Ponderings about the New York Times malvertizing incident

It has been all over the popular press – the New York Times web site had been tricked into accepting a malvertizement that was hijacking some visitors to that site and dumping them at a web site touting fake security software.  And, in a move that is kind of unusual, the New York Times web site displayed a warning about the malvertizement.

It just so happens that over on yort.com (author: Troy Davis) there is a screenshot demonstrating how the hijack was triggered:

 

[Screenshot: New York Times incident as reported on yort.com]

[Screenshot: similar incident as reported on Spyware Sucks]

 

As you can see from the screenshots above, the two incidents are very similar, and the important part, the part that caused the hijack, is the code starting at “var a1” in both screenshots.  Depending on various conditions and controls (geolocation, IP address, time of day etc.), some visitors would have received JUST the advertisement; others would have seen **the same advertisement** but would also have received the extra code (starting at var a1, as noted above).

The hijacking domain, tradenton.com:

  • resolves to a known bad IP address (as reported on this blog on the 10th of September)
  • sits in an IP range in which other bad domains were discovered as far back as 4 September
  • is very new (registered just this month)
  • was registered using a known problematic Registrar

I have said many times on this blog and elsewhere that reputational checks are of CRITICAL IMPORTANCE when accepting advertisements.  Information was available to warn those alert to potential danger that caution was needed as far back as the 4th of September (cite: my alert about vonage-inc.com on 4 September 2009).

Please… take advantage of services such as http://www.anti-malvertising.com/ and start conducting in-depth research when somebody tries to sell you advertising.  One day, your web site may not be hit by an advertisement that simply redirects your visitors to a fake security website.  Instead, your visitors may be redirected to:

[Screenshot: The New York Times hijack in progress, as captured and reported by yort.com]

 

I have been reading the report at wired.com about this incident, and think it is worthwhile pondering some of the points made in the article.

 

wired.com: “The move comes after a security loophole allowed scammers over the weekend to swap an innocuous advertisement for one serving a fake virus-warning, and hawking a deceptive scareware product intended to sell bogus security software.”

wired.com: “Over the weekend, the ad being served up was switched so that an intrusive message, claiming to be a virus warning from the reader’s computer, appeared.”

wired.com are correct when they say that the incident occurred because of a “security loophole” (that is, the New York Times allowed content hosted remotely, on a domain outside of its direct command and control, to be displayed on its web site; an extremely common practice and certainly not unique to the New York Times). 

That being said, I find it interesting that an “innocuous advertisement” would be “swapped out” or “switched”.  Standard modus operandi for incidents such as the one caught by yort.com has always been to simply add additional malicious code when certain conditions were met – the advertisement itself has not changed in previous incidents (except for when there is an industry-standard rotation of advertisements, which is not the same as a deliberate swapping out). 
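One way a publisher can catch exactly this pattern is to keep the approved creative, fetch what the third-party tag actually serves from several vantage points (different geolocations, IP addresses, times of day) and diff the executable parts rather than the visible advertisement. The block below is an added example, not code from the original post or from yort.com. Both HTML strings are constructed: the baseline is modelled on the BVLGARI advertisement and its bulgari.com link, the "served" copy stands in for a creative with an appended script and does not reproduce the real injected code, and the ad-server hostname is a placeholder.

```python
"""Detect executable code added to a third-party ad creative.

Added example (not the post's or yort.com's code). The approved creative
and the served creative are both constructed; the appended script is a
stand-in for injected code, not the real payload.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

_URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


class _CreativeInventory(HTMLParser):
    """Collects every script (external src or inline body), any meta refresh,
    and every host the creative references, from attribute URLs and from URL
    literals inside script bodies alike."""

    def __init__(self):
        super().__init__()
        self.scripts = []      # (src, inline body) or ("meta-refresh", content)
        self.hosts = set()
        self._src = None
        self._buf = None       # not None while inside a <script> element

    def _note_hosts_in(self, text):
        for host in _URL_HOST.findall(text or ""):
            self.hosts.add(host.lower())

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for key in ("src", "href", "data"):
            if attrs.get(key):
                host = urlparse(attrs[key]).hostname
                if host:
                    self.hosts.add(host.lower())
        if tag == "script":
            self._src = attrs.get("src")
            self._buf = []
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            content = attrs.get("content") or ""
            self.scripts.append(("meta-refresh", content))
            self._note_hosts_in(content)

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip()
            self.scripts.append((self._src, body))
            self._note_hosts_in(body)
            self._buf = None


def inventory(html):
    parser = _CreativeInventory()
    parser.feed(html)
    parser.close()
    return parser


def creative_drift(baseline_html, served_html, allowed_hosts):
    """Compare a served creative with the approved one.

    Returns the scripts present in the served copy but not the baseline, the
    hosts the served copy references outside the allow-list, and a flag that
    is set when either list is non-empty."""
    base = inventory(baseline_html)
    served = inventory(served_html)
    added = [s for s in served.scripts if s not in base.scripts]
    foreign = sorted(h for h in served.hosts if h not in allowed_hosts)
    return {"added_scripts": added, "foreign_hosts": foreign,
            "hijack_suspected": bool(added) or bool(foreign)}


# Constructed sample data. The image host is a placeholder (.invalid TLD).
ALLOWED_HOSTS = {"www.bulgari.com", "ads.example-adserver.invalid"}
BASELINE_CREATIVE = (
    '<a href="http://www.bulgari.com/main.php?lang=6/ref=680">'
    '<img src="http://ads.example-adserver.invalid/bvlgari_300x250.gif" alt="BVLGARI">'
    '</a>'
)
# Same advertisement, plus an appended script. The body is a stand-in only.
SERVED_CREATIVE = BASELINE_CREATIVE + (
    '<script type="text/javascript">var a1 = "http://tradenton.com/"; '
    '/* constructed stand-in: the real injected script is not reproduced here */'
    '</script>'
)

if __name__ == "__main__":
    for label, html in (("baseline", BASELINE_CREATIVE), ("served", SERVED_CREATIVE)):
        print(label, creative_drift(BASELINE_CREATIVE, html, ALLOWED_HOSTS))
```

Run the comparison from more than one network location and at different times; a creative that is clean from the publisher's own office but carries an extra script when fetched from elsewhere is the signature this post describes.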

wired.com: “Readers who clicked on the ad found their browsers hijacked while a fake virus-scan was displayed. If they allowed the malicous (sic) website to serve its executable payload, they’d be stuck with a fake scareware program that badgers them into buying supposed anti-virus software.”

Wrong.  No user interaction is required for the hijack to occur.  Nobody needed to click on anything.

Also, as evidenced by the yort.com report, if a person was not hijacked (and therefore had the opportunity to click on the advertisement), then they were redirected to a legitimate website (in the yort.com example, the BVLGARI advertisement was linked to the URL http://www.bulgari.com/main.php?lang=6/ref=680).

bulgari.com
ICANN Registrar: GROUP NBT PLC AKA NETNAMES
Created 17 February 1998
AUTH200.NS.UU.NET
AUTH210.NS.UU.NET
NS.BULGARI.COM

Registrant:
Bulgari SpA
Lungotevere Marzio 11
Roma
00186
IT


 

wired.com: “The Times declined to identify the “national advertiser” the scammers originally impersonated.”

Again, let’s refer to yort.com.  From that article I can retrieve the URL of the advertisement used – you can see it to the left of the screen (I should warn you that there *may* have been more than one advertisement being supplied by the miscreants – we should not assume that this was the only advertisement that a victim may have seen).

The author also writes:

“A comment gave the campaign ID as Vonage01_1163613_nyt12, though it was obviously unrelated to Vonage.”

I wonder if the domain vonage-inc.com was used by whoever it was that sold the malvertizing to the New York Times.  vonage-inc.com used to have the IP address 212.117.166.71, and was known to be used by cybercriminals to impersonate the real Vonage.  Thankfully, vonage-inc.com seems to have been handed over to the *real* Vonage on or about 5 September.

I wrote about vonage-inc.com back on 4 September 2009.

Edit: I see that the New York Times has admitted that Vonage was impersonated:

“The creator of the malicious ads posed as Vonage, the Internet telephone company, and persuaded NYTimes.com to run ads that initially appeared as real ads for Vonage. At some point, possibly late Friday, the campaign switched to displaying the virus warnings.

Because The Times thought the campaign came straight from Vonage, which has advertised on the site before, it allowed the advertiser to use an outside vendor that it had not vetted to actually deliver the ads, Ms. McNulty said. That allowed the switch to take place. “In the future, we will not allow any advertiser to use unfamiliar third-party vendors,” she said.”

Just to repeat what I said above, information was available on the net, warning that Vonage was being impersonated, as far back as 4 September.

So, what do we know about the domains implicated in this latest incident?

tradenton.com
ICANN Registrar: BIZCN.COM, INC
Created 2 September 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET

IP: 212.117.166.69 - Luxembourg, Root Esolutions (a known bad IP address – also, note how close the IP address is to what used to be the IP address for vonage-inc.com)

Currently shares IP with harlingens.com, kennedales.com, newadsresults.com, relunas.com and waveadvert.com

Registrant:
Tradenton
Shawn Brownell (shawn@tradenton.com)
978-214-3972 fax: 978-214-3972
3051 Pearlman Avenue
Wilmington MA 01887
US

*****

harlingens.com
ICANN Registrar: BIZCN.COM, INC
Created 2 September 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET

Registrant:
harlingens.com
Richard Andrew (admin@harlingens.com)
956-893-2463 fax: 956-893-2463
4859 Carolina Avenue
Harlingen TEX 78550

*****

sex-and-the-city.cn
ICANN Registrar: Chinese
Created 3 September 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET

IP: 94.102.48.209 - Noord-holland, Amsterdam, As29073 Ecatel Ltd

Registrant: oregon.artscomm@state.or.us

*****
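The reputational checks argued for earlier in this post, run over the WHOIS facts just listed, as an added example (not code from the original post): a domain is scored on the indicators named here, a very new registration, a resolved address inside a known bad range, a registrar on a watchlist, a free DNS provider shared with other suspect domains, and sibling domains on the same IP registered in the same week. The watchlists, the treatment of 212.117.166.0/24 as a whole as bad, the age threshold, the score weights and the placeholder IP for bulgari.com (the post gives none) are all assumptions.

```python
"""Score an advertiser's domain before accepting its ad tag.

Added example, not the post's own code. Inputs are the WHOIS facts a
publisher can collect offline; the watchlists, thresholds and weights are
assumptions chosen to illustrate the post's indicators.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Sequence
import ipaddress

# Watchlists: assumptions built from the indicators the post names.
BAD_NETWORKS = [ipaddress.ip_network("212.117.166.0/24")]   # assumes the whole /24 is bad
WATCHED_REGISTRARS = {"BIZCN.COM, INC"}
SHARED_DNS_SUFFIXES = ("everydns.net",)                      # free DNS used by the suspect domains
NEW_DOMAIN_DAYS = 30                                         # assumption
SIBLING_WINDOW = timedelta(days=7)                           # assumption


@dataclass
class WhoisRecord:
    domain: str
    registrar: str
    created: date
    nameservers: List[str]
    ip: str


@dataclass
class Verdict:
    domain: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    def decision(self) -> str:
        """Assumed policy: 5+ reject, 2-4 manual review, otherwise accept."""
        if self.score >= 5:
            return "reject"
        if self.score >= 2:
            return "review"
        return "accept"


def assess(rec: WhoisRecord, today: date, same_ip: Sequence[WhoisRecord] = ()) -> Verdict:
    """Score one domain; same_ip lists other domains resolving to the same address."""
    v = Verdict(rec.domain)
    age_days = (today - rec.created).days
    if age_days < NEW_DOMAIN_DAYS:
        v.score += 3
        v.reasons.append(f"registered only {age_days} days ago")
    if rec.registrar.strip().upper() in WATCHED_REGISTRARS:
        v.score += 1
        v.reasons.append(f"registrar on watchlist: {rec.registrar}")
    addr = ipaddress.ip_address(rec.ip)
    hit = next((net for net in BAD_NETWORKS if addr in net), None)
    if hit is not None:
        v.score += 3
        v.reasons.append(f"{rec.ip} is inside known bad range {hit}")
    if any(ns.lower().endswith(SHARED_DNS_SUFFIXES) for ns in rec.nameservers):
        v.score += 1
        v.reasons.append("uses a free DNS provider seen on other suspect domains")
    siblings = [o.domain for o in same_ip
                if o.domain != rec.domain and abs(o.created - rec.created) <= SIBLING_WINDOW]
    if siblings:
        v.score += 2
        v.reasons.append("shares its IP with domains registered the same week: " + ", ".join(siblings))
    return v


# Sample records taken from the WHOIS data in the post; bulgari.com's IP is a
# documentation-range placeholder because the post does not give one.
TODAY = date(2009, 9, 15)   # the post's publication date
TRADENTON = WhoisRecord("tradenton.com", "BIZCN.COM, INC", date(2009, 9, 2),
                        ["NS1.EVERYDNS.NET", "NS2.EVERYDNS.NET"], "212.117.166.69")
HARLINGENS = WhoisRecord("harlingens.com", "BIZCN.COM, INC", date(2009, 9, 2),
                         ["NS1.EVERYDNS.NET", "NS2.EVERYDNS.NET"], "212.117.166.69")
BULGARI = WhoisRecord("bulgari.com", "GROUP NBT PLC AKA NETNAMES", date(1998, 2, 17),
                      ["AUTH200.NS.UU.NET", "AUTH210.NS.UU.NET", "NS.BULGARI.COM"], "192.0.2.10")

if __name__ == "__main__":
    for verdict in (assess(TRADENTON, TODAY, [HARLINGENS]), assess(BULGARI, TODAY)):
        print(verdict.domain, verdict.score, verdict.decision())
        for reason in verdict.reasons:
            print("   -", reason)
```

Every signal here was available in public WHOIS and DNS data before the weekend of the incident; the point of the scoring is not the exact weights but that a thirteen-day-old domain on a known bad address, registered alongside siblings on the same IP, should never reach "accept" without a human looking at it.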

Finally, yort.com mentions adxbigad - I have found several references to adxbigad in scripts designed to remove advertising from the New York Times web site (cite: http://userscripts.org/scripts/review/56684)

Published Tue, Sep 15 2009 14:08 by sandi