Edited to fix title...
Hi Sandi--
I just came across this on your site, and I wanted to possibly provide more information on this. We were just hit with a malicious E*TRADE campaign. They had been running a set of SWFs just fine since 8/13, but on 8/21 they sent a new 250x250 SWF unit to replace the ad that was running, and it was during this week that we started getting reports from users being hit with fake virus scans. I placed the 250x250 on the following test page for review:
www.usatoday.com/.../life-front_0508.htm
We also reviewed the SWF, and found the same batch of coding we discovered in the 4CETERA (ebooks) campaign, the first malware campaign we were ever hit with (decompiled ActionScript fragment as posted):

    if (!btn)
    {
        var _reg1 = (_global.gtn = function ()
        {
        }).prototype;
        _reg0.main = function (mc)
        _root.clickTarget = "_blank";
        ;
        ASSetPropFlags(_reg1, null, 1);
I'm not sure exactly what that ActionScript is calling for, but it is a perfect match to the coding in our other batch of malware, so I think it's our 'smoking gun'.
The campaign was sent to us from Olympicmedia.net. A quick WHOIS shows www.who.is/.../olympicmedia.net
The red flags are that the IP location is the Netherlands, but the agency is in Ontario. The domain was also created on 6/12/08. All suspicious information, but we had our IT team monitoring the ad on the test page on outside internet connections and no one was able to get the virus pop-up. We suspended the campaign anyway, and I wanted to give you a heads up so you could investigate and warn the community.
If you'd like me to send you the swf, or any additional information, please let me know.
Thank you!
Heather
hzeman@usatoday.com
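The "smoking gun" in the e-mail above is a string-level match between two SWF ad units. As an added example (not code from the post or from the e-mail's author), the script below does that first-pass triage without a Flash decompiler: it handles both uncompressed (FWS) and zlib-compressed (CWS) SWF files, walks the tag list, and reports which script-bearing tags (DoAction, DoInitAction, DoABC) contain indicator strings. The indicator list is taken from the ActionScript fragment in the e-mail; the sample SWF it scans is constructed in the script itself and is not the real ad creative, and the `build_sample_swf` helper exists only so the example runs offline.

```python
import struct
import zlib

# Indicator strings lifted from the decompiled fragment in the e-mail above.
INDICATORS = [b"_global.gtn", b"clickTarget", b"ASSetPropFlags", b"_blank"]

# SWF tag codes that carry ActionScript (AS2 bytecode or AS3 ABC blocks).
SCRIPT_TAGS = {12: "DoAction", 59: "DoInitAction", 82: "DoABC"}


def decompress_swf(data):
    """Return (signature, version, declared_length, body) for FWS/CWS bytes."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig, version = data[:3], data[3]
    declared_len = struct.unpack("<I", data[4:8])[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])          # everything after the 8-byte header is zlib
    elif sig == b"ZWS":
        raise ValueError("LZMA-compressed SWF (ZWS) not handled in this example")
    else:
        raise ValueError("not a SWF file")
    return sig.decode(), version, declared_len, body


def rect_size(body):
    """Byte length of the frame-size RECT: 5 bits of Nbits, then 4 fields of Nbits each."""
    nbits = body[0] >> 3
    return (5 + 4 * nbits + 7) // 8


def iter_tags(body):
    """Yield (tag_code, payload) for each top-level tag; stops at the End tag (code 0)."""
    pos = rect_size(body) + 4                     # skip RECT, frame rate (u16), frame count (u16)
    while pos + 2 <= len(body):
        code_and_len = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, length = code_and_len >> 6, code_and_len & 0x3F
        if length == 0x3F:                        # long form: explicit u32 length follows
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        yield code, body[pos:pos + length]
        pos += length
        if code == 0:
            break


def scan_swf(data):
    """Return signature, version and a list of (tag_name, indicator) hits in script tags."""
    sig, version, _, body = decompress_swf(data)
    hits = []
    for code, payload in iter_tags(body):
        if code in SCRIPT_TAGS:
            for ind in INDICATORS:
                if ind in payload:
                    hits.append((SCRIPT_TAGS[code], ind.decode()))
    return {"signature": sig, "version": version, "hits": hits}


def build_sample_swf(strings, compress=True):
    """Constructed test input: a one-frame SWF whose DoAction tag pushes the given strings."""
    actions = b""
    for s in strings:
        payload = b"\x00" + s + b"\x00"           # ActionPush, type 0 = null-terminated string
        actions += b"\x96" + struct.pack("<H", len(payload)) + payload
    actions += b"\x00"                            # ActionEnd
    tag = struct.pack("<H", (12 << 6) | 0x3F) + struct.pack("<I", len(actions)) + actions
    body = b"\x00" + struct.pack("<HH", 0x0C00, 1) + tag + b"\x00\x00"   # RECT(0 bits), 12 fps, 1 frame, End
    total_len = 8 + len(body)
    if compress:
        return b"CWS" + bytes([8]) + struct.pack("<I", total_len) + zlib.compress(body)
    return b"FWS" + bytes([8]) + struct.pack("<I", total_len) + body


# Constructed samples: one carrying the e-mail's indicators, one benign.
SAMPLE_SUSPECT = build_sample_swf([b"_global.gtn", b"clickTarget", b"_blank"])
SAMPLE_CLEAN = build_sample_swf([b"hello"], compress=False)

if __name__ == "__main__":
    for name, blob in (("suspect", SAMPLE_SUSPECT), ("clean", SAMPLE_CLEAN)):
        print(name, scan_swf(blob))
```

The scan only looks at top-level tags; DoAction tags nested inside DefineSprite, and strings assembled at runtime, will not be seen, so a clean result is not a clean bill of health. It is meant for exactly the situation in the e-mail: quickly checking whether a newly delivered creative shares code with one already known to be bad, before handing it to a decompiler.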