Researchers detect Malvertising in PlentyOfFish

Photo Courtesy: Malwarebytes

Researchers from Malwarebytes Unpacked, a security firm, have detected a malvertising, which derived from “malicious advertising" uses online advertising to spread malware and it involves malware-laden advertisements into legitimate online advertising websites, in the PlentyOfFish, a Vancouver-based online dating service which makes money from advertising.

The researcher have warned the users not to click on the adverts as they are automatically targeted by using an attack that detects if their computer can be infected (via outdated software), and launches directly that way.

Soon after the flaw detected, they have contacted the company concerned to make them aware of this issue.

According to the researchers, the attack chain uses the Google URL shortener as intermediary to load the Nuclear exploit kit.

“While we see this mechanism quite frequently within our telemetry, it is particularly difficult to reproduce it in a lab environment,” the researcher wrote in a blogpost. The ad network involved in the malvertising campaign ( was familiar and it turns out that we had observed it in a rare attack captured by our honeypots just one day prior.”

The sample was collected from the Tinba banking Trojan. Given that the time frame of both attacks and that the ad network involved is the same, chances are high that pof[dot]com dropped that Trojan as well.

According to a news report published in The Register, the attack against PlentyOfFish comes against the backdrop of the fallout from the data dump by hackers who breached cheaters’ hook-up website Ashley Madison, and the earlier attack against AdultFriendFinder.

 There’s nothing to link the three attacks directly, however it’s fair to say that dating and adult hook-up websites are very much in the firing line of hackers, so extra precautions ought to be applied.

Cyber Criminals abuse Yahoo's advertising network to spread malware

Cyber Criminals are targeting Yahoo’s advertising networks to deliver malware directly to the computers of users who is viewing the ads.

Security firm Malwarebytes, who discovered the attack on July 28, says that Yahoo is a victim of malvartising attacks in which exploit kits are used to redirect victims to the malware website.

The malvertising attack which does not require any user interaction, is believed to be one of the biggest in recent times due to the massive amount of traffic in Yahoo. 

In one of the campaigns, the attackers used the Angler Exploit Kit - This exploit kit usually infect victim's machine with annoying software and malware that forces victims to pay the money to unlock their system.

The security firm said that it had informed Yahoo about the attack the very same day. Yahoo said that the malware campaign has been stopped and that the company is investigating the matter.

Although it is not yet possible to determine exactly how many people have been affected by the hack, but it could be large as Yahoo gets 6.9 billion visits a month.

Malicious Ad Network "Kyle and Stan" serves Windows and Mac Malware

Cyber Criminals have been placing malicious ads on a number of popular websites including YouTube, Yahoo that serves malicious software.  The campaign also targets Mac users.

The malicious network, uncovered by Cisco Researchers comprise of over 700 domains.  They observed nearly 10,000 connections to the malicious domains.

The operation has been dubbed "Kyle and Stan" because most of the domains used in this campaign for distributing malicious software contain "kyle" and "stan" strings in the sub-domain name.

The users website who visit the websites containing malicious ad will be redirected to another website.  Users will then be redirected to another page that will serve mac or windows malware based on their user agent.

"The attackers are purely relying on social engineering techniques, in order to get the user to install the software package. No drive-by exploits are being used thus far" Armin Pelkmann, Cisco researcher, wrote in a blog post.

YouTube ads serve Banking Trojan Caphaw

Number of Malvertising attacks are appeared to be increasing day by day, even top websites fall victim to such kind of attacks - YouTube is to be the latest popular organization affected by malicious ads.

Security experts from Bromium have discovered that the cyber criminals were distributing a malware via YouTube ads.

According to researchers,  malicious ads attempt to exploit vulnerabilities in outdated Java.  It loads different malicious jar file, to ensure the exploit is compatible with the installed java version.

The Exploit kit used in this attack "Styx Exploit Kit" which was the same one used by cybercriminals to infect users of toy maker

If the user's machine is having vulnerable plugins, it will exploit the vulnerability and drops a Banking Trojan known as "Caphaw".  Researchers say they are working with Google Security team. 

Thousands of websites using MadAdsMedia ads blocked by Google Safe Browsing

Thousands of websites' owners using MadAdsMedia ads service became mad after Google Safe Browsing blocked their websites.

A number of users have reported in Google forums and Digital Point forums that their website is blocked by GSB and showing the following warning message "This web page at [site] has been reported as an attack page and has been blocked based on your security preferences."

Even after removing the MadAdsMedia script from their website, it is still showing the Malware warning.

"In my webmaster tools it lists the suspicious snippets as the links to madads. As I said before I removed them, then I tried to request a review in my webmaster tools but when I submit it I get: 'Your request can't be processed at this time because your site isn't currently flagged for malware. If you see a malware warning in your browser, it is likely a cross-site warning.' " One of the user posted in DigitalPoint forums.

It is still unknown whether Google mistakenly blocked those websites or the MadAdsWebsite is hacked to serve malicious ads.  We are not sure how many number of websites have been affected.

According to fz6-forum, one of the MadAdsMedia advertising vendors' server was hacked and few ads have been injected with malicious code.

"This message is regarding the recent malware notifications that some of our publishers may have experienced. Just before noon today, our engineers discovered that one of our ad serving locations had been hacked."
"Since this attack was discovered, our engineering team worked diligently until 3:45pm EST to ensure that the appropriate action was taken to secure our ad server. Unfortunately during that time, this attack effected 7.8% of our publishers' domains. " Mail from MadMAdsMedia reads.

Malvertising on Aftonbladet news site targets IE users with Fake Antivirus

A largest Sweden Newspaper website Aftonbladet is found to be serving malicious ads that redirect users to a malicious website serving Fake Antivirus.

Security researcher at Kaspersky said the website was spreading malware not because they got hacked, but because cybercriminals compromised a third-party ads running on the site.

The malicious script used in the malvertising attack checks whether the user is using Internet Explorer browser or not.  Only IE users are being redirected to malware website.

The malware page is not exploiting any vulnerabilities but displays a fake virus alert message from Microsoft Security essential that it has detected potential threats in the user's computer and recommends to clean the malware.

Once user click on the picture, it will not clean any viruses, it will download a malicious obfuscated Visual Basic Executable file. 

"Large websites often include content from other websites, and if the bad guys compromise any of those websites they can also manipulate the content which is getting included by the large website." researcher said.

Malvertising attack on South African Mail & Guardian website serves Fake AV

South African Mail & Guardian news portal is the latest victim of Malvertising attack.  This is third report on Malvertising attacks targeting top organizations in 2014.

A large number of visitors to the are being served a malicious ad that redirects to malicious page which is hosted in Server in Netherlands, according to Blue Coat, a California based security firm.

The landing page shows a fake malware infection alert saying "Microsoft Antivirus has found critical process activity on Your pc. you need to clean your computer to prevent the system breakage.".

Clicking the "OK" button downloads "setup.exe" file which is nothing other than Fake Antivirus. 

Few days back,  Users of Yahoo ads got redirected to a page hosting Magnitude Exploit kit.  Following that incident, Malicious ads in Daily Motion lead to Fake AV.

Symantec AdVantage(Anti-Malvertising): Armorize and Symantec partnered and launched

Armorize Technologies(malware blog) and Symantec joined together to fight against Malvertisement. They launched a AdVantage(Anti-Malvertising) Technology, cloud based scanner to detect the malvertising(malware advertisement) in online.

“Malvertising poses a serious risk to online publishers and their customers, reputation and revenue. Highly publicized malvertising infections can damage the reputation of even the most trusted online sites. Symantec AdVantage will provide ad publishers the tools they need to protect their businesses by fighting back against these threats.”
– Fran Rosch, Vice President, Identity and Authentication Services, Symantec Corp.

 Symantec Advantage will scan, detect and report malvertising on websites by automatically alerting publishers and identifying the location of malicious advertisements so customers can remove malicious ads that may damage their business’ reputation. A real-time performance dashboard complements these automatic reports by providing essential insights. For example, Symantec AdVantage will enable customers to compare safe ads to malicious advertisements and discover how and when malvertising occurred by visually tracing and identifying the path and source of infected advertisements .

Symantec AdVantage is scheduled to be made available to publishers and ad networks through a free early access program beginning in November 2011.

The service will be available here:

Few days back, the famous site " KickAssTorrent(" served malvertising, detected by Armorize.

KickAssTorrents( infected and serving malware through Malvertising

A Famous Torrent website's(alexa Rank:321) KickAssTorrents( OpenX platform compromised, and served a fake antivirus "Security Sphere 2012" through malvertising(stands for malicious advertisement),detected by armorize.When the user click the ad, it will redirect to fake page. This page infects users without their knowledge.

Coincidentally, KickAss Torrents published a blog post on Oct 10th in response to the website being flagged by antivirus vendor Avast. In it they said:
Our users that are using the Avast anti-virus might have noticed that suddenly became labeled as a dangerous website for users that are not logged in. We want to assure our users that KickassTorrents has no malware or viruses of any kind and it is absolutely safe to use our website. We already contacted Avast and currently we are trying to find and fix the cause of this problem. You will help us if you choose the "Report the file as a false positive" option if you get the alert.

In another thread, KickAss Torrents said:

Now what the hell does this error mean?
First of all, don't flip out, don't go post on the KAT site, post down here if you experience the same problem.
Secondly, report down here if you experience this error.
Thirdly, add to the safe URLs in your AV.
And lastly, please go to this site and report the problem (Avast! users only):
Avast! forum thread
Back on topic. What is this error? Does error roughly means that your anti-virus software has found some bad code in an iFrame. This could be from the site itself, or from advertisements. An iFrame is a piece of code that allows you to do several things. Embedding something to your site is a good example.
I hope this topic helps a little and I certainly hope the error is going to be fixed now.
A: Nope, just some error.
Q: Is it really safe to visit KAT?
A: Yes, it is.
KickAss Torrents also referred to this discussion thread on Avast's forum. At the end of the forum it appears that Avast has acknowledged that it was indeed a false positive and have addressed the issue:


It should be solved, if not let us know please.

Miroslav Jenšík
AVAST Software a.s.

Well, that time it might have been a false positive from Avast, but this time the website is absolutely infecting its visitors, as seen in our video.

The attacker injected the malicious script using the following url:§ion=1939940

At the time of detection , only 2 out of 42 detected the malware in virustotal analysis.

According to Armorize,this attacker is responsible for incident.

Using DynDNS domains for their exploit server. Domain names are auto-calculated using Javascript. The algorithm used generates a (predicable) different domain name every hour, in the format of, where ABCD are characters with a fixed seed and incremented by one character every different UTC hour.

The new dyndns domain for the next hour is generated every hour precisely at minutes 2 to 5, so this may be done by an automated mechanism.

All generated domains resolve to a single IP: (AS21788, United States Scranton Network Operations Center Inc), located in the US.

The domain: resolves to this IP and is serving the same exploit pack. This domain was registered on Aug 4th through an Russian registrar, 1'ST DOMAIN NAME SERVICE At this time the domain resolved to an Netherlands IP The domain started to resolve to on Aug 23rd. This IP and the domain are both currently still up and working.

This video show how the users infected: