ALERT: malvertizement featuring cardstore.com

Edited to fix typos - changing cardshop to cardstore - (it had been a *long* day)

I finally got a sample of the malicious advertisement featuring cardstore.com:

Interesting points to bear in mind about this incident are:

  1. The malvertizement was received from the currently defunct trackstarmedia.com.
  2. The malvertizement passes preliminary security checks (including adopstools):
    http://www.adopstools.com/index.asp?page=quicklink&id=a28IN1T1L0Y5EC2l
  3. www.mosessupposes.com/Fuse/ was used to create the malvertizement, as you can see from the code revealed by the adopstools check.
  4. The campaign was live for a week before anything bad started to happen.

It is strongly recommended that any advertisement created with Fuse be treated with extreme caution.  In fact, let me go further: it may be worth implementing a policy of refusing any advertisement that has been created using Fuse.

I also strongly recommend that you treat anybody who supplies such creatives with "extreme prejudice".  Do everything you can to verify their bona fides.  Complete not only the standard address, phone number and credit checks, but also a comprehensive reputation check: look into the background and history of the advertiser and of anybody providing a credit reference.  Take a close look at their web sites: who hosts them, who shares their IP address, who shares their mail server and their name server, and what other web sites sit within the same IP range.  If you have access to a domaintools.com Gold Membership, take a close look at their hosting history, and check their WHOIS history using the same service.  Write to people such as myself and ask for advice and guidance.

I do not advise this course of action lightly.  I ask that you seriously consider it unless and until we have found a reliable way to improve the detection of these newer types of malvertizements.

Even if an advertiser is not offering a Fuse creative, you should still exercise caution.  If the advertiser is in a rush (they want the ads to run as soon as possible) and is relatively unknown, ask yourself how likely it is that such an unknown player would have been given that particular advertising campaign, especially if the advertisements feature well known brands.  I find it amazing that we do not question how smaller advertising networks could end up with names such as Colgate in their stable of clients, or why big names would have surprisingly small advertising budgets.

Follow your instincts, people... if you smell a rat, or something just doesn't sit right, proceed with extreme caution.  And be careful of any letter of mandate or authority that you may be given: back when the skyauction malvertizements were being distributed, the fraudsters pushing the advertisements used a fake letter of mandate to convince victim sites of their bona fides.

Staff at the victim site commented that there is "a lot of action scripting for such a simple ad".  I agree with their observation (hindsight is a wonderful thing).  It is something to bear in mind when assessing a creative.
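As an added example (not part of this post, and not a tool the author mentions), the following Python screener applies the two observations above to an incoming Flash creative: it inflates the SWF, searches the uncompressed bytes for strings that suggest a Fuse-built ad, and totals the payload of the ActionScript-bearing tags so that "a lot of action scripting for such a simple ad" becomes a measurable ratio. The marker strings, the 25% script threshold and the sample SWF files are my own assumptions and constructions, not values taken from the incident.

```python
import struct
import zlib
# Marker strings assumed (not taken from the post) to betray a Fuse-built creative.
FUSE_MARKERS = (b"mosesSupposes", b"Fuse")
SCRIPT_TAGS = {12: "DoAction", 59: "DoInitAction", 82: "DoABC"}  # SWF spec tag codes

def inflate_swf(data: bytes) -> bytes:
    """Return the uncompressed file: a CWS file is zlib-compressed after its 8-byte header."""
    if data[:3] == b"FWS":
        return data
    if data[:3] == b"CWS":
        return data[:8] + zlib.decompress(data[8:])
    raise ValueError("not a SWF file")

def _header_len(body: bytes) -> int:
    nbits = body[8] >> 3                      # RECT: 5-bit field size, then four fields
    return 8 + (5 + 4 * nbits + 7) // 8 + 4   # + frame rate (2 bytes) + frame count (2 bytes)

def script_bytes(body: bytes) -> dict:
    """Walk the tag list and total the payload bytes of every ActionScript-bearing tag."""
    pos, totals = _header_len(body), {}
    while pos + 2 <= len(body):
        code_len = struct.unpack_from("<H", body, pos)[0]
        code, length, pos = code_len >> 6, code_len & 0x3F, pos + 2
        if length == 0x3F:                    # long form: a UI32 length follows
            length, pos = struct.unpack_from("<I", body, pos)[0], pos + 4
        if code == 0:                         # End tag
            break
        if code in SCRIPT_TAGS:
            totals[SCRIPT_TAGS[code]] = totals.get(SCRIPT_TAGS[code], 0) + length
        pos += length
    return totals

def screen_creative(data: bytes, max_script_ratio: float = 0.25) -> dict:
    """Flag a creative that carries Fuse markers or an unusually high share of script bytes."""
    body = inflate_swf(data)
    total = sum(script_bytes(body).values())
    ratio = round(total / len(body), 3)       # share of the uncompressed file that is script
    markers = [m.decode() for m in FUSE_MARKERS if m in body]
    return {"fuse_markers": markers, "script_bytes": total, "script_ratio": ratio,
            "reject": bool(markers) or ratio > max_script_ratio}

def _tag(code: int, payload: bytes) -> bytes:
    return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload  # long-form RECORDHEADER

def build_sample_swf(art: bytes, script: bytes) -> bytes:
    """Constructed CWS file: 1-byte RECT, 12 fps, 1 frame, one DefineShape tag, one DoAction tag, End."""
    tail = b"\x00" + struct.pack("<HH", 12 << 8, 1) + _tag(2, art) + _tag(12, script) + b"\x00\x00"
    return b"CWS\x08" + struct.pack("<I", 8 + len(tail)) + zlib.compress(tail)
```

A mostly-artwork sample passes, while a sample whose bytes are dominated by script and carry the assumed Fuse strings is flagged for manual review.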

Published Thu, Aug 14 2008 11:31 by sandi