for the fraudsters to sell their wares to English-language web sites, because of the persistent attention we have been focusing on this problem and the publicity that has resulted, and whether they are therefore shifting their attention to European countries in the hope that victims there have not seen the publicity that has been so prevalent in English-speaking countries.

I'm going to expand on the new table format for this blog entry, in the hope that it will make the information easier to read and understand (and take up less space).  I'll be interested to hear if you like the idea of placing all of the information in tables, and if you like the idea of a summary at the beginning of each report.

Victim site: diepresse.com (194.232.116.3, 194.232.116.7)
SWF host: diepresse.com (using RealMedia software)
SWF Source:
Target fraudware domain: performanceoptimizer.com
Banned cities, countries and IPs: 193.16.0.0-193.16.255.255, 194.232.0.0-194.232.255.255 (note: the banned range includes the IPs for diepresse.com); wien, vienna (note: diepresse.com is in Austria)
SWF URL: werbung.diepresse.com/RealMedia/ads/Creatives/diepresse/dp1509_frontgate_fb_050208/diepr468x60.swf
Special notes: The malicious advertisement looks identical to the one that infiltrated washingtonpost.com.  In this case the web site owner is directly hosting the malicious SWF, and therefore it is up to the site owner to pull the advertisement.
Incident reported to: diepresse.com, RealMedia
Resolution: Campaign suspended

As always, let's work backwards from the final target site.

URL: performanceoptimizer.com/.landing/index.php?cmp=tmsmsposl&poa=usundulate&pol=intl&apo=1&epo=1&edpo=2&mt_info=5312_4080_2759
Referrer: traveltray.com/?cmpid=usundulate&adid=intl

URL: traveltray.com/statss.php?campaign=usundulate&u=1200497755
Referrer: traveltray.com/statsg.php?u=1200497755&campaign=usundulate

URL: traveltray.com/swf/gnida.swf?campaign=usundulate&u=1200497755
Referrer: traveltray.com/statsg.php?u=1200497755&campaign=usundulate

URL: traveltray.com/statsa.php?u=1200497755&campaign=usundulate
Referrer: werbung.diepresse.com/RealMedia/ads/Creatives/diepresse/dp1509_frontgate_fb_050208/diepr468x60.swf?clicktag=http: // werbung.diepresse

URL: werbung.diepresse.com/RealMedia/ads/Creatives/diepresse/dp1509_frontgate_fb_050208/diepr468x60.swf?clicktag=http: // werbung.diepresse.com/RealMedia/ads/click_lx.ads/diepresse.com/home/2103686827/Top/diepresse/dp1509_frontgate_fb_050208/dp1509_frontgate_fb_050208.html/33616131643462393437393133663530?
Referrer: diepresse.com/
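The script below is an added example and is not code from the original post. It takes the URL/Referrer records above and the banned ranges and cities from the summary table, reconstructs the order in which the browser visited the hosts, pulls out the campaign and user identifiers the fraudsters used to track the click-through, and shows that the creative's clicktag points at the publisher's own RealMedia click tracker even though the browser was sent on to traveltray.com and performanceoptimizer.com without any click. It also answers the question a publisher should ask first: which of our test machines sit inside the campaign's own suppression list and therefore can never reproduce the redirect. The records, the IP ranges and the city names are copied from this post (the "http: // " spacing is the post's defanging, reproduced verbatim); the vantage-point names and the 203.0.113.5 test address are constructed.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# (url, referrer) records as given in the post, final landing page first.
# Copied from the write-up; the truncated referrer in the fourth row is left as-is.
RECORDS = [
    ("performanceoptimizer.com/.landing/index.php?cmp=tmsmsposl&poa=usundulate&pol=intl&apo=1&epo=1&edpo=2&mt_info=5312_4080_2759",
     "traveltray.com/?cmpid=usundulate&adid=intl"),
    ("traveltray.com/statss.php?campaign=usundulate&u=1200497755",
     "traveltray.com/statsg.php?u=1200497755&campaign=usundulate"),
    ("traveltray.com/swf/gnida.swf?campaign=usundulate&u=1200497755",
     "traveltray.com/statsg.php?u=1200497755&campaign=usundulate"),
    ("traveltray.com/statsa.php?u=1200497755&campaign=usundulate",
     "werbung.diepresse.com/RealMedia/ads/Creatives/diepresse/dp1509_frontgate_fb_050208/diepr468x60.swf?clicktag=http: // werbung.diepresse"),
    ("werbung.diepresse.com/RealMedia/ads/Creatives/diepresse/dp1509_frontgate_fb_050208/diepr468x60.swf?clicktag=http: // werbung.diepresse.com/RealMedia/ads/click_lx.ads/diepresse.com/home/2103686827/Top/diepresse/dp1509_frontgate_fb_050208/dp1509_frontgate_fb_050208.html/33616131643462393437393133663530?",
     "diepresse.com/"),
]

# Suppression list from the post's summary table: viewers matching it never see the redirect.
BANNED_RANGES = [("193.16.0.0", "193.16.255.255"), ("194.232.0.0", "194.232.255.255")]
BANNED_CITIES = {"wien", "vienna"}
CAMPAIGN_KEYS = ("campaign", "cmpid", "poa")  # the three parameter names the chain uses for the campaign id


def _refang(url: str) -> str:
    """Undo the post's 'http: // ' defanging and add a scheme so urlsplit sees a host."""
    url = url.replace("http: // ", "http://")
    if not url.startswith(("http://", "https://")):
        url = "http://" + url
    return url


def host_of(url: str) -> str:
    return urlsplit(_refang(url)).hostname or ""


def params_of(url: str) -> dict:
    return parse_qs(urlsplit(_refang(url)).query, keep_blank_values=True)


def hop_sequence(records=RECORDS) -> list:
    """Hosts in the order the browser reached them, publisher first, duplicates removed."""
    hops = []
    for url, referrer in reversed(records):          # post lists landing page first
        for host in (host_of(referrer), host_of(url)):
            if host and host not in hops:
                hops.append(host)
    return hops


def tracking_ids(records=RECORDS) -> dict:
    """Campaign and user identifiers carried through every hop of the chain."""
    campaigns, users = set(), set()
    for url, referrer in records:
        for p in (params_of(url), params_of(referrer)):
            for key in CAMPAIGN_KEYS:
                campaigns.update(p.get(key, []))
            users.update(p.get("u", []))
    return {"campaign": sorted(campaigns), "u": sorted(users)}


def ad_server_clicktag(records=RECORDS) -> str:
    """Host the SWF's clicktag points at: the legitimate click tracker, not traveltray.com."""
    for url, _ in records:
        tag = params_of(url).get("clicktag")
        if tag:
            return host_of(tag[0])
    return ""


BANNED_NETWORKS = [
    net
    for lo, hi in BANNED_RANGES
    for net in ipaddress.summarize_address_range(ipaddress.ip_address(lo), ipaddress.ip_address(hi))
]


def is_suppressed(ip: str, city: str = "") -> bool:
    """True if the campaign's own cloaking list would hide the redirect from this viewer."""
    addr = ipaddress.ip_address(ip)
    return city.lower() in BANNED_CITIES or any(addr in net for net in BANNED_NETWORKS)


def blind_vantage_points(vantages: dict) -> list:
    """Names of test vantage points ({name: (ip, city)}) that can never reproduce the redirect."""
    return sorted(name for name, (ip, city) in vantages.items() if is_suppressed(ip, city))


if __name__ == "__main__":
    print("hops:", " -> ".join(hop_sequence()))
    print("tracking ids:", tracking_ids())
    print("clicktag points at:", ad_server_clicktag())
    # Constructed vantage points: the publisher's own address (from the post) and an outside tester.
    print("blind vantage points:", blind_vantage_points({
        "publisher-office": ("194.232.116.3", "wien"),
        "remote-tester": ("203.0.113.5", ""),
    }))
```

The practical lesson is in the last function: both of diepresse.com's own addresses fall inside 194.232.0.0/16 and the city filter covers Vienna, so anyone at the publisher who loaded the page to check the complaint would have seen a harmless banner. Verification has to be done from a vantage point outside the ranges the campaign suppresses.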

Malicious behaviour

The diepresse.com page begins to load.  If the malicious advertisement is displayed, and the computer displaying the advertisement is not captured by the banned cities and IP list mentioned above, the web browser is redirected to the malicious domain.

Here is the malicious advertisement in situ:

image

First the victim will see this:

image

as well as this small window which will be in the corner of the monitor screen - yes, this is the actual size of the window as it appears:

image

As always, do not click on the OK or Cancel button.  As always, click on the close (X) button.  When we do that, we see the following - yes, that's right, the Performance Optimizer web site opens regardless of which option is selected.  Note that the info bar has appeared in IE7 warning that the site has tried to install an ActiveX control - older web browsers, or web browsers with lowered security settings, may automatically install the fraudware at this time.

image

Ok, so the next thing we try to do is close the Web page using the red close (X) button.  When we do that, we see the following.  Note that the OK button has focus.

image

Again, we ignore the OK and Cancel buttons and instead use the red close (X) button.  We then see the following.  Note that there is no Cancel button this time - the site's owners are trying to trick visitors into thinking that they have no choice but to select OK.

image 

Again, do not click on the OK button, instead click on the red close (X) button.  Once we do that, we see the following (persistent bastards, aren't they).  Note the info bar warning that the Web site in question has tried to download files to the target computer.  Simply click on the red close (X) button.  Once you do that, you have finally escaped from the tentacles thrown out by the PerformanceOptimizer site.

image

Published Saturday, January 19, 2008 12:53 PM by sandi

Comments

# re: Malicious advertisement at diepresse.com

I'll be interested to hear if you like the idea of placing all of the information in tables, and if you like the idea of a summary at the beginning of each report.

I would like that.

Gerard

Saturday, January 19, 2008 3:54 AM by Gerard