Scareware pops up at FoxNews

Summary: There have been numerous reports from affected users that a scareware variant of PersonalAntivirus and ExtraAntivirus has been popping up at FoxNews.com during the last couple of days, through a malvertising campaign.


This most recent case of malvertising (see also MSN Norway serving Flash exploits through malvertising, and Fake Antivirus XP popping up at Cleveland.com) once again demonstrates that whenever direct access to a high-traffic site cannot be obtained through a compromise, cybercriminals logically exploit third-party content/ad networks to achieve their goals.

Reproducing malvertising campaigns is tricky due to the geolocated nature in which the ads are served, as well as the cybercriminals' awareness of the fact that the more traffic they expose to scareware, the higher the risk of having their campaign exposed. They hedge that risk by temporarily deactivating the campaign, or by rotating the geolocation preferences and displaying the malicious ads to random countries.

Interestingly, in FoxNews.com's case Google's Safe Browsing diagnostic page states that "Malicious software is hosted on 3 domain(s), including 2mdn.net/, s3.wordpress.com/, llnwd.net", with 2mdn.net being part of DoubleClick's network, and adds another interesting note: "Yes, this site has hosted malicious software over the past 90 days. It infected 18 domain(s)", which is confirmed by another report as well. These incidents are isolated in the sense that the campaign's lifecycle is shortened by the collective reporting of affected users; they are also taking place at other ad networks such as ContextWeb and Yieldmanager.com.

Here's a brief analysis of the campaign, which now appears to have been removed by FoxNews. Until the next time. According to SandShark, the warning issued by Google's Safe Browsing was in respect to a domain redirector, rd-point .net, which is still active and is redirecting to the rogue ExtraAntivirus (extrantivirus .com), followed by previously known redirectors to another scareware, RapidAntivirus.
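The redirect chain described above (ad network click, then the rd-point.net redirector, then the rogue ExtraAntivirus landing site) is the kind of trace an analyst records when documenting a malvertising campaign. The script below is an added example, not code from the post or from SandShark: it follows HTTP 3xx Location headers hop by hop, resolves relative redirects, stops on loops, and flags any hop whose host is on a blocklist. The two blocklisted domains are the ones named in the post; the captured responses, the `ad.example-network.test` URL and the `offline_fetch` helper are constructed so the trace runs offline instead of touching a live campaign.

```python
"""Trace an HTTP redirect chain and flag hops on a blocklist.

Added example (not from the original post). Real HTTP fetching is abstracted
behind a `fetch` callable so the chain can be replayed offline from captured
responses; the sample chain below is constructed for illustration.
"""
from urllib.parse import urljoin, urlsplit

# Domains from the post's analysis (redirector and rogue AV landing site).
# A hop matching one of these, or any subdomain of it, is flagged.
BLOCKLIST = {"rd-point.net", "extrantivirus.com"}

# Constructed captured responses: url -> (status, Location header or None).
# In practice these would come from a proxy log or a sandboxed browser session.
CAPTURED = {
    "http://ad.example-network.test/click?id=42": (302, "http://rd-point.net/go?cid=7"),
    "http://rd-point.net/go?cid=7": (301, "/landing"),
    "http://rd-point.net/landing": (302, "http://www.extrantivirus.com/scan/"),
    "http://www.extrantivirus.com/scan/": (200, None),
}


def offline_fetch(url):
    """Return (status, location) for a URL from the captured responses."""
    return CAPTURED.get(url, (404, None))


def hostname(url):
    """Lower-cased host part of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def is_blocked(host):
    """True if host equals, or is a subdomain of, a blocklisted domain."""
    return any(host == d or host.endswith("." + d) for d in BLOCKLIST)


def _flagged(hops):
    return [u for u in hops if is_blocked(hostname(u))]


def trace_redirects(start_url, fetch=offline_fetch, max_hops=10):
    """Follow 3xx Location headers from start_url.

    Returns a dict with the ordered list of hops, the hops whose host is on
    the blocklist, and why the trace stopped: 'final' (non-redirect response),
    'loop' (a URL repeated) or 'max_hops' (hop budget exhausted).
    """
    hops, seen = [], set()
    url = start_url
    while True:
        hops.append(url)
        if url in seen:
            return {"hops": hops, "flagged": _flagged(hops), "stop": "loop"}
        seen.add(url)
        status, location = fetch(url)
        if not (300 <= status < 400 and location):
            return {"hops": hops, "flagged": _flagged(hops), "stop": "final"}
        if len(hops) >= max_hops:
            return {"hops": hops, "flagged": _flagged(hops), "stop": "max_hops"}
        url = urljoin(url, location)  # resolves relative Location headers


if __name__ == "__main__":
    result = trace_redirects("http://ad.example-network.test/click?id=42")
    for i, u in enumerate(result["hops"]):
        mark = "  <-- blocklisted" if u in result["flagged"] else ""
        print(f"{i}: {u}{mark}")
    print("stop reason:", result["stop"])
```

Swapping `offline_fetch` for a real client that issues HEAD requests with `allow_redirects` disabled turns this into a live tracer; keeping the blocklist check on every hop, not just the final URL, is what catches a campaign that rotates its landing domain while reusing the same redirector.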

It's worth pointing out that a scareware pop-up at a high-traffic web site, which relies entirely on social engineering, is not as ugly as the introduction of a hybrid scareware demanding ransom for the decryption of files, or of client-side exploits. With the list of major web properties historically affected by far more malicious malvertising incidents (e.g. MySpace, Excite, Expedia, Rhapsody) continuously expanding, maintaining decent situational awareness alongside a host free of client-side vulnerabilities mitigates a great percentage of the currently active threats.

Who's to blame anyway - the advertising networks for working with phony content publishers, the affected web sites for not policing themselves, or the web site visitor for the lack of situational awareness on emerging threats/scams like scareware?


Topics: Security, Browser

About

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community... Full Bio
