March 2008 - Posts

I received the following email today:

"I need to uninstall ie 8 beta it sucks ..

<<name removed>>

addressremoved@thevillages.net

Ie 8 is the worst program from Microsoft EVER"

Our (un)friendly correspondent doesn't seem to understand the implications of downloading and installing a BETA program - especially an early beta that is called Internet Explorer 8 for Developers.

The Internet Explorer 8 Web site's download page states that "This beta is aimed at web developers and designers to help them take advantage of new features in Internet Explorer 8 that will enhance their websites."  Not only that, the Download Centre itself warns that "This beta release is available to everyone, but is primarily for Web developers and designers to test the new tools, layout engine, and programming enhancements."

Assuming our (un)friendly correspondent is actually a web developer or designer, he seems to have failed to heed the suggestion on the IE8 web page that he check out the Internet Explorer 8 Readiness Toolkit which is a pity, because if he had looked at the Toolkit he would have found a link to the Internet Explorer 8 Release Notes which include removal information for Internet Explorer 8.

Perhaps availability of Internet Explorer 8 for Developers should have been restricted to Technet and MSDN subscribers and a limited pool of experienced beta testers - then I wouldn't be getting emails from people like our (un)friendly correspondent who want to install betas but can't be bothered with reading the documentation.

Oh well, I may as well answer the guy's question - here is a copy of the relevant segment of the Internet Explorer 8 Release Notes:

[image: removal instructions from the Internet Explorer 8 Release Notes]

It's bad enough that the java setup window includes an in-your-face advertisement for OpenOffice.

It's bad enough that old versions of java are not removed automatically, nor is the user prompted to remove old versions.

It's bad enough that Java bundles the Google Desktop and Toolbar with new installs.


Today I saw a computer where the Java setup had been stuck at "copying new files" for over 20 minutes.  The owner was in a panic because THERE IS NO CANCEL BUTTON.

[image: Java setup window]

His choices were:

  1. Keep waiting
  2. Force a halt to the install using Task Manager - which is a *bad* thing to do.
  3. Turn off the power.

What on earth are Sun thinking?

You may recall that I theorised that the URLs for the malvertisements that were displayed at classmates.com may indicate that the malvertisements were supplied by Gemini Interactive (cite: http://msmvps.com/blogs/spywaresucks/archive/2008/03/23/1550951.aspx)  You may also recall that all of the malvertisements that I found at classmates.com featured myjewelrybox.com.

I have received, by email, a copy of an advertisement that was supplied by Gemini Interactive for display on several websites.  An analysis of the advertisement that I have received indicates that it contains malicious ActionScript code.  Also, the SWF features myjewelrybox.com (cite: http://www.adopstools.com/index.asp?page=richmedia&section=clickchecker&file=2-728x90_myjewelrybox.swf)

Please exercise caution when accepting advertising for your web sites. At the very least you should run each and every advertisement that you receive through the online click checker at adopstools.com and potentially save yourself a lot of grief.

 

This is an update to my article written on 5 March wherein I warned that Bucksbill.com was overcharging for fraudware such as "MalwareAlarm and Registry Defragmentation".

It is worth pointing out that several readers have commented that they, too, have been overcharged by Bucksbill:

Tonya says "The same thing happened to me with malware. I agreed to the 39.99 and 79.99 was charged to my credit card"

Gonzalo says "I also got charged 79.99. If you have a phone number or email address I can try please send it to me."

Bhagwan D. Varma says "I am also a victim of this trap.  Why should we all not approach the "Better Business Bureau" of Pasadena, CA, and seek their intervention?"

According to Quantcast, the bucksbill.com domain receives 69,419 U.S. unique visitors per month - that's a scary number of potential victims. I'll be interested to see if some sort of class action or other lawsuit is triggered by the overcharging.

It is important to note that victims of overcharging and unauthorised charges can dispute the charge with their bank or building society and request that the charge be reversed.

The Federal Trade Commission has published an advisory for victims of credit card fraud or overcharging that can be seen here:
http://www.ftc.gov/bcp/conline/pubs/credit/fcb.shtm

I note that a purchase must be for more than $50 to fall within the ambit of the Fair Credit Billing Act... I wonder what the situation is if the *purchase* was for less than $50, but the amount actually charged was for more.

 

Today we are going to take a look at social engineering and other tactics used by the fraudsters that push malicious banner advertisements.  Heaven knows we have talked enough about what the malicious advertisements actually *do*; now it is time to talk about what the *fraudsters* do...

I cannot stress how important it is that we understand the social engineering tactics used by the fraudsters.

Now, the malicious advertisements that we are going to examine today feature FrontGate.  I received three different advertisement formats from the one potential victim, being:

[images: the three FrontGate advertisement formats]

The redirect works as follows.  We start at the SWF and then move through various URLs:

stat-diagnostic-imaging.com/crossdomain.xml

stat-diagnostic-imaging.com/c/index.php?id=aFlDm7NkiZXVjTVFQTFlUSmtLQ0FTYnloPTEyMDUyNTA4MDkmcG56Y252dGE9b2JhdnNucHJmYgYNkiDgNmYNkiDgNm

waytotheprofit.com/?cmpid=bonifaceso

prevedmarketing.com/?tmn=mwatmp&aid=bonifaceso&lid=&ax=1&ed=2&mt_info=5746_6350_2358

scanner2.malware-scan.com/18_swp/?tmn=null&aid=bonifaceso_ma18s_mb1t&lid=&affid=&ax=1&ed=2&mt_info=5746_6350_2358:3958_0_15359

waytotheprofit.com/?cmpid=bonifaceso

adnetserver.com/?tmn=mderon&aid=bonifaceso&lid=&3&mt_info=5746_6350_15099

waytotheprofit.com/?cmpid=bonifaceso

prevedmarketing.com/?tmn=mwatmp&aid=bonifaceso&lid=&ax=1&ed=2&mt_info=5746_6350_2358
scanner2.malware-scan.com/19_swp/?tmn=null&aid=bonifaceso_ma19s_mb1t&lid=&affid=&ax=1&ed=2&mt_info=5746_6350_2358:3958_0_15360
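Two things in that chain are worth automating when triaging a campaign like this (this is an added example, not code from the original post). First, every hop after the `index.php` one carries the same affiliate identifier, `bonifaceso`, under different parameter names (`cmpid`, `aid`; on the malware-scan.com hops it has a per-placement suffix such as `_ma18s_mb1t` that tracks the `18_swp`/`19_swp` path), so the identifier is a better pivot than the domain names. Second, the `id` value on the `index.php` hop is a base64-encoded, ROT13-scrambled query string padded with junk on both sides; once decoded it reads `campaign=bonifaceso` alongside a Unix timestamp (11 March 2008). That decoding is my own observation from the string quoted above, not something the post states; the `http://` scheme prefixes and the list of parameter names to pivot on are assumptions.

```python
# Added example (not from the original post): pull the affiliate/campaign
# identifier out of each hop of a malvertisement redirect chain, and decode
# the obfuscated "id" parameter on the first hop.  The URLs are copied from
# the chain listed in the post; the decoding method (find the longest
# base64 window, decode it, apply ROT13) is my own observation from that
# string, not something the post states.
import base64
import codecs
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Redirect chain as listed in the post ("http://" added here; assumption).
CHAIN = [
    "http://stat-diagnostic-imaging.com/crossdomain.xml",
    "http://stat-diagnostic-imaging.com/c/index.php?id=aFlDm7NkiZXVjTVFQTFlUSmtLQ0FTYnloPTEyMDUyNTA4MDkmcG56Y252dGE9b2JhdnNucHJmYgYNkiDgNmYNkiDgNm",
    "http://waytotheprofit.com/?cmpid=bonifaceso",
    "http://prevedmarketing.com/?tmn=mwatmp&aid=bonifaceso&lid=&ax=1&ed=2&mt_info=5746_6350_2358",
    "http://scanner2.malware-scan.com/18_swp/?tmn=null&aid=bonifaceso_ma18s_mb1t&lid=&affid=&ax=1&ed=2&mt_info=5746_6350_2358:3958_0_15359",
    "http://adnetserver.com/?tmn=mderon&aid=bonifaceso&lid=&3&mt_info=5746_6350_15099",
]

# Parameter names that carry the affiliate/campaign identifier (assumption
# based on this chain; extend as other campaigns turn up other names).
ID_PARAMS = ("aid", "cmpid", "affid")


def affiliate_ids(chain):
    """Map each host in the chain to the affiliate identifiers its URL carries.

    The value before the first '_' is kept: the suffix (e.g. '_ma18s_mb1t')
    varies per placement while the prefix is the campaign-wide pivot.
    """
    found = {}
    for url in chain:
        parts = urlsplit(url)
        qs = parse_qs(parts.query, keep_blank_values=True)
        ids = {v.split("_")[0] for k in ID_PARAMS for v in qs.get(k, []) if v}
        if ids:
            found[parts.hostname] = ids
    return found


def longest_base64_window(s):
    """Return the longest substring of s that base64-decodes to printable ASCII.

    The real encoded value is padded with junk on both sides, so try every
    window (a few thousand decode attempts for a ~90-char value is cheap).
    """
    best = b""
    n = len(s)
    for start in range(n):
        for end in range(n, start, -1):
            length = end - start
            if length * 3 // 4 <= len(best):  # cannot beat current best
                break
            if length % 4 == 1:  # never a valid base64 length
                continue
            padded = s[start:end] + "=" * (-length % 4)
            try:
                data = base64.b64decode(padded, validate=True)
            except ValueError:  # binascii.Error is a ValueError
                continue
            if data and all(0x20 <= b < 0x7F for b in data):
                best = data
    return best.decode("ascii")


def first_hop_id(chain):
    """Return the 'id' query value from the first hop that carries one."""
    for url in chain:
        qs = parse_qs(urlsplit(url).query)
        if "id" in qs:
            return qs["id"][0]
    raise ValueError("no hop carries an id parameter")


def decode_tracking_id(value):
    """Recover the query string hidden in the obfuscated 'id' value.

    Returns (plaintext, parsed query, mint time).  The mint time is taken from
    whichever value looks like a 10-digit Unix timestamp, if any.
    """
    plain = codecs.decode(longest_base64_window(value), "rot_13")
    qs = parse_qs(plain, keep_blank_values=True)
    minted = None
    for values in qs.values():
        for v in values:
            if v.isdigit() and len(v) == 10:
                minted = datetime.fromtimestamp(int(v), timezone.utc)
    return plain, qs, minted


if __name__ == "__main__":
    for host, ids in affiliate_ids(CHAIN).items():
        print(f"{host:28} {sorted(ids)}")
    plain, qs, minted = decode_tracking_id(first_hop_id(CHAIN))
    print("decoded id :", plain)
    print("campaign   :", qs.get("campaign"))
    print("minted     :", minted.isoformat() if minted else "unknown")
```

The timestamp is the useful part: it tells you when the tracking link was generated, which you can line up against the date the agency first approached your sales people. The leading characters of the decoded string stay unreadable, which is consistent with the fraudsters padding a real value with filler; the pivot value and the timestamp are what matter.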

 

SOCIAL ENGINEERING AND FALSE INFORMATION

I think that my regular readers now understand what malvertisements are, and what they do - so, let's have a look at some "behind the scenes" activity, in the hope that all of you will learn what to watch out for, and what to check.  I will quote the gentleman who sent me the advertisements - he makes some very relevant observations - with only minor editing changes made to fix typographic errors or improve clarity...

"ForceUP found [us] through an 'advertise with us link' on our Company's corporate web site. ... From talking with the sales rep, it sounds like most of the sales process took place over e-mail with someone claiming to be Philip Norton (mailto:philip@forceup.com)

They were pretty smart about this (they even had us throw a frequency cap on the campaign, I am sure to help make it harder to track down the miscreant ad) and they are definitely monitoring the campaigns they place, a couple days after we took down the campaign they were contacting the sales rep asking about the status and why it wasn’t running.

There were pretty clear signs if anyone had been looking for them. Phone numbers mismatches, address mismatches etc."

 

My correspondent further observes....

"The phone numbers on their credit app don’t come even close to matching with the contact phone number’s on their supposed website.

The numbers from www.forceup.com are:

Phone number: +1(208) 629-3456 (208 is an Idaho area code)

Fax: +1 (443) 498-5395 (443 is a Maryland area code but that doesn’t mean much because this could be a fax service)

The numbers from their credit app are:

Phone: 905-448-4133 (905 is one of the area codes for Toronto, the city they said the company was based in)
Fax: 866-862-4692

A reverse phone number lookup on 905-448-4133 returns the name and address:

C Swatridge
533 Normandy St
Oshawa, ON L1H 5X4
(905) 448-4133

On the credit app they listed their bank as Citizens Bank of Canada, which is a real bank. But for the address they put down PO Box 13133, Station Terminal (they didn’t put down the city or province the bank was located in). Now, on Citizens’ website that address happens to actually be the address of the bank’s corporate headquarters in Vancouver, British Columbia, not the address of a local branch.

The address they listed for their business on the credit app was 366 Ridelle Ave, Suite 866 Toronto, Canada M6B2N3. As near as I can tell from doing a reverse address lookup, 360 Ridelle Ave. and 370 Ridelle Ave. in Toronto are both legitimate addresses but 366 Ridelle is not. The postal code they provided ‘M6B 2N3’ is a valid postal code but is located about 8/10ths of a mile from 360 Ridelle Ave on a completely different street (Fraserwood Ave.)

The ‘forceup.com’ website is hosted in the Netherlands.

A Dun & Bradstreet check returns no information about forceup."

 

Additional observations:

"It did seem like a very small company with only a small budget for online advertising should have raised a flag when the ads they sent us were from Frontgate, a major company that is unlikely to use a small agency to place a $3,100 advertisement buy. Combine that with the fact that Frontgate is a Cincinnati, Ohio based company and you start to question, why would they have a Canadian ad agency place an ad buy on a US based website? But you only start to question that if you are looking for problematic ads to begin with.  Further, Frontgate ... have a reputation of being very high-end and image conscious. Based on that another flag should have been raised by the relative low quality of the advertisements forceup sent to us."

Let's focus on a few important points:

  1. Why would a major company like FrontGate use a small advertising agency?
  2. Why would a major company like FrontGate allow "relative low quality" advertisements to be used?
  3. Why would a major company like FrontGate place a mere $3,100 advertisement buy?

Yeah, I know, with hindsight the questions are a no-brainer, but the reality is that the fraudsters are experts at using social engineering.  They'll contact victim web sites right when the sales people are under pressure to meet sales targets.  They'll want the advertising campaigns to go live as soon as possible... urgent urgent... gotta get it live now...  they'll submit credit applications with addresses and phone numbers that don't add up... they'll provide referees whose email addresses use domains that are all associated (as a robtex.com or domaintools.com check will reveal).

Guys and gals... the fraudsters are *LAZY*, and at times we have been able to corral them into using the same service (Securehost) - aka putting all their eggs into the one basket - if you take a little time, dig a little, scratch below the surface, run the advertisements through a www.adopstools.com check, then you will nearly always see something that will give you reason to pause.  Maybe their name servers or mail servers are supplied by ESTHOST or SECUREHOST... maybe you can draw a connection between the applicant's domain and the domains used by the so-called referees... maybe you'll sit there and think "why the hell would FrontGate use a two bit Canadian advertising company anyway"....

More to come later....

Cite: http://www.theregister.co.uk/2008/03/26/apple_safari_eula_paradox/

Via: http://www.setteb.it/content/view/3647

According to the Register article, we can't be sued for not reading the EULA and installing Safari on Windows, but that doesn't make this slip up any less embarrassing for Apple.

The grumblings about the Safari push are getting louder; there is an interesting conversation on the patchmanagement mailing list with unhappiness being the order of the day.  There are upset administrators out there who are having to deal with what, in reality, is unauthorised software on their networks.  It is only there because many of them felt that they had no choice but to allow the Apple Software Update mechanism to be installed on their users' computers when a critical security update for QuickTime could only be downloaded via that tool.  It is bad enough that we were forced to install the update mechanism so that we could get the security patch - now insult has been added to injury by Apple using that security mechanism to introduce new, unauthorised, unwanted software to our users.

We await Apple's reaction to all this unhappiness with bated breath - let's hope their response (assuming they make one) is not as badly thought out as their now infamous "Video iPod Virus" statement.

 

The Washington Attorney General’s Office is accusing a Scottsdale, Ariz., man of coercing consumers to buy software to block computer pop-ups by first bombarding them with ads for pornography and Viagra. In a civil lawsuit filed today in King County Superior Court in Seattle, the state alleges that consumers who downloaded the software were further victimized when the program caused their computers to stealthily blast messages to other PCs at a rate of one every two seconds.

Attorney General Rob McKenna said Ron Cooke, owner of Messenger Solutions, LLC, violated Washington’s Computer Spyware Act and Consumer Protection Act while marketing programs under the names Messenger Blocker, WinAntiVirus Pro 2007, System Doctor and WinAntiSpyware.

“Our suit alleges that it wasn’t enough for Ron Cooke to manipulate consumers into buying his software,” McKenna said. “His program maliciously turns victims’ computers into spamming machines.”

The suit alleges that computers capable of receiving Windows Messenger Service pop-ups, also known as Net Send messages, were vulnerable to the attacks. Windows Messenger Service, not to be confused with the instant-messaging program Windows Live Messenger, is primarily designed for use on a network and allows administrators to send notices to users. It comes preinstalled with some versions of Windows. Service Pack 2 disables the feature in computers running Windows XP. Windows Vista users are not susceptible.

The suit accuses Cooke and Messenger Solutions of 10 specific violations of state law including transmitting malicious software, attempting to coerce consumers into purchasing software, misrepresenting the necessity of software for security purposes and deceptively causing consumers to violate the Computer Spyware Act.

The Attorney General’s Consumer Protection High-Tech Unit has brought a total of six lawsuits under Washington’s Computer Spyware Statute, RCW 19.270, since the law was approved by the Legislature in 2005.

Assistant Attorney General Katherine Tassi, who is overseeing the case, said the High-Tech Unit has seen a trend in deceptive advertising to sell software.

“We’ve seen individuals and companies inundate consumers with Internet pop-up ads and Net Send services that frequently resemble system alerts,” Tassi said. “Their intent is to pressure consumers to buy a product that will supposedly protect a computer from pop-ups, viruses or spyware. Many consumers wind up paying for a program that is essentially worthless or may even leave the computer more vulnerable to malware.”

The office began investigating the case in October 2007 after a computer in the High-Tech Unit’s lab received ads via Windows Messenger Service. The lab uses “honey pots” to detect hackers, spyware purveyors and other Internet mischief.

The state’s complaint alleges Cooke uses Windows Messenger Service to initially bombard consumers with a continuous stream of pop-ups advertising porn and sexual-enhancement products.

Next, he uses Windows Messenger Service to send those same consumers another bout of pop-ups intended to simulate system warnings. The warnings claim that the consumer’s computer is vulnerable to security attacks and direct the user to a Web site to buy software to supposedly block pop-ups.

“The pop-ups persistently appear anytime the consumer is connected to the Internet,” Tassi said. “A consumer could simply be typing a letter using a word-processing program and the pop-ups crop up again and again, sometimes covering the entire computer screen.”

Consumers who visit the Web site are offered the opportunity to download Messenger Blocker, a program Cooke sells. In some cases, consumers are offered a free seven-day trial. On other sites, the product is available for $19.95 without the trial.

The Attorney General’s complaint alleges that the pop-ups stop during the trial period. But once the trial expires, the consumer’s computer is bombarded with additional pop-ups that resemble those sent by Messenger Service but, in fact, are generated by Cooke’s software.

The complaint further alleges that the software installed during the trial or purchase causes a consumer’s computer to secretly send out more ads to other computers, disables Windows Task Manager and adds a bookmark to the defendant’s Web site. The software is difficult, if not impossible, to uninstall.

The Attorney General’s Office believes Cooke transmitted the messages and marketed his software from his home and that potentially hundreds of consumers in Washington state received the deceptive pop-up ads. Officials weren’t sure today how many people outside the state received the ads or how many consumers actually downloaded software in response to an ad.

The state’s complaint requests injunctive provisions to stop the deceptive behavior, civil penalties and refunds for consumers.

Messenger Solutions/Cooke Complaint:
http://www.atg.wa.gov/uploadedFiles/Home/News/Press_Releases/2008/MessengerSolutionsComplaint032508.pdf

Wow... I just saw one outta control copy of Internet Explorer ...

As near as I can tell, youhide.com, a web proxy service for anonymous web surfing, has been infiltrated by malicious banner advertisements.. again...

But this time, so many MalwareAlarm windows opened, the situation could not be controlled. Nor was Task Manager accessible to shut down the iexplore.exe process.  The only option - pull the power.

I'll be taking a close look at youhide.com tonight from the safety of a virtual machine - it's not the first time that that service has had a problem.

 

Boyd Anderson posted this comment tonight:

"What can Classmates do about xponlinescanner.com/2008/1/freescan.php?aid=77011807?"

This was my response:

@BoydAnderson,

What can classmates.com do?

First, source reliable instructions and advice on how to get rid of xponlinescanner from any reputable anti-spyware advisory forum, and get that information out to their clients.

Second, conduct more comprehensive checks into the background and bona fides of those they accept advertising from - see these links for advice:

Avoiding the bad guys - detecting potentially malicious advertising campaigns
http://msmvps.com/blogs/spywaresucks/archive/2008/01/16/1465721.aspx

Winfixer hide 'n' seek: explaining why some people see the ads, and some people don't
http://msmvps.com/blogs/spywaresucks/archive/2007/08/24/1134527.aspx

Third, run advertisements that they receive through services such as www.adopstools.com to check for malicious code.

Sandi &c.

Adopstools.com provides a service called an Online Click Checker.  The Online Click Checker nearly always detects malicious or suspicious code in Flash based advertisements.  On those rare occasions that the Online Click Checker has failed to detect that an advertisement is malicious (which I have only seen happen a couple of times), the site's owner has been very fast to respond to my email approach by updating his scanner to catch what was previously missed.

 

The email said (my comments are the paragraphs prefixed "Sandi:"):

"Thank you for contacting Classmates. I can understand your frustration and will do my best to address your concerns.

Thank you for letting us know that your experience on Classmates.com was interrupted. We always want to know if someone abuses the trust you have in Classmates so that we can remedy the situation as soon as possible.

We’re continuing to investigate this incident. Here’s what we know to date:

One of the advertisements on Classmates.com included some hidden code that allowed a deceptive ad to piggyback along with it. When someone clicked a link on Classmates.com or in an email from Classmates, the deceptive ad imitated their computer’s functionality, trying to mislead them into downloading some software.

Sandi: There was not one advertisement - I identified three distinct advertisements being:

nztv.prod.untd.com/RealMedia/ads/Creatives/ISP/CM_GeminiIntera_FPWS_5_10179/160x600
nztv.prod.untd.com/RealMedia/ads/Creatives/ISP/CM_GeminiIntera_LB_1_10179/728x90.swf
nztv.prod.untd.com/RealMedia/ads/Creatives/ISP/CM_GeminiIntera_FPR_4_10179/300x250.swf 

It was **NOT** necessary for somebody to "click[ed] a link on Classmates.com".  The hijack occurred as soon as one of the malicious advertisements was displayed on a victim's computer (assuming the computer met certain country, IP and timezone requirements as set by the fraudsters) and no user interaction was required.

If a user was hijacked by clicking on a link in a classmates.com email, I can only assume that clicking on that link loaded a classmates.com web page which then displayed the malicious advertisement.

Again, NO USER INTERACTION IS REQUIRED to trigger a redirect - all that is necessary is for the advertisement to be displayed on a victim's computer (assuming the computer met certain country, IP and timezone requirements as set by the fraudsters).

Classmates did not send you a virus or try to mislead you into downloading anything. The advertiser in question violated our terms of service and we have removed the ad from our site.

Sandi: I can only hope that all *three* advertisements were removed, not just one.

I also hope that they (as in United Information) also removed:

nztv.prod.untd.com/RealMedia/ads/Creatives/ISP/MWS_Getfreecar_LBLINT_2_8671/gfc_728x90.swf

and

nztv.prod.untd.com/RealMedia/ads/Creatives/ISP/MWS_GetFreeCar_LBLINT_6_8671/getfreecar728x90_REVISED_07052006.swf

Because the deceptive ad popped up after clicking a link in an email from Classmates, some users believed they received a virus from our email. This is not the case. None of our email products included a virus.

Classmates.com should now function normally for you. We’re sorry if this caused you any inconvenience.  We’re doing everything possible to keep this from happening again.
 
Thank you for your cooperation and patience. As always, please let me know if I can be of further help.

Sincerely,

Laurie
Classmates Member Care Lead
www.classmates.com"

 

The site referrer report for this blog has revealed reports of malicious banner advertisements appearing on not only classmates.com, but also the StarTribune National News site, cincinnati.com, news.enquirer.com, NYPost and cincymoms.com (and who knows how many more).

I'm seeing a common theme in many recent outbreaks - far too often victim web sites are managing their own advertising content and, when this happens, the advertising network that the website is using is unable to shut down a malicious campaign, instead having to wait until the victim site shuts down the malvertisement at their own behest.

This is a situation that requires discussion and thought.  For example, is it acceptable for an advertising network to be in a situation where their software or infrastructure is being used to distribute malvertisements, yet be unable to remove the malvertisements because they don't have primary control?

I remember back when blich.ch was hit by the skyauction malvertisement, it was nine.ch that was in the hotseat.  Eventually nine.ch "firewalled" the malicious advertisement but in the interim who knows how many thousands, or tens of thousands, of people were exposed to a malvertisement which we knew was there, but were unable to immediately shut down.

cite:  http://msmvps.com/blogs/spywaresucks/archive/2008/01/09/1450217.aspx

My personal opinion is that advertising networks must maintain the right to immediately block malicious advertising content as soon as it is reported to them, because it is of critical importance that malvertisements are shut down as soon as possible.  Far too often I have seen delays of hours, days or even weeks while advertising networks try to contact website administrators, or convince recalcitrant administrators to act.

Your thoughts?

Cite: http://www.theregister.co.uk/2008/03/18/ebay_scripting_malfeasance/

Interesting - this is the first time that I have heard about Shockwave being used to redirect victims to a malicious site.
