
Malvertising Hits DailyMotion, Serves Up Angler EK

Source: >>> Click Here <<<

 

We have been tracking an attack via .eu sites for several days but were missing the final payload. However, this changed when we managed to reproduce a live infection via an ad call coming from popular video streaming site DailyMotion, ranked among Alexa's top 100 sites.

 

This malvertising incident happened via real-time bidding (RTB) within the WWWPromoter marketplace. A decoy ad (pictured below) from a rogue advertiser initiates a series of redirections to .eu sites and ultimately loads the Angler Exploit Kit.

 

The bogus advertiser is using a combination of SSL encryption, IP blacklisting and JavaScript obfuscation and only displays the malicious payload once per (genuine) victim. In addition, Angler Exploit Kit also fingerprints potential victims before launching its exploits to ensure the user is not a security researcher, honeypot or web crawler.

[Image: flow_.png]

We immediately contacted Atomx, the online media exchange platform used in the ad call, who informed us the issue was coming from WWWPromoter and more specifically a malicious buyer (the rogue advertiser) on their network.

 

The incident was resolved very rapidly once the proper contacts were made and the problem isolated. For this, we would like to thank all parties involved in taking such prompt action, therefore limiting the potential damage to innocent users.

 

This particular malvertising attack is one of a few campaigns we have been tracking which is much more sophisticated than the average incidents we encounter daily. We can say that lately threat actors have really stepped up their game in terms of being very stealthy and making a particular ad call look benign when reproduced in a lab environment.

 

Indeed, the problem comes when we suspect foul play but can't prove it with a live infection. It is difficult to convince ad networks to take action, when on the surface there's nothing wrong with a particular advertiser.

 

Technical Details

  1. Publisher: dailymotion.com/video/xv1pn7_the-x-factor-uk-s09e22-live-shows-10-11-2012-part-1_shortfilms
  2. Ad call: p.ato.mx/placement?v=8&id=9146&size=728x90&type=iframe&b=0&domain=&screen=1600x900x24&timezone=300&cookies=1&flash=1&r=http%3A%2F%2Fwww.dailymotion.com%2Fvideo%2Fxv1pn7_the-x-factor-uk-s09e22-live-shows-10-11-2012-part-1_shortfilms
  3. Malvertising: creative.wwwpromoter.com/pop-imp/1491/11672
  4. Fake advertiser (loads advert picture and JS): {sanitized}.eu/advertising.html
  5. Fake advertiser (booby-trapped JS): {sanitized}.eu/scripts/media.js?
  6. Fake advertiser: {sanitized}.eu/advertising.html?tm=1449123577264
  7. Redirector (SSL) to Angler EK: worldbesttraffic.eu/
  8. Angler EK: ftuifio.vpkoqbs.eu/civis/viewforum.php?f=3s5&sid=vk830.1892qo288&

 

Fiddler View

[Image: Fiddler_daily_motion2.png]
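As an added illustration (not part of the quoted post and not Malwarebytes' own tooling), the Python script below reconstructs the eight-step chain listed above from a request log of (URL, Referer) pairs, the way one would from a Fiddler or proxy capture, and flags it using the indicators the post names: an ad call through a known exchange host, several distinct .eu hosts, an SSL hop on a .eu host, and a forum-style landing URL. The log is constructed for the example; the advertiser host is a placeholder standing in for the post's `{sanitized}.eu`, the benign logo request is invented to show non-flagged traffic, and the landing-URL regex is modelled on the single Angler URL in the post rather than being a vetted signature.

```python
"""Reconstruct referer chains from a proxy-style request log and flag the
malvertising shape described in the post: publisher -> ad exchange ->
.eu advertiser -> SSL redirector -> forum-style EK landing page."""
import re
from urllib.parse import urlparse

# Constructed request log, modelled on the post's eight steps. The host shown
# as {sanitized} in the post is replaced by the placeholder
# sanitized-advertiser.eu; the other hosts and paths are the post's own.
PUBLISHER = ("http://www.dailymotion.com/video/"
             "xv1pn7_the-x-factor-uk-s09e22-live-shows-10-11-2012-part-1_shortfilms")
AD_CALL = "http://p.ato.mx/placement?v=8&id=9146&size=728x90&type=iframe&b=0"
CREATIVE = "http://creative.wwwpromoter.com/pop-imp/1491/11672"
ADV_HTML = "http://sanitized-advertiser.eu/advertising.html"
ADV_JS = "http://sanitized-advertiser.eu/scripts/media.js?"
ADV_HTML2 = "http://sanitized-advertiser.eu/advertising.html?tm=1449123577264"
REDIRECTOR = "https://worldbesttraffic.eu/"
EK_LANDING = "http://ftuifio.vpkoqbs.eu/civis/viewforum.php?f=3s5&sid=vk830.1892qo288&"
BENIGN = "http://www.dailymotion.com/static/logo.png"  # constructed, not in the post

SAMPLE_LOG = [  # (request URL, Referer header)
    (PUBLISHER, ""),
    (AD_CALL, PUBLISHER),
    (CREATIVE, AD_CALL),
    (ADV_HTML, CREATIVE),
    (ADV_JS, ADV_HTML),
    (ADV_HTML2, ADV_JS),
    (REDIRECTOR, ADV_HTML2),
    (EK_LANDING, REDIRECTOR),
    (BENIGN, PUBLISHER),
]

# Assumption for this example: a forum-style landing path with f= and sid=
# parameters, modelled on the one Angler URL quoted in the post.
EK_LANDING_RE = re.compile(r"/viewforum\.php\?f=\w+&sid=[\w.]+&?$")

# Ad-serving hosts named in the post; a chain that passes through one of
# these before landing on .eu hosts is the shape the post describes.
AD_HOSTS = {"p.ato.mx", "creative.wwwpromoter.com"}


def host_of(url):
    """Hostname of a URL, or '' when it has none."""
    return urlparse(url).hostname or ""


def build_chain(log, final_url):
    """Walk Referer headers backwards from final_url until a request with no
    referer is reached; returns the chain in load order (first hop first).
    The 'seen' set guards against referer loops in a noisy capture."""
    referer_of = {url: ref for url, ref in log}
    chain, cur, seen = [], final_url, set()
    while cur and cur not in seen:
        seen.add(cur)
        chain.append(cur)
        cur = referer_of.get(cur, "")
    return list(reversed(chain))


def classify_chain(chain):
    """Evaluate one chain against the indicators named in the post."""
    hosts = [host_of(u) for u in chain]
    eu_hosts = {h for h in hosts if h.endswith(".eu")}
    via_ad_host = any(h in AD_HOSTS for h in hosts)
    ssl_eu_hop = any(u.startswith("https://") and host_of(u).endswith(".eu") for u in chain)
    ek_landing = bool(EK_LANDING_RE.search(chain[-1]))
    return {
        "hops": len(chain),
        "eu_hosts": sorted(eu_hosts),
        "via_ad_host": via_ad_host,
        "ssl_eu_hop": ssl_eu_hop,
        "ek_landing": ek_landing,
        "suspicious": via_ad_host and len(eu_hosts) >= 2 and ek_landing,
    }


def find_suspicious_chains(log):
    """Build a chain for every leaf request (one nothing else refers to) and
    return the (chain, indicators) pairs that match the malvertising shape."""
    referers = {ref for _, ref in log}
    leaves = [url for url, _ in log if url not in referers]
    flagged = []
    for leaf in leaves:
        chain = build_chain(log, leaf)
        verdict = classify_chain(chain)
        if verdict["suspicious"]:
            flagged.append((chain, verdict))
    return flagged


if __name__ == "__main__":
    for chain, verdict in find_suspicious_chains(SAMPLE_LOG):
        print(f"{verdict['hops']} hops, .eu hosts {verdict['eu_hosts']}, "
              f"SSL .eu hop: {verdict['ssl_eu_hop']}")
        for url in chain:
            print("  ->", url)
```

Run as-is it prints the single flagged chain (eight hops from the publisher to the landing page) and ignores the benign logo request, whose two-hop chain never leaves the publisher. Against a real capture, the referer walk is the useful part: it turns a flat list of requests into the load order that the post's numbered list shows, so the hop where traffic leaves the exchange for an advertiser-controlled host becomes visible even when the creative itself looks benign.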


Why you using internet explorer?

Solve your own audio issues  |  First Steps with RPi 3  |  Humidity & Condensation  |  Sleep & Hibernation  |  Overclocking RAM  |  Making Backups  |  Displays  |  4K / 8K / 16K / etc.  |  Do I need 80+ Platinum?

If you can read this you're using the wrong theme.  You can change it at the bottom.


Why you on dailymotion anyway....

Because I can?

 

Why you using internet explorer?

Because Microsoft default browser?


Because Microsoft default browser?

Is that supposed to be a reason you should use it? :P



But adblocking is stealing, yo.

BS.... <_< This is just another good reason why you should use an adblocker.

Edited by jagdtigger

BS.... <_< This is just another good reason why you should use an adblocker.

 

I was being sarcastic.
