ALERT: malvertizement at newsweek.com (hosted by washingtonpost.com)

Edit: Please review this article re Fuse:
http://msmvps.com/blogs/spywaresucks/archive/2008/08/19/1644991.aspx


Once again, it is a malvertizement created using Fuse Kit.  Again, there are signs that the malvertizement came from the now defunct trackstarmedia. 

Kimberley has all the details at her forum.  The advertisement is still live at time of writing.

It is quite obvious that the bad guys are going to take as much advantage as they can of the fact that their current malvertizements (those created using Fuse Kit) are extremely difficult to detect.  They are going to hit every site that they can, as often as they can, for as long as they can.  It worries me that I am seeing complaints about malvertizing-like symptoms all over the net implicating not only Newsweek but other big-name sites like MSNBC, Facebook, lime.com, Hotmail, MySpace and Yahoo.

I am seeing reports of the malicious redirects remaining dormant for a week before visitors to victim web sites are hijacked and redirected to fraudware sites.  Web sites simply *must* increase their due diligence checks with any new advertiser.  It is going to take time, and it is going to cost money, but what alternative do web sites have if they want to protect and keep their readership, and if they want to avoid the inevitable end result of malvertizing, which is that more and more visitors to their sites are going to block all advertising?

That being said, it is not all doom and gloom - not yet.  There is something that you can watch out for, even if a particular advertisement passes the adopstools test, and passes other security tests.  You see, even if the hijacking behavior of a malvertizement is "dormant" there are still subtle hints of trouble ahead that you can see if you know where to look. 

For example, in the case of the newsweek malvertizement, by leaving network traffic capture software (or Fiddler) running when the advertisement displays on a web page, we see that the following URL is touched - adoptserver.info/state_.gif?url=[removed] and that the malvertizement is the referrer.  adoptserver.info is a known "bad actor". Its name servers are supplied by the now infamous "estboxes".  Any advertisement that leads to such a domain being touched should be suspended, no questions asked.  Don't wait for the complaints to start.
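As an added illustration, not code from the original post, the following Python script applies the check just described to a request log: every request whose host is a known bad-actor domain (or a subdomain of one) is reported together with its referrer, which is the creative that made the call, and with the page URL that was leaked in the query string. The only real name in it is adoptserver.info, taken from the post; the log format, the timestamps and the publisher.example / adserver.example / cdn.example hosts and paths are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Domains treated as known "bad actors"; adoptserver.info is the one the post names.
# Extend this set with your own list as you learn more of them.
KNOWN_BAD_DOMAINS = {"adoptserver.info"}

# Constructed capture (not a real Fiddler export), one request per line:
#   <date> <time> <METHOD> <url> [Referer: <url>]
# Every host except adoptserver.info, every path and every timestamp is made up.
SAMPLE_CAPTURE = """\
2008-08-16 03:46:01 GET http://publisher.example/story.html
2008-08-16 03:46:02 GET http://adserver.example/creative/banner.swf Referer: http://publisher.example/story.html
2008-08-16 03:46:03 GET http://cdn.example/lib/common.js Referer: http://publisher.example/story.html
2008-08-16 03:46:04 GET http://adoptserver.info/state_.gif?url=http%3A%2F%2Fpublisher.example%2Fstory.html Referer: http://adserver.example/creative/banner.swf
2008-08-16 03:46:09 GET http://img.adoptserver.info/p.gif
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<method>[A-Z]+) (?P<url>\S+)(?: Referer: (?P<ref>\S+))?$"
)


def host_of(url):
    """Lower-cased host part of a URL, or '' if there is none."""
    return (urlsplit(url).hostname or "").lower()


def is_bad_host(host, bad=KNOWN_BAD_DOMAINS):
    """True for a listed domain or any subdomain of it (never for a look-alike such as notadoptserver.info)."""
    return any(host == d or host.endswith("." + d) for d in bad)


def parse_line(line):
    """Split one capture line into its fields; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def suspicious_requests(lines, bad=KNOWN_BAD_DOMAINS):
    """Report every request to a bad-actor host, with the creative that made it and the leaked page."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = host_of(rec["url"])
        if not is_bad_host(host, bad):
            continue
        query = parse_qs(urlsplit(rec["url"]).query)
        findings.append({
            "time": rec["ts"],
            "bad_host": host,
            "creative": rec["ref"] or "",            # referrer = the advertisement that called out
            "leaked_page": query.get("url", [""])[0],  # page URL carried in the beacon, if any
        })
    return findings


if __name__ == "__main__":
    for f in suspicious_requests(SAMPLE_CAPTURE.splitlines()):
        print(f"{f['time']}  {f['bad_host']}  called by: {f['creative'] or '(no referrer)'}"
              f"  leaked page: {f['leaked_page'] or '(none)'}")
```

The match is on the host, not the full URL, because the path and the tracking parameters change from campaign to campaign while the domain is what the bad actor has to keep stable; suffix matching catches beacons moved to a subdomain, and the referrer field is what lets you name the creative to suspend rather than just the publisher page it ran on.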

If the bad guys want to continue to use the type of controls that they currently use to manipulate the behavior of malvertizements, then such telltale signs in network captures are pretty much unavoidable, but the person examining the captured data needs to know what to look for, and needs to be familiar with the bad domains, and, sadly, needs a finely tuned "gut instinct" to be able to spot suspicious URLs.  The bad guys use myriad "bad actor" domains, and they can register new names very quickly and easily, and sometimes they can hide for a while before we work out who/what they are.  Even as I write, I can think of ways that they may change the way they do things to try to avoid even the tiny indication of trouble that is a single call touching a single bad URL.  So, let me stress, once more, what I said the other day:

It is strongly recommended that any advertisement that has been created with Fuse be treated with extreme caution.  In fact, let me go further - it may be worthwhile considering implementing a policy to refuse any advertisement that has been created using Fuse.

I also strongly recommend that you treat anybody who supplies such creatives with "extreme prejudice".  Do everything you can to check into their bona fides.  Complete not only the standard address, phone number and credit checks, but also undertake a comprehensive reputation check - look into the background and history of the advertiser and anybody providing a credit reference.  Take a close look at their web sites - who hosts them, who shares their IP address, who shares their mail server and their name server - check what web sites are within the same IP range.  If you have access to a domaintools.com Gold Membership take a close look at their hosting history.  Check into their WHOIS history as well using the same service.  Write to people such as myself and ask for advice and guidance.
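The hosting and contact checks above (shared name servers, mail servers and IP ranges, plus the same address and phone number turning up behind a new name) amount to looking for infrastructure overlap between an applicant and the bad actors you already know. The Python below is an added example, not part of the post, that does exactly that comparison over a small set of records shaped like what a WHOIS and DNS lookup would give you. Every domain, name server, IP (TEST-NET ranges), phone number and street address in it is a constructed placeholder, and the "known bad" entry is hypothetical; in practice the records would come from the lookups described in the post.

```python
from ipaddress import ip_address, ip_network

# Constructed lookup results for hypothetical domains. Nothing here is real data:
# the IPs are documentation ranges and the contact details are placeholders.
RECORDS = {
    "known-bad.example": {
        "ns": {"ns1.bulletproof.example", "ns2.bulletproof.example"},
        "mx": {"mail.known-bad.example"},
        "ip": "203.0.113.10",
        "phone": "+1-555-0100",
        "address": "1 Nowhere Lane, Springfield",
    },
    "applicant-a.example": {   # same hosting stack as the known bad actor, new contact details
        "ns": {"ns1.bulletproof.example", "ns2.bulletproof.example"},
        "mx": {"mail.known-bad.example"},
        "ip": "203.0.113.77",
        "phone": "+1-555-0199",
        "address": "9 Other Road, Shelbyville",
    },
    "applicant-b.example": {   # different hosting, same phone and address as the known bad actor
        "ns": {"ns1.registrar-dns.example"},
        "mx": {"mx.registrar-dns.example"},
        "ip": "198.51.100.5",
        "phone": "+1-555-0100",
        "address": "1  nowhere lane,  Springfield",
    },
    "applicant-c.example": {   # nothing in common
        "ns": {"ns1.bigcloud.example"},
        "mx": {"mx.bigcloud.example"},
        "ip": "192.0.2.44",
        "phone": "+1-555-0150",
        "address": "42 Main St, Capital City",
    },
}
KNOWN_BAD = {"known-bad.example"}   # hypothetical; fill from your own records


def same_ip_block(a, b, prefix=24):
    """True when two addresses fall in the same /prefix (default /24) range."""
    return ip_address(a) in ip_network(f"{b}/{prefix}", strict=False)


def normalise(text):
    """Collapse case and whitespace so trivially re-typed addresses still compare equal."""
    return " ".join(text.lower().split())


def overlap(applicant, bad, records=RECORDS):
    """List what an applicant shares with one known-bad domain, as (category, values) pairs."""
    a, b = records[applicant], records[bad]
    hits = []
    if a["ns"] & b["ns"]:
        hits.append(("nameserver", sorted(a["ns"] & b["ns"])))
    if a["mx"] & b["mx"]:
        hits.append(("mailserver", sorted(a["mx"] & b["mx"])))
    if same_ip_block(a["ip"], b["ip"]):
        hits.append(("ip_block", [str(ip_network(f'{b["ip"]}/24', strict=False))]))
    if a["phone"] == b["phone"]:
        hits.append(("phone", [a["phone"]]))
    if normalise(a["address"]) == normalise(b["address"]):
        hits.append(("address", [a["address"]]))
    return hits


def assess(applicant, records=RECORDS, known_bad=KNOWN_BAD):
    """Map each known-bad domain to the overlaps found; an empty dict means nothing shared."""
    result = {}
    for bad in sorted(known_bad):
        hits = overlap(applicant, bad, records)
        if hits:
            result[bad] = hits
    return result


def overlap_kinds(applicant, records=RECORDS, known_bad=KNOWN_BAD):
    """Flat set of overlap categories, convenient for a triage threshold."""
    return {kind for hits in assess(applicant, records, known_bad).values() for kind, _ in hits}


if __name__ == "__main__":
    for name in RECORDS:
        if name in KNOWN_BAD:
            continue
        kinds = sorted(overlap_kinds(name))
        print(name, "->", ", ".join(kinds) if kinds else "no overlap with known bad actors")
```

A hit on a shared /24 or a shared mail server is weaker evidence than a shared registrant phone number, since cheap hosting puts unrelated customers side by side, so treat the categories as prompts for the manual reputation check the post asks for rather than as a verdict on their own.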

I do not advise this course of action lightly.  I ask that you seriously consider it unless and until we have found a reliable way to improve the detection of these newer types of malvertizements.

Even if an advertiser is not offering a Fuse creative, you should still exercise caution.  If the advertiser is in a rush (they want the ads to run as soon as possible) and is relatively unknown, you have to ask yourself how likely it is that such an unknown player would have been given a particular advertising campaign, especially if the advertisements feature well-known brands.  I find it amazing when we do not question how smaller advertising networks could end up with names such as Colgate in their stable of clients, or question why big names would have surprisingly small advertising budgets.

Follow your instincts, people... if you smell a rat, or something just doesn't sit right, then proceed with extreme caution.  And be careful of any letter of mandate or authority that you may be given: back when the skyauction malvertizements were being distributed, the fraudsters pushing the advertisements were using a fake letter of mandate to convince victim sites of their bona fides.

Staff at the victim site commented that there is "a lot of action scripting for such a simple ad".  I agree with their observation (hindsight is a wonderful thing).  It is something to bear in mind when assessing a creative.

Published Sat, Aug 16 2008 3:46 by sandi

Comments

# re: ALERT: malvertizement at newsweek.com (hosted by washingtonpost.com)

Monday, August 18, 2008 5:54 PM by Moses Gunesch

Hi Sandi,

I'm the author of the Fuse Kit. Your article is entirely misleading; Fuse Kit is simply an animation system for Flash that is entirely free, open and transparent. There is nothing in the code that can trigger malicious actions. Fuse is very simple, it can make things move around on the screen and create animation – it doesn't have a single network-enabled feature that can even call another website. That stuff is done using the Flash Player, which should probably be the target of your attacks.

I do not doubt that this banner creator used Fuse, it is even possible that they may have laced their own malicious code into their custom animation sequences (I don't write people's animation code for them), but in essence Fuse itself is just a fancy animation timer.  The GetURL actions you mention – or any other network connectivity they used – are part of Flash's native coding language (ActionScript), and absolutely do not rely on Fuse (or any other system) to operate.

To state clearly, I absolutely oppose malware myself, and would never think of writing code that enabled any such thing! I hope that you, Kimberly and the others will retract these implications that Fuse is somehow responsible for things it is not even capable of. It is damaging to my name as an Open Source developer who works for the good of the Flash coding community. (So you know, I'm a pretty above-board kind of guy: a published author, I speak at conferences and am generally considered a positive contributor in the Flash world. I really hope that your game is not just to tarnish people's reputations without just cause!)

You are in the business of trying to identify legitimate online threats, which I applaud. I would guess that your credibility must partially hinge on where you point the finger. The author of that banner should surely be excoriated (if you track them down please let me know, I would like to tell 'em a thing or two...), but their use of my animation kit is incidental at best.

Again, Fuse is an entirely open, free, and transparent open source code library. There is nothing scary or mysterious about it. I'll be happy to help explain it to you in more detail if you'd like! :-) But, this strong recommendation you've made against it is misguided and damaging, and I would very kindly ask you to reconsider!

Thanks very much,

Moses Gunesch

# re: ALERT: malvertizement at newsweek.com (hosted by washingtonpost.com)

Tuesday, August 19, 2008 8:48 AM by Tsu dho Nimh

Moses ...

It's used because it's free, and it's easy.  It is misused for the same reasons.

# re: ALERT: malvertizement at newsweek.com (hosted by washingtonpost.com)

Thursday, September 18, 2008 11:22 AM by troy

I was recently contacted by a company called Gilmoursmedia to run an ad campaign with them.  We went through the whole process and had an uneasy feeling about them.  Yesterday I did some research and they are using the same address and phone number as trackstar media.  I don't know how to tell if there is a malvertisement in the ad that they want me to display on my site.  I also told them I had some concerns about their company and then they stopped returning emails.  Can anyone help me with this?  Not sure what to do.