Slashdot Mirror


Anatomy of an Attempted Malware Scam

Dynamoo writes "Malicious advertisements are getting more and more common as the Bad Guys try to use reputable ad networks to spread malware. Julia Casale-Amorim of Casale Media details the lengths that some fake companies will go to to convince ad networks to take the bait."

18 of 139 comments

  1. 127.0.0.1 for Casale by ScottCooperDotNet · · Score: 4, Insightful

    They've been on my HOSTS block for years, ever since one of those annoying GIF popups damn near gave me a seizure bouncing in its frame. Have they improved since?

    1. Re:127.0.0.1 for Casale by Anonymous Coward · · Score: 3, Informative

      Better to use 0.0.0.0 - since it's a real invalid IP, connecting to it fails instantly, while a program trying to connect to 127.0.0.1 will take a while before giving up.

  2. I'm Surprised... by powerspike · · Score: 4, Insightful

    I read the article, and in doing reference checks in the digital age, especially when there is a large chance of fraud, that checking domain regs etc. only came in last. It's not hard to program in automatic checking, and by the sounds of it, would stop how easy this type of scam would be implemented. Also they could do reverse phone number checks etc. as well. I'm quite sure if they had that information automatically populated during an application, any attempts to defraud the companies would be found out with a lot less time.

    1. Re:I'm Surprised... by adamofgreyskull · · Score: 5, Insightful

      I'm also suitably stupefied. All the "pink" and "red" flags that they are obviously so clever to spot, and which she spends almost the entire article talking about, are just her dancing around the elephant in the room: that she and her team are complete fucking idiots.

      Seriously. The important things they learnt, consolidated in the "6 steps" at the bottom of the article, are pure common sense. Even if they're not concerned about "malvertisements" (ick) they should already have been checking references properly (i.e. using a bank's listed number, not one provided by the "agency", and checking the certificates of incorporation of them and their referees). It's common fucking sense even when you are just trying to establish whether or not to extend a line of credit to them! I wish I could have avoided swearing, but it makes me feel physically sick to think that someone can publicly admit to being such a colossal moron and still have a job. Not only that, but to have people thanking her for her insight!! Idiots! How much time was wasted by her, her sales droids, her marketers etc.? Idiots! Using the word "creative" as a noun when referring to banner-ad files? Idiot!! AAAGHHH!

    2. Re:I'm Surprised... by jimicus · · Score: 4, Interesting

      I'm also suitably stupefied. All the "pink" and "red" flags that they are obviously so clever to spot, and which she spends almost the entire article talking about, are just her dancing around the elephant in the room: that she and her team are complete fucking idiots.

      Part of me wonders if there is a difference in industries which makes this look so damn stupid.

      Anyone in IT has probably seen so much malware, so many phishing and scam attempts that there's a strong chance most of us would have checked any company registration numbers with the relevant authorities, checked WHOIS information and contacted the bank directly using one of the banks' own published numbers before even returning the first email. But if you didn't normally meet such rubbish (because the IT department has already filtered out most of the malware, scams and phishing attempts before they even hit your mailbox), I wonder if you'd develop the same level of cynicism?

  3. Pink flag by kaoshin · · Score: 3, Funny

    "We've also highlighted some pink flags"

    Is that close to a fuchsia, because I like totally need a flag like that to match my new outfit.

  4. Such high standards! by Anonymous Coward · · Score: 4, Insightful

    I'm comforted to know that Casale Media will pass on obnoxious mortgage refinance advertising from only verified and legitimate predatory lenders!

    These checks aren't in place out of any concern for the security of ad viewers. Casale Media here is only concerned that the phantom business will disappear without paying once the botnet is established. Ad networks have demonstrated they don't give a damn so long as they get their cut.

    My AdBlock Plus stays on.

  5. Big Surprise by VonSkippy · · Score: 5, Insightful

    And site owners and advertisers wonder why users go to such extremes with Adblock Plus and NoScript to block ads.

    If the sites (or ad distributors) can't guarantee the safety of their own sites, then users have to do whatever is necessary to protect their own systems. If that means no advertising income for those sites - tough luck.

    1. Re:Big Surprise by Tapewolf · · Score: 3, Insightful

      And site owners and advertisers wonder why users go to such extremes with Adblock Plus and NoScript to block ads.

      This. I don't mind advertisements, but after I got stung by a drive-by exploit on a work machine (either on Slashdot itself or one of its linked articles), I went straight for Adblock Plus.

      I can't remember what the payload was now - something that installed 'XP Antivirus 2010' or whatever (*) - but at the time, only two AV suites could detect it and the company-mandated AV wasn't among these.

      (*) Which gleefully detected 'viruses' in several ARM, MIPS and SH3 binaries before I was able to kill it

  6. Maybe it's me by rk · · Score: 4, Insightful

    But if a WHOIS lookup on a new customer's domain isn't in your SOP from the get-go, you're strictly amateur hour.
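    The automated registration check that these posts call for, as an added example rather than anything from the article or the posters: it parses a constructed WHOIS record (placeholder names and dates) and raises the flags a reference check would want before an ad account is approved. The 180-day age threshold and the privacy-service keywords are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed WHOIS response for a hypothetical applicant domain; registrar,
# dates and names are placeholders, not a real record.
SAMPLE_WHOIS = """\
Domain Name: BRIGHTMEDIA-PARTNERS.TEST
Registrar: Example Registrar, Inc.
Creation Date: 2010-02-20T11:04:00Z
Registry Expiry Date: 2011-02-20T11:04:00Z
Registrant Organization: Example Privacy Proxy Service
Registrant Email: contact@privacy.invalid
Name Server: NS1.CHEAPHOST.TEST
"""
# Date on which the (hypothetical) application is being reviewed.
REVIEW_DATE = datetime(2010, 3, 15, tzinfo=timezone.utc)

def parse_whois(text):
    """Turn 'Key: value' WHOIS lines into a dict (first occurrence wins)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z ]+?):\s*(.+?)\s*$", line)
        if m:
            fields.setdefault(m.group(1).strip().lower(), m.group(2))
    return fields

def vet_applicant_domain(whois_text, claimed_company, now, min_age_days=180):
    """Return the list of red flags a reference check should raise."""
    f = parse_whois(whois_text)
    flags = []
    created = f.get("creation date")
    if not created:
        flags.append("no creation date in WHOIS record")
    else:
        age = now - datetime.fromisoformat(created.replace("Z", "+00:00"))
        if age < timedelta(days=min_age_days):
            flags.append(f"domain registered only {age.days} days ago")
    expiry = f.get("registry expiry date")
    if expiry and created:
        term = (datetime.fromisoformat(expiry.replace("Z", "+00:00"))
                - datetime.fromisoformat(created.replace("Z", "+00:00")))
        if term < timedelta(days=366):
            flags.append("domain registered for the minimum one-year term")
    org = f.get("registrant organization", "")
    if any(w in org.lower() for w in ("proxy", "privacy", "redacted")):
        flags.append("registrant hidden behind a privacy service")
    elif claimed_company.lower() not in org.lower():
        flags.append(f"registrant '{org}' does not match '{claimed_company}'")
    return flags
```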

  7. reputable ad networks? by stephanruby · · Score: 4, Interesting

    Reputable ad networks? What are those? Is he speaking of Google AdSense? Or Hulu ads? Personally, I don't consider ad networks that use banner ads as anything that is reputable (this includes any of the shady ad networks that Google purchased as well). Non-obtrusive text ads, I can deal with. Even Hulu ads, I can deal with since it's film on film. It's just that I hate banner ads, or animated ads, when I'm in reading mode.

  8. Re:Good Job Scott... apk by agrif · · Score: 4, Informative

    Good post, but for the record...

    Using "0.0.0.0" instead of "127.0.0.1" is not more efficient because of size. There's only a 2-byte difference between the two; if your computer has a noticeable speedup just because it's reading 2 bytes less per HOSTS entry, you have way too many entries and probably more important problems.

    The speedup, as pointed out by a different reply to GP, is because "0.0.0.0" is widely recognized as an invalid IP address, and just about every operating system will immediately fail if you try to connect to it. Using simply "127.0.0.1", the connect call has to go through the local loopback interface, and actually tries a connection, which adds up if you're accessing a lot of places at once (such as on a web page). The problem is even worse when the computer you're on is actually running something on port 80, in which case an actual connection is made, then fails, taking up more time. Or even worse: the connection times out!

    Using "0.0.0.0" is good advice; I just wanted to make sure your reasons for using it are valid.
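    An added example, not from any poster, showing the HOSTS-file normalisation this thread argues about: rewriting loopback sink entries to 0.0.0.0, keeping genuine localhost mappings, and discarding duplicates and malformed names. The sample entries are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample blocklist excerpt (placeholder hostnames, not real domains).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.0.1   ads.example-adnetwork.test
127.0.0.1   ads.example-adnetwork.test   # duplicate entry
0.0.0.0     tracker.example.test
127.0.0.1   bad_host.test
::1         localhost
"""
# RFC 1123 hostname shape: dot-separated labels of letters, digits and hyphens.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$)(?:{_LABEL}\.)*{_LABEL}$", re.I)
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
SINK = "0.0.0.0"  # unroutable target: connect() fails at once on Windows

def normalize_hosts(text):
    """Rewrite 127.0.0.1 sink entries to 0.0.0.0; drop duplicates and junk.
    Caveat: Linux maps a 0.0.0.0 destination to loopback, so the fast-fail
    benefit is mainly a Windows one (where HOSTS blocklists are common)."""
    out, seen = [], set()
    stats = {"rewritten": 0, "kept": 0, "duplicate": 0, "invalid": 0}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            stats["invalid"] += 1
            continue
        if any(n.lower() in LOCAL_NAMES for n in names):
            out.append(line)  # genuine loopback mapping, keep untouched
            continue
        if not names or not all(HOSTNAME_RE.match(n) for n in names):
            stats["invalid"] += 1
            continue
        for key in (n.lower() for n in names):
            if key in seen:
                stats["duplicate"] += 1
                continue
            seen.add(key)
            # Only loopback sinks are rewritten; real mappings keep their address.
            sink = ip.is_loopback or ip.is_unspecified
            stats["rewritten" if ip.is_loopback else "kept"] += 1
            out.append(f"{SINK if sink else addr} {key}")
    return out, stats
```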

  9. Re:Malicious malverts by asdf7890 · · Score: 3, Informative

    Ultimately, how does the end user's computer get infected by this 'malware'?

    The site linked to by the advert includes code that exploits a drive-by install using an unpatched exploit for the user's browser/OS, or uses some form of human engineering to get them to install it (i.e. like the many many "your machine is infected, follow these instructions to fix this" things that are seen out there).

    At least one ad network I've seen seems to allow advertisers to include custom JavaScript in their adverts, either that or the advertisers have found a way around the filtering the ad network does on the content, at which point such unpatched flaws can be exploited without the user needing to click the ad at all.

  10. I'm righter than you by Anonymous Coward · · Score: 3, Informative

    I've been told it's weird when ACs try so hard. Also futile.

    So disregard everything I said, I suck cocks.

    APK

  11. You lost me at "reputable ad networks" by erroneus · · Score: 5, Insightful

    In so many words others have expressed what I have summarized down to "advertisers don't respect their audience." Their approach has almost always been the capitalist "what the market will bear" approach, and as people have grown accustomed to being assaulted with ever more eye-catching colors, styles, techniques and technologies, the limits of what the market will bear erode. People no longer realize they are being disrespected. Their paid-for internet connections are being utilized. Their time is being wasted. They will install software that resists being uninstalled and drains performance and stability from their computers. I see no end to what they will do.

    There is a blurry and indistinguishable line between "reputable ad networks" and "the bad guys." The reputable are certainly not constrained by morals and not by law. How can we know they aren't simply being complicit?

  12. Do something about pages that won't load noscript'd by Marrow · · Score: 3, Insightful

    There are plenty of pages where the site just will not load unless you give permission to run layers and layers of 3rd,4th,5th party scripts. What can we do as consumers or developers to prevent such behavior on the part of websites?

  13. Re:Do something about pages that won't load noscrip by pushf+popf · · Score: 4, Insightful

    There are plenty of pages where the site just will not load unless you give permission to run layers and layers of 3rd,4th,5th party scripts. What can we do as consumers or developers to prevent such behavior on the part of websites?

    Install User Agent Switcher and browse as Google.

      Nobody blows off Google.

  14. Re:Thanks, & see URL @ bottom of this reply by agrif · · Score: 3, Informative

    Yeah, in a file with that many entries, the extra 8 bytes per line would create a large performance hit.

    I'm going to agree with the AC in a sibling thread, though: if your HOSTS file is larger than 10MB*, you're doing something with HOSTS it was never meant to do. It may be easier than setting up a proper DNS server, but it's not as efficient.

    (I appreciate distributing a HOSTS file is easier than telling people how to set up a DNS server, though.)

    I think if you start worrying about efficiency enough to start shaving bytes off of lines, you should consider the efficiency of loading a 10MB file instead of a proper DNS server, which can store this data more efficiently than a plain-text list.

    My point stands for sane use cases. In my opinion, what you're doing is an abuse of HOSTS, even if it's a handy abuse.

    * 10MB is an estimate. ~10 bytes per line * ~1 million lines