Anatomy of an Attempted Malware Scam
Dynamoo writes "Malicious advertisements are getting more and more common as the Bad Guys try to use reputable ad networks to spread malware. Julia Casale-Amorim of Casale Media details the lengths that some fake companies will go to to convince ad networks to take the bait."
They've been on my HOSTS block for years, ever since one of those annoying GIF popups damn near gave me a seizure bouncing in its frame. Have they improved since?
I read the article, and in doing reference checks in the digital age, esp. when there is a large chance of fraud, checking domain regs etc. only came in last. It's not hard to program in automatic checking, and by the sounds of it, it would stop how easily this type of scam could be implemented. Also they could do reverse phone number checks etc. as well. I'm quite sure if they had that information automatically populated during an application, any attempts to defraud the companies would be found out with a lot less time.
"We've also highlighted some pink flags"
Is that close to a fuchsia, because I like totally need a flag like that to match my new outfit.
I'm comforted to know that Casale Media will pass on obnoxious mortgage refinance advertising from only verified and legitimate predatory lenders!
These checks aren't in place out of any concern for the security of ad viewers. Casale Media here is only concerned that the phantom business will disappear without paying once the botnet is established. Ad networks have demonstrated they don't give a damn so long as they get their cut.
My AdBlock Plus stays on.
And site owners and advertisers wonder why users go to such extremes with Adblock Plus and NoScript to block ads.
If the sites (or ad distributors) can't guarantee the safety of their own sites, then users have to do whatever is necessary to protect their own systems. If that means no advertising income for those sites - tough luck.
But if a WHOIS lookup on a new customer's domain isn't in your SOP from the get-go, you're strictly amateur hour.
Reputable ad networks? What are those? Is he speaking of Google AdSense? Or Hulu ads? Personally, I don't consider ad networks that use banner ads as anything that is reputable (this includes any of the shady ad networks that Google purchased as well). Non-obtrusive text ads, I can deal with. Even Hulu ads, I can deal with since it's film on film. It's just that I hate banner ads, or animated ads, when I'm in reading mode.
Good post, but for the record...
Using "0.0.0.0" instead of "127.0.0.1" is not more efficient because of size. There's only 2 bytes difference between the two; if your computer has a noticeable speedup just because it's reading 2 bytes less per HOSTS entry, you have way too many entries and probably more important problems.
The speedup, as pointed out by a different reply to GP, is because "0.0.0.0" is widely recognized as an invalid IP address, and just about every operating system will immediately fail if you try to connect to it. Using simply "127.0.0.1", the connect call has to go through the local loopback interface, and actually tries a connection, which adds up if you're accessing a lot of places at once (such as on a web page). The problem is even worse when the computer you're on is actually running something on port 80, in which case an actual connection is made, then fails, taking up more time. Or even worse: the connection times out!
Using "0.0.0.0" is good advice; I just wanted to make sure your reasons for using it are valid.
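To see which failure mode a sinkholed HOSTS entry actually produces on a given machine, here is a small probe added for illustration (not code from anyone in the thread): it times a TCP connect() to port 80 on 127.0.0.1 and on 0.0.0.0 and classifies the result. The port, timeout and outcome labels are this example's own choices; note that the outcome is OS-dependent, since Linux routes a connect() to 0.0.0.0 to the loopback interface (so both addresses behave alike there), while the immediate "invalid address" rejection described above is what Windows does.

```python
import socket
import time

# Constructed probe settings (this example's own, not from the thread).
PROBE_PORT = 80          # the port a browser would use for a blocked ad host
TIMEOUT_SECONDS = 2.0    # cap so a silently dropped SYN cannot hang the probe


def probe_connect(address, port=PROBE_PORT, timeout=TIMEOUT_SECONDS):
    """Return (outcome, seconds) for one connect() attempt to address:port.

    outcome is one of:
      'connected' - something is listening (e.g. a local web server on :80)
      'refused'   - loopback was reached but nothing listens (RST came back)
      'invalid'   - the OS rejected the address without sending anything
      'timeout'   - no answer within the deadline (the worst case for a browser)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    start = time.perf_counter()
    try:
        sock.connect((address, port))
        outcome = "connected"
    except socket.timeout:
        outcome = "timeout"
    except ConnectionRefusedError:
        outcome = "refused"
    except OSError:
        # e.g. EADDRNOTAVAIL when the OS treats 0.0.0.0 as an unusable destination
        outcome = "invalid"
    finally:
        sock.close()
    return outcome, time.perf_counter() - start


def compare_sinkholes(addresses=("127.0.0.1", "0.0.0.0")):
    """Probe each candidate sinkhole address once; returns {address: (outcome, seconds)}."""
    return {addr: probe_connect(addr) for addr in addresses}


if __name__ == "__main__":
    for addr, (outcome, secs) in compare_sinkholes().items():
        print(f"{addr:>10}:{PROBE_PORT}  {outcome:<9}  {secs * 1000:.2f} ms")
```

A 'timeout' or 'connected' result for either address means that sinkhole choice is costing the browser real time on every blocked ad host.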
But, I'm not really surprised the lengths these "fake companies" will go. Money is a precious thing in this world and if you can't 'seem' to make it legally, you may just turn to crime. Even people who would have never considered doing something like this may be driven to new heights in desperation.
However, some of these people may or may not be the desperate, dirt poor, starving, "means-to-an-end" people I portrayed but, take a minute and think of the things you would probably do if there was truly, no other way you could think to survive in this messed up little world.
*Process is Irrelevant, Progress is Paramount*
Ultimately, how does the end user's computer get infected by this 'malware'?
"I got stung by a drive-by exploit on a work machine .. something that installed 'XP Antivirus 2010'"
Run your browser from a read-only device, that way you won't ever get stung.
Pendrive
Yes, I am aware that reading more data from the disk is slower. However, I would like to point out that the time it takes to read an additional two (or even eight) sequential bytes off the disk is insignificant compared to the potential time wasted in a timeout.
Using "0.0.0.0" is more efficient, but not because of the primary reason you listed, even if that is a contributing factor. It's like saying that the water is boiling faster because the air is drier, but not mentioning that you turned up the burner.
I was not aware of your other post, and I apologize for the redundancy.
I've been told it's weird when ACs try so hard. Also futile.
So disregard everything I said, I suck cocks.
APK
In so many words others have expressed what I have summarized down to "advertisers don't respect their audience." Their approach has almost always been the capitalist "what the market will bear" approach and as people have grown accustomed to being assaulted with ever more eye-catching colors, styles, techniques and technologies, the limits of what the market will bear erode. People no longer realize they are being disrespected. Their paid-for internet connections are being utilized. Their time is being wasted. They will install software that resists being uninstalled and drains performance and stability from their computers. I see no end to what they will do.
There is a blurry and indistinguishable line between "reputable ad networks" and "the bad guys." The reputable are certainly not constrained by morals and not by law. How can we know they aren't simply being complicit?
God says... Whereas Into killed understand Old initiated credibility Madness increase feet approve helper convict closing harmed twice perisheth triumpheth Apostolic
I block tons of spam that have Subjects that are a lot like that ... but they have wavy images of pills attached. ;-)
There are plenty of pages where the site just will not load unless you give permission to run layers and layers of 3rd,4th,5th party scripts. What can we do as consumers or developers to prevent such behavior on the part of websites?
...is an oxymoron.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Install User Agent Switcher and browse as Google.
nobody blows off Google.
Yeah, in a file with that many entries, the extra 8 bytes per line would create a large performance hit.
I'm going to agree with the AC in a sibling thread, though: if your HOSTS file is larger than 10MB*, you're doing something with HOSTS it was never meant to do. It may be easier than setting up a proper DNS server, but it's not as efficient.
(I appreciate distributing a HOSTS file is easier than telling people how to set up a DNS server, though.)
I think if you start worrying about efficiency enough to start shaving bytes off of lines, you should consider the efficiency of loading a 10MB file instead of a proper DNS server, which can store this data more efficiently than a plain-text list.
My point stands for sane use cases. In my opinion, what you're doing is an abuse of HOSTS, even if it's a handy abuse.
* 10MB is an estimate. ~10 bytes per line * ~1 million lines
Take your business elsewhere.
Dude, get mental help. And no, I am not any of the ACs posting here.
Why can't you just get an account so we can fucking block your whining, retarded drivel?
You may have answered your own question.
They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
Attacking your abuse of HOSTS files is not an attack on you. Please understand that.
Now for an attack on you: How can you have a degree and yet think it's consistent to say that shaving 2 bytes per line off (going from 127.0.0.1 to 0.0.0.0) cuts a file size down by 9MB but then shaving an additional 6 bytes per line off (0.0.0.0 -> 0) cuts only 4MB?
Now I need to force myself to stop replying to this thread, I feel like I'm being drawn into this sort of situation: http://xkcd.com/386/
I mean, the browser is hanging on approval to run the script. If I run the script, I take the risks. If I don't run the script, then the content stops loading.
I think it was more of a rhetorical question. Perhaps they know each other in real life and this is how they bro-fist over the internet.
"If you're not confused by quantum mechanics, you really don't understand it." - Niels Bohr
Agreed. :D
I see those from time to time. I just google whatever topic I was wanting information on and go to one of those sites instead.
Sites that require all that crap to be even vaguely useful far too often prove that sufficiently advanced incompetence is indistinguishable from malice.
From my experience, any speedup gained from using 0.0.0.0 instead of 127.0.0.1 would only be detectable by measurement. I've been using a long, custom /etc/hosts file for many years now. I had one on my 800 MHz, single-core, G3 iBook and there was absolutely no noticeable slowdown--and I even had Apache up and running, serving up a custom 404 so I could see a note whenever it blocked an ad (in an IFRAME; images just came in as broken) and it even logged all 404s because I never bothered to turn logging off. It ran just fine, and today's hardware is one or two orders of magnitude faster. However, the speedUP due to blocked ads was QUITE noticeable.
Here's how to test: go to 127.0.0.1/blop. Maybe reload a few times. Watch how fast the page loads. Does it take a while? No? Then don't worry about it. I'm on an iMac right now with web serving off and when I type in that address and press 'enter', Safari finishes drawing its error message before my finger is off the key.
By the way, AdBlock and proxy servers are also cool but the thing I like about /etc/hosts is that it works with every browser, for every user, and needs no configuration. Then I also install a flash blocker on a per-browser basis and the Web is a happy place.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
nobody blows off Google.
But lots of people blow off Bing.
"Little does he know, but there is no 'I' in 'Idiot'!"
"During our investigation we discovered the phone number provided in the credit application was not a legit phone number for the bank. We also learned that the domains of each of the references provided were registered within two days of each other... and that the registrations took place only days before Bellas Interactive's request for credit was issued - despite the fact that the references "claimed" to be working with Bellas across a 6-24 month spread. And finally, the Bellas Interactive website claimed to be in operation since 1994, despite the fact that the domain was registered in April of this year."
Isn't this extremely basic stuff you should have checked beforehand?
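The red flags quoted above (a claimed founding year older than the domain, reference domains registered within days of each other and just before the credit request, and references whose claimed relationship predates their own domain) are all mechanical comparisons on WHOIS creation dates, so here is an added example of automating them; it is not code from Casale Media or the thread, and the applicant name, dates and thresholds are constructed placeholders, not the real case.

```python
from datetime import date, timedelta

# Constructed sample application modelled on the quoted red flags.
# Names and dates are placeholders, not the real company's values.
APPLICATION = {
    "applicant": "EXAMPLE-APPLICANT",
    "claimed_in_business_since": 1994,
    "domain_registered": date(2010, 4, 12),     # WHOIS creation date
    "credit_requested": date(2010, 6, 1),
    "references": [
        {"domain": "ref-a.example", "domain_registered": date(2010, 5, 26),
         "claimed_months_with_applicant": 6},
        {"domain": "ref-b.example", "domain_registered": date(2010, 5, 27),
         "claimed_months_with_applicant": 24},
    ],
}


def registration_flags(app, cluster_days=2, lead_days=14):
    """Return a list of red-flag strings for a credit application.

    Thresholds are this example's own: cluster_days bounds how close together
    reference domains may be registered, lead_days how shortly before the
    credit request a reference domain may have appeared.
    """
    flags = []
    if app["domain_registered"].year > app["claimed_in_business_since"]:
        flags.append("claims operation since %d but domain registered %s"
                     % (app["claimed_in_business_since"], app["domain_registered"]))
    refs = sorted(app["references"], key=lambda r: r["domain_registered"])
    for a, b in zip(refs, refs[1:]):
        if (b["domain_registered"] - a["domain_registered"]).days <= cluster_days:
            flags.append("reference domains %s and %s registered within %d days"
                         % (a["domain"], b["domain"], cluster_days))
    for r in refs:
        age = (app["credit_requested"] - r["domain_registered"]).days
        if 0 <= age <= lead_days:
            flags.append("reference %s registered only %d days before credit request"
                         % (r["domain"], age))
        # A 6-24 month working relationship cannot predate the reference's own domain.
        relationship_start = app["credit_requested"] - timedelta(
            days=30 * r["claimed_months_with_applicant"])
        if relationship_start < r["domain_registered"]:
            flags.append("reference %s claims %d months of business but its domain is newer"
                         % (r["domain"], r["claimed_months_with_applicant"]))
    return flags


if __name__ == "__main__":
    for flag in registration_flags(APPLICATION):
        print("FLAG:", flag)
```

A phone-number check against the bank's published contact details would slot in alongside these as one more mechanical comparison.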
"In Summary
Entities like this are cunning and smart."
No, greedy marketing fucks are stupid. A little research goes a long way. You idiots extended credit to a company without even verifying their "bank's" phone number? I know where to go if I ever need some quick cash.
"have created a false environment designed specifically to validate their non-existence." try "have created a false dichotomy (good guys and bad guys in the spyware advertising business) designed specifically to validate their parasitic existence." Wow. I'd never have thought that Casale would claim such a high moral ground. Serious labour has gone into removing their stuff from spyware ridden computers.
Jedis are stupid. If they were so powerful, why couldn't they handle counseling for a kid who missed his mom?
1.) Learn to count... 6 != 8
2.) This particular comment was meant very seriously in an attempt to help you, and not as an attack at all. Please take it under consideration.
I'm not sure what about 50% of your rambling there means. The math in my previous comment stands for itself as I'm sure other readers can see. If you care to contest the fact that 2 bytes * x = 9MB and 6 bytes * x = 4MB are fundamentally inconsistent, please do so directly and succinctly (for example by providing a value for x for which both those equations work).
Also, I repeat my assertion that I have not posted as AC in this thread. Those you claim are impersonating you, are not me.
Making a HOSTS file smaller with 0's is not an abuse of HOSTS. In fact, I never contested your assertion that smaller HOSTS files are quicker to read. Go ahead and tout that as another "win". The fact is, HOSTS files were simply not designed for millions of lines (no, I don't have a cite... it's common sense). DNS servers were designed for that. You are abusing HOSTS by using it to replace the functionality of a DNS server. Because the OS is not designed for such huge HOSTS files, it will be slower than using DNS as intended (even, for example, a DNS server running on your local machine to blackhole all those domains for you).
See here (and other Google results if you care) for Microsoft MVPs stating that having a large HOSTS file is a known cause for the DNS Cache service (which handles that file) consuming 100% CPU.
http://www.tomshardware.com/forum/117268-45-svchost-consumes-startup
This will be my last reply to you in this thread. Consider yourself victorious if you so desire. Those reading the thread can decide for themselves.
Sorry, one last reply (yes, I'm bad at stopping myself). I will say that me questioning your degree just because of your inconsistent numbers was an uncalled-for attack, and I apologize for that.
Check the timestamps on the posts for your claim (the actual ones, not the random ones you made up while quoting). And I did apologize for the earlier attack and you claimed to accept my apology. Now you made me _actually_ break my word by replying :(
I am sorry for any offense I have caused you.